SSE Incident Management
SSE Security Service Edge Incident Management SWG CASB ZTNA DLP FWaaS SASE Detection Response SOAR Playbook Zscaler Netskope
| SSE Component | Function | Incident Type | Response |
|---|---|---|---|
| SWG | Web Traffic Filter | Malware Download, Phishing | Block URL, Alert SOC |
| CASB | Cloud App Control | Shadow IT, Data Leak | Block App, DLP Alert |
| ZTNA | Zero Trust Access | Unauthorized Access | Block User, MFA Challenge |
| DLP | Data Protection | Data Exfiltration | Block Transfer, Alert Legal |
| FWaaS | Cloud Firewall | Network Attack, C2 | Block IP, Isolate Device |
Incident Detection
# === SSE Incident Detection Rules ===
from dataclasses import dataclass
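@dataclass
class DetectionRule:
    """One SSE detection rule: what to watch, where it comes from, and how to respond.

    All attributes are plain strings. ``condition`` is a human-readable
    pseudo-expression for display (it is not parsed or evaluated here), and
    ``rule_id`` is the key that playbook triggers refer to (e.g. "SSE-001 Alert").

    Raises:
        ValueError: if ``rule_id`` is blank or ``severity`` is not one of the
            labels in ``ALLOWED_SEVERITIES`` (comparison is case-sensitive).
    """

    # Accepted severity labels. Plain class attribute (no annotation), so
    # dataclass does not turn it into a field.
    ALLOWED_SEVERITIES = frozenset({"CRITICAL", "HIGH", "MEDIUM", "LOW"})

    rule_id: str  # stable identifier, e.g. "SSE-001"
    name: str  # short human-readable title
    source: str  # SSE component(s) / feeds that supply the telemetry
    condition: str  # pseudo-expression describing the match, display only
    severity: str  # one of ALLOWED_SEVERITIES
    response: str  # comma-separated response actions

    def __post_init__(self) -> None:
        # Fail at construction time so a mistyped severity ("HGIH") cannot
        # silently fall through severity-based triage later.
        if not self.rule_id.strip():
            raise ValueError("rule_id must be a non-empty string")
        if self.severity not in self.ALLOWED_SEVERITIES:
            raise ValueError(
                f"unknown severity {self.severity!r}; expected one of "
                f"{sorted(self.ALLOWED_SEVERITIES)}"
            )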
# Detection rule catalogue, in the order it is printed. Keyword arguments make
# the field each value lands in explicit; `condition` is display-only pseudo-syntax.
rules = [
    DetectionRule(
        rule_id="SSE-001",
        name="Malware Download Detected",
        source="SWG (Secure Web Gateway)",
        condition="file_verdict == 'malicious' AND action == 'allowed'",
        severity="CRITICAL",
        response="Block hash, Isolate device, Scan endpoint, Alert SOC",
    ),
    DetectionRule(
        rule_id="SSE-002",
        name="Phishing URL Accessed",
        source="SWG + Threat Intel",
        condition="url_category == 'phishing' AND user_clicked == true",
        severity="HIGH",
        response="Block URL, Reset password, Check email, Alert user",
    ),
    DetectionRule(
        rule_id="SSE-003",
        name="Large Data Transfer to Personal Cloud",
        source="CASB + DLP",
        condition="app_category == 'personal_storage' AND bytes > 1GB",
        severity="HIGH",
        response="Block transfer, Review content, Alert manager",
    ),
    DetectionRule(
        rule_id="SSE-004",
        name="Login from Unusual Country",
        source="ZTNA + Identity",
        condition="geo_country NOT IN allowed_countries AND risk_score > 70",
        severity="HIGH",
        response="Block access, MFA challenge, Alert SOC",
    ),
    DetectionRule(
        rule_id="SSE-005",
        name="Multiple Policy Violations",
        source="All SSE Components",
        condition="violation_count > 5 AND timeframe < 1h AND same_user",
        severity="MEDIUM",
        response="Restrict access, Review user activity, Alert manager",
    ),
    DetectionRule(
        rule_id="SSE-006",
        name="Command & Control Communication",
        source="FWaaS + DNS",
        condition="dest_ip IN c2_ioc_list OR dns_query matches dga_pattern",
        severity="CRITICAL",
        response="Block IP/DNS, Isolate device, Full investigation",
    ),
]
print("=== Detection Rules ===")
for rule in rules:
    # Blank line before each rule, then one indented line per attribute;
    # joined into a single print so the output is identical line for line.
    report_lines = [
        f"\n [{rule.rule_id}] {rule.name}",
        f" Source: {rule.source}",
        f" Condition: {rule.condition}",
        f" Severity: {rule.severity}",
        f" Response: {rule.response}",
    ]
    print("\n".join(report_lines))
Response Workflow
# === Incident Response Workflow ===
@dataclass
class ResponsePhase:
    """One phase of the incident-response workflow, kept as display text.

    Every field is a free-text label that the "Response Phases" loop prints;
    nothing here is validated or executed.
    """

    phase: str  # numbered phase label, e.g. "1. Detection & Alert"
    actions: str  # what is done during the phase
    tools: str  # systems used in the phase
    timeline: str  # target duration, or the event that starts the phase
    owner: str  # team or system responsible for the phase
# Workflow phases in the order they are printed. Keyword arguments keep each
# value paired with its field name; all strings are reproduced verbatim.
phases = [
    ResponsePhase(
        phase="1. Detection & Alert",
        actions="SSE ตรวจจับ Anomaly สร้าง Alert ส่ง SIEM/SOAR",
        tools="SSE Platform, SIEM (Splunk/Sentinel), PagerDuty",
        timeline="0-5 นาที (อัตโนมัติ)",
        owner="SSE Platform (Auto)",
    ),
    ResponsePhase(
        phase="2. Triage & Classification",
        actions="จัดลำดับ Severity กำหนด Incident Type มอบหมาย Analyst",
        tools="SOAR Playbook, SIEM Correlation",
        timeline="5-15 นาที",
        owner="SOC L1 Analyst",
    ),
    ResponsePhase(
        phase="3. Investigation",
        actions="วิเคราะห์ Timeline Scope Impact Root Cause IOC",
        tools="SSE Logs, EDR, SIEM, Threat Intel",
        timeline="15-60 นาที",
        owner="SOC L2/L3 Analyst",
    ),
    ResponsePhase(
        phase="4. Containment",
        actions="Block Threat หยุดการแพร่กระจาย Isolate Affected",
        tools="SSE Policy Update, EDR Isolate, IAM Block",
        timeline="ทันทีหลัง Investigation",
        owner="SOC Analyst + IT Ops",
    ),
    ResponsePhase(
        phase="5. Eradication & Recovery",
        actions="ลบ Malware ปิดช่องโหว่ กู้คืนระบบ Verify Clean",
        tools="EDR, Patch Management, Backup Restore",
        timeline="1-24 ชั่วโมง",
        owner="IT Ops + Security",
    ),
    ResponsePhase(
        phase="6. Post-Incident",
        actions="สรุปบทเรียน อัพเดท Playbook ปรับ Policy Detection Rule",
        tools="Incident Report, Policy Update, Rule Tuning",
        timeline="ภายใน 1 สัปดาห์",
        owner="SOC Manager + Team",
    ),
]
print("=== Response Phases ===")
for phase in phases:
    # Header line is preceded by a blank line; the remaining lines are each
    # indented by one space, exactly as the per-attribute prints would emit.
    phase_lines = [
        f"\n [{phase.phase}]",
        f" Actions: {phase.actions}",
        f" Tools: {phase.tools}",
        f" Timeline: {phase.timeline}",
        f" Owner: {phase.owner}",
    ]
    print("\n".join(phase_lines))
SOAR Playbook
# === SOAR Playbook Examples ===
@dataclass
class PlaybookStep:
    """A single step of a SOAR playbook.

    ``automated`` only controls the "[AUTO]"/"[MANUAL]" label in the printed
    playbook; nothing here is dispatched to the named tool.
    """

    step: int  # 1-based position within the playbook
    action: str  # what the step does (display text)
    automated: bool  # True if the step runs without a human approving it
    tool: str  # system or API that would carry out the step
@dataclass
class Playbook:
    """A named SOAR playbook bound to one alert trigger.

    ``steps`` is a list of PlaybookStep instances in the order they should
    be carried out; no default is given, so every playbook must supply its
    own list.
    """

    name: str  # display name, e.g. "Malware Detection"
    trigger: str  # alert that starts the playbook, e.g. "SSE-001 Alert"
    steps: list  # PlaybookStep instances, in step order
# Playbook for rule SSE-001. Steps 1-7 are automated; step 8 is the human
# approval gate before recovery.
malware_pb = Playbook(
    name="Malware Detection",
    trigger="SSE-001 Alert",
    steps=[
        PlaybookStep(step=1, action="Block file hash ใน SSE SWG Policy", automated=True, tool="SSE API"),
        PlaybookStep(step=2, action="Query EDR หา Device ที่ Download", automated=True, tool="EDR API"),
        PlaybookStep(step=3, action="Isolate Device จาก Network", automated=True, tool="EDR API"),
        PlaybookStep(step=4, action="Scan Device หา IOC อื่น", automated=True, tool="EDR API"),
        PlaybookStep(step=5, action="Check VirusTotal สำหรับ Hash", automated=True, tool="VT API"),
        PlaybookStep(step=6, action="สร้าง Jira Ticket", automated=True, tool="Jira API"),
        PlaybookStep(step=7, action="แจ้ง SOC Team ทาง Slack", automated=True, tool="Slack API"),
        PlaybookStep(step=8, action="Review และ Approve Recovery", automated=False, tool="Human"),
    ],
)
# Playbook for rule SSE-002. Every step is marked automated, including the
# password reset at step 3; unlike malware_pb there is no human approval step.
# NOTE(review): that is at odds with the "Human Approval for high-impact
# actions" tip below — confirm whether step 3 should require approval.
phishing_pb = Playbook(
    name="Phishing Response",
    trigger="SSE-002 Alert",
    steps=[
        PlaybookStep(step=1, action="Block Phishing URL ใน SWG", automated=True, tool="SSE API"),
        PlaybookStep(step=2, action="Check User คลิก URL หรือยัง", automated=True, tool="SSE Logs"),
        PlaybookStep(step=3, action="Reset User Password (ถ้าคลิก)", automated=True, tool="IAM API"),
        PlaybookStep(step=4, action="Scan Inbox หา Email เดียวกัน", automated=True, tool="Email API"),
        PlaybookStep(step=5, action="ลบ Phishing Email ทุก Inbox", automated=True, tool="Email API"),
        PlaybookStep(step=6, action="แจ้ง User ที่ได้รับ Email", automated=True, tool="Email"),
        PlaybookStep(step=7, action="อัพเดท Threat Intel IOC", automated=True, tool="TI Platform"),
    ],
)
# Print both playbooks; the mode label is looked up once rather than rebuilt
# with a conditional expression on every step.
mode_label = {True: "AUTO", False: "MANUAL"}
for playbook in (malware_pb, phishing_pb):
    print(f"\n=== {playbook.name} (Trigger: {playbook.trigger}) ===")
    for step in playbook.steps:
        print(f" Step {step.step}: [{mode_label[step.automated]}] {step.action} ({step.tool})")
เคล็ดลับ
- Playbook: สร้าง Playbook สำหรับ Incident ที่พบบ่อยที่สุดก่อน
- Tuning: Tune Detection Rule ลด False Positive ทุกสัปดาห์
- MTTD/MTTR: วัด Mean Time to Detect/Respond ปรับปรุงทุกเดือน
- Correlation: รวม Event หลายตัวเป็น Incident เดียว ลด Alert Fatigue
- Human: ใส่ Human Approval สำหรับ Action ที่ Impact สูง
SSE คืออะไร
Security Service Edge SWG CASB ZTNA DLP FWaaS SASE Cloud Security Zscaler Netskope Palo Alto Cloudflare ลด Complexity จัดการจากที่เดียว
Incident Management ทำอย่างไร
Detection Triage Investigation Containment Eradication Recovery Lessons Learned Playbook SOAR SIEM SOC Analyst Severity Timeline
ตั้งค่า Detection อย่างไร
Alert Rule Malware Phishing Data Transfer Login Country Policy Violation SIEM Correlation Threat Intel Tuning False Positive Alert Fatigue
SOAR Integration ทำอย่างไร
Playbook อัตโนมัติ Malware Block Isolate Scan Phishing Block Reset Password Email Scan Cortex XSOAR Tines Shuffle Human Approval
สรุป
SSE Security Incident Management SWG CASB ZTNA DLP Detection Response SOAR Playbook SIEM SOC MTTD MTTR Tuning Correlation
