Advanced SWG: Implement Threat Intelligence filtering

Implementation Effort: Low

User Impact: Medium

Overview

In a Zero Trust security model, implicit trust is eliminated, and every access request is continuously validated based on identity, risk, and context. Threat Intelligence (TI) filtering is vital in this paradigm, as it enables dynamic, real-time protection against emerging internet threats—without assuming that any network traffic is inherently safe.

By integrating TI into Secure Web Gateway (SWG) policies, organizations can ensure that users and devices are rigorously evaluated before accessing resources. This process leverages up-to-date threat data from both Microsoft and multiple third-party sources to identify and block connections to destinations classified as "High Severity" risks—such as phishing sites, malware distribution points, botnets, and command-and-control servers—at the FQDN or URL level.

Key capabilities:

  • Identify and block access to destinations labeled as "High Severity" threats based on FQDN or URL (threats identified according to Microsoft and third-party threat intelligence sources)
  • Configure allow list of FQDNs to handle false positives
  • Enrich the traffic log with the Threat Type (e.g., Botnet, C2, Phishing, Malware, etc.) of the matched indicator
  • Provide user and context-aware policy through identity-centric Conditional Access policy integration

Implementation steps:

  • Enable Internet Access traffic forwarding profile and assign users/groups
  • Create threat intelligence policy (automatically includes rule blocking high severity threats)
  • Configure allow list rules for known false positives or business-critical sites (optional)
  • Link threat intelligence policy to security profile (or use baseline security profile for tenant-wide protection)
  • Create Conditional Access policy targeting "All internet resources with Global Secure Access" and assign security profile
  • Verify enforcement by testing access to known malicious sites (e.g., entratestthreat.com) and reviewing Traffic logs for Threat Type metadata

Reference