Set Up Credential Phishing Prevention (Strata Cloud Manager)

1. Configure the user credential detection method you want to use.
   Review Methods to Check for Corporate Credential Submissions for details about each method.

   • For IP User Mapping, set up local users and groups, Identity Redistribution, or Authentication with Prisma Access.
   • To use Domain Credential Filter, set up Identity Redistribution and local users and groups or Authentication.
   • To use Group Mapping, set up local users and groups or Authentication.
2. Create a Decryption policy rule that decrypts the traffic you want to monitor for user credential submissions.
3. Create or modify a URL Access Management Profile.
   1. Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesURL Access Management.
   2. Under URL Access Management Profiles, click Add Profile or select an existing profile.
4. Configure the User Credential Detection settings.
   1. Under User Credential Detection, select a User Credential Detection method.
      • Use IP User Mapping—Checks for valid corporate username submissions and verifies that the login username maps to the source IP address of the session. To do this, Prisma Access matches the submitted username and source IP address of the session against its IP-address-to-username mapping table.
      • Use Domain Credential Filter—Checks for valid corporate username and password submissions and verifies that the username maps to the IP address of the logged-in user.
      • Use Group Mapping—Checks for valid username submissions based on the user-to-group mapping table populated when you map users to groups. You can apply credential detection to any part of the directory or for specific groups that have access to your most sensitive applications, such as IT.
        This method is prone to false positives in environments that do not have uniquely structured usernames. Because of this, you should only use this method to protect your high-value user accounts.

   2. For Valid Username Detected Log Severity, select the severity level that the firewall records in log when it detects corporate credential submissions:
      • high
      • (default) medium
      • low
5. Configure the action taken when the firewall detects corporate credential submissions.
   1. Under Access Control, select an action for User Credential Submission for each URL category with its Site Access set to allow or alert.
      You can select from the following actions:

      • (Recommended) alert—Lets users submit credentials to websites in the given URL category but generates a URL Filtering log each time this happens.
      • (Default) allow–Lets users submit credentials to the website.
      • (Recommended) block—Prevents users from submitting credentials to websites in the given URL category. When a user tries to submit credentials, the firewall displays the anti-phishing block page.
      • continue—Presents the anti-phishing continue page to users when they attempt to submit credentials. Users must select Continue on the response page to proceed to the website.
   2. Save the profile.
6. Apply the URL Access Management profile to your Security policy rules.
   1. Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity Policy.
   2. Under Security Policy Rules, create or select a Security policy rule.
   3. Select ActionsProfile Group, and then select a URL Access Management profile group.
   4. Save the rule.
7. Click Push Config.