Restricting YouTube Access Based on User Behavior

You can set up Threat Defender to restrict access to certain websites for a certain time.

This example shows how to combine event tracking tables with a correlation rule set to enforce a time-based restriction.

Objective

YouTube access is restricted to 5 minutes. Afterwards, YouTube is blocked for an hour.

In this example, the restriction is based on the behavior of users independently of the devices they use. If you do not track users and want to see how to restrict access based on devices, refer to Restricting YouTube Access Based on Asset Behavior.

To implement this, you need to set up a correlation scenario with two event tracking tables and a dedicated rule set.

Creating the Correlation Scenario

First, navigate to Policy > Advanced Correlation. Set up a new correlation scenario that will contain the rules and event tracking tables.

Creating the Event Tracking Tables

In the correlation scenario, open the Event Tracking Tables tab. Create two event tracking tables. One stores users for 5 minutes, the other stores users for one hour. This way, two lists with YouTube users are created.

Event tracking tables track the users. Since you only want to track the primary attribute, i.e. the User, select None as the secondary attribute. This is important because Threat Defender would compare attribute pairs if a secondary attribute were selected, and the rules would then not match.

The following table shows the required settings of the event tracking tables:

Name | Retention Time (seconds) | Primary Attribute Type | Max. No. Primary | Secondary Attribute Type | Max. No. Secondary per Primary
1 hour users | 3600 | User | 100 | None | 1
5 min users | 300 | User | 100 | None | 1

Note

Under Maximum Number of Primary Attributes, make sure that both tables are large enough to fit the number of users in your network.

For detailed instructions on how to create an event tracking table, refer to Creating an Event Tracking Table.

Creating the Rule Set

Set up a rule set of five rules in the correlation scenario:

  • Rule 1 allows all traffic except YouTube.

  • Rule 2 allows YouTube access for users on the 5 min users list.

  • Rule 3 rejects YouTube access for users on the 1 hour users list.

  • Rule 4 adds users who started a new YouTube connection to the 5 min users list.

  • Rule 5 adds users generating YouTube traffic to the 1 hour users list.

The following table shows the required rule settings:

Rule | Source | Destination | Condition | Actions
1 | Any | Any | Classification: Excluded Applications/Protocols: youtube | Final Action: Allow Traffic and Skip to Next Scenario
2 | Any | Any | Classification: Included Applications/Protocols: youtube; Advanced Correlation Condition: Event in Event Tracking Table (Event Tracking Table: 5 min users) | Final Action: Allow Traffic and Skip to Next Scenario
3 | Any | Any | Classification: Included Applications/Protocols: youtube; Advanced Correlation Condition: Event in Event Tracking Table (Event Tracking Table: 1 hour users) | Final Action: Reject Traffic and Stop Processing
4 | Any | Any | Classification: Included Applications/Protocols: youtube | Add to Event Tracking Table (Event Tracking Table: 5 min users; Primary Attribute: User; Secondary Attribute: None)
5 | Any | Any | Classification: Included Applications/Protocols: youtube | Add to Event Tracking Table (Event Tracking Table: 1 hour users; Primary Attribute: User; Secondary Attribute: None)

For detailed instructions on how to create a rule in a correlation scenario, refer to Creating Rules in a Correlation Scenario.

Click the APPLY CHANGES button at the top of the menu bar to activate your configuration changes.

Result

The system processes the specified rule set in a top-down approach:

  1. The system allows all traffic but YouTube.

  2. For YouTube traffic, the system checks whether the requesting user is in either of the event tracking tables:

    • If the user is on the 5 min users list, Threat Defender allows YouTube access and skips to the next correlation scenario.

    • If the user is not on the 5 min users list but is on the 1 hour users list, Threat Defender rejects YouTube access and stops processing, as configured in rule 3.

    • If the user is on neither list, Threat Defender adds the user to both event tracking tables.
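The following simulation replays the top-down evaluation described above against two in-memory event tracking tables, so you can see why the user is allowed for 5 minutes, rejected until the 1 hour entry expires, and then tracked again. It is an added example written for this page, not Threat Defender code; the table semantics it models (an entry expires once its retention time has elapsed, a full table refuses new entries, and a connection that hits no final action falls through to the next scenario) are assumptions, as are the user names and timestamps in the constructed timeline.

```python
# Constructed simulation of the two-table YouTube restriction (not Threat Defender code).
# Assumptions: entries expire after the retention time; a full table refuses new
# entries; a connection with no final action in this scenario falls through.

FIVE_MIN = 300      # retention time of "5 min users", in seconds
ONE_HOUR = 3600     # retention time of "1 hour users", in seconds
MAX_PRIMARY = 100   # "Max. No. Primary" from the event tracking table settings


class EventTrackingTable:
    """Event tracking table keyed on the primary attribute (User), no secondary attribute."""

    def __init__(self, name, retention, max_primary=MAX_PRIMARY):
        self.name = name
        self.retention = retention
        self.max_primary = max_primary
        self.entries = {}  # user -> time (seconds) at which the entry expires

    def _expire(self, now):
        # Drop every entry whose retention time has elapsed.
        self.entries = {u: t for u, t in self.entries.items() if t > now}

    def contains(self, user, now):
        """Advanced correlation condition 'Event in Event Tracking Table'."""
        self._expire(now)
        return user in self.entries

    def add(self, user, now):
        """Action 'Add to Event Tracking Table'. Returns False when the table is full
        (assumed behaviour; this is why the sizing note above matters)."""
        self._expire(now)
        if user in self.entries:
            return True
        if len(self.entries) >= self.max_primary:
            return False
        self.entries[user] = now + self.retention
        return True


def evaluate(user, app, now, five_min, one_hour):
    """Apply rules 1-5 top-down to a single connection and return the verdict."""
    if app != "youtube":              # Rule 1: everything except YouTube is allowed
        return "allow"
    if five_min.contains(user, now):  # Rule 2: still inside the 5-minute window
        return "allow"
    if one_hour.contains(user, now):  # Rule 3: window used up, inside the 1-hour block
        return "reject"
    five_min.add(user, now)           # Rule 4: new YouTube user, open the 5-minute window
    one_hour.add(user, now)           # Rule 5: ... and start the 1-hour cooldown
    return "tracked"                  # no final action in this scenario (assumed fall-through)


def run_scenario(events):
    """Replay (time, user, application) events against fresh tables; return verdicts in order."""
    five_min = EventTrackingTable("5 min users", FIVE_MIN)
    one_hour = EventTrackingTable("1 hour users", ONE_HOUR)
    return [evaluate(user, app, t, five_min, one_hour) for t, user, app in events]


# Constructed timeline; times are seconds after the first connection.
SAMPLE_EVENTS = [
    (0, "alice", "youtube"),     # first YouTube connection: added to both tables
    (60, "alice", "youtube"),    # inside the 5-minute window
    (299, "alice", "youtube"),   # last second of the window
    (300, "alice", "youtube"),   # 5 min entry expired, 1 hour entry still present
    (1800, "alice", "youtube"),  # still blocked
    (1800, "alice", "https"),    # non-YouTube traffic is never restricted
    (1800, "bob", "youtube"),    # another user gets an independent window
    (3600, "alice", "youtube"),  # both entries expired: the cycle starts again
    (3601, "alice", "youtube"),  # new 5-minute window
]

if __name__ == "__main__":
    for (t, user, app), verdict in zip(SAMPLE_EVENTS, run_scenario(SAMPLE_EVENTS)):
        print(f"t={t:5d}s {user:6s} {app:8s} -> {verdict}")
```

Running the block prints one verdict per event; the boundary rows (t=299 versus t=300, and t=3600) show that the 5-minute window and the 1-hour block are measured from the first connection, not from the last one, because rules 4 and 5 only fire when the user is in neither table.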