
Forcepoint CASB

About

Forcepoint Cloud Access Security Broker (CASB) automatically discovers cloud application use, analyzes the risks and enforces appropriate controls for SaaS and production applications.

Product Details

Vendor URL: Forcepoint CASB

Product Type: Cloud Security

Product Tier: Tier II

Integration Method: Syslog

Parser Details

Log Format: SYSLOG + KV

Expected Normalization Rate: 75%

Data Label: FORCEPOINT_CASB

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field     UDM Field
                   target.hostname
event_timestamp    metadata.event_timestamp
kv.cap_frootid     target.group.attribute.label
kv.msg             additional.fields
kv.node            target.domain.name
kv.OGID            target.group.attribute.label

Product Event Types

Event    UDM Event Classification
All      GENERIC_EVENT

Log Sample

<142>May  8 16:46:46 exampledbhost01 tag_audit_log: node=exampledbhost01.examplecompany.com type=PATH msg=audit(1683564398.857:114464): item=0 name="/home/sampleAdminUser/" inode=65048 dev=08:06 mode=012300 ouid=1002 ogid=1003 rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="sampleAdminUser" OGID="sampleAdminGroup"

Sample Parsing

metadata.event_timestamp = 1689949145
metadata.event_type = GENERIC_EVENT
additional.fields["FolderName"] = "/home/sampleAdminUser/"
additional.fields["Logname"] = "tag_audit_log"
additional.fields["Message"] = "audit(1683564398.857:114464):"
target.hostname = "exampledbhost01"
target.domain.name = "exampledbhost01.examplecompany.com"
target.group.attribute.labels["OwnerUserID"] = "sampleAdminUser"
target.group.attribute.labels["OwnerGroupID"] = "sampleAdminGroup"
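As an added illustration (not part of this page or of the vendor's parser), the Python below parses a SYSLOG + KV line like the sample above into the UDM fields this page lists. It assumes the fused token cap_frootid=0OUID="..." in the sample is to be split into two pairs (which is how the mapping of kv.cap_frootid to the OwnerUserID label is read here) and leaves event_timestamp assignment aside, since the sample's timestamp value is not derived from the line itself.

```python
import re
# Constructed copy of the page's sample line; the fused cap_frootid=0OUID="..." token is kept as shown.
SAMPLE = ('<142>May  8 16:46:46 exampledbhost01 tag_audit_log: '
          'node=exampledbhost01.examplecompany.com type=PATH '
          'msg=audit(1683564398.857:114464): item=0 name="/home/sampleAdminUser/" '
          'inode=65048 dev=08:06 mode=012300 ouid=1002 ogid=1003 rdev=00:00 '
          'obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT '
          'cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 '
          'cap_frootid=0OUID="sampleAdminUser" OGID="sampleAdminGroup"')

# Syslog header: <PRI>, timestamp, hostname, tag, then the key=value body.
HEADER = re.compile(r'^<\d{1,3}>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d '
                    r'(?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$')
# A value is either double-quoted (may contain spaces) or bare non-space text.
KV = re.compile(r'(?P<k>[A-Za-z_][A-Za-z0-9_]*)=(?P<v>"[^"]*"|\S+)')
# A bare numeric value glued to the next key="quoted" pair (missing space).
FUSED = re.compile(r'^(?P<v>\d*)(?P<k>[A-Za-z_]+)="(?P<q>[^"]*)"$')
# kv key -> (UDM container, or None for a top-level field; field/label name)
FIELD_MAP = {'node': (None, 'target.domain.name'),
             'msg': ('additional.fields', 'Message'),
             'name': ('additional.fields', 'FolderName'),
             'OUID': ('target.group.attribute.labels', 'OwnerUserID'),
             'OGID': ('target.group.attribute.labels', 'OwnerGroupID')}

def parse_kv(body):
    # Return the body's key=value pairs, splitting a fused token into two pairs.
    fields = {}
    for m in KV.finditer(body):
        key, val = m.group('k'), m.group('v')
        fused = FUSED.match(val)
        if fused:  # cap_frootid=0OUID="x" becomes cap_frootid=0 and OUID=x
            fields[key] = fused.group('v')
            fields[fused.group('k')] = fused.group('q')
        else:
            fields[key] = val.strip('"')
    return fields

def to_udm(line):
    # Map one SYSLOG + KV line to the UDM fields this page lists.
    hdr = HEADER.match(line)
    if not hdr:
        raise ValueError('line does not match the expected syslog header')
    udm = {'metadata.event_type': 'GENERIC_EVENT',
           'target.hostname': hdr.group('host'),
           'additional.fields': {'Logname': hdr.group('tag')},
           'target.group.attribute.labels': {}}
    for key, val in parse_kv(hdr.group('body')).items():
        if key in FIELD_MAP:
            container, name = FIELD_MAP[key]
            (udm[container] if container else udm)[name] = val
    return udm
```

Running to_udm(SAMPLE) reproduces the Sample Parsing block above apart from the timestamp; a line whose header does not match raises rather than producing a partial event, which is the case to watch when estimating the normalization rate.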

Parser Alerting

This product currently does not have any parser-based alerting.