Forcepoint DLP¶
About¶
Data protection does not have to get in the way of business productivity. Forcepoint’s focus on unified policies, user risk, and automation makes data security frictionless and intuitive.
Product Details¶
Vendor URL: Forcepoint DLP
Product Type: DLP
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Forcepoint Integration guide
Admin Guide: Forcepoint DLP Admin Guigde
Parser Details¶
Log Format: Syslog CEF
Expected Normalization Rate: near 100%
Data Label: FORCEPOINT_DLP
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| vendor | metadata.vendor_name |
| product | metadata.product_name |
| version | metadata.product_version |
| product_event | metadata.product_event_type |
| Defined | metadata.event_type |
| toaddress | network.email.to |
| ccaddress | network.email.cc |
| src, shost | principal.hostname |
| src, shost | principal.ip |
| dst, dhost | target.hostname |
| dst, dhost | target.ip |
| esuser | network.email.from |
| suser | principal.user.userid |
| from | network.email.from |
| duser | network.email.to |
| messageid | network.email.mail_id |
| replyto | network.email.reply_to |
| cs1 | additional.fields |
| in | additional.fields |
| external_id | additional.fields |
| encrypt_delivery | additional.fields |
| delivery_code_info | additional.fields |
| analyzed_by | additional.fields |
| delivery_code | additional.fields |
| reason | security_result.summary |
| spfresult | security_result.description |
| app | target.application |
| msg | network.email.subject |
| msg | metadata.description |
| max_match | additional.fields |
| xmailer | additional.fields |
| dvc_direction | additional.fields |
| dvc_facility | additional.fields |
| dvc_process_name | security_result.summary |
| act | security_result.description |
| url | security_result.url_back_to_product |
| url | target.url |
| cat | security_result.rule_name |
| event_action | security_result.action |
| additional_exceptionReason | additional.fields |
| hybrid_spam_score | additional.fields |
| local_spam_score | additional.fields |
| fname01-20 | security_result.about.file.full_path |
| fhash01 | security_result.about.file.sha256 |
| observer_ip | observer.ip |
| observer | observer.hostname |
| observer | observer.ip |
| LOW, MEDIUM, HIGH | security_result.severity |
Product Event Types¶
| Product Event | metadata.event_type |
|---|---|
| Message, Policy, Delivery | EMAIL_TRANSACTION |
| Connection | NETWORK_CONNECTION |
| Default | GENERIC_EVENT |
Log Sample¶
<13>Oct 18 08:33:34 hostname1 CEF:0|Forcepoint|Email Security|8.4.0|Message|Message|5| dvc=10.10.10.10 dvchost=l320-esg rt=1634564044000 externalId=1549036383915611140 messageId=4882427997340155632 suser=user@external.com duser=john.doe@domain.com msg=Job/Pick Ticket Created - Job/Pick Ticket Number: 101 in=6045 trueSrc=10.162.162.1 from="Job Ticket Notification" <user@external.com> to=jane.doe@domain.com cc= x-mailer= fname= url=
Sample Parsing¶
metadata.event_timestamp = "2021-10-18T13:34:04Z"
metadata.event_type = "EMAIL_TRANSACTION"
metadata.vendor_name = "Forcepoint"
metadata.product_name = "Email Security"
metadata.product_event_type = "Message"
additional.External ID = "AAAA036383915611140"
additional.IN = "6045"
principal.ip = "10.162.162.1"
principal.asset.ip = "10.162.162.1"
observer.hostname = "hostname1"
observer.ip = "10.10.10.10"
network.email.from = "user@external.com"
network.email.to = "john.doe@domain.com"
network.email.to = "jane.doe@domain.com"
network.email.mail_id = "5555427997340155632"
network.email.subject = "Job/Pick Ticket Created - Job/Pick Ticket Number: 10"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon