
Forcepoint DLP

Forcepoint

About

Data protection does not have to get in the way of business productivity. Forcepoint’s focus on unified policies, user risk, and automation makes data security frictionless and intuitive.

Product Details

Vendor URL: Forcepoint DLP

Product Type: DLP

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Forcepoint Integration guide

Admin Guide: Forcepoint DLP Admin Guide

Parser Details

Log Format: Syslog CEF

Expected Normalization Rate: near 100%

Data Label: FORCEPOINT_DLP

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                UDM Field
vendor                        metadata.vendor_name
product                       metadata.product_name
version                       metadata.product_version
product_event                 metadata.product_event_type
Defined                       metadata.event_type
toaddress                     network.email.to
ccaddress                     network.email.cc
src, shost                    principal.hostname
src, shost                    principal.ip
dst, dhost                    target.hostname
dst, dhost                    target.ip
esuser                        network.email.from
suser                         principal.user.userid
from                          network.email.from
duser                         network.email.to
messageid                     network.email.mail_id
replyto                       network.email.reply_to
cs1                           additional.fields
in                            additional.fields
external_id                   additional.fields
encrypt_delivery              additional.fields
delivery_code_info            additional.fields
analyzed_by                   additional.fields
delivery_code                 additional.fields
reason                        security_result.summary
spfresult                     security_result.description
app                           target.application
msg                           network.email.subject
msg                           metadata.description
max_match                     additional.fields
xmailer                       additional.fields
dvc_direction                 additional.fields
dvc_facility                  additional.fields
dvc_process_name              security_result.summary
act                           security_result.description
url                           security_result.url_back_to_product
url                           target.url
cat                           security_result.rule_name
event_action                  security_result.action
additional_exceptionReason    additional.fields
hybrid_spam_score             additional.fields
local_spam_score              additional.fields
fname01-20                    security_result.about.file.full_path
fhash01                       security_result.about.file.sha256
observer_ip                   observer.ip
observer                      observer.hostname
observer                      observer.ip
LOW, MEDIUM, HIGH             security_result.severity

Product Event Types

Product Event                 metadata.event_type
Message, Policy, Delivery     EMAIL_TRANSACTION
Connection                    NETWORK_CONNECTION
Default                       GENERIC_EVENT

Log Sample

<13>Oct 18 08:33:34 hostname1 CEF:0|Forcepoint|Email Security|8.4.0|Message|Message|5| dvc=10.10.10.10 dvchost=l320-esg rt=1634564044000 externalId=1549036383915611140 messageId=4882427997340155632 suser=user@external.com duser=john.doe@domain.com msg=Job/Pick Ticket Created - Job/Pick Ticket Number: 101 in=6045 trueSrc=10.162.162.1 from="Job Ticket Notification" <user@external.com> to=jane.doe@domain.com cc= x-mailer= fname= url=

Sample Parsing

metadata.event_timestamp = "2021-10-18T13:34:04Z"
metadata.event_type = "EMAIL_TRANSACTION"
metadata.vendor_name = "Forcepoint"
metadata.product_name = "Email Security"
metadata.product_event_type = "Message"
additional.External ID = "AAAA036383915611140"
additional.IN = "6045"
principal.ip = "10.162.162.1"
principal.asset.ip = "10.162.162.1"
observer.hostname = "hostname1"
observer.ip = "10.10.10.10"
network.email.from = "user@external.com"
network.email.to = "john.doe@domain.com"
network.email.to = "jane.doe@domain.com"
network.email.mail_id = "5555427997340155632"
network.email.subject = "Job/Pick Ticket Created - Job/Pick Ticket Number: 10"
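The following Python is an added example, not the parser's or Forcepoint's own code: it splits the syslog-wrapped CEF record shown in the Log Sample above and applies this page's UDM mapping and Product Event table to it. The CEF extension key names (dvc, rt, messageId, trueSrc, duser, to), the epoch-millisecond reading of rt, and the reduction of from= to a bare address are assumptions inferred from the sample and the Sample Parsing section.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the page's CEF layout (illustrative values, not a real event).
SAMPLE = ('<13>Oct 18 08:33:34 hostname1 CEF:0|Forcepoint|Email Security|8.4.0|Message|Message|5|'
          ' dvc=10.10.10.10 dvchost=l320-esg rt=1634564044000 externalId=1549036383915611140'
          ' messageId=4882427997340155632 suser=user@external.com duser=john.doe@domain.com'
          ' msg=Job/Pick Ticket Created - Job/Pick Ticket Number: 101 in=6045 trueSrc=10.162.162.1'
          ' from="Job Ticket Notification" <user@external.com> to=jane.doe@domain.com cc= x-mailer= fname= url=')

# Product Event -> metadata.event_type from the page's table; anything else is GENERIC_EVENT.
EVENT_TYPES = {"Message": "EMAIL_TRANSACTION", "Policy": "EMAIL_TRANSACTION",
               "Delivery": "EMAIL_TRANSACTION", "Connection": "NETWORK_CONNECTION"}
# Extension key -> UDM field, after the page's mapping table (the CEF key names are assumed).
SIMPLE_MAP = {"suser": "principal.user.userid", "messageId": "network.email.mail_id",
              "msg": "network.email.subject", "dvc": "observer.ip", "trueSrc": "principal.ip"}

HEADER_RE = re.compile(r"^<\d+>\w{3} +\d+ [\d:]+ (\S+) CEF:0\|")
EXT_RE = re.compile(r"(\w[\w\-]*)=(.*?)(?= \w[\w\-]*=|$)")  # a value ends at the next " key="

def parse_cef(line):
    """Split a syslog-wrapped CEF:0 record into header fields and an extension dict."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF:0 record")
    vendor, product, version, event_class, _name, severity, ext = line[m.end():].split("|", 6)
    return {"observer_host": m.group(1), "vendor": vendor, "product": product, "version": version,
            "product_event": event_class, "severity": severity, "ext": dict(EXT_RE.findall(ext))}

def to_udm(line):
    """Build the UDM view of one record; empty extension values (cc=, url=, ...) are dropped."""
    rec = parse_cef(line)
    ext = {k: v for k, v in rec["ext"].items() if v}
    udm = {"metadata.vendor_name": rec["vendor"], "metadata.product_name": rec["product"],
           "metadata.product_version": rec["version"], "metadata.product_event_type": rec["product_event"],
           "metadata.event_type": EVENT_TYPES.get(rec["product_event"], "GENERIC_EVENT"),
           "observer.hostname": rec["observer_host"]}
    if "rt" in ext:  # CEF rt is epoch milliseconds; UDM takes an RFC 3339 UTC timestamp
        ts = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)
        udm["metadata.event_timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    for key, field in SIMPLE_MAP.items():
        if key in ext:
            udm[field] = ext[key]
    if "from" in ext:  # '"Display Name" <addr>' -> bare address, as in the page's sample parsing
        m = re.search(r"<([^>]+)>", ext["from"])
        udm["network.email.from"] = m.group(1) if m else ext["from"]
    if "duser" in ext or "to" in ext:  # both keys land in the repeated network.email.to field
        udm["network.email.to"] = [ext[k] for k in ("duser", "to") if k in ext]
    udm["additional.fields"] = {k: ext[k] for k in ("in", "externalId", "x-mailer") if k in ext}
    return udm
```

Running to_udm(SAMPLE) reproduces the Sample Parsing values for the timestamp, event type, observer, principal.ip and the email fields; a record whose Product Event is not in the table falls through to GENERIC_EVENT, matching the Default row.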

Parser Alerting

This product currently does not have any Parser-based Alerting