Forcepoint Cloud Security Gateway and AWS Security Hub
Table of contents
- Forcepoint Cloud Security Gateway and AWS Security Hub
- Summary
- Source Code
- Caveats
- Requirements
- Register a user in AWS and retrieve credentials
- Configure SIEM Integration inside Forcepoint Cloud Security Gateway
- Enable AWS Config
- Implementation options
- Troubleshooting
- Appendix A – Mapping fields between Forcepoint Cloud Security Gateway Email log and ASFF
- Appendix B – Mapping fields between Forcepoint Cloud Security Gateway Web log and ASFF
- Appendix C – Creating custom Insights into AWS Security Hub
License
These contents are licensed under Apache License, Version 2.0. http://www.apache.org/licenses/LICENSE-2.0
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SITE AND ITS CONTENT IS PROVIDED TO YOU ON AN “AS IS,” “AS AVAILABLE” AND “WHERE-IS” BASIS. ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THE SITE OR ITS CONTENT, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS, ARE HEREBY DISCLAIMED
Document Revision
Version | Date | Author | Notes |
---|---|---|---|
0.1 | 07 September 2020 | Dlo Bagari | First draft |
0.2 | 11 September 2020 | Neelima Rai | Added Troubleshooting chapter |
0.3 | 14 September 2020 | Mattia Maggioli | Review |
0.4 | 31 March 2021 | Dlo Bagari | Implemented new export method with retry logic in case of outages |
0.5 | 07 April 2021 | Neelima Rai | Updated Troubleshooting chapter |
Summary
This guide provides step-by-step instructions to configure an event-driven pipeline that exports Forcepoint Cloud Security Gateway web/email logs to AWS Security Hub.
The code and instructions provided enable system administrators to automatically:
- Export selected web/email logs from Forcepoint Cloud Security Gateway into AWS Security Hub
- Process the logs on the fly and import them as “Findings” inside AWS Security Hub
The workflow between the components involved in this POC is depicted in the following diagram:
Source Code
https://github.com/Forcepoint/fp-bd-csg-security-hub
Caveats
The integration described in this document was developed and tested with the following products as of March 2021:
- Forcepoint Cloud Security Gateway
- AWS Security Hub – ASFF format as of 2020-04-13
- Golang 1.14
- Docker version 19.03.12
The following activities are out of scope for this document and are left to the system administrator, as part of the ordinary maintenance procedures already in place within the existing infrastructure:
- configuration of appropriate hygiene procedures to handle logs produced during any step of the solution workflow
- monitoring of the scripts, services, and applications involved in the solution
Requirements
Two implementation options are provided in this document:
- Docker – leverages docker images where the integration component is already installed with all necessary dependencies.
- Traditional – requires the manual deployment of the integration component inside a CentOS 7.3 host-machine.
Register a user in AWS and retrieve credentials
To create a user, attach the required policies, and retrieve the user's credentials, follow these steps:
- Sign in to the AWS Management Console and open the Amazon IAM console
- Open the Users section and click Add User in the top left
- Enter a name for the new user and select Programmatic access in the Access type section
- Click Next: Permissions
- Select Attach existing policies directly and search for AdministratorAccess
- Select AdministratorAccess and click Next
- Add tags if required by your organization's policies (tags are not required by this integration)
- Review the details and then click Create user
- The next screen shows your new user along with its Access key ID and Secret access key: save these, or the CSV file, in a secure location. This is the only time the Secret access key will be shown.
Configure SIEM Integration inside Forcepoint Cloud Security Gateway
Log Export permissions
Ensure your account has the Log Export permission:
- Log in to the Forcepoint Cloud Security Gateway portal
- Click ACCOUNT > Contacts
- Under the User Name column, find your username and click on it
- In the Account Permissions section, ensure the Log Export box is checked
- Click Save
Enable SIEM logging
- In your Security Portal, navigate to Reporting > Account Reports > SIEM Integration
- Select Web Security as the data type
- Enable data export
- From the Attributes section, drag and drop the following attributes into the Columns section:
  - Risk Class
  - Action
  - User
  - Policy
  - Category
  - Domain
  - Protocol
  - URL – Full
  - Cloud App
  - Cloud App Category
  - Cloud App Risk Level
  - Connection IP
  - Connection IP City
  - Connection IP Country
  - Connection Name
  - Destination IP
  - Source IP
  - Analytic Name
  - File Sandbox Status
  - Severity
  - Threat Name
  - Threat Type
  - Date & Time
  - File Name
  - File Type
  - Operating System
  - User Agent
  - Authentication Method
  - Classification Type
  - Data Center
  - Filtering Source
  - HTTP Status Code
  - Request Method
  - Bytes Received
  - Bytes Sent
  Make sure all the above attributes are selected and DO NOT remove any of them from the Columns section: AWS Security Hub will not be able to ingest the event logs if data is missing.
- Click Save
- Change Data type to Email Security
- Enable data export
- From the Attributes section, drag and drop the following attributes into the Columns section:
  - Direction
  - From: Address
  - Policy
  - Recipient Address
  - Recipient Domain
  - Sender Domain
  - Sender Name
  - Subject
  - Action
  - Black/Whitelisted
  - Blocked Attachment Ext
  - Filtering Reason
  - Sender IP
  - Sender IP Country
  - Attachment File Type
  - Attachment Filename
  - Emb. URL Risk Class
  - Emb. URL Severity
  - Advanced Encryption
  - File Sandbox Status
  - Virus Name
  - Date & Time
  - Message Size
  - Spam Score
  - Attachment Size
  Make sure all the above attributes are selected and DO NOT remove any of them from the Columns section: AWS Security Hub will not be able to ingest the event logs if data is missing.
- Click Save
Enable AWS Config
AWS Security Hub requires AWS Config to be enabled. AWS Config is a web service that performs configuration management of supported AWS resources in your account and delivers log files to you.
To configure AWS Config settings:
- Open the AWS Config console at https://console.aws.amazon.com/config/
- Select the Region to configure AWS Config in
If AWS Config is NOT yet configured in the selected region, do the following:
- Choose 1-click setup
- Click Confirm
Implementation options
Two implementation options are provided in this document:
- Docker – leverages a docker image where the integration component is already installed with all necessary dependencies: the user only needs to edit the configuration files and run the container on an existing docker setup
- Traditional – requires manual deployment of the integration component inside a clean host machine (recommended) or an existing one, provided all requirements are satisfied
Implementation – Docker
The solution described in this chapter requires:
- A Linux machine (CentOS 7.3 recommended) with at least 20 GB of free disk space and 2 GB of RAM. This machine is referred to in the rest of this document as the docker-host.
- Docker Engine installed on the docker-host: visit docker-installation-docs to install Docker Engine on the docker-host
- docker-compose installed on the docker-host: visit docker-compose-installation-docs to install docker-compose on the docker-host
Log in to your docker-host as root and perform the following steps.
Step 1: Download Docker Compose files
- Decompress the fp-csg-export-aws-security-hub-docker.tar.gz file with the following command:
`tar -zxvf fp-csg-export-aws-security-hub-docker.tar.gz`
The output of the above command is a directory named fp-csg-export-aws-security-hub-docker
Step 2: Define the required environment variables
- Change your current directory to fp-csg-export-aws-security-hub-docker:
`cd fp-csg-export-aws-security-hub-docker`
- Open the .env file:
`vi .env`
- Change the values of the environment variables inside .env. The following table explains each variable and states whether it needs to be changed.

Variable Name | Description | Requires to be changed |
---|---|---|
AWS_REGION_CODE | AWS region code; for example, if your region is US East (Ohio) the value is us-east-2. To find your region code visit https://docs.aws.amazon.com/general/latest/gr/rande.html | YES |
AWS_ACCESS_KEY_ID | The ID for the AWS user created in the chapter Register a user in AWS and retrieve credentials | YES |
AWS_SECRET_ACCESS_KEY | The secret associated with the AWS user created in the chapter Register a user in AWS and retrieve credentials | YES |
CSG_USERNAME | Username for Forcepoint Cloud Security Gateway | YES |
CSG_PASSWORD | Password for Forcepoint Cloud Security Gateway | YES |
CSG_WEB_LOGS_INCLUDE | Include filter: if a parameter in the web log matches a parameter specified in CSG_WEB_LOGS_INCLUDE, the log is processed. Example, to process web logs whose Action field contains Blocked: `CSG_WEB_LOGS_INCLUDE="Action=Blocked"`. To filter by multiple parameters, separate them with a comma: `CSG_WEB_LOGS_INCLUDE="Action=Blocked,PolicyName=My Web Policy"` | NO |
CSG_WEB_LOGS_EXCLUDE | Exclude filter: if a parameter in the web log matches a parameter specified in CSG_WEB_LOGS_EXCLUDE, the log is NOT processed. Example, to exclude all web logs whose Action field contains Accepted: `CSG_WEB_LOGS_EXCLUDE="Action=Accepted"` | NO |
CSG_EMAIL_LOGS_INCLUDE | Include filter: if a parameter in the email log matches a parameter specified in CSG_EMAIL_LOGS_INCLUDE, the log is processed. Example, to process email logs whose Sender IP Country is United States: `CSG_EMAIL_LOGS_INCLUDE="SenderIpCountry=United States"`. To filter by multiple parameters, separate them with a comma: `CSG_EMAIL_LOGS_INCLUDE="SenderIpCountry=United States,PolicyName=My Email Policy"` | NO |
CSG_EMAIL_LOGS_EXCLUDE | Exclude filter: if a parameter in the email log matches a parameter specified in CSG_EMAIL_LOGS_EXCLUDE, the log is NOT processed. Example, to exclude all email logs whose Action field is Accepted: `CSG_EMAIL_LOGS_EXCLUDE="Action=Accepted"` | NO |
SEND_WEB_LOGS | Boolean value; if true, the integration sends Forcepoint Cloud Security Gateway web logs to AWS Security Hub. The default value is true. Set it to false if you do not want to send web logs. | NO |
SEND_EMAIL_LOGS | Boolean value; if true, the integration sends Forcepoint Cloud Security Gateway email logs to AWS Security Hub. The default value is true. Set it to false if you do not want to send email logs. | NO |
WEB_LOGS_START_DATETIME | Only process web logs whose creation datetime is greater than or equal to this value. Expected format: YYYY-MM-DD hh:mm:ss | NO |
EMAIL_LOGS_START_DATETIME | Only process email logs whose creation datetime is greater than or equal to this value. Expected format: YYYY-MM-DD hh:mm:ss | NO |
CSG_LOGS_URL | URL for downloading Forcepoint Cloud Security Gateway web/email logs. The default URL is https://hlfs-web-d.mailcontrol.com/siem/logs | NO |
INTERVAL_TIME_IN_MINUTES | How frequently Forcepoint Cloud Security Gateway logs are downloaded, processed and sent to AWS Security Hub. The default value is 10 minutes | NO |

- Save and close .env
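The include/exclude semantics described in the table above, worked through as an added Go example (this is not code from the fp-bd-csg-security-hub project): it parses the `Key=Value,Key=Value` syntax, applies the include filter and then the exclude filter to a few constructed web log records keyed by the Appendix B ProductFields names, and checks that an export header still carries the attributes the guide says must not be removed. The case-insensitive substring match, the "any pair matches" rule for multi-term filters, and the record and column names are assumptions, since the guide does not specify them.

```go
package main

import (
	"fmt"
	"strings"
)

// Filter holds the Key=Value pairs of one CSG_*_LOGS_INCLUDE or _EXCLUDE value.
type Filter map[string]string

// ParseFilter parses the syntax from the configuration table: pairs separated
// by commas, key and value split at the first '='; surrounding whitespace is dropped.
func ParseFilter(expr string) (Filter, error) {
	f := Filter{}
	if strings.TrimSpace(expr) == "" {
		return f, nil // unset filter: matches nothing
	}
	for _, term := range strings.Split(expr, ",") {
		kv := strings.SplitN(term, "=", 2)
		if len(kv) != 2 || strings.TrimSpace(kv[0]) == "" {
			return nil, fmt.Errorf("bad filter term %q: expected Key=Value", term)
		}
		f[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return f, nil
}

// Matches reports whether any pair in the filter is satisfied by the record. Assumption: the
// guide says the Action field "contains" Blocked, so a case-insensitive substring test is used.
func (f Filter) Matches(record map[string]string) bool {
	for key, want := range f {
		got, ok := record[key]
		if ok && strings.Contains(strings.ToLower(got), strings.ToLower(want)) {
			return true
		}
	}
	return false
}

// ShouldProcess applies include first, then exclude: a log is sent only if it matches the
// include filter (or none is configured) and does not match the exclude filter.
func ShouldProcess(record map[string]string, include, exclude Filter) bool {
	if len(include) > 0 && !include.Matches(record) {
		return false
	}
	return !exclude.Matches(record)
}

// CheckColumns verifies an export header still carries every attribute the guide says must stay.
func CheckColumns(header, required []string) error {
	present := map[string]bool{}
	for _, h := range header {
		present[strings.TrimSpace(h)] = true
	}
	for _, col := range required {
		if !present[col] {
			return fmt.Errorf("attribute %q missing from export: re-add it under SIEM Integration", col)
		}
	}
	return nil
}

// sampleWebLogs are constructed records keyed by Appendix B ProductFields names, not real CSG output.
var sampleWebLogs = []map[string]string{
	{"Action": "Blocked", "PolicyName": "My Web Policy", "Severity": "High"},
	{"Action": "Accepted", "PolicyName": "Default", "Severity": "Low"},
	{"Action": "Blocked", "PolicyName": "Default", "Severity": "Medium"},
}

// CountProcessed returns how many sample records the two filters let through.
func CountProcessed(include, exclude Filter) int {
	n := 0
	for _, rec := range sampleWebLogs {
		if ShouldProcess(rec, include, exclude) {
			n++
		}
	}
	return n
}

func main() {
	inc, _ := ParseFilter("Action=Blocked")
	exc, _ := ParseFilter("PolicyName=Default")
	fmt.Println(CountProcessed(inc, exc)) // 1: only the Blocked log under My Web Policy
}
```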
Step 3: Start Services
- Use the following command and credentials to log in to the Docker registry hosting the containers needed for this integration:
`root@linux:~# docker login docker.frcpnt.com`
Username: fp-integrations
Password: t1knmAkn19s
- Run the following command to start the docker container and run the integration service:
`docker-compose run fp-csg-security-hub /app/csg-security-hub run`
Once the service has started it will download CSG logs (if any) and process them.
Note: the docker-compose service creates the following directories in the root directory of the docker-host:
- csg-timer: stores the datetime of the latest downloaded CSG logs
- web: buffer directory for CSG web logs
- email: buffer directory for CSG email logs
IMPORTANT: THESE 3 DIRECTORIES MUST NOT BE REMOVED
Implementation - Traditional
The solution described in this chapter requires:
- A CentOS 7.3 machine with at least 20 GB of free disk space and 2 GB of RAM. This machine is referred to in the rest of this document as the host-machine.
Log in to your host-machine as root and proceed according to the following steps.
Step 1: Download the source code
Download the fp-csg-export-security-hub-tr.tar.gz file, which contains the following files:
- fp-csg-security-hub: a service that sends Forcepoint CSG web/email logs to AWS Security Hub
- fp-csg-security-hub.yml: the config file for the fp-csg-security-hub service
- fp-csg-security-hub.service: a systemd unit file for the fp-csg-security-hub service
- fp-csg-export-security-hub-installer.sh: bash script which configures the host-machine for this integration
The following packages will be installed on the host-machine:
- Golang v1.14
Step 2: Run installation script
- Decompress the source code file: this creates a directory named fp-csg-export-security-hub-tr which contains all required files for this implementation:
`tar -zxvf fp-csg-export-security-hub-tr.tar.gz`
- Change your current directory to fp-csg-export-security-hub-tr:
`cd fp-csg-export-security-hub-tr`
- Edit the fp-csg-security-hub.yml config file:
`vi fp-csg-security-hub.yml`
- Change the values of the parameters inside fp-csg-security-hub.yml. The following table explains each parameter and states whether it needs to be changed.

Variable Name | Description | Requires to be changed |
---|---|---|
AWS_REGION_CODE | AWS region code; for example, if your region is US East (Ohio) the value is us-east-2. To find your region code visit https://docs.aws.amazon.com/general/latest/gr/rande.html | YES |
AWS_ACCESS_KEY_ID | The ID for the AWS user created in the chapter Register a user in AWS and retrieve credentials | YES |
AWS_SECRET_ACCESS_KEY | The secret associated with the AWS user created in the chapter Register a user in AWS and retrieve credentials | YES |
CSG_USERNAME | Username for Forcepoint Cloud Security Gateway | YES |
CSG_PASSWORD | Password for Forcepoint Cloud Security Gateway | YES |
CSG_WEB_LOGS_INCLUDE | Include filter: if a parameter in the web log matches a parameter specified in CSG_WEB_LOGS_INCLUDE, the log is processed. Example, to process web logs whose Action field contains Blocked: `CSG_WEB_LOGS_INCLUDE="Action=Blocked"`. To filter by multiple parameters, separate them with a comma: `CSG_WEB_LOGS_INCLUDE="Action=Blocked,PolicyName=My Web Policy"` | NO |
CSG_WEB_LOGS_EXCLUDE | Exclude filter: if a parameter in the web log matches a parameter specified in CSG_WEB_LOGS_EXCLUDE, the log is NOT processed. Example, to exclude all web logs whose Action field contains Accepted: `CSG_WEB_LOGS_EXCLUDE="Action=Accepted"` | NO |
CSG_EMAIL_LOGS_INCLUDE | Include filter: if a parameter in the email log matches a parameter specified in CSG_EMAIL_LOGS_INCLUDE, the log is processed. Example, to process email logs whose Sender IP Country is United States: `CSG_EMAIL_LOGS_INCLUDE="SenderIpCountry=United States"`. To filter by multiple parameters, separate them with a comma: `CSG_EMAIL_LOGS_INCLUDE="SenderIpCountry=United States,PolicyName=My Email Policy"` | NO |
CSG_EMAIL_LOGS_EXCLUDE | Exclude filter: if a parameter in the email log matches a parameter specified in CSG_EMAIL_LOGS_EXCLUDE, the log is NOT processed. Example, to exclude all email logs whose Action field is Accepted: `CSG_EMAIL_LOGS_EXCLUDE="Action=Accepted"` | NO |
SEND_WEB_LOGS | Boolean value; if true, the integration sends Forcepoint Cloud Security Gateway web logs to AWS Security Hub. The default value is true. Set it to false if you do not want to send web logs. | NO |
SEND_EMAIL_LOGS | Boolean value; if true, the integration sends Forcepoint Cloud Security Gateway email logs to AWS Security Hub. The default value is true. Set it to false if you do not want to send email logs. | NO |
WEB_LOGS_START_DATETIME | Only process web logs whose creation datetime is greater than or equal to this value. Expected format: YYYY-MM-DD hh:mm:ss | NO |
EMAIL_LOGS_START_DATETIME | Only process email logs whose creation datetime is greater than or equal to this value. Expected format: YYYY-MM-DD hh:mm:ss | NO |
CSG_LOGS_URL | URL for downloading Forcepoint Cloud Security Gateway web/email logs. The default URL is https://hlfs-web-d.mailcontrol.com/siem/logs | NO |
INTERVAL_TIME_IN_MINUTES | How frequently Forcepoint Cloud Security Gateway logs are downloaded, processed and sent to AWS Security Hub. The default value is 10 minutes | NO |

- Save fp-csg-security-hub.yml
- Make fp-csg-export-security-hub-installer.sh executable:
`chmod +x fp-csg-export-security-hub-installer.sh`
- Execute the fp-csg-export-security-hub-installer.sh script:
`sudo ./fp-csg-export-security-hub-installer.sh`
Step 3: Reboot the host-machine
Reboot the host-machine and the integration will start as soon as the reboot is completed.
Note: it might take some time until all the logs are visible in AWS Security Hub: this depends on the number of logs being exported and the normal processing time on the AWS side.
Troubleshooting
Follow these steps to identify issues impacting the normal operation of the integration described in this document.
Docker Implementation
Validate the prerequisites
Make sure the prerequisites described in the Summary chapter are all satisfied:
- Check the versions of software in use are listed as compatible:
  - AWS Security Hub – ASFF format as of 2020-04-13
  - Golang v1.14
- Docker images for this integration have been tested with Docker 19.03.6
- The host machine must have at least 2 GB RAM and 20 GB of free space; CentOS 7.3 is recommended
- The user needs to be root on the docker host machine to deploy this integration
- Check the user can download the file with the command below:
`wget --content-disposition https://frcpnt.com/fp-csg-security-hub-docker-latest`
Check network connectivity
Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved in this integration:
- Check the host machine has connectivity to the internet: execute the following command on the Docker host machine:
`ping -c 2 www.aws.com`
Once done, check the result is similar to the output below:
```
PING www.aws.com (10.10.120.12) 56(84) bytes of data.
64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=179 ms
64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=181 ms
```
Check dependencies are installed
Make sure the software dependencies needed by the components involved in this integration are installed:
- Check the host machine has docker installed. Execute the following command on the host machine:
`docker info`
Check the first few lines of the output are similar to below:
```
Client:
 Debug Mode: false

Server:
 Containers: 3
  Running: 2
  Paused: 0
  Stopped: 1
 Images: 3
 Server Version: 19.03.6
```
- Check the host machine has docker-compose installed. Execute the following command on the host machine:
`docker-compose --version`
- Check the docker-compose version is 1.25.4 or higher
- Check the folders csg-timer, web and email are still present inside the root folder of the docker-host
Traditional Implementation
Validate the prerequisites
Make sure the prerequisites described in the Summary chapter are all satisfied:
- Check the versions of software in use are listed as compatible:
  - AWS Security Hub – ASFF format as of 2020-04-13
  - Golang v1.14
- The host machine must have at least 2 GB RAM and 20 GB of free space; CentOS 7.3 is recommended
- The user needs to be root on the host machine to deploy this integration
- Check the user can download the file with the command below:
`wget --content-disposition https://frcpnt.com/fp-csg-security-hub-tr-latest`
Check network connectivity
Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved in this integration:
- Check the host machine has connectivity to the internet: execute the following command on the host machine:
`ping -c 2 www.aws.com`
Once done, check the result is similar to the output below:
```
PING www.aws.com (10.10.120.12) 56(84) bytes of data.
64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=179 ms
64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=181 ms
```
Check dependencies are installed
Make sure the software dependencies needed by the components involved in this integration are installed:
- Check the host machine has Golang installed: run the command below on the CentOS 7.3 host machine:
`go version`
Check the output is similar to below:
`go version go1.14.1 linux/amd64`
Check all components are configured and running properly
Make sure the products and services involved in this integration are configured as expected and they are running:
- Run the command below on the host machine:
`systemctl status fp-csg-security-hub.service`
The output should look similar to below:
```
● fp-csg-security-hub.service - Send Forcepoint CSG web/email logs to Security HUb
   Loaded: loaded (/etc/systemd/system/fp-csg-security-hub.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-04-07 10:49:35 UTC; 1h 21min ago
 Main PID: 784 (csg-security-hu)
   CGroup: /system.slice/fp-csg-security-hub.service
           └─784 /var/forcepoint-csg-hub/csg-security-hub run --config /var/f...

Apr 07 11:53:36 localhost.localdomain csg-security-hub[784]: successfully sen...
Apr 07 11:53:36 localhost.localdomain csg-security-hub[784]: Processed number...
Apr 07 11:53:41 localhost.localdomain csg-security-hub[784]: successfully sen...
```
Appendix A – Mapping fields between Forcepoint Cloud Security Gateway Email log and ASFF
ASFF | Forcepoint Cloud Security Gateway Email Log | Fixed Value |
---|---|---|
AwsAccountId | The value for this field is found using the Go SDK. | |
CreatedAt | Date & Time | |
Description | Forcepoint CSG Email Log | |
GeneratorId | | |
Id | Random UUID is generated for each log | |
ProductArn | Default ARN is used | |
network.SourceDomain | From Address | |
network.DestinationDomain | Recipient Address | |
network.SourceIpV4 | SenderIP | |
network.Direction | Direction | |
Resources.Id | the value of ProductArn | |
Resources.Type | Forcepoint Cloud Security Gateway | |
SchemaVersion | 08/10/2018 | |
Severity | Emb URL Severity | |
Title | Subject | |
Types | Unusual Behaviors/Network Flow/ForcepointCSG | |
UpdatedAt | Current date when the ASFF finding is sent to AWS Security Hub | |
ProductFields.BlackWhitelisted | Black/White listed | |
ProductFields.Action | Action | |
ProductFields.BlockedAttachmentExt | Blocked Attachment Ext | |
ProductFields.PolicyName | Policy Name | |
ProductFields.SenderIPCountry | Sender IP Country | |
ProductFields.AdvancedEncryption | Advanced Encryption | |
ProductFields.VirusName | Virus Name | |
ProductFields.RecipientDomain | Recipient Domain | |
ProductFields.SenderName | Sender Name | |
ProductFields.FilteringReason | Filtering Reason | |
ProductFields.AttachmentFilename | Attachment Filename | |
ProductFields.AttachmentFileType | Attachment File Type | |
ProductFields.EmbURLRiskClass | Emb URL Risk Class | |
ProductFields.SpamScore | Spam Score | |
ProductFields.MessageSize | Message Size | |
ProductFields.AttachmentSize | Attachment Size | |
Appendix B – Mapping fields between Forcepoint Cloud Security Gateway Web log and ASFF
ASFF | Forcepoint Cloud Security Gateway Web Log | Fixed Value |
---|---|---|
AwsAccountId | The value for this field is found using the Go SDK. | |
CreatedAt | Date & Time | |
Description | Forcepoint CSG Web Log | |
GeneratorId | Web | |
Id | Random UUID is generated for each log | |
ProductArn | Default ARN is used | |
network.DestinationIpV4 | Destination IP | |
network.Protocol | Protocol | |
network.SourceDomain | Domain | |
network.SourceIpV4 | Source IP | |
Resources.Id | the value of ProductArn | |
Resources.Type | Forcepoint Cloud Security Gateway | |
SchemaVersion | 08/10/2018 | |
Severity | Severity | |
Title | Category Name | |
Types | Unusual Behaviors/Network Flow/ForcepointCSG | |
UpdatedAt | Current date when the ASFF finding is sent to AWS Security Hub | |
ProductFields.RiskClass | Risk Class | |
ProductFields.Action | Action | |
ProductFields.User | User | |
ProductFields.PolicyName | Policy Name | |
ProductFields.URLFull | URL Full | |
ProductFields.CloudAppName | Cloud App Name | |
ProductFields.CloudAppRiskLevel | Cloud App Risk Level | |
ProductFields.ConnectionIPCountry | Connection IP Country | |
ProductFields.AnalyticName | Analytic Name | |
ProductFields.FileSandboxStatus | File Sandbox Status | |
ProductFields.ThreatType | Threat Type | |
ProductFields.ReferrerURLFull | Referrer URL Full | |
ProductFields.AuthenticationMethod | Authentication Method | |
ProductFields.FilteringSource | Filtering Source | |
ProductFields.HTTPStatusCode | HTTP Status Code | |
ProductFields.BytesReceived | Bytes Received | |
ProductFields.BytesSent | Bytes Sent | |
ProductFields.RequestMethod | Request Method | |
ProductFields.DataCenter | Data Center | |
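The Appendix B mapping carried out in Go as an added example (not the project's own code): one web log record, given as column name to value, becomes an ASFF finding with the fixed values from the table, a random UUID for Id, the network.* rows, and ProductFields built from a representative subset of the table. The SchemaVersion string `2018-10-08` (the 08/10/2018 date in ASFF's own notation), the Severity label normalisation, the caller-supplied AwsAccountId and ProductArn, and the assumption that the log's Date & Time is already RFC 3339 are assumptions of this example, not statements from the guide.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
	"time"
)

// Finding is the subset of ASFF that Appendix B maps to; JSON tags are the ASFF field names.
type Finding struct {
	SchemaVersion string              `json:"SchemaVersion"`
	Id            string              `json:"Id"`
	ProductArn    string              `json:"ProductArn"`
	GeneratorId   string              `json:"GeneratorId"`
	AwsAccountId  string              `json:"AwsAccountId"`
	Types         []string            `json:"Types"`
	CreatedAt     string              `json:"CreatedAt"`
	UpdatedAt     string              `json:"UpdatedAt"`
	Severity      map[string]string   `json:"Severity"`
	Title         string              `json:"Title"`
	Description   string              `json:"Description"`
	Resources     []map[string]string `json:"Resources"`
	Network       Network             `json:"Network"`
	ProductFields map[string]string   `json:"ProductFields"`
}

// Network carries the network.* rows of Appendix B; empty values are omitted from the JSON.
type Network struct {
	SourceIpV4      string `json:"SourceIpV4,omitempty"`
	DestinationIpV4 string `json:"DestinationIpV4,omitempty"`
	Protocol        string `json:"Protocol,omitempty"`
	SourceDomain    string `json:"SourceDomain,omitempty"`
}

// webProductFields maps CSG web log columns to Appendix B ProductFields keys (a subset of the table).
var webProductFields = map[string]string{
	"Risk Class": "RiskClass", "Action": "Action", "User": "User", "Policy Name": "PolicyName",
	"URL Full": "URLFull", "Threat Type": "ThreatType", "HTTP Status Code": "HTTPStatusCode",
	"Request Method": "RequestMethod", "Bytes Sent": "BytesSent", "Data Center": "DataCenter",
}

// severityLabel normalises the CSG Severity column to an ASFF Severity.Label. Assumption: CSG
// values look like Low/Medium/High/Critical; anything else becomes INFORMATIONAL, not an import error.
func severityLabel(s string) string {
	switch v := strings.ToUpper(strings.TrimSpace(s)); v {
	case "LOW", "MEDIUM", "HIGH", "CRITICAL":
		return v
	}
	return "INFORMATIONAL"
}

// WebLogToFinding applies the Appendix B mapping to one web log record (column name -> value).
// accountID and productArn are supplied by the caller; CreatedAt takes the log's Date & Time
// as-is, assumed here to already be RFC 3339 since the guide does not state the export format.
func WebLogToFinding(rec map[string]string, accountID, productArn string, now time.Time) (Finding, error) {
	var b [16]byte // random UUID for Id, as Appendix B specifies
	if _, err := rand.Read(b[:]); err != nil {
		return Finding{}, err
	}
	b[6], b[8] = (b[6]&0x0f)|0x40, (b[8]&0x3f)|0x80 // RFC 4122 version 4 bits
	pf := map[string]string{}
	for col, key := range webProductFields {
		if v := rec[col]; v != "" {
			pf[key] = v // columns absent from this record are skipped
		}
	}
	return Finding{
		SchemaVersion: "2018-10-08",
		Id:            fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:]),
		ProductArn:    productArn,
		GeneratorId:   "Web",
		AwsAccountId:  accountID,
		Types:         []string{"Unusual Behaviors/Network Flow/ForcepointCSG"},
		CreatedAt:     rec["Date & Time"],
		UpdatedAt:     now.UTC().Format(time.RFC3339),
		Severity:      map[string]string{"Label": severityLabel(rec["Severity"])},
		Title:         rec["Category Name"],
		Description:   "Forcepoint CSG Web Log",
		Resources:     []map[string]string{{"Type": "Forcepoint Cloud Security Gateway", "Id": productArn}},
		Network: Network{SourceIpV4: rec["Source IP"], DestinationIpV4: rec["Destination IP"],
			Protocol: rec["Protocol"], SourceDomain: rec["Domain"]},
		ProductFields: pf,
	}, nil
}
```

Marshalling the returned Finding with encoding/json gives the document that goes into a BatchImportFindings call; the ProductArn passed in must be the default ARN the table refers to (constructed placeholder values are used in the test).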
Appendix C – Creating custom Insights into AWS Security Hub
Example 1 – Blocked Web activities by Severity
Create a custom Insight that displays Forcepoint Cloud Security Gateway web logs grouped by Severity where the action on the logs is Blocked:
- Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/
- In the navigation pane, choose Insights
- Choose Create insight
- Choose the search box to display the filter options
- Choose Filter by > Resource Type, insert Forcepoint Cloud Security Gateway as the value for this filter and click Apply
- Choose the search box again to display the filter options, select Filter by > Generator ID, insert Web as the value for this filter and click Apply
- Choose the search box again to display the filter options, select Filter by > Product fields, insert Action as the key and Blocked as the value for this filter and click Apply
- Choose the search box again to display the filter options, select Group by > Severity Label and click Apply
- Choose Create insight
- Enter an Insight name, then choose Create insight
Example 2 – Blocked Email activities by Severity
Create a custom Insight that displays Forcepoint Cloud Security Gateway email logs grouped by Severity where the action on the logs is Blocked:
- Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/
- In the navigation pane, choose Insights
- Choose Create insight
- Choose the search box to display the filter options
- Choose Filter by > Resource Type, insert Forcepoint Cloud Security Gateway as the value for this filter and click Apply
- Choose the search box again to display the filter options, select Filter by > Generator ID, insert email as the value for this filter and click Apply
- Choose the search box again to display the filter options, select Filter by > Product fields, insert Action as the key and Blocked as the value for this filter and click Apply
- Choose the search box again to display the filter options, select Group by > Severity Label and click Apply
- Choose Create insight
- Enter an Insight name, then choose Create insight
To create more insights, repeat the above steps, and select the grouping logic based on the most relevant value to your use case.