Forcepoint Cloud Security Gateway and AWS Security Hub

Table of contents
  1. Forcepoint Cloud Security Gateway and AWS Security Hub
  2. Summary
  3. Source Code
  4. Caveats
  5. Requirements
  6. Register a user in AWS and retrieve credentials
  7. Configure SIEM Integration inside Forcepoint Cloud Security Gateway
    1. Log Export permissions
    2. Enable SIEM logging
  8. Enable AWS Config
  9. Implementation options
    1. Implementation – Docker
      1. Step 1: Download Docker Compose files
      2. Step 2: Define the required environment variables
      3. Step 3: Start Services
    2. Implementation - Traditional
      1. Step 1: Download the source code
      2. Step 2: Run installation script
      3. Step 3: Reboot the host-machine
  10. Troubleshooting
    1. Docker Implementation
      1. Validate the prerequisites
      2. Check network connectivity
      3. Check dependencies are installed
    2. Traditional Implementation
      1. Validate the prerequisites
      2. Check network connectivity
      3. Check dependencies are installed
      4. Check all components are configured and running properly
  11. Appendix A – Mapping fields between Forcepoint Cloud Security Gateway Email log and ASFF
  12. Appendix B – Mapping fields between Forcepoint Cloud Security Gateway Web log and ASFF
  13. Appendix C – Creating custom Insights into AWS Security Hub
    1. Example 1 – Blocked Web activities by Severity
    2. Example 2 – Blocked Email activities by Severity

License

These contents are licensed under Apache License, Version 2.0. http://www.apache.org/licenses/LICENSE-2.0

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SITE AND ITS CONTENT IS PROVIDED TO YOU ON AN “AS IS,” “AS AVAILABLE” AND “WHERE-IS” BASIS. ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THE SITE OR ITS CONTENT, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS, ARE HEREBY DISCLAIMED

Document Revision

| Version | Date | Author | Notes |
|---|---|---|---|
| 0.1 | 07 September 2020 | Dlo Bagari | First draft |
| 0.2 | 11 September 2020 | Neelima Rai | Added Troubleshooting chapter |
| 0.3 | 14 September 2020 | Mattia Maggioli | Review |
| 0.4 | 31 March 2021 | Dlo Bagari | Implemented new export method with retry logic in case of outages |
| 0.5 | 07 April 2021 | Neelima Rai | Updated Troubleshooting chapter |

Summary

This guide provides step-by-step instructions to configure an event-driven pipeline to export Forcepoint Cloud Security Gateway web/email logs to AWS Security Hub.

The code and instructions provided enable system administrators to automatically:

  • Export selected web/email logs from Forcepoint Cloud Security Gateway into AWS Security Hub
  • Process on-the-fly and import logs as “Findings” inside AWS Security Hub.

A description of the workflow between the components involved in this POC is depicted in this diagram:

Source Code

https://github.com/Forcepoint/fp-bd-csg-security-hub

Caveats

The integration described in this document was developed and tested with the following products as of March 2021:

  • Forcepoint Cloud Security Gateway
  • AWS Security Hub – ASFF format as of 2020-04-13
  • Golang 1.14
  • Docker version 19.03.12

The following activities are out of the scope of this document and therefore left to the system administrator, as part of ordinary maintenance procedures to be put in place within the existing infrastructure.

  • configuration of appropriate hygiene procedures to handle logs produced during any step of the solution workflow
  • monitoring of the scripts, services, and applications involved in the solution

Requirements

Two implementation options are provided in this document:

  • Docker – leverages docker images where the integration component is already installed with all necessary dependencies.
  • Traditional – requires the manual deployment of the integration component inside a CentOS 7.3 host-machine.

Register a user in AWS and retrieve credentials

To create a user, set the required policies, and retrieve the user’s credentials, do the following steps:

  1. Sign into the AWS Management Console and open the Amazon IAM console

  2. Open the Users section and click Add User in the top left

  3. Enter a name for the new user and select Programmatic access in the Access type section

  4. Click on Next: Permissions

  5. Select Attach existing policies directly and search for AdministratorAccess

  6. Select AdministratorAccess and click Next

  7. Add tags if required by your organization policies (tags are not required by this integration)

  8. Review the details and then click Create user

  9. In the next screen you will be presented with your new user along with your Access key ID and Secret access key: save these or the CSV file in a secure location. This is the only time the Secret access key will be available.

Configure SIEM Integration inside Forcepoint Cloud Security Gateway

Log Export permissions

Ensure your account has Log Export permission.

  1. Login to the Forcepoint Cloud Security Gateway portal

  2. Click ACCOUNT > Contacts

  3. Under the User Name column, find your username and click on it.

  4. In the Account Permissions section, ensure the Log Export box is checked.

  5. Click Save

Enable SIEM logging

  1. In your Security Portal, navigate to Reporting > Account Reports > SIEM Integration

  2. Select Web Security as a data type:

  3. Enable data export:

  4. From the Attributes section, drag and drop the following attributes into the columns section:
    • Risk Class

    • Action

    • User

    • Policy

    • Category

    • Domain

    • Protocol

    • URL – Full

    • Cloud App

    • Cloud App Category

    • Cloud App Risk Level

    • Connection IP

    • Connection IP City

    • Connection IP Country

    • Connection Name

    • Destination IP

    • Source IP

    • Analytic Name

    • File Sandbox Status

    • Severity

    • Threat Name

    • Threat Type

    • Date & Time

    • File Name

    • File Type

    • Operating System

    • User Agent

    • Authentication Method

    • Classification Type

    • Data Center

    • Filtering Source

    • HTTP Status Code

    • Request Method

    • Bytes Received

    • Bytes Sent

    Make sure all the above attributes are selected and DO NOT remove any of these attributes from the columns section: AWS Security Hub won’t be able to ingest the event logs if data is missing.

  5. Click Save

  6. Change Data type to Email Security

  7. Enable data export

  8. From the Attributes section, drag and drop the following attributes into the columns section:

    • Direction

    • From: Address

    • Policy

    • Recipient Address

    • Recipient Domain

    • Sender Domain

    • Sender Name

    • Subject

    • Action

    • Black/Whitelisted

    • Blocked Attachment Ext

    • Filtering Reason

    • Sender IP

    • Sender IP Country

    • Attachment File Type

    • Attachment Filename

    • Emb. URL Risk Class

    • Emb. URL Severity

    • Advanced Encryption

    • File Sandbox status

    • Virus Name

    • Date & Time

    • Message Size

    • Spam score

    • Attachment Size

    Make sure all the above attributes are selected and DO NOT remove any of these attributes from the columns section: AWS Security Hub won’t be able to ingest the event logs if data is missing.

  9. Click Save

Enable AWS Config

AWS Security Hub requires AWS Config to be enabled. AWS Config is a web service that performs configuration management of supported AWS resources in your account and delivers log files to you.

To configure AWS Config settings:

  1. Open the AWS Config console at https://console.aws.amazon.com/config/
  2. Select the Region to configure AWS Config in.

If AWS Config is NOT configured in the selected region, do the following steps:

  1. Choose 1-click setup

  2. Click Confirm

Implementation options

Two implementation options are provided in this document:

  • Docker – leverages a docker image where the integration component is already installed with all necessary dependencies: the user must only edit the configuration files and run the container on an existing docker setup

  • Traditional – requires manual deployment of the integration component inside a clean host machine (recommended) or an existing one, provided all requirements are satisfied.

Implementation – Docker

The solution described in this chapter requires:

  • A Linux machine (CentOS 7.3 recommended) with at least 20GB free disk space and 2 GB RAM. This machine will be referenced in the rest of this document as the docker-host.

  • Docker Engine must be installed on the docker-host, visit docker-installation-docs to install Docker Engine on docker-host

  • Docker-compose must be installed on the docker-host, visit docker-compose-installation-docs to install docker-compose on docker-host

Login to your docker-host as root and perform the following steps.

Step 1: Download Docker Compose files

  1. Download fp-csg-export-aws-security-hub-docker.tar.gz

  2. Decompress the fp-csg-export-aws-security-hub-docker.tar.gz file with the following command:

    tar -zxvf fp-csg-export-aws-security-hub-docker.tar.gz

The output of the above command is a directory named fp-csg-export-aws-security-hub-docker

Step 2: Define the required environment variables

  1. Change your current directory to fp-csg-export-aws-security-hub-docker

    cd fp-csg-export-aws-security-hub-docker
  2. Open .env file

    vi .env
  3. Change the value of the environment variables inside .env. The following list explains each variable and states whether it must be changed.

    • AWS_REGION_CODE (must be changed: YES)
      AWS region code. For example, if your region is US East (Ohio) the value for this parameter is us-east-2.
      To find your region code visit: https://docs.aws.amazon.com/general/latest/gr/rande.html

    • AWS_ACCESS_KEY_ID (must be changed: YES)
      The Access key ID of the AWS user created in the chapter Register a user in AWS and retrieve credentials.

    • AWS_SECRET_ACCESS_KEY (must be changed: YES)
      The Secret access key of the AWS user created in the chapter Register a user in AWS and retrieve credentials.

    • CSG_USERNAME (must be changed: YES)
      Username for Forcepoint Cloud Security Gateway.

    • CSG_PASSWORD (must be changed: YES)
      Password for Forcepoint Cloud Security Gateway.

    • CSG_WEB_LOGS_INCLUDE (must be changed: NO)
      Include filter: if a parameter in the web log matches a specified parameter in CSG_WEB_LOGS_INCLUDE, then that log is processed.
      Example: to process web logs where the Action field of the log contains Blocked:

        CSG_WEB_LOGS_INCLUDE="Action=Blocked"

      To filter by multiple parameters, separate them with a comma. Example:

        CSG_WEB_LOGS_INCLUDE="Action=Blocked,PolicyName=My Web Policy"

    • CSG_WEB_LOGS_EXCLUDE (must be changed: NO)
      Exclude filter: if a parameter in the web log matches a specified parameter in CSG_WEB_LOGS_EXCLUDE, then that log is NOT processed.
      Example: exclude all web logs where the Action field contains Accepted:

        CSG_WEB_LOGS_EXCLUDE="Action=Accepted"

    • CSG_EMAIL_LOGS_INCLUDE (must be changed: NO)
      Include filter: if a parameter in the email log matches a specified parameter in CSG_EMAIL_LOGS_INCLUDE, then that log is processed.
      Example: to process email logs where the value of Sender IP Country is United States:

        CSG_EMAIL_LOGS_INCLUDE="SenderIpCountry=United States"

      To filter by multiple parameters, separate them with a comma. Example:

        CSG_EMAIL_LOGS_INCLUDE="SenderIpCountry=United States,PolicyName=My Email Policy"

    • CSG_EMAIL_LOGS_EXCLUDE (must be changed: NO)
      Exclude filter: if a parameter in the email log matches a specified parameter in CSG_EMAIL_LOGS_EXCLUDE, then that log is NOT processed.
      Example: exclude all email logs where the value of the Action field is Accepted:

        CSG_EMAIL_LOGS_EXCLUDE="Action=Accepted"

    • SEND_WEB_LOGS (must be changed: NO)
      Boolean value: if true, the integration sends Forcepoint Cloud Security Gateway web logs to AWS Security Hub. The default value is true.
      If you do not want to send Forcepoint Cloud Security Gateway web logs to AWS Security Hub, set this parameter to false.

    • SEND_EMAIL_LOGS (must be changed: NO)
      Boolean value: if true, the integration sends Forcepoint Cloud Security Gateway email logs to AWS Security Hub. The default value is true.
      If you do not want to send Forcepoint Cloud Security Gateway email logs to AWS Security Hub, set this parameter to false.

    • WEB_LOGS_START_DATETIME (must be changed: NO)
      Only process the web logs whose creation datetime is greater than or equal to the value of this parameter.
      The expected datetime format is: YYYY-MM-DD hh:mm:ss

    • EMAIL_LOGS_START_DATETIME (must be changed: NO)
      Only process the email logs whose creation datetime is greater than or equal to the value of this parameter.
      The expected datetime format is: YYYY-MM-DD hh:mm:ss

    • CSG_LOGS_URL (must be changed: NO)
      URL for downloading Forcepoint Cloud Security Gateway web/email logs. The default URL is https://hlfs-web-d.mailcontrol.com/siem/logs

    • INTERVAL_TIME_IN_MINUTES (must be changed: NO)
      This parameter defines how frequently Forcepoint Cloud Security Gateway logs are downloaded, processed and sent to AWS Security Hub.
      The default value is 10 minutes.
  4. Save and close .env
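The CSG_WEB_LOGS_INCLUDE / CSG_WEB_LOGS_EXCLUDE filters above (and the identical CSG_EMAIL_LOGS_* parameters, used again by the traditional implementation) share one KEY=VALUE,KEY=VALUE syntax. The Go program below is an added example, not code from the fp-csg-security-hub service: it parses such a value and applies the documented semantics (a record matching the exclude filter is dropped; otherwise it is processed when no include filter is set or one of its entries matches). The assumption that a match is a case-insensitive substring test on the field value is labelled in the code.

```go
package main

import (
	"fmt"
	"strings"
)

// Filter holds the KEY=VALUE pairs parsed from CSG_WEB_LOGS_INCLUDE,
// CSG_WEB_LOGS_EXCLUDE or their CSG_EMAIL_LOGS_* counterparts.
type Filter map[string]string

// ParseFilter turns a value such as
//
//	Action=Blocked,PolicyName=My Web Policy
//
// into a Filter. Surrounding double quotes and whitespace are tolerated
// because the .env examples in this guide quote the whole value.
func ParseFilter(raw string) (Filter, error) {
	f := Filter{}
	raw = strings.Trim(strings.TrimSpace(raw), `"`)
	if raw == "" {
		return f, nil // no filter configured
	}
	for _, pair := range strings.Split(raw, ",") {
		kv := strings.SplitN(pair, "=", 2)
		if len(kv) != 2 || strings.TrimSpace(kv[0]) == "" {
			return nil, fmt.Errorf("filter entry %q is not KEY=VALUE", pair)
		}
		f[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return f, nil
}

// matches reports whether any entry of the filter is satisfied by the log
// record. Assumption: a match is a case-insensitive substring test on the
// field value, following the guide's wording "the Action field contains
// blocked"; the real service may compare differently.
func (f Filter) matches(record map[string]string) bool {
	for key, want := range f {
		got, ok := record[key]
		if ok && strings.Contains(strings.ToLower(got), strings.ToLower(want)) {
			return true
		}
	}
	return false
}

// ShouldProcess applies the include/exclude semantics described in the
// variable list: a record matching the exclude filter is never processed;
// otherwise it is processed when no include filter is set or one matches.
func ShouldProcess(record map[string]string, include, exclude Filter) bool {
	if exclude.matches(record) {
		return false
	}
	return len(include) == 0 || include.matches(record)
}

func main() {
	// Constructed sample: the same values the guide's .env examples use.
	include, err := ParseFilter(`"Action=Blocked,PolicyName=My Web Policy"`)
	if err != nil {
		panic(err)
	}
	exclude, _ := ParseFilter(`"Action=Accepted"`)
	records := []map[string]string{
		{"Action": "Blocked", "PolicyName": "Default", "Domain": "example.com"},
		{"Action": "Accepted", "PolicyName": "My Web Policy", "Domain": "example.org"},
		{"Action": "Allowed", "PolicyName": "Default", "Domain": "example.net"},
	}
	for _, r := range records {
		fmt.Printf("%-10s %-15s process=%v\n", r["Action"], r["PolicyName"], ShouldProcess(r, include, exclude))
	}
}
```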

Step 3: Start Services

  1. Use the following command and credentials to login into the Docker registry hosting the containers needed for this integration

    root@linux:~# docker login docker.frcpnt.com
    Username: fp-integrations
    Password: t1knmAkn19s
  2. Run the following command to start the docker container and run the integration service

    docker-compose run fp-csg-security-hub /app/csg-security-hub run

Once the service has started it will download CSG logs (if any) and process them.

Note: the docker-compose service will create the following directories in the root directory of the docker-host:

  • csg-timer: this directory will store the datetime for the latest downloaded CSG logs

  • web: this directory will be used as a buffer directory for CSG web logs

  • email: this directory will be used as buffer directory for CSG email logs

IMPORTANT: THESE 3 DIRECTORIES MUST NOT BE REMOVED

Implementation - Traditional

The solution described in this chapter requires:

  • CentOS 7.3 machine with at least 20GB free disk space and 2 GB of RAM. This machine will be referenced in the rest of this document with the name host-machine.

Login to your host-machine as root and proceed according to the following steps.

Step 1: Download the source code

Download the fp-csg-export-security-hub-tr.tar.gz file, which contains the following files:

  • fp-csg-security-hub: a service to send Forcepoint CSG web/email logs to AWS Security Hub

  • fp-csg-security-hub.yml: the config file for fp-csg-security-hub service

  • fp-csg-security-hub.service: a systemd service file for fp-csg-security-hub service

  • fp-csg-export-security-hub-installer.sh: bash script which configures the host-machine for this integration.

The following packages will be installed into the host-machine:

  • Golang V1.14

Step 2: Run installation script

  1. Decompress the source code file: this will create a directory with the name fp-csg-export-security-hub-tr which contains all required files for this implementation

    tar -zxvf fp-csg-export-security-hub-tr.tar.gz
  2. Change your current directory to fp-csg-export-security-hub-tr

    cd fp-csg-export-security-hub-tr
  3. Edit fp-csg-security-hub.yml config file

    vi fp-csg-security-hub.yml
  4. Change the value of the parameters inside fp-csg-security-hub.yml. The following list explains each parameter and states whether it must be changed.

    • AWS_REGION_CODE (must be changed: YES)
      AWS region code. For example, if your region is US East (Ohio) the value for this parameter is us-east-2.
      To find your region code visit: https://docs.aws.amazon.com/general/latest/gr/rande.html

    • AWS_ACCESS_KEY_ID (must be changed: YES)
      The Access key ID of the AWS user created in the chapter Register a user in AWS and retrieve credentials.

    • AWS_SECRET_ACCESS_KEY (must be changed: YES)
      The Secret access key of the AWS user created in the chapter Register a user in AWS and retrieve credentials.

    • CSG_USERNAME (must be changed: YES)
      Username for Forcepoint Cloud Security Gateway.

    • CSG_PASSWORD (must be changed: YES)
      Password for Forcepoint Cloud Security Gateway.

    • CSG_WEB_LOGS_INCLUDE (must be changed: NO)
      Include filter: if a parameter in the web log matches a specified parameter in CSG_WEB_LOGS_INCLUDE, then that log is processed.
      Example: to process web logs where the Action field of the log contains Blocked:

        CSG_WEB_LOGS_INCLUDE="Action=Blocked"

      To filter by multiple parameters, separate them with a comma. Example:

        CSG_WEB_LOGS_INCLUDE="Action=Blocked,PolicyName=My Web Policy"

    • CSG_WEB_LOGS_EXCLUDE (must be changed: NO)
      Exclude filter: if a parameter in the web log matches a specified parameter in CSG_WEB_LOGS_EXCLUDE, then that log is NOT processed.
      Example: exclude all web logs where the Action field contains Accepted:

        CSG_WEB_LOGS_EXCLUDE="Action=Accepted"

    • CSG_EMAIL_LOGS_INCLUDE (must be changed: NO)
      Include filter: if a parameter in the email log matches a specified parameter in CSG_EMAIL_LOGS_INCLUDE, then that log is processed.
      Example: to process email logs where the value of Sender IP Country is United States:

        CSG_EMAIL_LOGS_INCLUDE="SenderIpCountry=United States"

      To filter by multiple parameters, separate them with a comma. Example:

        CSG_EMAIL_LOGS_INCLUDE="SenderIpCountry=United States,PolicyName=My Email Policy"

    • CSG_EMAIL_LOGS_EXCLUDE (must be changed: NO)
      Exclude filter: if a parameter in the email log matches a specified parameter in CSG_EMAIL_LOGS_EXCLUDE, then that log is NOT processed.
      Example: exclude all email logs where the value of the Action field is Accepted:

        CSG_EMAIL_LOGS_EXCLUDE="Action=Accepted"

    • SEND_WEB_LOGS (must be changed: NO)
      Boolean value: if true, the integration sends Forcepoint Cloud Security Gateway web logs to AWS Security Hub. The default value is true.
      If you do not want to send Forcepoint Cloud Security Gateway web logs to AWS Security Hub, set this parameter to false.

    • SEND_EMAIL_LOGS (must be changed: NO)
      Boolean value: if true, the integration sends Forcepoint Cloud Security Gateway email logs to AWS Security Hub. The default value is true.
      If you do not want to send Forcepoint Cloud Security Gateway email logs to AWS Security Hub, set this parameter to false.

    • WEB_LOGS_START_DATETIME (must be changed: NO)
      Only process the web logs whose creation datetime is greater than or equal to the value of this parameter.
      The expected datetime format is: YYYY-MM-DD hh:mm:ss

    • EMAIL_LOGS_START_DATETIME (must be changed: NO)
      Only process the email logs whose creation datetime is greater than or equal to the value of this parameter.
      The expected datetime format is: YYYY-MM-DD hh:mm:ss

    • CSG_LOGS_URL (must be changed: NO)
      URL for downloading Forcepoint Cloud Security Gateway web/email logs. The default URL is https://hlfs-web-d.mailcontrol.com/siem/logs

    • INTERVAL_TIME_IN_MINUTES (must be changed: NO)
      This parameter defines how frequently Forcepoint Cloud Security Gateway logs are downloaded, processed and sent to AWS Security Hub.
      The default value is 10 minutes.
  5. Save fp-csg-security-hub.yml

  6. Make fp-csg-export-security-hub-installer.sh executable

    chmod +x fp-csg-export-security-hub-installer.sh
  7. Execute the fp-csg-export-security-hub-installer.sh script

    sudo ./fp-csg-export-security-hub-installer.sh

Step 3: Reboot the host-machine

Reboot the host-machine and the integration will start as soon as the reboot is completed.

Note: it might take some time until all the logs are visible in AWS Security Hub: this depends on the number of logs being exported and the normal processing time on the AWS side.

Troubleshooting

Follow these steps to identify issues impacting the normal operation of the integration described in this document.

Docker Implementation

Validate the prerequisites

Make sure the prerequisites described in the Summary chapter are all satisfied:

  • Check the versions of software in use are listed as compatible:

      AWS Security Hub – ASFF format as of 2020-04-13
      Golang v1.14 
    
  • Docker images for this integration have been tested with

      Docker 19.03.6 
    
  • The host machine must have at least 2 GB RAM and 20 GB of free space, CentOS 7.3 is recommended.

  • User needs to be root in the docker host machine for deploying this integration

  • Check the user can download the file with the below command:

    wget --content-disposition https://frcpnt.com/fp-csg-security-hub-docker-latest

Check network connectivity

Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved in this integration:

  • Check the host machine has connectivity to the internet: execute the following command on the Docker host machine

    ping -c 2 www.aws.com

Once done check the result is similar to below:

    PING www.aws.com (10.10.120.12) 56(84) bytes of data. 
    64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=179 ms 
    64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=181 ms 

Check dependencies are installed

Make sure the software dependencies needed by the components involved in this integration are installed:

  • Check the host machine has docker installed. Execute the following command on the host machine:

    docker info

Check the first few lines of the output are similar to below:

    Client: 
    Debug Mode: false 

    Server: 
    Containers: 3 
    Running: 2 
    Paused: 0 
    Stopped: 1 
    Images: 3 
    Server Version: 19.03.6 
  • Check the host machine has docker-compose installed. Execute the following command on the host machine:

    docker-compose --version

  • Check the docker-compose version is 1.25.4 or higher

  • Check the folders csg-timer, web and email are still present inside the root folder of the docker-host

Traditional Implementation

Validate the prerequisites

Make sure the prerequisites described in the Summary chapter are all satisfied:

  • Check the versions of software in use are listed as compatible:

      AWS Security Hub – ASFF format as of 2020-04-13
      Golang v1.14 
    
  • The host machine must have at least 2 GB RAM and 20 GB of free space, CentOS 7.3 is recommended.

  • User needs to be root in the host machine for deploying this integration

  • Check the user can download the file with the below command:

    wget --content-disposition https://frcpnt.com/fp-csg-security-hub-tr-latest

Check network connectivity

Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved in this integration:

  • Check the host machine has connectivity to the internet: execute the following command on the host machine

    ping -c 2 www.aws.com

Once done check the result is similar to below:

    PING www.aws.com (10.10.120.12) 56(84) bytes of data. 
    64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=179 ms 
    64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=181 ms 

Check dependencies are installed

Make sure the software dependencies needed by the components involved in this integration are installed:

  • Check the host machine has Golang installed: run the below command in the CentOS 7.3 host machine:

    go version

Check the output is similar to below:

    go version go1.14.1 linux/amd64

Check all components are configured and running properly

Make sure the products and services involved in this integration are configured as expected and they are running:

  • Run the below command on the host machine:

    systemctl status fp-csg-security-hub.service

The output should look similar to below:

    ● fp-csg-security-hub.service - Send Forcepoint CSG web/email logs to Security HUb
    Loaded: loaded (/etc/systemd/system/fp-csg-security-hub.service; enabled; vendor preset: disabled)
    Active: active (running) since Wed 2021-04-07 10:49:35 UTC; 1h 21min ago
    Main PID: 784 (csg-security-hu)
    CGroup: /system.slice/fp-csg-security-hub.service
            └─784 /var/forcepoint-csg-hub/csg-security-hub run --config /var/f...

    Apr 07 11:53:36 localhost.localdomain csg-security-hub[784]: successfully sen...
    Apr 07 11:53:36 localhost.localdomain csg-security-hub[784]: Processed number...
    Apr 07 11:53:41 localhost.localdomain csg-security-hub[784]: successfully sen...

Appendix A – Mapping fields between Forcepoint Cloud Security Gateway Email log and ASFF

| ASFF | Forcepoint Cloud Security Gateway Email Log | Fixed Value |
|---|---|---|
| AwsAccountId | | The value for this field is found using the Go SDK. |
| CreatedAt | Date & Time | |
| Description | | Forcepoint CSG Email Log |
| GeneratorId | | Email |
| Id | | Random UUID is generated for each log |
| ProductArn | | Default ARN is used |
| network.SourceDomain | From Address | |
| network.DestinationDomain | Recipient Address | |
| network.SourceIpV4 | Sender IP | |
| network.Direction | Direction | |
| Resources.Id | | The value of ProductArn |
| Resources.Type | | Forcepoint Cloud Security Gateway |
| SchemaVersion | | 08/10/2018 |
| Severity | Emb URL Severity | |
| Title | Subject | |
| Types | | Unusual Behaviors/Network Flow/ForcepointCSG |
| UpdatedAt | | Current date when the ASFF finding is sent to AWS Security Hub |
| ProductFields.BlackWhitelisted | Black/Whitelisted | |
| ProductFields.Action | Action | |
| ProductFields.BlockedAttachmentExt | Blocked Attachment Ext | |
| ProductFields.PolicyName | Policy Name | |
| ProductFields.SenderIPCountry | Sender IP Country | |
| ProductFields.AdvancedEncryption | Advanced Encryption | |
| ProductFields.VirusName | Virus Name | |
| ProductFields.RecipientDomain | Recipient Domain | |
| ProductFields.SenderName | Sender Name | |
| ProductFields.FilteringReason | Filtering Reason | |
| ProductFields.AttachmentFilename | Attachment Filename | |
| ProductFields.AttachmentFileType | Attachment File Type | |
| ProductFields.EmbURLRiskClass | Emb URL Risk Class | |
| ProductFields.SpamScore | Spam Score | |
| ProductFields.MessageSize | Message Size | |
| ProductFields.AttachmentSize | Attachment Size | |

Appendix B – Mapping fields between Forcepoint Cloud Security Gateway Web log and ASFF

| ASFF | Forcepoint Cloud Security Gateway Web Log | Fixed Value |
|---|---|---|
| AwsAccountId | | The value for this field is found using the Go SDK. |
| CreatedAt | Date & Time | |
| Description | | Forcepoint CSG Web Log |
| GeneratorId | | Web |
| Id | | Random UUID is generated for each log |
| ProductArn | | Default ARN is used |
| network.DestinationIpV4 | Destination IP | |
| network.Protocol | Protocol | |
| network.SourceDomain | Domain | |
| network.SourceIpV4 | Source IP | |
| Resources.Id | | The value of ProductArn |
| Resources.Type | | Forcepoint Cloud Security Gateway |
| SchemaVersion | | 08/10/2018 |
| Severity | Severity | |
| Title | Category Name | |
| Types | | Unusual Behaviors/Network Flow/ForcepointCSG |
| UpdatedAt | | Current date when the ASFF finding is sent to AWS Security Hub |
| ProductFields.RiskClass | Risk Class | |
| ProductFields.Action | Action | |
| ProductFields.User | User | |
| ProductFields.PolicyName | Policy Name | |
| ProductFields.URLFull | URL Full | |
| ProductFields.CloudAppName | Cloud App Name | |
| ProductFields.CloudAppRiskLevel | Cloud App Risk Level | |
| ProductFields.ConnectionIPCountry | Connection IP Country | |
| ProductFields.AnalyticName | Analytic Name | |
| ProductFields.FileSandboxStatus | File Sandbox Status | |
| ProductFields.ThreatType | Threat Type | |
| ProductFields.ReferrerURLFull | Referrer URL Full | |
| ProductFields.AuthenticationMethod | Authentication Method | |
| ProductFields.FilteringSource | Filtering Source | |
| ProductFields.HTTPStatusCode | HTTP Status Code | |
| ProductFields.BytesReceived | Bytes Received | |
| ProductFields.BytesSent | Bytes Sent | |
| ProductFields.RequestMethod | Request Method | |
| ProductFields.DataCenter | Data Center | |
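As an added example (not code from the fp-csg-security-hub service), the Go program below applies the Appendix B mapping to a constructed CSG web log record and encodes the result as an ASFF JSON document. It assumes the record keys are the column names of the table above, that the Date & Time column uses the YYYY-MM-DD hh:mm:ss layout documented for WEB_LOGS_START_DATETIME, that the CSG severity name matches an ASFF severity label, and that the account id and product ARN are placeholder values supplied by the caller.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Finding holds the ASFF fields used by the Appendix B mapping (a subset of the
// full schema); the Go field names double as the JSON keys ASFF expects.
type Finding struct {
	SchemaVersion, Id, ProductArn, GeneratorId, AwsAccountId string
	Types                                                    []string
	CreatedAt, UpdatedAt, Title, Description                 string
	Severity                                                 Severity
	Resources                                                []Resource
	Network                                                  Network
	ProductFields                                            map[string]string
}
type Severity struct{ Label string } // INFORMATIONAL, LOW, MEDIUM, HIGH or CRITICAL
type Resource struct{ Type, Id string }
type Network struct{ Protocol, SourceDomain, SourceIpV4, DestinationIpV4 string }

// productFields maps each ASFF ProductFields key to its CSG web log column (Appendix B).
var productFields = map[string]string{
	"RiskClass": "Risk Class", "Action": "Action", "User": "User", "PolicyName": "Policy Name",
	"URLFull": "URL Full", "CloudAppName": "Cloud App Name", "CloudAppRiskLevel": "Cloud App Risk Level",
	"ConnectionIPCountry": "Connection IP Country", "AnalyticName": "Analytic Name",
	"FileSandboxStatus": "File Sandbox Status", "ThreatType": "Threat Type", "ReferrerURLFull": "Referrer URL Full",
	"AuthenticationMethod": "Authentication Method", "FilteringSource": "Filtering Source",
	"HTTPStatusCode": "HTTP Status Code", "BytesReceived": "Bytes Received", "BytesSent": "Bytes Sent",
	"RequestMethod": "Request Method", "DataCenter": "Data Center",
}

// newUUID returns a random version-4 UUID; the guide generates one per finding as its Id.
func newUUID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:]), nil
}

// WebLogToFinding applies the Appendix B mapping to one web log record whose keys are that
// table's column names. accountID and productArn come from the caller (the guide reads the
// account id via the Go SDK and uses a default ARN); now becomes UpdatedAt. Assumptions: Date &
// Time uses the YYYY-MM-DD hh:mm:ss layout, and the CSG severity name is an ASFF severity label.
func WebLogToFinding(rec map[string]string, accountID, productArn string, now time.Time) (Finding, error) {
	id, err := newUUID()
	if err != nil {
		return Finding{}, err
	}
	created, err := time.Parse("2006-01-02 15:04:05", rec["Date & Time"])
	if err != nil {
		return Finding{}, fmt.Errorf("Date & Time: %w", err)
	}
	f := Finding{
		SchemaVersion: "2018-10-08", // the ASFF schema date that Appendix B writes as 08/10/2018
		Id: id, ProductArn: productArn, GeneratorId: "Web", AwsAccountId: accountID,
		Types:     []string{"Unusual Behaviors/Network Flow/ForcepointCSG"},
		CreatedAt: created.UTC().Format(time.RFC3339), UpdatedAt: now.UTC().Format(time.RFC3339),
		Severity:  Severity{Label: strings.ToUpper(rec["Severity"])},
		Title:     rec["Category Name"], Description: "Forcepoint CSG Web Log",
		Resources: []Resource{{Type: "Forcepoint Cloud Security Gateway", Id: productArn}},
		Network: Network{Protocol: rec["Protocol"], SourceDomain: rec["Domain"],
			SourceIpV4: rec["Source IP"], DestinationIpV4: rec["Destination IP"]},
		ProductFields: map[string]string{},
	}
	for key, col := range productFields {
		if v := rec[col]; v != "" { // empty columns are left out of ProductFields
			f.ProductFields[key] = v
		}
	}
	return f, nil
}

func main() {
	// Constructed sample record; the account id and product ARN are placeholders.
	rec := map[string]string{"Date & Time": "2021-03-31 10:15:00", "Severity": "High", "Category Name": "Malicious Web Sites",
		"Domain": "example.com", "Source IP": "10.0.0.5", "Destination IP": "203.0.113.7", "Protocol": "https", "Action": "Blocked"}
	f, err := WebLogToFinding(rec, "123456789012", "arn:aws:securityhub:us-east-2:123456789012:product/123456789012/default", time.Now())
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(f, "", "  ")
	fmt.Println(string(out))
}
```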

Appendix C – Creating custom Insights into AWS Security Hub

Example 1 – Blocked Web activities by Severity

This example creates a custom Insight that displays Forcepoint Cloud Security Gateway web logs grouped by Severity where the action on the logs is Blocked.

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/

  2. In the navigation pane, choose Insights.

  3. Choose Create insight.

  4. Choose the search box to display the filter options.

  5. Choose Filter by > Resource Type and insert Forcepoint Cloud Security Gateway as a value for this filter and click Apply

  6. Choose the search box again to display the filter options, select Filter by > Generator ID and insert Web as a value for this filter and click Apply

  7. Choose the search box again to display the filter options, select Filter by > Product fields, insert Action as a key, Blocked as value for this filter and click Apply

  8. Choose the search box again to display the filter options, select Group by > Severity Label and click Apply.

  9. Choose Create insight.

  10. Enter an Insight name, then choose Create insight.

Example 2 – Blocked Email activities by Severity

This example creates a custom Insight that displays Forcepoint Cloud Security Gateway email logs grouped by Severity where the action on the logs is Blocked.

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/

  2. In the navigation pane, choose Insights.

  3. Choose Create insight.

  4. Choose the search box to display the filter options.

  5. Choose Filter by > Resource Type and insert Forcepoint Cloud Security Gateway as a value for this filter and click Apply

  6. Choose the search box again to display the filter options, select Filter by > Generator ID and insert Email as a value for this filter and click Apply

  7. Choose the search box again to display the filter options, select Filter by > Product fields, insert Action as key, Blocked as a value for this filter and click Apply

  8. Choose the search box again to display the filter options, select Group by > Severity Label and click Apply.

  9. Choose Create insight.

  10. Enter an Insight name, then choose Create insight.

To create more insights, repeat the above steps, and select the grouping logic based on the most relevant value to your use case.