Forcepoint Cloud Security Gateway and Azure Sentinel
Table of contents
- Summary
- Source Code
- Caveats
- Configure Forcepoint Cloud Security Gateway SIEM Integration
- Create Log Analytics Workspace
- Implementation options
- Troubleshooting
- Appendix A – Mapping fields between Forcepoint Cloud Security Gateway Web log and CEF
- Appendix B – Mapping fields between Forcepoint Cloud Security Gateway Email log and CEF
- Appendix C – Create a Workbook into Azure Sentinel
License
These contents are licensed under Apache License, Version 2.0. http://www.apache.org/licenses/LICENSE-2.0
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SITE AND ITS CONTENT IS PROVIDED TO YOU ON AN “AS IS,” “AS AVAILABLE” AND “WHERE-IS” BASIS. ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THE SITE OR ITS CONTENT, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS, ARE HEREBY DISCLAIMED
Document Revision
Version | Date | Author | Notes |
---|---|---|---|
0.1 | 28 August 2020 | Dlo Bagari | First draft |
0.2 | 8 September 2020 | Neelima Rai | Added Troubleshooting chapter |
0.3 | 14 September 2020 | Mattia Maggioli | Review |
0.4 | 15 December 2020 | Dlo Bagari | Added syslog installation command to config file |
0.5 | 04 May 2021 | Dlo Bagari | Encrypt Forcepoint CSG Credentials |
0.6 | 25 May 2021 | Dlo Bagari | Removed log analytics agent from installation script |
Summary
This guide provides step-by-step instructions to configure an event-driven pipeline that exports Forcepoint Cloud Security Gateway web and/or email logs into Azure Sentinel, so that custom dashboards can be created with Azure Monitor Workbooks to visualize events and insights on Forcepoint Cloud Security Gateway activity.
The code and instructions provided enable system administrators to automatically:
- Export logs from Forcepoint Cloud Security Gateway into an intermediate Syslog service
- Convert the Syslog data to CEF format and forward it to the Azure Log Analytics Agent
- Configure the Azure Log Analytics Agent to receive data from Syslog and forward it to an Azure workspace
A description of the workflow between the components involved in this POC is depicted in this diagram:
Source Code
The integration uses compiled code. If you need to recompile it, an encryption key of size 16, 24 or 32 must be passed to the compile command. The key is used to encrypt the Forcepoint CSG credentials, which are then saved in encrypted form on the integration's host-machine.
- For the Docker implementation: open the Dockerfile and, in the compile command, add your encryption key as the value of the main.encryptionKey parameter. For example:
RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -a -installsuffix cgo -ldflags "-X 'main.encryptionKey=MyEncryptionKey1' -extldflags '-static'" -o csg-sentinel .
- For the traditional implementation: add your encryption key as the value of the main.encryptionKey parameter in the compile command. For example:
CGO_ENABLED=0 GOOS=linux go build -mod=vendor -a -installsuffix cgo -ldflags "-X 'main.encryptionKey=MyEncryptionKey1' -extldflags '-static'" -o csg-sentinel .
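The following Go program is an added illustration, not the project's own source code. It shows why the injected key must be exactly 16, 24 or 32 in length: those are the AES key sizes, and aes.NewCipher rejects any other length at startup rather than silently producing a weak file. The page only states that a key of those sizes is injected through -X main.encryptionKey and used to encrypt the CSG credentials; the choice of AES-GCM, the JSON layout of the credentials, the nonce-prefixed file format and the function names Seal and Open are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// encryptionKey stands in for the value the build injects with
// -ldflags "-X 'main.encryptionKey=...'". It must be a package-level var, not a
// const, because -X can only overwrite string variables. The value is a
// constructed placeholder with the same length as the page's example key.
var encryptionKey = "MyEncryptionKey1" // 16 bytes -> AES-128

// credentials is the assumed shape of what gets encrypted and written to the
// credentials file on the host-machine.
type credentials struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// keyBytes validates the injected key. AES accepts exactly 16, 24 or 32 bytes,
// which is the constraint the Source Code section states for the compile command.
func keyBytes() ([]byte, error) {
	k := []byte(encryptionKey)
	switch len(k) {
	case 16, 24, 32:
		return k, nil
	}
	return nil, fmt.Errorf("main.encryptionKey must be 16, 24 or 32 bytes, got %d", len(k))
}

// Seal encrypts the credentials with AES-GCM (assumed mode). The output is a
// random 12-byte nonce followed by ciphertext and authentication tag.
func Seal(c credentials) ([]byte, error) {
	key, err := keyBytes()
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Open reverses Seal. A wrong key, a rebuilt binary with a different key, or a
// modified credentials file all fail authentication instead of yielding garbage.
func Open(blob []byte) (credentials, error) {
	var c credentials
	key, err := keyBytes()
	if err != nil {
		return c, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return c, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return c, err
	}
	if len(blob) < gcm.NonceSize() {
		return c, errors.New("credentials file too short")
	}
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return c, fmt.Errorf("decrypting credentials: %w", err)
	}
	return c, json.Unmarshal(plain, &c)
}

func main() {
	// Constructed sample credentials, not real account data.
	blob, err := Seal(credentials{Username: "csg-user", Password: "constructed-example"})
	if err != nil {
		panic(err)
	}
	c, err := Open(blob)
	fmt.Println(c.Username, err)
}
```

Because the key is compiled into the binary, anyone who can read the binary can recover it; the encryption protects the credentials file against casual disclosure, not against an attacker with access to the host, so file permissions on the credentials file still matter.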
Caveats
The integration described in this document was developed and tested with the following products as of May 2021:
- Forcepoint Cloud Security Gateway
- Azure Sentinel
- omsagent-1.13.7-0
The following activities are out of the scope of this document and are therefore left to the system administrator, as part of the ordinary maintenance procedures to be put in place within the existing infrastructure:
- configuration of appropriate hygiene procedures to handle logs produced during any step of the solution workflow
- monitoring of the scripts, services, and applications involved in the solution
Configure Forcepoint Cloud Security Gateway SIEM Integration
Log Export permission
Ensure your account has Log Export permission.
- Login to the Forcepoint Cloud Security Gateway portal
- Click ACCOUNT > Contacts
- Under the User Name column, find your username and click on it.
- In the Account Permissions section, ensure the Log Export box is checked.
- Click Save
Enable SIEM logging
In your Security Portal, navigate to Reporting > SIEM Integration under ACCOUNT REPORTS
To export web/email logs do as follows:
- Select Web Security as the data type.
- Enable data export.
- From the Attributes section, drag and drop the following attributes into the columns section:
  - Risk Class
  - Action
  - User
  - Policy
  - Category
  - Domain
  - Protocol
  - URL – Full
  - Cloud App
  - Cloud App Category
  - Cloud App Risk Level
  - Connection IP
  - Connection IP City
  - Connection IP Country
  - Connection Name
  - Destination IP
  - Source IP
  - Analytic Name
  - File Sandbox Status
  - Severity
  - Threat Name
  - Threat Type
  - Date & Time
  - File Name
  - File Type
  - Operating System
  - User Agent
  - Authentication Method
  - Classification Type
  - Data Center
  - Filtering Source
  - HTTP Status Code
  - Request Method
  - Bytes Received
  - Bytes Sent

  Make sure all the above attributes are selected and DO NOT remove any of them from the columns section: Azure Sentinel won't be able to ingest the event logs if data are missing.
- Click Save.
- Change the data type to Email Security.
- Enable data export.
- From the Attributes section, drag and drop the following attributes into the columns section:
  - Direction
  - From: Address
  - Policy
  - Recipient Address
  - Recipient Domain
  - Sender Domain
  - Sender Name
  - Subject
  - Action
  - Black/Whitelisted
  - Blocked Attachment Ext
  - Filtering Reason
  - Sender IP
  - Sender IP Country
  - Attachment File Type
  - Attachment Filename
  - Emb. URL Risk Class
  - Emb. URL Severity
  - Advanced Encryption
  - File Sandbox status
  - Virus Name
  - Date & Time
  - Message Size
  - Spam score
  - Attachment Size

  Make sure all the above attributes are selected and DO NOT remove any of them from the columns section: Azure Sentinel won't be able to ingest the event logs if data are missing.
- Click Save.
Create Log Analytics Workspace
To send logs/events to Azure Sentinel we need to create an Azure workspace where all logs/events will be stored.
- Sign into the Azure portal
- Click All services, find Azure Sentinel and click on it.
- Click Add
- Click Create a new workspace
- Give a name to this workspace, select the subscription type and the resource group (if none exists, create a new one), and select the location where this workspace will be hosted.
- Click the Review + Create button to create the workspace (this might take a few minutes)
- Click Add Azure Sentinel.
Implementation options
Two implementation options are provided in this document:
- Docker – leverages docker images where the integration component is already installed with all necessary dependencies.
- Traditional – requires the manual deployment of the integration component inside an Ubuntu server 18.x host-machine.
The docker images for this integration have been tested working with Docker 19.03.6 on a Centos 7.3 machine with at least 2 GB RAM and 20 GB of storage, while the traditional version of this integration has been tested working with the following requirements:
- Ubuntu server 18.x with at least 2 GB RAM and 20 GB of storage
- Golang v1.14
- Python
- Azure Log Analytics Data Collector Agent (omsagent-1.13.7-0)
Implementation – Docker
The solution described in this chapter requires:
- A Linux machine (Centos 7.3 recommended) with at least 20 GB free disk space and 2 GB RAM. This machine will be referenced in the rest of this document as the docker-host machine.
- Docker Engine must be installed on the docker-host machine; visit docker-installation-docs to install Docker Engine on the docker-host.
- Docker-compose must be installed on the docker-host machine; visit docker-compose-installation-docs to install docker-compose on the docker-host machine.
Login to your docker-host machine as root, and do the following steps.
Step 1: Find Syslog Agent (omsagent) Installation Command
- Login to Azure portal
- Search for Sentinel
- Under Configuration, click Data Connectors
- Search for Forcepoint Cloud Security Gateway and select it.
- Click Open Connector page
- In the Open Connector page, you will find your Data Connector Syslog Agent command. This command is used in both implementations to install the Syslog Agent on the host-machine.
Step 2: Download Docker Compose files
- Download the fp-csg-export-azure-sentinel-docker.tar.gz file from here
- Decompress the downloaded file with the following command:
tar -zxvf fp-csg-export-azure-sentinel-docker.tar.gz
The output of the above command is a directory named fp-csg-export-azure-sentinel-docker.
Step 3: Define required Environment variables
- Change your current directory to fp-csg-export-azure-sentinel-docker:
cd fp-csg-export-azure-sentinel-docker
- Open the .env file:
vi .env
- Change the values of the environment variables inside .env. The following table explains each variable and states whether it needs to be changed.

Variable Name | Description | Requires to be changed |
---|---|---|
SYSLOG_AGENT_INSTALLATION_COMMAND | Syslog Agent installation command. Step 1 of this document explains where you can find it. | YES |
CSG_WEB_LOGS_INCLUDE | Web logs include filter: if a parameter in a Cloud Security Gateway web log matches a parameter specified in CSG_WEB_LOGS_INCLUDE, that log is processed. Example, to keep only logs where the PolicyName field is My Policy: CSG_WEB_LOGS_INCLUDE="PolicyName=My Policy". Multiple parameters can be added to CSG_WEB_LOGS_INCLUDE by separating them with a comma: CSG_WEB_LOGS_INCLUDE="Action=Blocked,PolicyName=My Policy" | NO |
CSG_WEB_LOGS_EXCLUDE | Web logs exclude filter: if a parameter in a Cloud Security Gateway web log matches a parameter specified in CSG_WEB_LOGS_EXCLUDE, that log message will NOT be processed. Example, to exclude all logs where Action is Allowed: CSG_WEB_LOGS_EXCLUDE="Action=Allowed" | NO |
CSG_EMAIL_LOGS_INCLUDE | Email logs include filter: if a parameter in a Cloud Security Gateway email log matches a parameter specified in CSG_EMAIL_LOGS_INCLUDE, that log is processed. Example, to keep only logs where the PolicyName field is My Policy: CSG_EMAIL_LOGS_INCLUDE="PolicyName=My Policy". Multiple parameters can be added to CSG_EMAIL_LOGS_INCLUDE by separating them with a comma: CSG_EMAIL_LOGS_INCLUDE="Action=Accepted,PolicyName=My Policy" | NO |
CSG_EMAIL_LOGS_EXCLUDE | Email logs exclude filter: if a parameter in a Cloud Security Gateway email log matches a parameter specified in CSG_EMAIL_LOGS_EXCLUDE, that log message will NOT be processed. Example, to exclude all logs where Action is Accepted: CSG_EMAIL_LOGS_EXCLUDE="Action=Accepted" | NO |
SEND_WEB_LOGS | Boolean value; if set to true, the integration sends the Cloud Security Gateway web logs to Azure Sentinel. | NO |
SEND_EMAIL_LOGS | Boolean value; if set to true, the integration sends the Cloud Security Gateway email logs to Azure Sentinel. | NO |
WEB_LOGS_START_DATETIME | Only process the web logs whose creation datetime is greater than or equal to the value specified in this parameter. The expected datetime format is YYYY-MM-DD hh:mm:ss | |
EMAIL_LOGS_START_DATETIME | Only process the email logs whose creation datetime is greater than or equal to the value specified in this parameter. The expected datetime format is YYYY-MM-DD hh:mm:ss | |
INTERVAL_TIME_IN_MINUTES | Defines how frequently Forcepoint Cloud Security Gateway logs are downloaded, processed and sent to Azure Sentinel. The default value is 10 minutes. | NO |
CSG_VERSION | Forcepoint Cloud Security Gateway version. The default value for this parameter is 1.0 | NO |
CSG_LOGS_URL | URL for downloading Forcepoint Cloud Security Gateway web/email logs. The default URL is https://hlfs-web-d.mailcontrol.com/siem/logs | NO |

- Save and close .env
Step 4: Start Services
- Use the following command and credentials to log in to the Docker registry hosting the containers needed for this integration:
root@linux:~# docker login docker.frcpnt.com
Username: fp-integrations
Password: t1knmAkn19s
- Run the following command to start the services:
docker-compose run csg-sentinel-service
- The first time you run the integration, you will be asked to enter the Forcepoint CSG credentials. The credentials are encrypted and stored on the host-machine in the /root/csg_encrypted/csg file.
  - enter your Forcepoint CSG username:
  - enter your Forcepoint CSG password:
It might take some time until all the logs are visible in Azure Sentinel: this depends on the number of logs being exported and the normal processing time on the Azure side.
Implementation - Traditional
The solution described in this chapter requires:
- Ubuntu server 18.X machine with at least 20GB free disk space and 2 GB of RAM. This machine will be referenced in the rest of this document with the name host-machine.
Login to your Ubuntu host-machine as root and proceed according to the following steps.
Step 1: Syslog Agent (omsagent) Installation
If the Syslog Agent (omsagent) is already installed on the host-machine, then move to Step 2.
- If python is not installed on the host-machine, install it with the commands:
#: sudo apt update
#: sudo apt install python -y
- If wget is not installed on the host-machine, install it with the command:
#: sudo apt install wget -y
- If curl is not installed on the host-machine, install it with the command:
#: sudo apt -y install libcurl4 curl
- Login to Azure portal
- Search for Sentinel
- Under Configuration, click Data Connectors
- Search for Forcepoint Cloud Security Gateway and select it.
- Click Open Connector page
- In the Open Connector page, you will find your Data Connector Syslog Agent command: copy this command.
- Start the rsyslog service:
#: sudo systemctl start rsyslog.service
- On the host-machine, open a new terminal, paste the copied command and press Enter. Once the agent installation is done, move to the next step.
Step 2: Download the source code
- Download fp-csg-export-azure-sentinel-tr.tar.gz from this GitHub repo
The source code contains the following files:
- fp-csg-sentinel: a service that sends Forcepoint CSG web/email logs to Azure Sentinel
- fp-csg-sentinel.yml: the config file for the fp-csg-sentinel service
- fp-csg-sentinel.service: a systemd service file for the fp-csg-sentinel service
- fp-csg-export-azure-sentinel-installer.sh: a bash script that installs fp-csg-sentinel and creates a systemd service for it.
Step 3: Run installation script
- Decompress the source code file: this will create a directory named fp-csg-export-azure-sentinel-tr which contains all required files for this implementation.
tar -zxvf fp-csg-export-azure-sentinel-tr.tar.gz
- Change your current directory to fp-csg-export-azure-sentinel-tr:
cd fp-csg-export-azure-sentinel-tr
- Edit the fp-csg-sentinel.yml config file:
vi fp-csg-sentinel.yml
- Change the values of the parameters inside fp-csg-sentinel.yml. The following table explains each parameter and states whether it needs to be changed.

Variable Name | Description | Requires to be changed |
---|---|---|
CSG_WEB_LOGS_INCLUDE | Web logs include filter: if a parameter in a Cloud Security Gateway web log matches a parameter specified in CSG_WEB_LOGS_INCLUDE, that log is processed. Example, to keep only logs where the PolicyName field is My Policy: CSG_WEB_LOGS_INCLUDE="PolicyName=My Policy". Multiple parameters can be added to CSG_WEB_LOGS_INCLUDE by separating them with a comma: CSG_WEB_LOGS_INCLUDE="Action=Blocked,PolicyName=My Policy" | NO |
CSG_WEB_LOGS_EXCLUDE | Web logs exclude filter: if a parameter in a Cloud Security Gateway web log matches a parameter specified in CSG_WEB_LOGS_EXCLUDE, that log message will NOT be processed. Example, to exclude all logs where Action is Allowed: CSG_WEB_LOGS_EXCLUDE="Action=Allowed" | NO |
CSG_EMAIL_LOGS_INCLUDE | Email logs include filter: if a parameter in a Cloud Security Gateway email log matches a parameter specified in CSG_EMAIL_LOGS_INCLUDE, that log is processed. Example, to keep only logs where the PolicyName field is My Policy: CSG_EMAIL_LOGS_INCLUDE="PolicyName=My Policy". Multiple parameters can be added to CSG_EMAIL_LOGS_INCLUDE by separating them with a comma: CSG_EMAIL_LOGS_INCLUDE="Action=Accepted,PolicyName=My Policy" | NO |
CSG_EMAIL_LOGS_EXCLUDE | Email logs exclude filter: if a parameter in a Cloud Security Gateway email log matches a parameter specified in CSG_EMAIL_LOGS_EXCLUDE, that log message will NOT be processed. Example, to exclude all logs where Action is Accepted: CSG_EMAIL_LOGS_EXCLUDE="Action=Accepted" | NO |
SEND_WEB_LOGS | Boolean value; if set to true, the integration sends the Cloud Security Gateway web logs to Azure Sentinel. | NO |
SEND_EMAIL_LOGS | Boolean value; if set to true, the integration sends the Cloud Security Gateway email logs to Azure Sentinel. | NO |
WEB_LOGS_START_DATETIME | Only process the web logs whose creation datetime is greater than or equal to the value specified in this parameter. The expected datetime format is YYYY-MM-DD hh:mm:ss | YES |
EMAIL_LOGS_START_DATETIME | Only process the email logs whose creation datetime is greater than or equal to the value specified in this parameter. The expected datetime format is YYYY-MM-DD hh:mm:ss | YES |
INTERVAL_TIME_IN_MINUTES | Defines how frequently Forcepoint Cloud Security Gateway logs are downloaded, processed and sent to Azure Sentinel. The default value is 10 minutes. | NO |
CSG_VERSION | Forcepoint Cloud Security Gateway version. The default value for this parameter is 1.0 | NO |
CSG_LOGS_URL | URL for downloading Forcepoint Cloud Security Gateway web/email logs. The default URL is https://hlfs-web-d.mailcontrol.com/siem/logs | NO |

- Save fp-csg-sentinel.yml
- Make fp-csg-export-azure-sentinel-installer.sh executable:
chmod +x fp-csg-export-azure-sentinel-installer.sh
- Execute the fp-csg-export-azure-sentinel-installer.sh script:
sudo ./fp-csg-export-azure-sentinel-installer.sh
- Once fp-csg-export-azure-sentinel-installer.sh has installed all required dependencies, it will ask you to enter the Forcepoint CSG credentials. The credentials are encrypted and stored on the host-machine in the /var/forpcepoint-csg/csg file.
  - enter your Forcepoint CSG username:
  - enter your Forcepoint CSG password:
NOTE: if you need to change the CSG credentials stored on the host-machine:
- run:
/var/forpcepoint-csg/fp-csg-sentinel run -c --config /var/forpcepoint-csg/fp-csg-sentinel.yml
- enter the new credentials
- restart the fp-csg-sentinel service:
sudo systemctl restart fp-csg-sentinel.service
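The include/exclude filters and the *_START_DATETIME parameters described in the Docker and traditional configuration tables are the same in both implementations. The following Go program is an added example, not the project's fp-csg-sentinel source, showing how a log record would be accepted or dropped under those settings. It assumes AND semantics for multiple include pairs (every listed parameter must match), OR semantics for exclude pairs (any match drops the record), that the record's timestamp is carried in a "Date & Time" field in the documented YYYY-MM-DD hh:mm:ss format, and that the first "=" in a pair separates key from value; the page's wording leaves the multi-pair semantics open, so check it against the deployed service before relying on it.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// startLayout is the Go time layout equivalent to the documented
// "YYYY-MM-DD hh:mm:ss" format of the *_START_DATETIME parameters.
const startLayout = "2006-01-02 15:04:05"

// Filter holds the parsed include/exclude pairs and the start datetime for one
// log type (web or email).
type Filter struct {
	Include map[string]string
	Exclude map[string]string
	Start   time.Time // zero value means "no lower bound"
}

// ParsePairs turns a value such as "Action=Blocked,PolicyName=My Policy" into a
// map. Pairs are comma separated; the first "=" splits key from value (assumed),
// so values may contain "=". An empty string yields an empty map.
func ParsePairs(s string) (map[string]string, error) {
	out := map[string]string{}
	if strings.TrimSpace(s) == "" {
		return out, nil
	}
	for _, pair := range strings.Split(s, ",") {
		kv := strings.SplitN(pair, "=", 2)
		k := strings.TrimSpace(kv[0])
		if len(kv) != 2 || k == "" {
			return nil, fmt.Errorf("malformed filter pair %q (expected key=value)", pair)
		}
		out[k] = strings.TrimSpace(kv[1])
	}
	return out, nil
}

// NewFilter builds a Filter from the raw configuration strings. An empty start
// string disables the datetime check; a malformed one is rejected up front so a
// typo does not silently export every log since the beginning of time.
func NewFilter(include, exclude, start string) (*Filter, error) {
	inc, err := ParsePairs(include)
	if err != nil {
		return nil, err
	}
	exc, err := ParsePairs(exclude)
	if err != nil {
		return nil, err
	}
	f := &Filter{Include: inc, Exclude: exc}
	if s := strings.TrimSpace(start); s != "" {
		t, err := time.Parse(startLayout, s)
		if err != nil {
			return nil, fmt.Errorf("start datetime %q is not in YYYY-MM-DD hh:mm:ss format: %w", start, err)
		}
		f.Start = t
	}
	return f, nil
}

// ShouldProcess decides whether one record (log field -> value) is forwarded.
// Assumed semantics: any matching exclude pair drops the record; when include
// pairs are configured, all of them must match; the "Date & Time" field must be
// greater than or equal to Start. An unparsable timestamp drops the record when
// Start is set, since "before or after the cut-off" cannot be decided.
func (f *Filter) ShouldProcess(rec map[string]string) bool {
	for k, v := range f.Exclude {
		if rec[k] == v {
			return false
		}
	}
	for k, v := range f.Include {
		if rec[k] != v {
			return false
		}
	}
	if !f.Start.IsZero() {
		ts, err := time.Parse(startLayout, rec["Date & Time"])
		if err != nil || ts.Before(f.Start) {
			return false
		}
	}
	return true
}

func main() {
	f, err := NewFilter("PolicyName=My Policy", "Action=Allowed", "2021-05-01 00:00:00")
	if err != nil {
		panic(err)
	}
	// Constructed sample records, not real Forcepoint output.
	recs := []map[string]string{
		{"PolicyName": "My Policy", "Action": "Blocked", "Date & Time": "2021-05-25 10:00:00"},
		{"PolicyName": "My Policy", "Action": "Allowed", "Date & Time": "2021-05-25 10:00:00"},
		{"PolicyName": "Other", "Action": "Blocked", "Date & Time": "2021-05-25 10:00:00"},
		{"PolicyName": "My Policy", "Action": "Blocked", "Date & Time": "2021-04-30 23:59:59"},
	}
	for _, r := range recs {
		fmt.Println(r, "->", f.ShouldProcess(r))
	}
}
```

Of the four constructed records only the first is forwarded: the second is caught by the exclude pair, the third fails the include pair, and the fourth predates the start datetime by one second.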
Step 4: Reboot the host-machine
Reboot the host-machine and ensure the service fp-csg-sentinel is running by executing the following command:
#: systemctl list-units | grep fp-csg-sentinel
fp-csg-sentinel.service loaded active running Send Forcepoint CSG web/email logs to Azure Sentinel
To ensure rsyslog and omsagent are running and listening on the correct ports:
- install the lsof package on the host-machine if it is not installed:
#: sudo apt install lsof -y
- execute the following command to check the status of rsyslog and omsagent:
$ lsof -i | grep -e omsagent -e rsyslog
rsyslogd 4241 syslog 5u IPv4 34384 0t0 UDP *:syslog
rsyslogd 4241 syslog 6u IPv6 34385 0t0 UDP *:syslog
rsyslogd 4241 syslog 7u IPv4 34388 0t0 TCP *:shell (LISTEN)
rsyslogd 4241 syslog 8u IPv6 34389 0t0 TCP *:shell (LISTEN)
omsagent 5474 omsagent 9u IPv4 38582 0t0 TCP *:25324 (LISTEN)
omsagent 5474 omsagent 16u IPv4 38583 0t0 TCP localhost:25226 (LISTEN)
omsagent 5474 omsagent 18u IPv4 38584 0t0 UDP localhost:25224
Note: it might take some time until all the logs are visible in Azure Sentinel. This depends on the number of logs being exported and the normal processing time on the Azure side.
Troubleshooting
Follow these steps to identify issues impacting the normal operation of the integration described in this document.
Docker Implementation
Validate the prerequisites
Make sure the prerequisites described in the Summary chapter are all satisfied:
- Check the version of Microsoft omsagent in use is listed as compatible:
omsagent-1.13.7-0
- Docker images for this integration have been tested with:
Docker 19.03.6
- The docker implementation has been tested on a CentOS 7.3 machine with docker engine and docker-compose installed, 2GB RAM and a free disk space of at least 20GB
- The user needs sudo permissions on the docker host machine
Check network connectivity
Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved in this integration:
- Check the host machine has connectivity to the internet: execute the following command on the docker host machine:
ping -c 2 www.azure.com
Once done check the result is similar to below:
PING www.azure.com (10.10.120.12) 56(84) bytes of data.
64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=179 ms
64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=181 ms
Check dependencies are installed
Make sure the software dependencies needed by the components involved in this integration are installed:
- Check the host machine has docker installed: Execute the following command on the host machine:
docker info
Check the first few lines of the output are similar to below:
Client:
Debug Mode: false
Server:
Containers: 3
Running: 2
Paused: 0
Stopped: 1
Images: 3
Server Version: 19.03.6
- Check the host machine has docker-compose installed: Execute the following command on the host machine:
docker-compose --version
Check the docker-compose version is 1.25.4 or higher
Check all components are configured and running properly
Make sure the products and services involved in this integration are configured as expected and they are running:
- Verify the integration completed with no errors: When the below command is run:
docker-compose run csg-sentinel-service
Check there are no errors. When this command is run for the first time, the user will be prompted to enter a username and password for CSG.
Traditional Implementation
Validate the prerequisites
Make sure the prerequisites described in the Summary chapter are all satisfied:
- Check the version of Microsoft omsagent in use is listed as compatible:
omsagent-1.13.7-0
- Verify the integration is correctly operating on an Ubuntu Server 18.x machine with at least 2GB RAM and 20GB of free disk space
- The user needs to be root to install dependencies
Check network connectivity
Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved in this integration:
- Check the host machine has connectivity to the internet: execute the following command on the host machine:
ping -c 2 www.azure.com
Once done check the result is similar to below:
PING www.azure.com (10.10.120.12) 56(84) bytes of data.
64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=179 ms
64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=181 ms
Check dependencies are installed
Make sure the software dependencies needed by the components involved in this integration are installed:
- Check python is installed: Execute the following command on the host machine:
python --version
Check the output is similar to below:
Python 2.7.x
- Check omsagent and rsyslog are installed and running execute the following command on the host machine:
lsof -i | grep -e omsagent -e rsyslog
Check the output is similar to below:
$ lsof -i | grep -e omsagent -e rsyslog
rsyslogd 4241 syslog 5u IPv4 34384 0t0 UDP *:syslog
rsyslogd 4241 syslog 6u IPv6 34385 0t0 UDP *:syslog
rsyslogd 4241 syslog 7u IPv4 34388 0t0 TCP *:shell (LISTEN)
rsyslogd 4241 syslog 8u IPv6 34389 0t0 TCP *:shell (LISTEN)
omsagent 5474 omsagent 9u IPv4 38582 0t0 TCP *:25324 (LISTEN)
omsagent 5474 omsagent 16u IPv4 38583 0t0 TCP localhost:25226 (LISTEN)
omsagent 5474 omsagent 18u IPv4 38584 0t0 UDP localhost:25224
Check all components are configured and running properly
Make sure the products and services involved in this integration are configured as expected and they are running:
- Check all the services are running by executing the following command:
systemctl list-units | grep fp-csg-sentinel
Check the output is similar to below:
fp-csg-sentinel.service loaded active running Send Forcepoint CSG web/email logs to Azure Sentinel
Appendix A – Mapping fields between Forcepoint Cloud Security Gateway Web log and CEF
Cloud Security Gateway Web log | CEF | Fixed value |
---|---|---|
Version | 0 | |
Device Vendor | Forcepoint CSG | |
Device Product | Web | |
Device Version | Forcepoint CSG Version. Default 1.0 | |
Risk Class | Device Event Class ID | |
Action | act | |
Severity | Severity | |
Cloud App Name | Name | |
Protocol | app | |
Bytes Sent | out | |
Bytes Received | in | |
Category Name | cs1 | |
cs1Label | Category Name | |
Domain | cs2 | |
cs2Label | Domain name of the destination site | |
Policy Name | cs3 | |
cs3Label | Policy Name | |
Destination IP | dst | |
URL Full | request | |
File Name | fname | |
Connection IP | cs4 | |
cs4Label | The IP address of the connection to the cloud service. | |
DataCenter | flexString1 | |
flexString1Label | The cloud service data center that processed the request | |
Source IP | src | if the source IP is not available, this field will be populated with the value of “Connection IP” |
Cloud App Risk Level | cs5 | |
cs5Label | Cloud App Risk Level | |
Request Method | requestMethod | |
User Agent | requestClientApplication | |
FileType | fileType | |
User | suid | |
Date & Time | deviceCustomDate1 | |
deviceCustomDate1Label | Log Created Time | |
Appendix B – Mapping fields between Forcepoint Cloud Security Gateway Email log and CEF
Cloud Security Gateway E-mail log | CEF | Fixed value |
---|---|---|
Version | 0 | |
Device Vendor | Forcepoint CSG | |
Device Product | | |
Device Version | Forcepoint CSG Version. Default 1.0 | |
Emb URL Risk Class | Device Event Class ID | |
Action | act | |
Emb URL Severity | Severity | |
Recipient Address | duser | |
From Address | suser | |
Direction | deviceDirection | |
Subject | msg | |
Black White listed | cs1 | |
cs1Label | Black/white listed | |
Virus Name | cs2 | |
cs2Label | Virus Name | |
Policy Name | cs3 | |
cs3Label | Policy Name | |
Spam Score | cfp1 | |
cfp1Label | Spam Score | |
Message Size | cn1 | |
cn1Label | Message Size | |
Attachment Size | fsize | |
Attachment Filename | fname | |
Attachment File Type | fileType | |
Advanced Encryption | cs4 | |
cs4Label | Advanced Encryption | |
Filtering Reason | flexString1 | Filtering Reason |
Sender IP | src | |
Sender Name | suid | |
Date & Time | deviceCustomDate1 | |
deviceCustomDate1Label | Log Created Time | |
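As an added example covering both Appendix A and Appendix B (it is not the integration's own code), the following Go program turns a web or email log record into a CEF line using the mappings in the two tables above, including the rule that src falls back to Connection IP when Source IP is absent, the custom-key labels (cs1Label, flexString1Label, deviceCustomDate1Label, and so on), and the escaping of the CEF header (backslash and pipe) and extension values (backslash, equals, line breaks), which the tables do not spell out but which a downstream parser such as the Sentinel CEF connector depends on. Assumptions: the record is a map keyed by the log field names exactly as written in the tables, the Device Version is the CSG_VERSION default 1.0, and the email Device Product, which Appendix B leaves blank, is a placeholder "Email".

```go
package main

import (
	"fmt"
	"strings"
)

// fieldMap pairs a Cloud Security Gateway log field with its CEF extension key and,
// for custom keys (csN, cnN, cfpN, flexStringN), the fixed label the appendix assigns.
type fieldMap struct{ logField, cefKey, label string }

// Extension mappings transcribed from Appendix A (web) and Appendix B (email).
var webExtensions = []fieldMap{
	{"Action", "act", ""}, {"Protocol", "app", ""}, {"Bytes Sent", "out", ""},
	{"Bytes Received", "in", ""}, {"Category Name", "cs1", "Category Name"},
	{"Domain", "cs2", "Domain name of the destination site"},
	{"Policy Name", "cs3", "Policy Name"}, {"Destination IP", "dst", ""},
	{"URL Full", "request", ""}, {"File Name", "fname", ""},
	{"Connection IP", "cs4", "The IP address of the connection to the cloud service."},
	{"DataCenter", "flexString1", "The cloud service data center that processed the request"},
	{"Source IP", "src", ""}, {"Cloud App Risk Level", "cs5", "Cloud App Risk Level"},
	{"Request Method", "requestMethod", ""}, {"User Agent", "requestClientApplication", ""},
	{"FileType", "fileType", ""}, {"User", "suid", ""},
	{"Date & Time", "deviceCustomDate1", "Log Created Time"},
}
var emailExtensions = []fieldMap{
	{"Action", "act", ""}, {"Recipient Address", "duser", ""}, {"From Address", "suser", ""},
	{"Direction", "deviceDirection", ""}, {"Subject", "msg", ""},
	{"Black White listed", "cs1", "Black/white listed"}, {"Virus Name", "cs2", "Virus Name"},
	{"Policy Name", "cs3", "Policy Name"}, {"Spam Score", "cfp1", "Spam Score"},
	{"Message Size", "cn1", "Message Size"}, {"Attachment Size", "fsize", ""},
	{"Attachment Filename", "fname", ""}, {"Attachment File Type", "fileType", ""},
	{"Advanced Encryption", "cs4", "Advanced Encryption"},
	{"Filtering Reason", "flexString1", "Filtering Reason"},
	{"Sender IP", "src", ""}, {"Sender Name", "suid", ""},
	{"Date & Time", "deviceCustomDate1", "Log Created Time"},
}

// Assumption: Appendix B leaves Device Product blank, so this is a placeholder.
const emailProduct = "Email"

// escHeader escapes a CEF header field: backslash and pipe are reserved there.
func escHeader(s string) string { return strings.NewReplacer(`\`, `\\`, `|`, `\|`).Replace(s) }

// escExt escapes a CEF extension value: backslash, equals and line breaks are reserved.
func escExt(s string) string {
	return strings.NewReplacer(`\`, `\\`, `=`, `\=`, "\r", `\r`, "\n", `\n`).Replace(s)
}

// cefLine assembles CEF:0|Vendor|Product|Version|ClassID|Name|Severity|extensions from
// a record (log field -> value) and a mapping table. Fields absent or empty in the
// record are omitted; each label is emitted right after the custom key it describes.
func cefLine(product, classID, name, severity string, rec map[string]string, m []fieldMap) string {
	ext := make([]string, 0, 2*len(m))
	for _, f := range m {
		if v := rec[f.logField]; v != "" {
			ext = append(ext, f.cefKey+"="+escExt(v))
			if f.label != "" {
				ext = append(ext, f.cefKey+"Label="+escExt(f.label))
			}
		}
	}
	hdr := []string{"CEF:0", "Forcepoint CSG", product, "1.0", classID, name, severity}
	for i := range hdr {
		hdr[i] = escHeader(hdr[i])
	}
	return strings.Join(hdr, "|") + "|" + strings.Join(ext, " ")
}

// WebCEF applies Appendix A. As the table notes, src falls back to Connection IP
// when Source IP is not available. The caller's map is left unmodified.
func WebCEF(rec map[string]string) string {
	if rec["Source IP"] == "" && rec["Connection IP"] != "" {
		copied := make(map[string]string, len(rec)+1)
		for k, v := range rec {
			copied[k] = v
		}
		copied["Source IP"] = copied["Connection IP"]
		rec = copied
	}
	return cefLine("Web", rec["Risk Class"], rec["Cloud App Name"], rec["Severity"], rec, webExtensions)
}

// EmailCEF applies Appendix B, which maps no log field to the CEF Name header.
func EmailCEF(rec map[string]string) string {
	return cefLine(emailProduct, rec["Emb URL Risk Class"], "", rec["Emb URL Severity"], rec, emailExtensions)
}

func main() {
	// Constructed sample web record; values are illustrative, not real customer data.
	web := map[string]string{
		"Risk Class": "Security Risk", "Action": "Blocked", "Severity": "7",
		"Cloud App Name": "Example|App", "Category Name": "Malicious Web Sites",
		"URL Full": "https://example.invalid/login?next=/home",
		"Connection IP": "203.0.113.9", "User": "jdoe", "Date & Time": "2021-05-25 10:00:00",
	}
	fmt.Println(WebCEF(web))
}
```

The sample deliberately includes a pipe in the app name and an equals sign in the URL: without escaping, the pipe would shift every header field after it and the equals sign would be read as the start of a new extension key, which is how a crafted URL or user agent can corrupt or hide fields in a SIEM that parses the line.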
Appendix C – Create a Workbook into Azure Sentinel
Workbooks combine text, analytics queries, Azure Metrics, and parameters into rich interactive reports.
- Login to the Azure Sentinel portal
- Select Workbooks from the left-hand menu, under the Threat management section. This launches the workbook gallery.
- Click Add workbook; this will open a new workbook.
- Click Edit; this will make the workbook sections editable.
- Click the Advanced Editor icon
- Click Gallery Template
- Remove everything inside the Gallery Template
- Copy the following into Gallery Template
- Click Apply
- Save your workbook