Link Search Menu Expand Document

Forcepoint Cloud Security Gateway and Azure Sentinel

Table of contents
  1. Summary
  2. Source Code
  3. Caveats
  4. Configure Forcepoint Cloud Security Gateway SIEM Integration
    1. Log Export permission
    2. Enable SIEM logging
  5. Create Log Analytics Workspace
  6. Implementation options
    1. Implementation – Docker
      1. Step 1: Find Syslog Agent (omsagent) Installation Command
      2. Step 2: Download Docker Compose files
      3. Step 3: Define required Environment variables
      4. Step 4: Start Services
    2. Implementation - Traditional
      1. Step 1: Syslog Agent (omsagent) Installation
      2. Step 2: Download the source code
      3. Step 3: Run installation script
      4. Step 4: Reboot the host-machine
  7. Troubleshooting
    1. Docker Implementation
      1. Validate the prerequisites
      2. Check network connectivity
      3. Check dependencies are installed
      4. Check all components are configured and running properly
    2. Traditional Implementation
      1. Validate the prerequisites
      2. Check network connectivity
      3. Check dependencies are installed
      4. Check all components are configured and running properly
  8. Appendix A – Mapping fields between Forcepoint Cloud Security Gateway Web log and CEF
  9. Appendix B – Mapping fields between Forcepoint Cloud Security Gateway Email log and CEF
  10. Appendix C – Create a Workbook into Azure Sentinel
License

These contents are licensed under Apache License, Version 2.0. http://www.apache.org/licenses/LICENSE-2.0

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SITE AND ITS CONTENT IS PROVIDED TO YOU ON AN “AS IS,” “AS AVAILABLE” AND “WHERE-IS” BASIS. ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THE SITE OR ITS CONTENT, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS, ARE HEREBY DISCLAIMED

Document Revision
Version Date Author Notes
0.1 28 August 2020 Dlo Bagari First draft
0.2 8 September 2020 Neelima Rai Added Troubleshooting chapter
0.3 14 September 2020 Mattia Maggioli Review
0.4 15 December 2020 Dlo Bagari Added syslog installation command to config file
0.5 04 May 2021 Dlo Bagari Encrypt Forcepoint CSG Credentials
0.6 25 May 2021 Dlo Bagari Removed log analytics agent from installation script

Summary

This guide provides step by step instructions to configure an event-driven pipeline to export Forcepoint Cloud Security Gateway web and/or email logs into Azure Sentinel so that custom dashboards can be created using Azure Monitor Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.

The code and instructions provided enable system administrators to automatically:

  • Export logs from Forcepoint Cloud Security Gateway into an intermediate Syslog service

  • Configure Syslog to CEF format and forward it to Azure Log Analytics Agent

  • Configure Azure Log Analytics Agent to receive data from Syslog and forward data to an Azure Workspace

A description of the workflow between the components involved in this POC is depicted in this diagram:

Source Code

fp-bd-csg-azure-sentinel

The integration uses compiled code, if you need to recompile the code an encryption key with size 16, 24 or 32 needs to be passed to the compile command. The encryption key is used to encrypt Forcepoint CSG credentials and save the encrypted credentials in the integration’s host-machine.

  • for docker implementation: open the Dockerfile, in the compile command, add your encryption key as value for main.encryptionKey parameter. for example:
   RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -a -installsuffix cgo -ldflags "-X 'main.encryptionKey=MyEncryptionKey1' -extldflags '-static'" -o csg-sentinel .
  • for traditional implementation: add your encryption key as value for main.encryptionKey parameter to the compile command. for example:
  CGO_ENABLED=0 GOOS=linux go build -mod=vendor -a -installsuffix cgo -ldflags "-X 'main.encryptionKey=MyEncryptionKey1' -extldflags '-static'" -o csg-sentinel .

Caveats

The integration described in this document was developed and tested with the following products as of May 2021:

  • Forcepoint Cloud Security Gateway

  • Azure Sentinel

  • omsagent-1.13.7-0

The following activities are out of the scope of this document and therefore left to the system administrator, as part of ordinary maintenance procedures to be put in place within the existing infrastructure.

  • configuration of appropriate hygiene procedures to handle logs produced during any step of the solution workflow

  • monitoring of the scripts, services, and applications involved in the solution

Configure Forcepoint Cloud Security Gateway SIEM Integration

Log Export permission

Ensure your account has Log Export permission.

  1. Login to the Forcepoint Cloud Security Gateway portal

  2. Click ACCOUNT > Contacts

  3. Under the User Name column, find your username and click on it.

  4. In the Account Permissions section, ensure the Log Export box is clicked.

  5. Click Save

Enable SIEM logging

In your Security Portal, navigate to Reporting > SIEM Integration under ACCOUNT REPORTS

To export web/email logs do as follows:

  1. Select Web Security as a data type:

  2. Enable data export:

  3. From the Attributes section, drag and drop the following attributes into the columns section:

    • Risk Class

    • Action

    • User

    • Policy

    • Category

    • Domain

    • Protocol

    • URL – Full

    • Cloud App

    • Cloud App Category

    • Cloud App Risk Level

    • Connection IP

    • Connection IP City

    • Connection IP Country

    • Connection Name

    • Destination IP

    • Source IP

    • Analytic Name

    • File Sandbox Status

    • Severity

    • Threat Name

    • Threat Type

    • Date & Time

    • File Name

    • File Type

    • Operating System

    • User Agent

    • Authentication Method

    • Classification Type

    • Date Center

    • Filtering Source

    • HTTP Status Code

    • Request Method

    • Bytes Received

    • Bytes Sent

    Make sure all the above attributes are selected and DO NOT remove any of these attributes from the columns section: Azure Sentinel won’t be able to ingest events log if data are missing.

  4. Click Save

  5. Change Data type to Email Security

  6. Enable data export

  7. From the Attributes section, drag and drop the following attributes into the columns section:

    • Direction

    • From: Address

    • Policy

    • Recipient Address

    • Recipient Domain

    • Sender Domain

    • Sender Name

    • Subject

    • Action

    • Black/Whitelisted

    • Blocked Attachment Ext

    • Filtering Reason

    • Sender IP

    • Sender IP Country

    • Attachment File Type

    • Attachment Filename

    • Emb. URL Risk Class

    • Emb. URL Severity

    • Advanced Encryption

    • File Sandbox status

    • Virus Name

    • Date & Time

    • Message Size

    • Spam score

    • Attachment Size

    Make sure all the above attributes are selected and DO NOT remove any of these attributes from the columns section: Azure Sentinel won’t be able to ingest events log if data are missing.

  8. Click Save

Create Log Analytics Workspace

To send logs/events to Azure Sentinel we need to create an Azure workspace were all logs/events will be stored.

  1. Sign into Azure portal

  2. Click All services, select Azure Sentinel and click on it.

  3. Click Add

  4. Click Create a new workspace

  5. Give a name to this workspace, select the subscription type, the resource group (if none exists create a new one) and select the location where this workspace will be hosted.

  6. Click Review + Create button to create the workspace (this might take few minutes)

  7. Click Add Azure Sentinel.

Implementation options

Two implementation options are provided in this document

  • Docker – leverages docker images where the integration component is already installed with all necessary dependencies.

  • Traditional – requires the manual deployment of the integration component inside an Ubuntu server 18.x host-machine.

The docker images for this integration have been tested working with Docker 19.03.6 on a Centos 7.3 machine with at least 2 GB RAM and 20 GB of storage, while the traditional version of this integration has been tested working with the following requirements

  • Ubuntu server 18.x with at least 2 GB RAM and 20 GB of storage

  • Golang v1.14

  • Python

  • Azure Log Analytics Data Collector Agent (omsagent-1.13.7-0)

Implementation – Docker

The solution described in this chapter requires

  • A Linux machine (Centos 7.3 recommended) with at least 20GB free disk space and 2 GB RAM. This machine will be referenced in the rest of this document as the docker-host machine.

  • Docker Engine must be installed on the docker-host machine, visit docker-installation-docs to install Docker Engine on docker-host

  • Docker-compose must be installed on the docker-host machine, visit docker-compose-installation-docs to install docker-compose on docker-host machine

Login to your docker-host machine as root, and do the following steps.

Step 1: Find Syslog Agent (omsagent) Installation Command

  1. Login to Azure portal

  2. Search for Sentinel

  3. Under Configuration, click Data Connectors

  4. Search for Forcepoint Cloud Security Gateway and select it.

  5. Click Open Connector page

  6. In the Open Connector Page, you will find your Data Connector Syslog Agent command. This command is used in both implementation to install the Syslog Agent on the host-machine.

Step 2: Download Docker Compose files

  1. Download fp-csg-export-azure-sentinel-docker.tar.gz file from here

  2. Decompress the downloaded file with the following command:

    tar -zxvf fp-csg-export-azure-sentinel-docker.tar.gz
    

The output of the above command is a directory with name fp-csg-export-azure-sentinel-docker

Step 3: Define required Environment variables

  1. Change your current directory to fp-csg-export-azure-sentinel-docker

    cd fp-csg-export-azure-sentinel-docker
    
  2. Open .env file

    vi .env 
    
  3. Change the value of the environment variables inside .env. The following table explains each variable and defines if they need to be changed.

    Variable Name Description Requires to be changed
    SYSLOG_AGENT_INSTALLATION_COMMAND

    Syslog Agent Installation Command.

    Step 1 of this document explains where you can find it.

    YES
    CSG_WEB_LOGS_INCLUDE

    Web Logs include filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_WEB_LOGS_INCLUDE, then process that log.

    Example - To filter logs where PolicyName field is My Policy:

    CSG_WEB_LOGS_INCLUDE =”PolicyName=My Policy”

    Multiple parameters can be added to the CSG_WEB_LOGS_INCLUDE by separating them with a comma.

    CSG_WEB_LOGS_INCLUDE="Action=Blocked,PolicyName=My Policy"

    NO
    CSG_WEB_LOGS_EXCLUDE

    Exclude filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_WEB_LOGS_EXCLUDE, then that log message will NOT be processed.

    Example - To exclude all logs where Action is Allowed:

    CSG_WEB_LOGS_EXCLUDE="Action=Allowed”

    NO
    CSG_EMAIL_LOGS_INCLUDE

    Email Logs include filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_EMAIL_LOGS_INCLUDE, then process that log.

    Example - To filter logs where PolicyName field is My Policy:

    CSG_EMAIL_LOGS_INCLUDE =”PolicyName=My Policy”

    Multiple parameters can be added to the CSG_EMAIL_LOGS_INCLUDE by separating them with a comma.

    CSG_EMAIL_LOGS_INCLUDE="Action=Accepted,PolicyName=My Policy"

    NO
    CSG_EMAIL_LOGS_EXCLUDE

    Exclude filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_EMAIL_LOGS_EXCLUDE, then that log message will NOT be processed.

    Example - To exclude all logs where Action is Accepted:

    CSG_EMAIL_LOGS_EXCLUDE="Action=Accepted”

    NO
    SEND_WEB_LOGS Boolean value, if set to true the integration will send the Cloud Security Gateway web logs to Azure Sentinel NO
    SEND_EMAIL_LOGS Boolean value, if set to true the integration will send the Cloud Security Gateway email logs to Azure Sentinel NO
    WEB_LOGS_START_DATETIME

    Only process the web logs with creation datetime bigger or equal to the value specified in this parameter.

    The expected datetime format is: YYYY-MM-DD hh:mm:ss

    EMAIL_LOGS_START_DATETIME

    Only process the email logs with creation datetime bigger or equal to the value specified in this parameter.

    The expected datetime format is: YYYY-MM-DD hh:mm:ss

    INTERVAL_TIME_IN_MINUTES

    This parameter defines how frequently Forcepoint Cloud Security Gateway logs will be downloaded, processed and sent to Azure Sentinel.

    The default value is 10 minutes

    NO
    CSG_VERSION Forcepoint Cloud Security Gateway version. The default value for this parameter is 1.0 NO
    CSG_LOGS_URL URL for downloading Forcepoint Cloud Security Gateway web/email logs. The default URL is https://hlfs-web-d.mailcontrol.com/siem/logs NO
  4. Save and close .env

Step 4: Start Services

  1. Use the following command and credentials to login into the Docker registry hosting the containers needed for this integration

    root@linux:~# docker login docker.frcpnt.com
    Username: fp-integrations
    Password: t1knmAkn19s
    
  2. Run the following command to start services.

    docker-compose run csg-sentinel-service
    
  3. for first time you run the integration, you will be asked to enter Forcepoint CSG credentials. the credentials will be encrypted and stored on host-machine in /root/csg_encrypted/csg file.

    • enter your Forcepoint CSG username:
    • enter your Forcepoint CSG password:

It might take some time until all the logs are visible in Azure Sentinel: this depends on the number of logs being exported and the normal processing time on the Azure side.

Implementation - Traditional

The solution described in this chapter requires:

  • Ubuntu server 18.X machine with at least 20GB free disk space and 2 GB of RAM. This machine will be referenced in the rest of this document with the name host-machine.

Login to your Ubuntu host-machine as root and proceed according to the following steps.

Step 1: Syslog Agent (omsagent) Installation

If the Syslog Agent (omsagent) is already installed on the host-machine, then move to Step 2.

  1. If python is not installed on the host-machine, install it with the commands:
    #: sudo apt update
    #: sudo apt install python -y
    
  2. If wget is not installed on the host machine, install it with the command:
    #: sudo apt install wget -y
    
  3. If curl is not installed on the host machine, install it with the command:
    #: sudo apt -y install libcurl4 curl
    
  4. Login to Azure portal

  5. Search for Sentinel

  6. Under Configuration click Data Connectors

  7. Search for Forcepoint Cloud Security Gateway and select it.

  8. Click Open Connector page

  9. In the Open Connector Page, you will find your Data Connector Syslog Agent command, copy this command.

  10. Start the rsyslog service:
     #: sudo systemctl start rsyslog.service
    
  11. on the host-machine, open a new terminal, paste the copied command and press enter. once the agent installation is done, move to the next step.

Step 2: Download the source code

The source code contains the following files:

  • fp-csg-sentinel: a service to send Forcepoint CSG web/email logs to Azure Sentinel

  • fp-csg-sentinel.yml: the config file for fp-csg-sentinel service

  • fp-csg-sentinel.service: a systemd service file for fp-csg-sentinel service

  • fp-csg-export-azure-sentinel-installer.sh: a bash script that installs fp-csg-sentinel and creates a systemd service for it.

Step 3: Run installation script

  1. Decompress the source code file: this will create a directory named fp-csg-export-azure-sentinel-tr which contains all required files for this implementation.

    tar -zxvf fp-csg-export-azure-sentinel-tr.tar.gz
    
  2. Change your current directory to fp-csg-export-azure-sentinel-tr

    cd fp-csg-export-azure-sentinel-tr
    
  3. Edit fp-csg-sentinel.yml config file

    vi fp-csg-sentinel.yml 
    
  4. Change the value of parameters inside fp-csg-sentinel.yml. The following table explains each parameter and defines if they need to be changed.

    Variable Name Description Requires to be changed
    CSG_WEB_LOGS_INCLUDE

    Web Logs include filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_WEB_LOGS_INCLUDE, then process that log.

    Example - To filter logs where PolicyName field is My Policy:

    CSG_WEB_LOGS_INCLUDE =”PolicyName=My Policy”

    Multiple parameters can be added to the CSG_WEB_LOGS_INCLUDE by separating them with a comma.

    CSG_WEB_LOGS_INCLUDE="Action=Blocked,PolicyName=My Policy"

    NO
    CSG_WEB_LOGS_EXCLUDE

    Exclude filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_WEB_LOGS_EXCLUDE, then that log message will NOT be processed.

    Example - To exclude all logs where Action is Allowed:

    CSG_WEB_LOGS_EXCLUDE="Action=Allowed”

    NO
    CSG_EMAIL_LOGS_INCLUDE

    Email Logs include filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_EMAIL_LOGS_INCLUDE, then process that log.

    Example - To filter logs where PolicyName field is My Policy:

    CSG_EMAIL_LOGS_INCLUDE =”PolicyName=My Policy”

    Multiple parameters can be added to the CSG_EMAIL_LOGS_INCLUDE by separating them with a comma.

    CSG_EMAIL_LOGS_INCLUDE="Action=Accepted,PolicyName=My Policy"

    NO
    CSG_EMAIL_LOGS_EXCLUDE

    Exclude filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_EMAIL_LOGS_EXCLUDE, then that log message will NOT be processed.

    Example - To exclude all logs where Action is Accepted:

    CSG_EMAIL_LOGS_EXCLUDE="Action=Accepted”

    NO
    SEND_WEB_LOGS Boolean value, if set to true the integration will send the Cloud Security Gateway web logs to Azure Sentinel NO
    SEND_EMAIL_LOGS Boolean value, if set to true the integration will send the Cloud Security Gateway email logs to Azure Sentinel NO
    WEB_LOGS_START_DATETIME

    Only process the web logs with creation datetime bigger or equal to the value specified in this parameter.

    The expected datetime format is: YYYY-MM-DD hh:mm:ss

    YES
    EMAIL_LOGS_START_DATETIME

    Only process the email logs with creation datetime bigger or equal to the value specified in this parameter.

    The expected datetime format is: YYYY-MM-DD hh:mm:ss

    YES
    INTERVAL_TIME_IN_MINUTES

    This parameter defines how frequently Forcepoint Cloud Security Gateway logs will be downloaded, processed and sent to Azure Sentinel.

    The default value is 10 minutes

    NO
    CSG_VERSION Forcepoint Cloud Security Gateway version. The default value for this parameter is 1.0 NO
    CSG_LOGS_URL URL for downloading Forcepoint Cloud Security Gateway web/email logs. The default URL is https://hlfs-web-d.mailcontrol.com/siem/logs NO
  5. Save fp-csg-sentinel.yml

  6. Make fp-csg-export-azure-sentinel-installer.sh executable

    chmod +x fp-csg-export-azure-sentinel-installer.sh
    
  7. Execute the fp-csg-export-azure-sentinel-installer.sh script

    sudo ./fp-csg-export-azure-sentinel-installer.sh 
    
  8. Once fp-csg-export-azure-sentinel-installer.sh installs all required dependencies, it will ask you to enter Forcepoint CSG credentials. Credentials will be encrypted and stored on the host-machine in /var/forpcepoint-csg/csg file.

    • enter your Forcepoint CSG username:
    • enter your Forcepoint CSG password:

NOTE: if you need to change the CSG credentials stored in the host-machine:

  • run:
     /var/forpcepoint-csg/fp-csg-sentinel run -c --config /var/forpcepoint-csg/fp-csg-sentinel.yml
    
  • enter the new credentials
  • restart fp-csg-sentinel service
     sudo systemctl restart fp-csg-sentinel.service
    

Step 4: Reboot the host-machine

Reboot the host-machine and ensure the service fp-csg-sentinelis running by executing the following command:

#: systemctl list-units | grep fp-csg-sentinel
fp-csg-sentinel.service loaded active running Send Forcepoint CSG web/email logs to Azure Sentinel

to ensure rSyslog and omsagent are running and listening to the correct ports

  • install lsof package on the host-machine if not installed:
     #: sudo apt install lsof -y
    
  • execute the following command to find the status of rSyslog and omsagent
    $ lsof -i | grep -e omsagent -e rsyslog
      rsyslogd  4241          syslog    5u  IPv4  34384      0t0  UDP *:syslog 
      rsyslogd  4241          syslog    6u  IPv6  34385      0t0  UDP *:syslog 
      rsyslogd  4241          syslog    7u  IPv4  34388      0t0  TCP *:shell (LISTEN)
      rsyslogd  4241          syslog    8u  IPv6  34389      0t0  TCP *:shell (LISTEN)
      omsagent  5474        omsagent    9u  IPv4  38582      0t0  TCP *:25324 (LISTEN)
      omsagent  5474        omsagent   16u  IPv4  38583      0t0  TCP localhost:25226 (LISTEN)
      omsagent  5474        omsagent   18u  IPv4  38584      0t0  UDP localhost:25224 
        
    

Note: it might take some time until all the logs are visible in Azure Sentinel. This depends on the number of logs being exported and the normal processing time on the Azure side.

Troubleshooting

Follow these steps to identify issues impacting the normal operation of the integration described in this document.

Docker Implementation

Validate the prerequisites

Make sure the prerequisites described in the Summary chapter are all satisfied:

  • Check the versions of Microsoft omsagent in use is listed as compatible:

omsagent-1.13.7-0

  • Docker images for this integration have been tested with

Docker 19.03.6

  • The docker implementation has been tested on a CentOS 7.3 machine with docker engine and docker-compose installed, 2GB RAM and a free disk space of at least 20GB

  • User needs sudo permissions in the docker host machine

Check network connectivity

Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved in this integration:

  • Check the host machine has connectivity to the internet: execute the following command on the docker host machine:

ping -c 2 www.azure.com

Once done check the result is similar to below:

PING www.azure.com (10.10.120.12) 56(84) bytes of data.

64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=179 ms

64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=181 ms

Check dependencies are installed

Make sure the software dependencies needed by the components involved in this integration are installed:

  • Check the host machine has docker installed: Execute the following command on the host machine:

docker info

Check the first few lines of the output are similar to below:

Client:

Debug Mode: false

Server:

Containers: 3

Running: 2

Paused: 0

Stopped: 1

Images: 3

Server Version: 19.03.6

  • Check the host machine has docker-compose installed: Execute the following command on the host machine:

docker-compose –version

Check the docker-compose version is 1.25.4 or higher

Check all components are configured and running properly

Make sure the products and services involved in this integration are configured as expected and they are running:

  • Verify the integration completed with no errors: When the below command is run:

docker-compose run csg-sentinel-service

Check there are no errors. When this command is run for the first time, the user will be prompted to enter a username and password for CSG.

Traditional Implementation

Validate the prerequisites

Make sure the prerequisites described in the Summary chapter are all satisfied:

  • Check the versions of Microsoft omsagent in use is listed as compatible:

omsagent-1.13.7-0

  • Verify the integration is correctly operating on an Ubuntu Server 18.x machine with at least 2GB RAM and 20GB of free disk space

  • User needs to be root to install dependencies

Check network connectivity

Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved in this integration:

  • Check the host machine has connectivity to the internet: execute the following command on the Docker host machine:

ping -c 2 www.azure.com

Once done check the result is similar to below:

PING www.azure.com (10.10.120.12) 56(84) bytes of data.

64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=179 ms

64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=181 ms

Check dependencies are installed

Make sure the software dependencies needed by the components involved in this integration are installed:

  • Check python is installed: Execute the following command on the host machine:

python –version

Check the output is similar to below:

Python 2.7.x

  • Check omsagent and rsyslog are installed and running execute the following command on the host machine:

lsof -i | grep -e omsagent -e rsyslog

Check the output is similar to below:

$ lsof -i | grep -e omsagent -e rsyslog
  rsyslogd  4241          syslog    5u  IPv4  34384      0t0  UDP *:syslog 
  rsyslogd  4241          syslog    6u  IPv6  34385      0t0  UDP *:syslog 
  rsyslogd  4241          syslog    7u  IPv4  34388      0t0  TCP *:shell (LISTEN)
  rsyslogd  4241          syslog    8u  IPv6  34389      0t0  TCP *:shell (LISTEN)
  omsagent  5474        omsagent    9u  IPv4  38582      0t0  TCP *:25324 (LISTEN)
  omsagent  5474        omsagent   16u  IPv4  38583      0t0  TCP localhost:25226 (LISTEN)
  omsagent  5474        omsagent   18u  IPv4  38584      0t0  UDP localhost:25224 

Check all components are configured and running properly

Make sure the products and services involved in this integration are configured as expected and they are running:

  • Check all the services are running by executing the following command:

systemctl list-units | grep fp-csg-sentinel

Check the output is similar to below:

fp-csg-sentinel.service loaded active running Send Forcepoint CSG web/email logs to Azure Sentinel

Appendix A – Mapping fields between Forcepoint Cloud Security Gateway Web log and CEF

Cloud Security Gateway Web log CEF Fixed value
  Version 0
  Device Vendor Forcepoint CSG
  Device Product Web
  Device Version Forcepoint CSG Version. Default 1.0
Risk Class Device Event Class ID  
Action act  
Severity Severity  
Cloud App Name Name  
Protocol app  
Bytes Sent out  
Bytes Received in  
Category Name cs1  
  cs1Label Category Name
Domain cs2  
  cs2Label Domain name of the destination site
Policy Name cs3  
  cs3Label Policy Name
Destination IP dst  
URL Full request  
File Name fname  
Connection IP cs4  
  cs4Label The IP address of the connection to the cloud service.
DataCenter sflexString1  
  flexString1Label The cloud service data center that processed the request
Source IP src if the source IP is not available, this field will be populated with the value of “Connection IP”
Cloud App Risk Level cs5  
  cs5Label Cloud App Risk Level
Request Method requestMethod  
User Agent requestClientApplication  
FileType fileType  
User suid  
Date & Time deviceCustomDate1  
  deviceCustomDate1Label Log Created Time

Appendix B – Mapping fields between Forcepoint Cloud Security Gateway Email log and CEF

Cloud Security Gateway E-mail log CEF Fixed value
  Version 0
  Device Vendor Forcepoint CSG
  Device Product Email
  Device Version Forcepoint CSG Version. Default 1.0
Emb URL Risk Class Device Event Class ID  
Action act  
Emb URL Severity Severity  
Recipient Address duser  
From Address suser  
Direction deviceDirection  
Subject msg  
Black White listed cs1  
  cs1Label Black/white listed
Virus Name cs2  
  cs2Label Virus Name
Policy Name cs3  
  cs3Label Policy Name
Spam Score cfp1  
  cfp1Label Spam Score
Message Size cn1  
  cn1Label Message Size
Attachment Size fsize  
Attachment Filename fname  
Attachment File Type fileType  
Advanced Encryption cs4  
  cs4Label Advanced Encryption
Filtering Reason flexString1 Filtering Reason
Sender IP src  
Sender Name suid  
Date & Time deviceCustomDate1  
  deviceCustomDate1Label Log Created Time

Appendix C – Create a Workbook into Azure Sentinel

Workbooks combine text, analytics queries, Azure Metrics, and parameters into rich interactive reports.

  1. Login to Azure Sentinel portal
  1. Select Workbooks from the left-hand menu, under the Threat management section. This launches a workbook gallery

  2. Click Add workbook, this will open a new workbook

  3. Click Edit, this will make workbook sections editable

  4. Click the Advanced Editor icon

  5. Click Gallery Template

  6. Remove everything inside the Gallery Template

  7. Copy the following into Gallery Template

  8. Click Apply

  9. Save your workbook