Forcepoint Data Loss Prevention and Azure Sentinel

Table of contents
  1. Forcepoint Data Loss Prevention and Azure Sentinel
  2. Summary
    1. Demo
    2. Source Code
    3. Caveats
  3. Implementation
    1. Step 1 – Unpack DLP Incident Exporter and setup Azure Sentinel
    2. Step 2 – Installing the DLP Incident Exporter
    3. Config.json changes
    4. Note on the number of logs
    5. Note on reinstalling or upgrading the integration
  4. Appendix A - Description of config.json settings
  5. Appendix B – Service scripts
  6. Appendix C – Logs of DLP Incident Exporter
    1. Example message
    2. Log structure
  7. Appendix D – Create a Workbook into Azure Sentinel
  8. Troubleshooting
    1. Validate the prerequisites
    2. Check network connectivity
    3. Check all components are configured and running properly
License

These contents are licensed under Apache License, Version 2.0. http://www.apache.org/licenses/LICENSE-2.0

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SITE AND ITS CONTENT IS PROVIDED TO YOU ON AN “AS IS,” “AS AVAILABLE” AND “WHERE-IS” BASIS. ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THE SITE OR ITS CONTENT, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS, ARE HEREBY DISCLAIMED

Document Revision
Version | Date             | Author                      | Notes
0.1     | 31 December 2019 | Michael Nevin               | First draft
0.2     | 13 January 2020  | Michael Nevin               | Update
0.3     | 21 January 2020  | Mattia Maggioli             | Review
0.4     | 30 January 2020  | Jonathan Knepher            | Review
0.5     | 23 March 2020    | Neelima Rai                 | Added troubleshooting chapter
0.6     | 15 December 2020 | Michael Nevin, Neelima Rai  | Minor updates to Implementation chapter
0.7     | 28 January 2021  | Michael Nevin, Neelima Rai  | Updated exporter version and log details
0.8     | 24 March 2021    | Michael Nevin               | Updated version of the code

Summary

This guide provides step-by-step instructions to configure Forcepoint DLP and Azure Sentinel to export DLP incidents, transform the data, and ingest it into Azure Sentinel.

The code and instructions provided enable system administrators to:

  • Export incident data from Forcepoint DLP automatically in real-time

  • Transform incident data into the format required by Azure Sentinel

  • Ingest the data as custom logs into Azure Sentinel and query events

This interoperability enables customers to use Azure Sentinel for incident data provided by Forcepoint DLP, and to correlate incident events with findings from multiple other sources, including Azure workloads.

A description of the workflow between the components involved in this POC is depicted in this diagram:

Demo

Source Code

fp-bd-dlp-aws

Caveats

The integration described in this document is tested with the following product versions:

  • Forcepoint DLP with Forcepoint Security Manager versions 8.5 and 8.6

  • Azure Monitor with the HTTP Data Collector API (public preview)

Implementation

The solution described in this chapter requires the latest version of the files available at this link:

https://github.com/Forcepoint/fp-bd-dlp-aws/releases

  • fp-dlp-exporter-aws-azure-v1-9-x.zip

The archive fp-dlp-exporter-aws-azure-v1-9-x.zip contains all files necessary to setup and run all the services which enable the integration between Forcepoint DLP and Azure Sentinel:

  • FSM DB connection: provides real-time export of DLP incidents, extracted from the database used by Forcepoint Security Manager

The solution allows for customizable levels of granularity (High, Medium, and Low severity levels) and performs the transformation and upload tasks, with minimal impact on the underlying storage.

We suggest deploying the solution on the machine which hosts Forcepoint Security Manager; the instructions provided in this document are based on this scenario. The instructions and hardware requirements for installing Forcepoint DLP with FSM can be found at this link: https://www.websense.com/content/support/library/data/v871/install/install_dlp.pdf

The machine hosting the Forcepoint Security Manager will be referenced in the rest of this document with the name “FSM”.

The following software will be automatically installed by the install.bat script provided inside fp-dlp-exporter-aws-azure-v1.zip

  • NSSM 2.24

    downloaded using the following command (the URL is passed in single quotes so that it does not terminate the outer double-quoted -command argument):

    START /WAIT powershell -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest 'https://nssm.cc/release/nssm-2.24.zip' -Method Get -OutFile .\Resources\nssm.zip"

Step 1 – Unpack DLP Incident Exporter and setup Azure Sentinel

Interoperability with Azure Sentinel requires the activation of the service within Azure and obtaining credentials that will be used to send data using the HTTP Data Collector API. If both requirements are already satisfied skip to Step 2.

  1. Install the ODBC connector from this link: https://www.microsoft.com/en-us/download/details.aspx?id=56567

    If the installation of the connector prompts you to install the C++ redistributable, use this link: https://support.microsoft.com/en-us/topic/the-latest-supported-visual-c-downloads-2647da03-1eea-4433-9aff-95f26a218cc0

  2. Login to the FSM machine and unzip fp-dlp-exporter-aws-azure-v1.x.zip into C:\fp-dlp-exporter-aws-azure-v1\

  3. Login to your Microsoft Azure portal

  4. Using the search bar search for “Azure Sentinel”

  5. Click on +Add and in the new window that opens, click +Create a new workspace. Add details for Resource Group, Name and Region

  6. Click on Review + Create and then Create

  7. Once the new workspace is created, click Add to add Azure Sentinel to the created workspace

  8. Select the workspace from the workspace pane. On the next page go to Configuration > Settings then in the new pane click Workspace Settings

  9. Go to Settings > Agents management on the left pane. Store in a secure location the values of WORKSPACE ID and PRIMARY KEY

Step 2 – Installing the DLP Incident Exporter

  1. Install the ODBC connector from this link: https://www.microsoft.com/en-us/download/details.aspx?id=56567

    If the installation of the connector prompts you to install the C++ redistributable, use this link: https://support.microsoft.com/en-us/topic/the-latest-supported-visual-c-downloads-2647da03-1eea-4433-9aff-95f26a218cc0

  2. On the FSM machine navigate to C:\fp-dlp-exporter-aws-azure-v1

    Open config.json with a text editor and edit the settings needed by the DLP Incident Exporter.

    All settings are explained in Appendix A of this document. Do not fill in your credentials for UID and PWD manually in this config.

      {
        "file_location": "/XMLFileCopy",
        "HIGH": true,
        "MEDIUM": false,
        "LOW": false,
        "Database_Connection": {
          "Server": "sqlserver-hostname",
          "Database": "database-name",
          "Trusted_Connection": "yes",
          "UID": "username"
        },
        "AzureWorkspaceID": "3b754544t8-d4f8-4c96-894rfd-44t4f71d3c",
        "AzurePrimaryKey": "ededeyuyfuehfueehffIccvbbbzzzvrBVUiebfeufefag==",
        "LogName": "ForcepointDLPEvents"
      }

    Once config.json is edited with all necessary values, follow these steps:

    • Run command prompt (cmd) as administrator.

    • cd to the location C:\fp-dlp-exporter-aws-azure-v1

    • Run the command install.bat

    • The installer will display a few messages as it progresses through the installation steps.

  3. The installer will pause at Creating Service: DLPExporter and wait for user input:

  • Is this your first login? (y/n)

    • If it’s the first time the DLPExporter is installed, enter y; you will be asked to enter credentials for the database server used by Forcepoint Security Manager. After a successful connection to the database a new file called secret-key.txt is created in C:\fp-dlp-exporter-aws-azure-v1. This file must be stored in a safe location since it is necessary for future logins: the database password is stored in an encrypted format and the secret-key file is needed for future login attempts.

    • If the DLPExporter was already installed enter n and provide the required credentials

  • Please enter your administrator username: enter the username of an account with administrator access to the FSM machine. Username must be entered according to the format

    DOMAIN\username if using a domain account

    .\username if using a local account

  • Please enter your administrator password: enter the password of the account with administrator access

Once both values are entered the installer will progress until a successful completion.

Once completed, the DLP Incident Exporter will run as a service on the FSM machine and DLP incidents will be exported to Azure Sentinel within 5 minutes of being triggered.

To check the logs in Azure Sentinel:

  1. Go to the created workspace.

  2. Click on Logs on the left pane. Then open Custom Logs.

  3. The user can click on the custom log ForcepointDLPEvents_CL to see the logs in detail.

    Note: Because this is a custom log, Azure appends _CL to the log name.

    The column Id_s in ForcepointDLPEvents_CL is the primary key. It is a combination of incident id and rule id, as shown below:

    incident_Id-131080-rule_id-131081

    incident_Id-131080-rule_id-131083

    No two Id_s values are the same.

Config.json changes

If you’re upgrading from older versions, please note the config.json Azure keys have changed. The new key names are “AzureWorkspaceID” and “AzurePrimaryKey”.

Note on the number of logs

Azure stores records in a flat format and these records cannot contain nested data: if a DLP incident matches multiple policies configured in Forcepoint Security Manager, the user will see multiple logs in Azure for the same DLP incident. It is therefore possible to have more events in the Azure custom log ForcepointDLPEvents_CL than the number of DLP incidents recorded and displayed in Forcepoint Security Manager.

Note on reinstalling or upgrading the integration

If the user is reinstalling or upgrading this integration, make a backup of /Resources/azureDate.json first to avoid potential duplicate records. Sample azureDate.json file format: {"AzureUpdateDate": "2022-05-24 10:26:11"}
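The two notes above describe three behaviours of the exporter's output: one Azure row per matched rule (keyed by Id_s), the HIGH/MEDIUM/LOW switches from config.json, and the AzureUpdateDate checkpoint in azureDate.json that prevents re-sending old incidents. The following is an added illustration, not the exporter's own code; the incident rows, the config switches and the field names are constructed assumptions about what the exporter reads and writes.

```python
import json
from datetime import datetime

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # format of AzureUpdateDate in azureDate.json

# Constructed severity switches, same keys as config.json
CONFIG = {"HIGH": True, "MEDIUM": True, "LOW": False}

# Constructed incident rows standing in for what the exporter reads from
# the FSM database: one incident that matched two rules, one LOW incident.
INCIDENTS = [
    {"incident_id": 131080, "created_at": "2020-01-03 09:20:00",
     "severity": "HIGH", "source_ip": "10.0.0.5",
     "rules": [{"rule_id": 131081, "rule_name": "PCI"},
               {"rule_id": 131083, "rule_name": "PII"}]},
    {"incident_id": 131090, "created_at": "2020-01-03 09:25:00",
     "severity": "LOW", "source_ip": "10.0.0.6",
     "rules": [{"rule_id": 131081, "rule_name": "PCI"}]},
]

def make_id(incident_id, rule_id):
    # Id_s value as it appears in ForcepointDLPEvents_CL
    return f"incident_Id-{incident_id}-rule_id-{rule_id}"

def load_checkpoint(data):
    # data is the parsed azureDate.json; no file yet -> export everything
    return datetime.strptime(data["AzureUpdateDate"], DATE_FMT) if data else datetime.min

def checkpoint_record(when):
    # Same shape as the sample azureDate.json in this document
    return {"AzureUpdateDate": when.strftime(DATE_FMT)}

def flatten(incidents, config, last_update):
    """Return (records, new_checkpoint): one record per matched rule, since
    Azure custom logs cannot hold nested data. Incidents created at or before
    last_update were sent on an earlier run and are skipped."""
    records, newest = [], last_update
    for inc in incidents:
        created = datetime.strptime(inc["created_at"], DATE_FMT)
        if created <= last_update:
            continue
        newest = max(newest, created)  # advance even if severity filters it out
        if not config.get(inc["severity"], False):
            continue
        for rule in inc["rules"]:
            records.append({
                "Id": make_id(inc["incident_id"], rule["rule_id"]),  # -> Id_s
                "IncidentId": inc["incident_id"],
                "RuleName_1": rule["rule_name"],   # -> RuleName_1_s
                "Severity": inc["severity"],       # -> Severity_s
                "SourceIpV4": inc["source_ip"],    # -> SourceIpV4_s
                "CreatedAt": inc["created_at"],    # -> CreatedAt_t
            })
    return records, newest

if __name__ == "__main__":
    recs, newest = flatten(INCIDENTS, CONFIG, load_checkpoint({}))
    print(json.dumps(recs, indent=2))
    print(json.dumps(checkpoint_record(newest)))
```

Running it twice with the checkpoint written by the first run yields no records the second time, which is the duplicate-protection the backup note relies on.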

Appendix A - Description of config.json settings

PARAMETER: file_location
  DESCRIPTION: Location used by the DLP Incident Exporter to store XML files with incident data before upload to Azure. Used when log export is done using the manual method based on a remediation script.
  CHANGE REQUIRED: NO

PARAMETER: HIGH, MEDIUM, LOW
  DESCRIPTION: These parameters allow filtering of DLP incidents: only logs whose severity matches a level set to TRUE are uploaded.
  CHANGE REQUIRED: YES

PARAMETER: Database_Connection
  DESCRIPTION: These parameters are needed to connect to the SQL database used by Forcepoint Security Manager to store DLP incident data.
    Server: hostname or IP address of the SQL database
    Database: name of the database hosting the FSM data
    Trusted_Connection: only “yes” or “no” are possible
      • yes - if it is a trusted connection
      • no - if username and password will be used to connect
    UID: username used to login to the database
  CHANGE REQUIRED: YES

PARAMETER: AzureWorkspaceID
  DESCRIPTION: The WORKSPACE ID obtained in Step 1
  CHANGE REQUIRED: YES

PARAMETER: AzurePrimaryKey
  DESCRIPTION: The PRIMARY KEY obtained in Step 1
  CHANGE REQUIRED: YES

PARAMETER: LogName
  DESCRIPTION: Name of the custom log that Azure Sentinel will receive from DLP. “_CL” is appended automatically to the log name once the data is received by Azure Sentinel, e.g. “LogName_CL”.
  CHANGE REQUIRED: YES
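The three Azure settings above are exactly what the HTTP Data Collector API needs: the workspace ID names the endpoint and the key, the primary key signs each request, and LogName becomes the Log-Type header that Azure turns into LogName_CL. The block below is an added example of how such a request is built and signed; it is not the exporter's code, the workspace ID and key are constructed placeholders, and nothing is sent unless send() is called.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-ins for the values copied from the Azure portal into config.json
CONFIG = {
    "AzureWorkspaceID": "00000000-0000-0000-0000-000000000000",
    "AzurePrimaryKey": base64.b64encode(b"constructed-sample-key").decode(),
    "LogName": "ForcepointDLPEvents",  # Azure stores it as ForcepointDLPEvents_CL
}
API_RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"

def build_signature(workspace_id, primary_key, date, content_length,
                    method="POST", content_type="application/json",
                    resource=API_RESOURCE):
    """Authorization header: HMAC-SHA256 over the canonical request line,
    keyed with the base64-decoded primary key, as the Data Collector API expects."""
    string_to_hash = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{date}\n{resource}")
    decoded_key = base64.b64decode(primary_key)
    digest = hmac.new(decoded_key, string_to_hash.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_request(config, records, date=None):
    """Return (url, headers, body) for posting `records` as rows of the custom log.
    `date` is an RFC 1123 timestamp; it defaults to the current UTC time."""
    if date is None:
        date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "content-type": "application/json",
        "Authorization": build_signature(config["AzureWorkspaceID"],
                                         config["AzurePrimaryKey"],
                                         date, len(body)),
        "Log-Type": config["LogName"],
        "x-ms-date": date,
    }
    url = (f"https://{config['AzureWorkspaceID']}.ods.opinsights.azure.com"
           f"{API_RESOURCE}?api-version={API_VERSION}")
    return url, headers, body

def send(config, records):
    """Actually POST the rows; the API answers 200 when the batch is accepted."""
    import requests  # third-party; only needed when really sending
    url, headers, body = build_request(config, records)
    return requests.post(url, data=body, headers=headers, timeout=30).status_code
```

Because the signature covers the content length and the x-ms-date value, a request replayed later or with an altered body is rejected by Azure, which is why the primary key must be kept secret as Step 1 instructs.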

Appendix B – Service scripts

The DLP Incident Exporter service is managed by the NSSM tool.

Navigate to C:\fp-dlp-exporter-aws-azure-v1\ServiceScripts. There are four scripts provided.

SCRIPT          DESCRIPTION
changePassword  Opens the NSSM UI to change or update the service account password. The password is editable from the Log on tab of NSSM (see below)
removeService   Removes the DLPExporter service from the server and stops it from running
restart         Restarts the DLPExporter service
stopService     Stops the DLPExporter service (note: this does not remove the service, it only stops it from running)

Appendix C – Logs of DLP Incident Exporter

Logs of DLP Incident Exporter operations are stored into C:\fp-dlp-exporter-aws-azure-v1\logs\ForcepointDLPEvents.

Example message

2020-01-03 09:29:25 - DLPExporter - INFO - Azure is configured on

Log structure

Field          Example / allowed values
Date and time  2019-12-13 17:56:35
Service Name   DLPExporter
Message Type   INFO, DEBUG, CRITICAL, ERROR, WARNING
Message        Azure is configured on

Appendix D – Create a Workbook into Azure Sentinel

Workbooks combine text, Analytics queries, Azure Metrics and parameters into rich interactive reports.

  1. Login to Azure Sentinel portal

  2. Select Workbooks from the left-hand menu, under Threat management section. This launches a workbook gallery

  3. Click on Add workbook, to open a new workbook

  4. Click on Edit, to edit workbook sections

  5. Click Add query, to launch a new Log Analytics workspace Logs Query

  6. Insert the following query

    ForcepointDLPEvents_CL 
    | where TimeGenerated > ago(3d) 
    | summarize count(RuleName_1_s) by RuleName_1_s, SourceIpV4_s
    

    The above query searches for rules triggered in the last three days. The query provides an output similar to this

  7. Click Done Editing

  8. Move to the next section of the workbook and click Edit

  9. Add the following query to display a Bar Chart which provides a visual overview for rules triggered in the last three days

    ForcepointDLPEvents_CL 
    | where TimeGenerated > ago(3d) 
    | summarize count(RuleName_1_s) by RuleName_1_s, SourceIpV4_s 
    | render barchart
    
  10. Click Done Editing. The result displayed will be similar to this

    Another query to display rules triggered over time (past 90 days) generated is

    ForcepointDLPEvents_CL 
    | where TimeGenerated > ago(90d) 
    | sort by CreatedAt_t asc nulls last  
    | summarize count(RuleName_1_s)  by  CreatedAt_t, RuleName_1_s 
    | render linechart 
    

    Another query to display counts of High, Medium and Low rules triggered over 90 days

    ForcepointDLPEvents_CL 
    | where TimeGenerated > ago(90d) 
    | sort by CreatedAt_t asc nulls last  
    | summarize count(Severity_s)  by  CreatedAt_t, Severity_s 
    | render barchart 
    

  11. Once finished editing queries click Done Editing on the top left corner and on the save icon to save the workbook

    Multiple queries can be used to populate a workbook with tables and charts, enabling powerful visualization of events and security-related activities obtained from Forcepoint DLP.

Troubleshooting

Follow these steps to identify issues impacting the normal operation of the integration described in this document.

Validate the prerequisites

Make sure the prerequisites described in the Summary chapter are all satisfied:

  • Check the versions of Forcepoint DLP with Forcepoint Security Manager and 3rd party products/services in use are listed as compatible

    Forcepoint DLP with Forcepoint Security Manager 8.5.x
    Azure Monitor with the HTTP Data Collector API (public preview)
    
  • Verify the integration component is hosted on a Windows 10 or Windows Server machine

  • User must have administrator access to the Windows machine in order to run and complete the installation successfully. Username and password will be requested at the time of install.

  • The machine running the DLPExporter must have network connectivity to the SQL server

  • Check the user has permissions to run Invoke-WebRequest and Expand-Archive in PowerShell

Check network connectivity

Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved into this integration:

  • Check the Windows machine has network connectivity to Azure:

    The user can check this from the logs created in C:\fp-dlp-exporter-aws-azure-v1\logs in the log file named ForcepointDLPEvents, and check the log file has a message similar to below:

    2020-02-28 13:06:06 - DLPExporter - INFO - Azure is configured on

  • Check the Windows machine has network connectivity to the SQL server:

    The user can check this from the logs created in C:\fp-dlp-exporter-aws-azure-v1\logs in the log file named ForcepointDLPEvents, and check the log file has a message similar to below:

    2020-02-28 13:06:06 - DLPExporter - INFO - Database Connection established
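The two connectivity checks above, plus the ODBC error lines quoted in the next section, can be automated by reading the exporter log in the format given in Appendix C (date and time - service name - message type - message). This is an added example, not part of the exporter; the sample log is constructed from messages quoted in this document and the SQLSTATE-to-cause mapping is the one the Troubleshooting chapter describes in words.

```python
import re
from collections import namedtuple

# One exporter log line: date and time - service name - message type - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<svc>\S+) - "
    r"(?P<level>INFO|DEBUG|CRITICAL|ERROR|WARNING) - (?P<msg>.*)$")

# SQLSTATE classes seen in the ODBC errors quoted in the Troubleshooting chapter
SQLSTATE_HINTS = {
    "[08001]": "no SQL connectivity (server not reachable or access denied)",
    "[28000]": "wrong SQL credentials (login failed)",
}

# Constructed sample log built from messages quoted in this document
SAMPLE_LOG = """\
2020-02-28 13:04:21 - DLPExporter - ERROR - [08001] [Microsoft][ODBC SQL Server Driver][DBNETLIB]SQL Server does not exist or access denied. (17) (SQLDriverConnect)
Traceback (most recent call last):
2020-02-28 13:06:06 - DLPExporter - INFO - Azure is configured on
2020-02-28 13:06:07 - DLPExporter - INFO - Database Connection established
"""

Health = namedtuple("Health", "azure_ok db_ok errors")

def parse(text):
    """Yield (timestamp, level, message) for well-formed lines; traceback
    continuation lines that lack the prefix are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("level"), m.group("msg")

def diagnose(msg):
    """Map an ODBC error message to the cause named in the Troubleshooting chapter."""
    for state, hint in SQLSTATE_HINTS.items():
        if state in msg:
            return hint
    return "unclassified error"

def health(text):
    """Latest state wins: a connection success after an error means recovered,
    a SQL error after a success means the connection was lost again."""
    azure_ok = db_ok = False
    errors = []
    for ts, level, msg in parse(text):
        if level == "INFO" and msg == "Azure is configured on":
            azure_ok = True
        elif level == "INFO" and msg == "Database Connection established":
            db_ok = True
        elif level in ("ERROR", "CRITICAL"):
            errors.append((ts, diagnose(msg)))
            if any(state in msg for state in SQLSTATE_HINTS):
                db_ok = False
    return Health(azure_ok, db_ok, errors)
```

Point health() at the contents of C:\fp-dlp-exporter-aws-azure-v1\logs\ForcepointDLPEvents to get a quick pass/fail for both checks together with the most likely cause of any SQL error.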

Check all components are configured and running properly

Make sure the products and services involved into this integration are configured as expected and they are running:

  • Check SQL connectivity: If you get messages similar to below, that means you either have no SQL connectivity or are entering wrong credentials:

      2020-02-28 13:04:21 - DLPExporter - ERROR - [08001] [Microsoft][ODBC SQL Server Driver][DBNETLIB]SQL Server does not exist or access denied. (17) (SQLDriverConnect); [08001] [Microsoft][ODBC SQL Server Driver][DBNETLIB]ConnectionOpen (Connect()). (53)  
      Traceback (most recent call last):  
      File "DLPExporter.py", line 135, in <module>  
      KeyboardInterrupt  
      [18468] Failed to execute script DLPExporter 
      2020-02-28 13:09:35 - DLPExporter - ERROR - [28000] [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'g'. (18456) (SQLDriverConnect); [28000] [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'g'. (18456) 
    
  • In case the user provided wrong credentials for SQL server connection, you can follow the following steps:

    1. Go to C:\fp-dlp-exporter-aws-azure-v1 and edit the config.json file to add the correct SQL Server connection credentials

    2. Run command prompt as administrator.

    3. cd to the C:\fp-dlp-exporter-aws-azure-v1\ServiceScripts

    4. Type command restart to restart the DLPExporter service.

    5. Check the ForcepointDLPEvents log in C:\fp-dlp-exporter-aws-azure-v1\logs and see if the database connection is established.

      • The install.bat file should only be run once. If anything goes wrong, you need to go back to the Service scripts to make changes.

      • If a wrong password for the administrator account was entered during the first run of the install.bat file to install DLPExporter, use the following steps to change it:

        1. Run command prompt as administrator.

        2. cd to C:\fp-dlp-exporter-aws-azure-v1\ServiceScripts

        3. Type command changePassword in the command prompt. A window will pop up where the user can enter the correct password

        4. Type command restart to restart the DLPExporter service.

  • If the install.bat file was run multiple times, the DLPExporter service might still be running in the background even if the removeService script was run afterwards. Follow the steps below in order to remove the service completely:

    1. Run command prompt as administrator.

    2. Go to the C:\fp-dlp-exporter-aws-azure-v1\Resources folder

    3. Execute the command: nssm

    4. Execute the command: nssm stop DLPExporter

    5. Execute the command: nssm remove DLPExporter confirm

    6. Execute the command: nssm status DLPExporter