Collect Forcepoint DLP logs
This document describes how you can collect Forcepoint Data Loss Prevention (DLP) logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations overview.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the FORCEPOINT_DLP ingestion label.
Configure Forcepoint DLP
- Sign in to the Forcepoint Security Manager console.
- In the Additional actions section, select the Send syslog message checkbox.
- In the Data security module, select Settings > General > Remediation.
- In the Syslog settings section, specify the following:
- In the IP address or hostname field, enter the IP address or hostname of the Google Security Operations forwarder.
- In the Port field, enter the port number.
- Clear the Use syslog facility for these messages checkbox.
- To send the syslog server a verification test message, click Test connection.
- To save your changes, click Ok.
Configure the Google Security Operations forwarder to ingest Forcepoint DLP logs
- In the Google Security Operations menu, select Settings > Forwarders > Add new forwarder.
- In the Forwarder name field, enter a unique name for the forwarder.
- Click Submit. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, enter a unique name for the collector.
- In the Log type field, specify Forcepoint DLP.
- Select Syslog as the Collector type.
- Configure the following input parameters:
- Protocol: specify the connection protocol that the collector uses to listen for syslog data.
- Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
- Click Submit.
For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.
If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser extracts key-value pairs from Forcepoint DLP CEF-formatted logs, normalizing and mapping them to the UDM. It handles various CEF fields, including sender, recipient, actions, and severity, enriching the UDM with details such as user information, affected files, and security results.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
act | security_result.description | If actionPerformed is empty, the value of act is assigned to security_result.description. |
actionID | metadata.product_log_id | The value of actionID is assigned to metadata.product_log_id. |
actionPerformed | security_result.description | The value of actionPerformed is assigned to security_result.description. |
administrator | principal.user.userid | The value of administrator is assigned to principal.user.userid. |
analyzedBy | additional.fields.key | The string "analyzedBy" is assigned to additional.fields.key. |
analyzedBy | additional.fields.value.string_value | The value of analyzedBy is assigned to additional.fields.value.string_value. |
cat | security_result.category_details | The values of cat are merged into the security_result.category_details field as a list. |
destinationHosts | target.hostname | The value of destinationHosts is assigned to target.hostname. |
destinationHosts | target.asset.hostname | The value of destinationHosts is assigned to target.asset.hostname. |
details | security_result.description | If both actionPerformed and act are empty, the value of details is assigned to security_result.description. |
duser | target.user.userid | The value of duser is used to populate target.user.userid. Multiple values separated by "; " are split and assigned as individual email addresses if they match the email regex; otherwise they are treated as user IDs. |
eventId | metadata.product_log_id | If actionID is empty, the value of eventId is assigned to metadata.product_log_id. |
fname | target.file.full_path | The value of fname is assigned to target.file.full_path. |
logTime | metadata.event_timestamp | The value of logTime is parsed and used to populate metadata.event_timestamp. |
loginName | principal.user.user_display_name | The value of loginName is assigned to principal.user.user_display_name. |
msg | metadata.description | The value of msg is assigned to metadata.description. |
productVersion | additional.fields.key | The string "productVersion" is assigned to additional.fields.key. |
productVersion | additional.fields.value.string_value | The value of productVersion is assigned to additional.fields.value.string_value. |
role | principal.user.attribute.roles.name | The value of role is assigned to principal.user.attribute.roles.name. |
severityType | security_result.severity | The value of severityType is mapped to security_result.severity. "high" maps to "HIGH", "med" maps to "MEDIUM", and "low" maps to "LOW" (case-insensitive). |
sourceHost | principal.hostname | The value of sourceHost is assigned to principal.hostname. |
sourceHost | principal.asset.hostname | The value of sourceHost is assigned to principal.asset.hostname. |
sourceIp | principal.ip | The value of sourceIp is added to the principal.ip field. |
sourceIp | principal.asset.ip | The value of sourceIp is added to the principal.asset.ip field. |
sourceServiceName | principal.application | The value of sourceServiceName is assigned to principal.application. |
suser | principal.user.userid | If administrator is empty, the value of suser is assigned to principal.user.userid. |
timestamp | metadata.event_timestamp | The value of timestamp is used to populate metadata.event_timestamp. |
topic | security_result.rule_name | The value of topic is assigned to security_result.rule_name after commas are removed. |
N/A |  | Hardcoded to "FORCEPOINT_DLP". |
N/A |  | Hardcoded to "Forcepoint". |
N/A |  | Extracted from the CEF message. Can be "Forcepoint DLP" or "Forcepoint DLP Audit". |
N/A |  | Extracted from the CEF message. |
N/A |  | Concatenation of device_event_class_id and event_name, formatted as "[device_event_class_id] - event_name". |
N/A |  | Initialized to "GENERIC_EVENT". Changed to "USER_UNCATEGORIZED" if is_principal_user_present is "true". |
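The precedence and splitting rules in the table are easiest to check against a concrete line. The following Python script is an added example, not part of the Google Security Operations parser or of this page: it splits a CEF header and extension, applies the rules listed above (actionID over eventId, actionPerformed over act over details, administrator over suser, duser split on "; " with an email check, the severityType mapping, comma removal from topic, the additional.fields pass-through and the GENERIC_EVENT/USER_UNCATEGORIZED switch) to two constructed sample lines, and returns a flat dict keyed by UDM path. The paths target.user.email_addresses, metadata.product_event_type and metadata.event_type, the logTime format, the email regex and all sample values are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample lines (not captured from a real Forcepoint system).
SAMPLE_LOG = (  # new-format incident event
    "CEF:0|Forcepoint|Forcepoint DLP|8.9.0|DLP-1001|Policy Violation|7|"
    "actionID=12345 actionPerformed=Blocked act=Permitted cat=Data Leak "
    "suser=alice duser=bob@example.com; carol@example.com; svc_account "
    "sourceIp=10.0.0.5 sourceHost=WS-ALICE destinationHosts=mail.example.com "
    "fname=/home/alice/payroll.xlsx topic=PCI, Credit Cards severityType=High "
    "msg=Credit card numbers detected logTime=2024-05-20 10:15:30"
)
SAMPLE_AUDIT_LOG = (  # audit event that exercises the fallback chains
    "CEF:0|Forcepoint|Forcepoint DLP Audit|8.9.0|AUD-7|Audit|3|"
    "eventId=77 act=Login details=Admin login administrator=admin role=Super Administrator"
)

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed email check
# key=value pairs; a value runs until the next " key=" token, so values may contain spaces.
EXT_RE = re.compile(r"([A-Za-z0-9_]+)=(.*?)(?=\s[A-Za-z0-9_]+=|$)")
SEVERITY = {"high": "HIGH", "med": "MEDIUM", "low": "LOW"}
HEADER_KEYS = ["cef_version", "vendor", "product", "version",
               "device_event_class_id", "event_name", "severity"]


def parse_cef(line):
    """Split a CEF line into its 7 header fields and a dict of extension pairs
    (escaped separators such as \\| and \\= are not unescaped here)."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER_KEYS, parts[:7]))
    extension = {k: v.strip() for k, v in EXT_RE.findall(parts[7])}
    return header, extension


def first_nonempty(ext, *keys):
    """First non-empty value among keys; implements the table's 'if X is empty' fallbacks."""
    return next((ext[k] for k in keys if ext.get(k)), None)


def map_to_udm(line):
    """Apply the table's rules to one line; returns a flat dict keyed by UDM path."""
    header, ext = parse_cef(line)
    udm = {}

    def put(path, value):
        if value:
            udm[path] = value

    # "[device_event_class_id] - event_name" (assumed path: metadata.product_event_type)
    udm["metadata.product_event_type"] = f"[{header['device_event_class_id']}] - {header['event_name']}"
    put("metadata.product_log_id", first_nonempty(ext, "actionID", "eventId"))
    put("security_result.description", first_nonempty(ext, "actionPerformed", "act", "details"))
    put("metadata.description", ext.get("msg"))
    put("security_result.severity", SEVERITY.get(ext.get("severityType", "").lower()))
    if ext.get("cat"):
        udm["security_result.category_details"] = [ext["cat"]]
    if ext.get("topic"):
        udm["security_result.rule_name"] = ext["topic"].replace(",", "")
    # Principal side: administrator wins over suser for the user ID.
    put("principal.user.userid", first_nonempty(ext, "administrator", "suser"))
    put("principal.user.user_display_name", ext.get("loginName"))
    put("principal.user.attribute.roles.name", ext.get("role"))
    put("principal.hostname", ext.get("sourceHost"))
    put("principal.asset.hostname", ext.get("sourceHost"))
    put("principal.application", ext.get("sourceServiceName"))
    if ext.get("sourceIp"):
        udm["principal.ip"] = [ext["sourceIp"]]
        udm["principal.asset.ip"] = [ext["sourceIp"]]
    # Target side.
    put("target.hostname", ext.get("destinationHosts"))
    put("target.asset.hostname", ext.get("destinationHosts"))
    put("target.file.full_path", ext.get("fname"))
    if ext.get("duser"):
        # Split on "; "; email-looking entries go to an email list (assumed path
        # target.user.email_addresses), the rest are user IDs (userid is single-valued,
        # so this example keeps the first one; that choice is an assumption).
        recipients = ext["duser"].split("; ")
        emails = [r for r in recipients if EMAIL_RE.match(r)]
        userids = [r for r in recipients if not EMAIL_RE.match(r)]
        if emails:
            udm["target.user.email_addresses"] = emails
        if userids:
            udm["target.user.userid"] = userids[0]
    # Timestamp: logTime is parsed (format assumed), timestamp is the fallback.
    raw_ts = first_nonempty(ext, "logTime", "timestamp")
    if raw_ts:
        try:
            udm["metadata.event_timestamp"] = datetime.strptime(raw_ts, "%Y-%m-%d %H:%M:%S").isoformat()
        except ValueError:
            udm["metadata.event_timestamp"] = raw_ts  # keep the raw value if the format differs
    # Pass-through fields carried as key/value pairs under additional.fields.
    udm["additional.fields"] = [{"key": k, "value": {"string_value": ext[k]}}
                                for k in ("productVersion", "analyzedBy") if ext.get(k)]
    # GENERIC_EVENT unless a principal user was populated (assumed path: metadata.event_type).
    udm["metadata.event_type"] = "USER_UNCATEGORIZED" if "principal.user.userid" in udm else "GENERIC_EVENT"
    return udm
```

Running `map_to_udm(SAMPLE_LOG)` yields "Blocked" as the security_result.description (actionPerformed wins over the also-present act), splits the three duser entries into two email addresses and one user ID, and strips the comma from the topic. The audit line shows the fallbacks: eventId becomes the product_log_id, act is used because actionPerformed is absent, and no severity is emitted because severityType is missing. A value that contains " something=" would be cut short by the extension regex, which is a known limitation of the simple tokenizer rather than of the mapping rules.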
Changes
2024-05-20
- Mapped "fname" to "target.file.full_path".
- Mapped "destinationHosts" to "target.hostname" and "target.asset.hostname".
- Mapped "productVersion" and "analyzedBy" to "additional.fields".
2024-03-25
- Bug fix: added support for new-format logs.
- Mapped "timeStamp" to "metadata.event_timestamp".
- Mapped "act" to "security_result.description".
- Mapped "cat" to "security_result.category_details".
- Mapped "severityType" to "security_result.severity".
- Mapped "msg" to "metadata.description".
- Mapped "eventId" to "metadata.product_log_id".
- Mapped "sourceServiceName" to "principal.application".
- Mapped "sourceHost" to "principal.hostname" and "principal.asset.hostname".
- Mapped "sourceIp" to "principal.ip" and "principal.asset.ip".
- Mapped "suser" to "principal.user.userid".
- Mapped "loginName" to "principal.user.user_display_name".
2022-11-07
- Newly Created Parser.