Collect Forcepoint DLP logs

This document describes how you can collect Forcepoint Data Loss Prevention (DLP) logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations overview.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the FORCEPOINT_DLP ingestion label.

Configure Forcepoint DLP

  1. Sign in to the Forcepoint Security Manager console.
  2. In the Additional actions section, select the Send syslog message checkbox.
  3. In the Data security module, select Settings > General > Remediation.
  4. In the Syslog settings section, specify the following:
    • In the IP address or hostname field, enter the IP address or hostname of the Google Security Operations forwarder.
    • In the Port field, enter the port number.
    • Clear the Use syslog facility for these messages checkbox.
  5. To send the syslog server a verification test message, click Test connection.
  6. To save your changes, click Ok.

Configure the Google Security Operations forwarder to ingest Forcepoint DLP logs

  1. In the Google Security Operations menu, select Settings > Forwarders > Add new forwarder.
  2. In the Forwarder name field, enter a unique name for the forwarder.
  3. Click Submit. The forwarder is added and the Add collector configuration window appears.
  4. In the Collector name field, enter a unique name for the collector.
  5. In the Log type field, specify Forcepoint DLP.
  6. Select Syslog as the Collector type.
  7. Configure the following input parameters:
    • Protocol: specify the connection protocol that the collector uses to listen for syslog data.
    • Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
    • Port: specify the target port where the collector resides and listens for syslog data.
  8. Click Submit.

For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.

If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser extracts key-value pairs from Forcepoint DLP CEF formatted logs, normalizing and mapping them to the UDM. It handles various CEF fields, including sender, recipient, actions, and severity, enriching the UDM with details like user information, affected files, and security results.

UDM Mapping Table

Log Field | UDM Mapping | Logic
--- | --- | ---
act | security_result.description | If actionPerformed is empty, the value of act is assigned to security_result.description.
actionID | metadata.product_log_id | The value of actionID is assigned to metadata.product_log_id.
actionPerformed | security_result.description | The value of actionPerformed is assigned to security_result.description.
administrator | principal.user.userid | The value of administrator is assigned to principal.user.userid.
analyzedBy | additional.fields.key | The string "analyzedBy" is assigned to additional.fields.key.
analyzedBy | additional.fields.value.string_value | The value of analyzedBy is assigned to additional.fields.value.string_value.
cat | security_result.category_details | The values of cat are merged into the security_result.category_details field as a list.
destinationHosts | target.hostname | The value of destinationHosts is assigned to target.hostname.
destinationHosts | target.asset.hostname | The value of destinationHosts is assigned to target.asset.hostname.
details | security_result.description | If both actionPerformed and act are empty, the value of details is assigned to security_result.description.
duser | target.user.userid | The value of duser is used to populate target.user.userid. Multiple values separated by "; " are split and assigned as individual email addresses if they match the email regex; otherwise they are treated as user IDs.
eventId | metadata.product_log_id | If actionID is empty, the value of eventId is assigned to metadata.product_log_id.
fname | target.file.full_path | The value of fname is assigned to target.file.full_path.
logTime | metadata.event_timestamp | The value of logTime is parsed and used to populate metadata.event_timestamp.
loginName | principal.user.user_display_name | The value of loginName is assigned to principal.user.user_display_name.
msg | metadata.description | The value of msg is assigned to metadata.description.
productVersion | additional.fields.key | The string "productVersion" is assigned to additional.fields.key.
productVersion | additional.fields.value.string_value | The value of productVersion is assigned to additional.fields.value.string_value.
role | principal.user.attribute.roles.name | The value of role is assigned to principal.user.attribute.roles.name.
severityType | security_result.severity | The value of severityType is mapped to security_result.severity. "high" maps to "HIGH", "med" maps to "MEDIUM", and "low" maps to "LOW" (case-insensitive).
sourceHost | principal.hostname | The value of sourceHost is assigned to principal.hostname.
sourceHost | principal.asset.hostname | The value of sourceHost is assigned to principal.asset.hostname.
sourceIp | principal.ip | The value of sourceIp is added to the principal.ip field.
sourceIp | principal.asset.ip | The value of sourceIp is added to the principal.asset.ip field.
sourceServiceName | principal.application | The value of sourceServiceName is assigned to principal.application.
suser | principal.user.userid | If administrator is empty, the value of suser is assigned to principal.user.userid.
timestamp | metadata.event_timestamp | The value of timestamp is used to populate metadata.event_timestamp.
topic | security_result.rule_name | The value of topic is assigned to security_result.rule_name after commas are removed.
 | | Hardcoded to "FORCEPOINT_DLP".
 | | Hardcoded to "Forcepoint".
 | | Extracted from the CEF message. Can be "Forcepoint DLP" or "Forcepoint DLP Audit".
 | | Extracted from the CEF message.
 | | Concatenation of device_event_class_id and event_name, formatted as "[device_event_class_id] - event_name".
 | | Initialized to "GENERIC_EVENT". Changed to "USER_UNCATEGORIZED" if is_principal_user_present is "true".
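The conditional rules in the table (the actionPerformed/act/details and actionID/eventId and administrator/suser fallback chains, the duser split, the severityType map, the comma removal on topic and the event_type switch) are easier to check against a sample record when written out. The following is an added example, not the Google Security Operations parser itself: a minimal CEF splitter plus the table's logic in Python, run over a constructed record. The UDM field names used for the hardcoded rows (metadata.log_type, vendor_name, product_name, product_event_type, event_type) are assumed, since the table omits them, and the email regex is a stand-in for the parser's own.

```python
import re

# Constructed sample record for this example, not a real Forcepoint export.
SAMPLE = ("CEF:0|Forcepoint|Forcepoint DLP|8.9|1|Policy violation|7|"
          "actionID=4711 act=Blocked duser=alice@example.com; jsmith suser=bob "
          "severityType=Med topic=PCI, credit card cat=Data Exfiltration")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # stand-in for the parser's regex
SEVERITY = {"high": "HIGH", "med": "MEDIUM", "low": "LOW"}

def parse_cef(line):
    """Return (header fields, extension dict) for one CEF line; escaped delimiters are not handled."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    # An extension value runs until the next '<key>=' token or the end of the line.
    ext = {m.group(1): m.group(2).strip()
           for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return parts[:7], ext

def to_udm(line):
    """Apply the table's conditional logic to one record. UDM names for the hardcoded
    rows (log_type, vendor_name, product_name, product_event_type, event_type) are assumed."""
    header, ext = parse_cef(line)
    md = {"log_type": "FORCEPOINT_DLP", "vendor_name": "Forcepoint",
          "product_name": header[2],
          "product_event_type": f"[{header[4]}] - {header[5]}"}
    pr, tg, sr = {"user": {}}, {"user": {}}, {}
    # Fallback chains from the table: actionPerformed > act > details,
    # actionID > eventId, administrator > suser.
    if desc := ext.get("actionPerformed") or ext.get("act") or ext.get("details"):
        sr["description"] = desc
    if log_id := ext.get("actionID") or ext.get("eventId"):
        md["product_log_id"] = log_id
    if userid := ext.get("administrator") or ext.get("suser"):
        pr["user"]["userid"] = userid
    if "topic" in ext:
        sr["rule_name"] = ext["topic"].replace(",", "")
    if "cat" in ext:
        sr["category_details"] = [ext["cat"]]
    if sev := SEVERITY.get(ext.get("severityType", "").lower()):
        sr["severity"] = sev
    # duser: split on ';', emails go to email_addresses, anything else becomes userid (first kept; assumed).
    for value in (v.strip() for v in ext.get("duser", "").split(";") if v.strip()):
        if EMAIL_RE.match(value):
            tg["user"].setdefault("email_addresses", []).append(value)
        else:
            tg["user"].setdefault("userid", value)
    md["event_type"] = "USER_UNCATEGORIZED" if pr["user"] else "GENERIC_EVENT"  # is_principal_user_present
    return {"metadata": md, "principal": pr, "target": tg, "security_result": sr}
```

Feeding a record with neither actionPerformed nor act, and no administrator or suser, exercises the details fallback and leaves event_type at GENERIC_EVENT.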

Changes

2024-05-20

  • Mapped "fname" to "target.file.full_path".
  • Mapped "destinationHosts" to "target.hostname" and "target.asset.hostname".
  • Mapped "productVersion" and "analyzedBy" to "additional.fields".

2024-03-25

  • Bug-fix:
    • Added support for new format logs.
    • Mapped "timeStamp" to "metadata.event_timestamp".
    • Mapped "act" to "security_result.description".
    • Mapped "cat" to "security_result.category_details".
    • Mapped "severityType" to "security_result.severity".
    • Mapped "msg" to "metadata.description".
    • Mapped "eventId" to "metadata.product_log_id".
    • Mapped "sourceServiceName" to "principal.application".
    • Mapped "sourceHost" to "principal.hostname" and "principal.asset.hostname".
    • Mapped "sourceIp" to "principal.ip" and "principal.asset.ip".
    • Mapped "suser" to "principal.user.userid".
    • Mapped "loginName" to "principal.user.user_display_name".

2022-11-07

  • Newly Created Parser.