Remediation
Use the
page in the Data Security module of the Forcepoint Security Manager to define the location of the syslog server and mail release gateway used for remediation.- Under Syslog Settings, enter the IP address or hostname of the syslog server, and the logging Port.
- To set the origin of syslog messages, select Use syslog facility for these
messages, then use the drop-down menu to select
the type of message to appear in the syslog:
- User-level Messages (#1) logs generic user-level messages, such as “username/password expired”.
- Security/Authorization Messages (#4) logs authentication- and authorization-related commands, such as “authentication failed for admin user”.
- Security/Authorization Messages (#10) logs non-system authorization messages inside a protected file (for information of a sensitive nature, such as passwords).
- Local use 0-7 (#16-23) specifies unreserved facilities available for any local use. Processes and daemons that have not been explicitly assigned a facility can use any of the “local use” facilities. Configuration is done in the syslog.conf file.
To send incident data to the syslog, select
in the action plan for the policy.To send Audit log data to the syslog server, enable the check box Send syslog message from
.To send System log data to the syslog server, enable the check box Send syslog message from
. - Click Test Connection to send the syslog server a verification test message.
- Under Release Quarantined Emails, specify which gateway to use when releasing a quarantined email message.
- The default is Use the gateway that detected the incident. This gateway could be Forcepoint Email Security or the protector MTA, depending on your subscription.
- To define a specific gateway, select Use the following gateway, then enter the gateway IP address or hostname and Port.
- If only recipients of a message should be able to release it from quarantine, select Validate user before releasing message.
The system then ensures that the person attempting to release a message is a recipient of the message, and therefore authorized. Unauthorized users receive an email notification that they are not allowed release the message.
- Click OK to save your changes.
Syslog messages can be sent to an SIEM tool if desired. They are compatible with both ArcSight Common Event Format (CEF) and Audit Quality SIEM format.
The ArcSight CEF message includes the following information for each incident:
CEF:0|Forcepoint|Forcepoint DLP|8.3|{id}|DLP Syslog|{severity}| act={action} duser={destinations} fname={attachments} msg={details} suser={source} cat={policyCategories}
sourceServiceName={channel}analyzedBy={policyEngineName} loginName={name}sourceIp={ip}
- Signature ID = event ID
- act = action taken
- analyzedBy= sensor that detected traffic
- cat = policy categories
- suser = incident source
- duser = incident destinations
- loginName= login name or sAMAccount name
- msg = incident details
- fname = attachments
- sourcelp= source IP where data loss is occurring
- sourceServiceName = channel
The ArcSight Audit Quality SIEM message adds additional information for each incident:
severityType=MEDIUM sourceHost=MNG_ENDPOINT_1 productVersion=8.3 maxMatches=6 timeStamp=2015-03-11 16:33:48.333 destinationHosts=ACCOUNTS.GOOGLE.COM,10.0.17.2
apVersion=8.3
- severityType = incident severity (low, medium, high)
- sourceHost = hostname or IP address of incident source
- productVersion = version number of Forcepoint DLP product (e.g., 8.3)
- maxMatches = maximum number of violations triggered by any given rule in the incident.
- timeStamp = date and time of incident (e.g., 2015-04-30 16:33:48.333)
- destinationHosts = hostnames, IP addresses, or URLs of incident destinations
- apVersion = Forcepoint version number
Syslog structure for Audit Log message
Message Format:
CEF:0|Forcepoint|Forcepoint DLP|{apVersion}|{id}|DLP Audit
Log|{severity}|act={message} msg={details} timeStamp={time} suser={adminName}
role={roleName} cat={topic} modifiedItm={incidentId}
Example:
CEF:0|Forcepoint|Forcepoint DLP|10.2.0|18657|DLP Audit Log|6|act=Rule ''test'':
Updated msg=Before: DISABLED | After: ENABLED timeStamp=08 Dec. 2023, 01:00:35 PM
suser=admin role=Super Administrator cat=POLICY_MNG modifiedItm=458964
- id = Action ID
- severity = Audit log severity
Table 1. Severity Severity Code INFO 6 - act = Action Performed
- msg = Log details
- timeStamp = Date and Time
- suser = Administrator
- role = Role
- cat = Topic
- modifiedItm = Modified Item
Syslog structure for System Log message
Message Format:
CEF:0|Forcepoint|Forcepoint DLP|{apVersion}|DLP System Log|{severity}|
msg={message} timeStamp={insertionTime} cat={topicName} src={sourceName}
component={sourceSubType} code={code} srcType={SourceType}
localTime={generationTime}
Example:
CEF:0|Forcepoint|Forcepoint DLP|10.2.0|DLP System Log|6| msg=Cumulative DLP
database memory consumption is 0% timeStamp=08 Dec. 2023, 01:01:16 PM cat=System
src=10014610a component=Stateful DLP code=SDLP-002 srcType=POLICY_ENGINE localTime=08 Dec.
2023, 01:01:16 PM GMT+0200
- severity = System log severity
Table 2. Severity Severity Code INFO 6 WARNING 4 ERROR 3 FATAL 2 Note: In Forcepoint Security Manager, Critical is displayed as the name for FATAL. - msg = Log details
- timeStamp = Date and Time
- cat = Topic
- src = Reporter
- component = Component
- code = Server code
- srcType = Name of the server
- localTime = Local Date and Time
- status= Status