Remediation

Use the Settings > General > Remediation page in the Data Security module of the Forcepoint Security Manager to define the location of the syslog server and mail release gateway used for remediation.

  1. Under Syslog Settings, enter the IP address or hostname of the syslog server, and the logging Port.
  2. To set the origin of syslog messages, select Use syslog facility for these messages, then use the drop-down menu to select the type of message to appear in the syslog:
    • User-level Messages (#1) logs generic user-level messages, such as “username/password expired”.
    • Security/Authorization Messages (#4) logs authentication- and authorization-related commands, such as “authentication failed for admin user”.
    • Security/Authorization Messages (#10) logs non-system authorization messages inside a protected file (for information of a sensitive nature, such as passwords).
    • Local use 0-7 (#16-23) specifies unreserved facilities available for any local use. Processes and daemons that have not been explicitly assigned a facility can use any of the “local use” facilities. Configuration is done in the syslog.conf file.

    To send incident data to the syslog, select Audit Incident > Send Syslog Message in the action plan for the policy.

    To send Audit log data to the syslog server, enable the check box Send syslog message from Logs > Audit log.

    To send System log data to the syslog server, enable the check box Send syslog message from Logs > System log.

  3. Click Test Connection to send the syslog server a verification test message.
  4. Under Release Quarantined Emails, specify which gateway to use when releasing a quarantined email message.
    • The default is Use the gateway that detected the incident. This gateway could be Forcepoint Email Security or the protector MTA, depending on your subscription.
    • To define a specific gateway, select Use the following gateway, then enter the gateway IP address or hostname and Port.
  5. If only recipients of a message should be able to release it from quarantine, select Validate user before releasing message.

    The system then ensures that the person attempting to release a message is a recipient of the message, and therefore authorized. Unauthorized users receive an email notification that they are not allowed to release the message.

  6. Click OK to save your changes.

Syslog messages can be sent to a SIEM tool if desired. They are compatible with both the ArcSight Common Event Format (CEF) and the Audit Quality SIEM format.

The ArcSight CEF message includes the following information for each incident:

CEF:0|Forcepoint|Forcepoint DLP|8.3|{id}|DLP Syslog|{severity}| act={action} duser={destinations} fname={attachments} msg={details} suser={source} cat={policyCategories} sourceServiceName={channel} analyzedBy={policyEngineName} loginName={name} sourceIp={ip}

Here:
  • Signature ID = event ID
  • act = action taken
  • analyzedBy = sensor that detected traffic
  • cat = policy categories
  • suser = incident source
  • duser = incident destinations
  • loginName = login name or sAMAccountName
  • msg = incident details
  • fname = attachments
  • sourceIp = source IP where data loss is occurring
  • sourceServiceName = channel

The ArcSight Audit Quality SIEM message adds the following information for each incident:

severityType=MEDIUM sourceHost=MNG_ENDPOINT_1 productVersion=8.3 maxMatches=6 timeStamp=2015-03-11 16:33:48.333 destinationHosts=ACCOUNTS.GOOGLE.COM,10.0.17.2 apVersion=8.3

Here:
  • severityType = incident severity (low, medium, high)
  • sourceHost = hostname or IP address of incident source
  • productVersion = version number of Forcepoint DLP product (e.g., 8.3)
  • maxMatches = maximum number of violations triggered by any given rule in the incident
  • timeStamp = date and time of incident (e.g., 2015-04-30 16:33:48.333)
  • destinationHosts = hostnames, IP addresses, or URLs of incident destinations
  • apVersion = Forcepoint version number

Syslog structure for Audit Log message

Message Format:

CEF:0|Forcepoint|Forcepoint DLP|{apVersion}|{id}|DLP Audit Log|{severity}|act={message} msg={details} timeStamp={time} suser={adminName} role={roleName} cat={topic} modifiedItm={incidentId}

Example:

CEF:0|Forcepoint|Forcepoint DLP|10.2.0|18657|DLP Audit Log|6|act=Rule ''test'': Updated msg=Before: DISABLED | After: ENABLED timeStamp=08 Dec. 2023, 01:00:35 PM suser=admin role=Super Administrator cat=POLICY_MNG modifiedItm=458964

Details about the fields:
  • id = Action ID
  • severity = Audit log severity
    Table 1.
    Severity    Severity Code
    INFO        6
  • act = Action Performed
  • msg = Log details
  • timeStamp = Date and Time
  • suser = Administrator
  • role = Role
  • cat = Topic
  • modifiedItm = Modified Item

Syslog structure for System Log message

Message Format:

CEF:0|Forcepoint|Forcepoint DLP|{apVersion}|DLP System Log|{severity}| msg={message} timeStamp={insertionTime} cat={topicName} src={sourceName} component={sourceSubType} code={code} srcType={SourceType} localTime={generationTime}

Example:

CEF:0|Forcepoint|Forcepoint DLP|10.2.0|DLP System Log|6| msg=Cumulative DLP database memory consumption is 0% timeStamp=08 Dec. 2023, 01:01:16 PM cat=System src=10014610a component=Stateful DLP code=SDLP-002 srcType=POLICY_ENGINE localTime=08 Dec. 2023, 01:01:16 PM GMT+0200

Details about the fields:
  • severity = System log severity
    Table 2.
    Severity    Severity Code
    INFO        6
    WARNING     4
    ERROR       3
    FATAL       2
    Note: In Forcepoint Security Manager, Critical is displayed as the name for FATAL.
  • msg = Log details
  • timeStamp = Date and Time
  • cat = Topic
  • src = Reporter
  • component = Component
  • code = Server code
  • srcType = Name of the server
  • localTime = Local Date and Time
  • status = Status
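The three CEF layouts above differ in a way that trips up generic CEF parsers: the System Log header has no {id} field, and extension values (msg in the Audit Log example) can contain spaces and even a literal "|". The parser below is an added example, not Forcepoint's own code; it handles all three layouts, takes its severity map and both sample lines from this page, and uses a hypothetical needs_attention helper to show how a SIEM rule might consume the result.

```python
import re

# Severity codes from Tables 1 and 2 on this page (the UI shows FATAL as "Critical").
SEVERITY_NAMES = {6: "INFO", 4: "WARNING", 3: "ERROR", 2: "FATAL"}

# An extension key starts the extension or follows whitespace. Values may contain
# spaces, colons and even '|' (see the Audit Log example), so each value runs up
# to the next "key=" token rather than to the next space.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z_]\w*)=")


def parse_extension(ext):
    """Return the key=value pairs of a CEF extension string as a dict."""
    keys = list(_EXT_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start(1) if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields


def parse_cef(line):
    """Parse one Forcepoint DLP CEF line (DLP Syslog, Audit Log or System Log)."""
    parts = line.split("|")
    # Incident and Audit Log headers carry 7 pipe-delimited fields; the System Log
    # header omits {id}, so its event name sits in slot 4 and the header is 6 fields.
    names = ["cef", "vendor", "product", "version", "id", "name", "severity"]
    if parts[4].startswith("DLP "):
        names.remove("id")
    header = dict(zip(names, parts))
    sev = header["severity"]
    header["severity"] = int(sev) if sev.isdigit() else sev
    if header["name"] in ("DLP Audit Log", "DLP System Log"):
        header["severity_name"] = SEVERITY_NAMES.get(header["severity"], "UNKNOWN")
    # Re-join the remainder so a '|' inside an extension value survives.
    header["extension"] = parse_extension("|".join(parts[len(names):]).strip())
    return header


def needs_attention(event):
    """Hypothetical triage rule: alert on System Log ERROR/FATAL events only."""
    return event["name"] == "DLP System Log" and event["severity"] <= 3


# Sample lines copied from the Audit Log and System Log examples on this page.
AUDIT_LINE = ("CEF:0|Forcepoint|Forcepoint DLP|10.2.0|18657|DLP Audit Log|6|act=Rule ''test'': "
              "Updated msg=Before: DISABLED | After: ENABLED timeStamp=08 Dec. 2023, 01:00:35 PM "
              "suser=admin role=Super Administrator cat=POLICY_MNG modifiedItm=458964")
SYSTEM_LINE = ("CEF:0|Forcepoint|Forcepoint DLP|10.2.0|DLP System Log|6| msg=Cumulative DLP "
               "database memory consumption is 0% timeStamp=08 Dec. 2023, 01:01:16 PM cat=System "
               "src=10014610a component=Stateful DLP code=SDLP-002 srcType=POLICY_ENGINE "
               "localTime=08 Dec. 2023, 01:01:16 PM GMT+0200")
```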