Incident risk ranking cases
When incident risk ranking cases are sent to syslog, the message includes case information. For example:
CEF:0|Forcepoint|Forcepoint DLP|8.3.0.1184836|983645|DLP Syslog|1| riskScore=1.4 caseDescription=High-severity breach content and a suspected false-positive event caseDateAndTime=07 Jul. 2016, 9:33:18 AM caseClassification=Unknown caseSummary=Low risk content;Number of files in case (46);Destination is unusual;PII breach (1 match);Possible false positive (23%) numberOfIncidents=2 eventIDs=14359168827488891711,3765310750806591754
Here:
- riskScore = risk score assigned to the case
- caseDescription = case description
- caseDateAndTime = date and time case was created
- caseClassification = case classification: suspected data theft or uncategorized/unknown
- caseSummary = case summary
- numberOfIncidents = number of incidents in the case. Cases can contain several incidents, so this number may differ from the number of eventIDs listed.
- eventIDs = IDs for up to 20 incidents in the case, or up to 1024 characters. If the case contains more incidents than are listed, this is indicated by an ellipsis.
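As an added example (not Forcepoint's own code), the following Python parser reads a case record of this form. Because values such as caseDescription and caseSummary contain spaces, commas and semicolons, the extension cannot be split on whitespace; the parser instead locates each "key=" boundary. The trailing "..." used to detect a truncated eventIDs list is an assumption about how the ellipsis appears.

```python
import re

# Constructed sample: the record shown in the documentation above.
SAMPLE = ("CEF:0|Forcepoint|Forcepoint DLP|8.3.0.1184836|983645|DLP Syslog|1| riskScore=1.4 "
          "caseDescription=High-severity breach content and a suspected false-positive event "
          "caseDateAndTime=07 Jul. 2016, 9:33:18 AM caseClassification=Unknown "
          "caseSummary=Low risk content;Number of files in case (46);Destination is unusual;"
          "PII breach (1 match);Possible false positive (23%) numberOfIncidents=2 "
          "eventIDs=14359168827488891711,3765310750806591754")

HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity")
ELLIPSES = ("...", "\u2026")  # assumed forms of the truncation marker


def split_header(line):
    # The CEF header is seven pipe-delimited fields; a literal pipe inside a
    # field is escaped as \|, so split only on unescaped pipes. Everything
    # after the seventh pipe is the extension.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    return header, parts[7]


def split_extension(ext):
    # Find every "key=" that begins a pair (key preceded by start or whitespace)
    # and take the text up to the next such key as the value; this keeps
    # spaces, commas and semicolons inside values intact.
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z][A-Za-z0-9]*)=", ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields


def parse_case_record(line):
    header, ext = split_header(line)
    fields = split_extension(ext)
    ids_raw = fields["eventIDs"]
    case = {
        "risk_score": float(fields["riskScore"]),
        "classification": fields["caseClassification"],
        "summary": [s for s in fields["caseSummary"].split(";") if s],
        "incident_count": int(fields["numberOfIncidents"]),
        # IDs exceed 64 bits, so keep them as strings; drop the marker itself
        "event_ids": [e for e in ids_raw.split(",") if e and e not in ELLIPSES],
        "truncated": ids_raw.endswith(ELLIPSES),
    }
    return header, fields, case
```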