Keys
The keys that can be included in records sent to the SIEM integration are:
Key Name | Description |
---|---|
bytesReceived | Bytes received in response to the request |
bytesSent | Bytes sent as part of the request |
categoryNumber | Integer representing the category assigned to the URL (see Category number reference) |
categoryReasonCode | The reason the URL was assigned to the listed category (see Category reason code) |
ccaResultAttr | An ID from scanning results indicating which scanning process was used. |
clientDestinationPort | Destination port of client connection; e.g., 8080 with Content Gateway explicit proxy |
clientSourcePort | Source port of the client connection |
cloudAppId | An internal ID assigned to the cloud application. |
cloudAppName | Name of the requested cloud application. |
cloudAppRiskLevel | Risk level (high, medium, or low) assigned to the cloud application. |
cloudAppType | Type of cloud application requested (for example, Finance). |
contentStripped | When Content Gateway content stripping is enabled, a three-bit map of the content that was removed. Bit 0 indicates ActiveX, bit 1 indicates JavaScript, and bit 2 indicates VBScript. For example, "000" indicates that no content was stripped; "010" indicates that only JavaScript was stripped, while "111" indicates that ActiveX, JavaScript, and VBScript data were all stripped. |
contentType | The Content Type value from the request header (for example, image/gif) |
customerId | ID provided to each customer who purchases the Forcepoint Web Security Hybrid Module. (hybrid data) |
destination | Translated IPv4 or IPv6 address of the destination machine (resolved by DNS from the requested URL). |
dispositionNumber | The numeric code associated with the action (e.g., category permitted, file type blocked) applied to the request (see Disposition reference) |
dispositionString | Permitted or Blocked, based on the value of dispositionNumber |
DSSexternalIncidentID | The Forcepoint DLP ID number associated with an incident in the forensics repository |
DSStimeStamp | The Forcepoint DLP timestamp for the forensic data |
dynamicCategory | If non-zero, the category determined by real-time content analysis (e.g., Real-Time Security Scanning, Advanced File Analysis, etc.) |
fileName | The name of the file associated with the request |
fileTypeCode | The file type associated with the request (see File type code) |
keyword | Keyword used to block a request. Empty if the request was not blocked by keyword. |
loginID | Login ID of the user to whom the policy was applied. NOTE: output can now be configured to replace the full LDAP user path with domain/userID. Contact Technical Support for assistance. |
logRecordSource | The source of the log record: Hybrid or on-premises (OnPrem). |
lookupDuration | How long it took to look up category or protocol information in the Forcepoint URL Database (milliseconds) |
method | Method associated with the request (for example, GET, POST, PUT, and so on) |
networkDirection | Inbound (0) or outbound (1) |
policyNames | The name of the policy or policies that could be applied to the request. (Multiple policies may be found, for example, for a user who belongs to multiple groups.) |
port | Integer representing the TCP port of the origin server |
productVersion | Web protection product version, as determined by Multiplexer (for example, 8.2.0) |
protocol | The protocol name (custom or defined in the URL Database) |
protocolId | Signed protocol identifier. A negative number indicates a custom protocol. |
protocolVersion | HTTP Version (Byte.Byte) |
proxySourceAddress | The IP address of the proxy (on-premises data) or the SIEMConnector IP address (hybrid data) |
proxySourcePort | Source port of proxy-server connection |
proxyStatusCode | Proxy HTTP response code |
refererUrl | URL of the referer site associated with the request |
requestCount | The number of requests to a given site. |
roleId | A number associated with the delegated administration role in which the policy applied to the request was created. The identifier for the Super Administrator role is 8. |
scanDuration | If Content Gateway analysis was performed, how long it took (milliseconds) |
scanReasonString | Scanning analytic result, if any; the string might look like: 0-1404-Threat.Malicious.Web.RealTime. |
severity | 1 if permitted, 7 if blocked. This severity entry does not relate to the severity levels assigned to incidents that appear on the Threats dashboard in Security Manager. |
serverStatusCode | Origin server HTTP response code |
source | IPv4 or IPv6 address of the client (requesting) machine |
sourceServer* | IP address (in integer format) of the server that originated the message, either Content Gateway or Network Agent |
time | A positive, long number representing the number of seconds (v8.5) or milliseconds (v8.5.3) since midnight Jan. 1, 1970 |
url | Full requested URL. Does not include protocol or port. |
urlHost | Host (domain) portion of the requested URL |
userAgent | Contents of the User-Agent HTTP header, if present |
userPath | Contains NameSpace, Domain, and UserName information for the user to whom the policy was applied. |
*The SIEM server will identify the proper sourceServer/host only if the custom string starts with this header: `<159>%<:%b %d %H:%M:%S> %<-sourceServer>`
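The following is an added example, not Forcepoint code, showing how a collector might normalise one web record using the field semantics in the table above: decoding the contentStripped bit map, converting the integer-format sourceServer address, and handling the seconds-versus-milliseconds `time` difference between v8.5 and v8.5.3. The space-separated `key=value` line layout and the constructed sample values are assumptions; the real layout is whatever the custom SIEM string produces.

```python
import ipaddress
from datetime import datetime, timezone

# Bit positions from the contentStripped description (bit 0 = ActiveX).
STRIP_BITS = {0: "ActiveX", 1: "JavaScript", 2: "VBScript"}

def parse_record(line: str) -> dict:
    """Split a 'key=value key=value' line into a dict (layout is assumed)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def stripped_content(bitmap: str) -> list:
    """Expand the three-bit contentStripped string ('010' -> JavaScript).
    Assumes bit 0 is the rightmost character, as in a binary literal."""
    value = int(bitmap, 2)
    return [name for bit, name in STRIP_BITS.items() if value & (1 << bit)]

def source_server_ip(raw: str) -> str:
    """sourceServer is an integer-format IP; assumed unsigned 32-bit IPv4."""
    return str(ipaddress.IPv4Address(int(raw)))

def record_time(raw: str) -> datetime:
    """time is seconds (v8.5) or milliseconds (v8.5.3) since the epoch.
    Heuristic: a value above 10**11 cannot be a plausible second count."""
    value = int(raw)
    if value > 10**11:
        value //= 1000
    return datetime.fromtimestamp(value, tz=timezone.utc)

def normalise(line: str) -> dict:
    f = parse_record(line)
    return {
        "time": record_time(f["time"]).isoformat(),
        "user": f.get("loginID", ""),
        "host": f.get("urlHost", ""),
        # severity is 1 if permitted, 7 if blocked; dispositionString agrees
        "blocked": f.get("severity") == "7" or f.get("dispositionString") == "Blocked",
        "stripped": stripped_content(f.get("contentStripped", "000")),
        "origin": source_server_ip(f["sourceServer"]),
        # non-zero dynamicCategory means real-time analysis reclassified the URL
        "reclassified": f.get("dynamicCategory", "0") != "0",
    }

# Constructed sample (not real telemetry); sourceServer 167772161 is 10.0.0.1.
SAMPLE = ("time=1700000000000 loginID=jdoe urlHost=example.com severity=7 contentStripped=010 "
          "dispositionString=Blocked sourceServer=167772161 dynamicCategory=1")
```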
The keys that can be included in audit log records sent to the SIEM integration are:
Key Name | Description |
---|---|
action value | Type of change made, such as log on, log off, add, delete, or change |
details | Specific information about the change that was made. |
productVersion | Web protection product version, as determined by Multiplexer (for example, 8.5.0) |
sourceServer | For changes that affect the Policy Server, such as changes made to Settings options, the IP address or name of the machine running the Policy Server affected by the change. For changes made to policies or to global settings, the IP address of the primary Policy Broker. |
userPath | User name of the administrator who made the change. |