Activity and Alert Events
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
Activity and Alert Events | Base Rule | Activity | General Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Device Vendor | N/A | N/A | N/A |
Device Product | N/A | N/A | N/A |
Device Version | N/A | N/A | N/A |
Device Event Class ID | N/A | N/A | A unique ID identifying the activity. |
Name | N/A | N/A | The name of the action taken. |
Severity | <severity> | Number | The severity assigned with the Forcepoint CASB policy breached by the activity. If more than one policy was breached, the highest severity across these policies is displayed. This column is empty if no policy was breached. Values: 6 = Info, 7 = Low, 8 = Medium, 9 = High, 10 = Critical. |
act | <action> | Text/String | The mitigation action taken by Forcepoint CASB as a result of the policies breached by the activity. |
app | N/A | N/A | Application level protocol (https, http, imap, etc). |
cat | N/A | N/A | The data object category (i.e., logical group based on the cloud service modules). |
cs1 | <policy> | Text/String | The policy rules breached by the activity. |
destinationServiceName | N/A | N/A | The asset name assigned with the cloud service (e.g., My Office365). |
deviceExternalId | N/A | N/A | The endpoint client assigned ID. |
deviceFacility | N/A | N/A | If the IP address is external, this displays "True." |
deviceProcessName | N/A | N/A | The cloud service object accessed. |
dhost | N/A | N/A | N/A |
dpriv | N/A | N/A | A flag indicating if the user performing the activity is an administrator (Admin) or a user (User). |
dst | <dip> | IP Address | The IP address of the cloud service. |
duser | <account> | Text/String | Target user SAM account name. |
dvc | N/A | N/A | N/A |
dvchost | N/A | N/A | N/A |
end | N/A | N/A | The date the activity took place in Epoch. |
externalId | <session> | Text/String | Session ID. |
fsize | <size> | Number | File size. |
msg | N/A | N/A | Title / Department / sourceCountry / destCountry. |
outcome | <status> | Text/String | The activity status (Success / Failure / Unknown). |
proto | N/A | N/A | The sub-service used (e.g., Outlook Web Access or SharePoint Online for Office 365). |
reason | <subject> | Text/String | The activity performed by the user (e.g., view page, delete file). |
request | <url> | Text/String | URL. |
requestClientApplication | <useragent> | Text/String | Endpoint type / Endpoint OS / UserAgent. |
rt | N/A | N/A | Activity date in Epoch. |
sourceServiceName | N/A | N/A | A flag indicating if the device used to access the service is “Managed” or “Unmanaged” by Forcepoint CASB. |
src | <sip> | IP Address | The source IP address for the activity. |
start | N/A | N/A | Activity date in Epoch. |
suser | <login> | Text/String | SAM account name. |
cs2 | N/A | N/A | The data types detected in the activity. |
cs3 | <objecttype> | Text/String | The type of the file related to the activity. |
cs5 | N/A | N/A | A flag indicating whether the data detected in the activity is sensitive (TRUE) or not sensitive (FALSE). |
cs6 | N/A | N/A | The data types detected in the activity. |
dproc | N/A | N/A | Authentication type. |
destinationProcessName | N/A | N/A | N/A |
record | <object> | Text/String | The record type depends on the action type. For example, when the user action is File Upload, the record contains the file name. |
cs4 | N/A | N/A | The full name of the user. This data is retrieved from the Active Directory if integration is in place; otherwise it is empty. |
suid | N/A | N/A | Username. |
duid | N/A | N/A | The activity's destination subject (e.g., the email destination, the person/group a file is shared with, or the user account when an admin changes permissions). |
fname | N/A | N/A | The ID assigned to the data object. |
oldFileName | N/A | N/A | The activity subject (e.g., the email subject, chat message, or searched content). |
cn1 | N/A | N/A | The monetary value of the activity. |
cn2 | N/A | N/A | The impact score given to the activity by Forcepoint CASB. |
oldFileId | N/A | N/A | General properties relevant to the type of activity. |
flexString2 | N/A | N/A | The mitigation actions taken after the activity is detected (e.g., Remove sharing permissions). |
AD.IPReputationCategory | N/A | N/A | IP reputation category name. |
AD.TORNetworks | N/A | N/A | The IP addresses of the Tor networks detected in the activity. |
AD.SuspiciousIPs | N/A | N/A | The suspicious IP addresses of the Tor networks detected in the activity. |
AD.AnonymousProxies | N/A | N/A | The anonymous proxy IP addresses of the Tor networks detected in the activity. |
AD.IPChain | N/A | N/A | The IP chain of the client in the activity. |
AD.IPOrigin | N/A | N/A | A flag indicating whether the endpoint client IP address is considered an external location (External) or an internal location (Internal). This is based on your organization's internal IP ranges settings. If the location cannot be determined, this flag displays "Unknown". |
AD.samAccountName | N/A | N/A | Account name. |
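The table above describes the mapping but not how a CEF record is actually taken apart before the mapping is applied. The following Python is an added example written for this page, not LogRhythm's or Forcepoint's own parser: it splits a CEF line into its seven header slots and its key=value extension, honours CEF escaping of `|` and `=`, renames the keys listed with a schema field in the table (keys marked N/A keep their raw CEF name so nothing is silently dropped), and translates the numeric severity into the Info/Low/Medium/High/Critical label, treating an empty severity as "no policy breached" as the table states. The sample line, its vendor/product/version header values, the event class ID 1001 and all field values are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Extension keys (and the CEF header "Severity" slot) that the mapping table
# above assigns to a LogRhythm schema field. Keys marked N/A in the table are
# deliberately absent: they pass through under their raw CEF name.
CEF_TO_LOGRHYTHM = {
    "Severity": "severity",
    "act": "action",
    "cs1": "policy",
    "dst": "dip",
    "duser": "account",
    "externalId": "session",
    "fsize": "size",
    "outcome": "status",
    "reason": "subject",
    "request": "url",
    "requestClientApplication": "useragent",
    "src": "sip",
    "suser": "login",
    "cs3": "objecttype",
    "record": "object",
}

# Severity numbers as documented in the table.
SEVERITY_LABELS = {6: "Info", 7: "Low", 8: "Medium", 9: "High", 10: "Critical"}

HEADER_FIELDS = ("Device Vendor", "Device Product", "Device Version",
                 "Device Event Class ID", "Name", "Severity")

# A header separator is a pipe that is not escaped with a backslash.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# An extension key is a run of key characters followed by '=', at the start of
# the extension or after whitespace; everything up to the next key is the value.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(value: str) -> str:
    """Undo CEF escaping of '|', '=' and the backslash itself."""
    return re.sub(r"\\([|=\\])", r"\1", value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split the CEF extension into key/value pairs; values may contain spaces."""
    fields: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[start:end].strip())
    return fields


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, extension) for one CEF record; raise on malformed input."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[1:7])))
    header["CEF Version"] = parts[0][len("CEF:"):]
    return header, parse_extension(parts[7])


def severity_label(raw: str) -> Optional[str]:
    """Map the numeric severity to its label; empty means no policy was breached."""
    if raw.strip() == "":
        return None
    try:
        return SEVERITY_LABELS.get(int(raw), "Unknown")
    except ValueError:
        return "Unknown"


def ingest(line: str) -> Dict[str, str]:
    """Parse a CEF line and rename keys to LogRhythm schema fields per the table."""
    header, ext = parse_cef(line)
    record: Dict[str, str] = {}
    for cef_key, value in {**header, **ext}.items():
        record[CEF_TO_LOGRHYTHM.get(cef_key, cef_key)] = value
    record["severity_label"] = severity_label(record.get("severity", ""))
    return record


# Constructed sample record (not a real Forcepoint CASB log line). The escaped
# '\=' inside the record value exercises the unescaping path.
SAMPLE_LINE = (
    "CEF:0|Forcepoint|CASB|1.0|1001|File Upload|9|"
    "act=Block suser=jdoe duser=jdoe src=203.0.113.10 dst=198.51.100.20 "
    "outcome=Success reason=upload file request=https://example.invalid/upload "
    "fsize=204800 cs1=Block PII Upload cs3=pdf record=quarterly\\=results.pdf "
    "externalId=sess-42 requestClientApplication=Browser / Windows / Mozilla/5.0 "
    "AD.IPOrigin=External"
)

if __name__ == "__main__":
    for field, value in ingest(SAMPLE_LINE).items():
        print(f"{field:25s} {value}")
```

Keys that arrive under a custom `AD.*` name, or any key the table lists as N/A, remain visible in the output under their CEF name, so a parser rule that later gains a schema mapping for them loses nothing. A severity that is present but outside 6 to 10 is labelled "Unknown" rather than raising, so one unexpected record does not stop ingestion of the rest of the feed.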