Incident Events
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
Incident Events | Base Rule | Activity | General Threat Message |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Device Vendor | N/A | N/A | N/A |
Device Product | N/A | N/A | N/A |
Device Version | N/A | N/A | N/A |
Device Event Class ID | N/A | N/A | A unique ID identifying the activity. |
Name | N/A | N/A | The name of the action taken. |
Severity | <severity> | Number | The severity assigned to the Forcepoint CASB policy breached by the activity. If more than one policy was breached, the highest severity across these policies is displayed. This column is empty if no policy was breached. Values: 6 = Info; 7 = Low; 8 = Medium; 9 = High; 10 = Critical. |
act | <action> | Text/String | The mitigation action taken by Forcepoint CASB as a result of the policies breached by the incident. |
cat | <status> | Text/String | The status of the incident based on the workflow actions. The incident could be: |
cs1 | <policy> | Text/String | The rule name to which the incident relates. |
destinationServiceName | N/A | N/A | The asset name assigned with the cloud service. |
dpriv | N/A | N/A | A flag indicating if the user performing the activity is an administrator (Admin) or a user (User). |
duser | N/A | N/A | The account used to access the cloud service. |
end | N/A | N/A | The date and time of the current last alert attached to the incident. |
msg | N/A | N/A | The relevant rule's description. |
rt | N/A | N/A | The date and time Forcepoint CASB detected the incident. This is the time Forcepoint CASB processed the data and can be days after the first activities. |
sourceServiceName | N/A | N/A | The activity audit type (i.e., Real Time or Service-logs). |
start | N/A | N/A | The date and time of the first alert attached to the incident (i.e., the alert that created the incident). |
suser | <login> | Text/String | The SAM account name. |
cs4 | N/A | N/A | The full name of the user. This data is retrieved from the Active Directory if integration is in place; otherwise it is empty. |
cs6 | <vendorinfo> | Text/String | The incident description. |
flexString2 | <quantity> | Number | The number of alerts attached to the incident. |
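The table above lists the CEF header fields (Device Vendor through Severity) and the extension keys (act, cat, cs1, ...) of a Forcepoint CASB incident record and which LogRhythm schema fields they feed. The following Python script is an added example, not LogRhythm's or Forcepoint's own parser: it splits a CEF line into header and extension, then applies the mapping and the severity values from the table. The sample record, its vendor/product/version strings and every field value in it are constructed for illustration; the only things taken from the page are the key names, the schema field names and the severity numbers.

```python
import re
from typing import Any, Dict

# CEF extension key -> LogRhythm schema field, as given in the mapping table.
# Keys whose LogRhythm mapping is N/A (duser, msg, rt, ...) are parsed but not mapped.
CEF_TO_LOGRHYTHM = {
    "act": "action",
    "cat": "status",
    "cs1": "policy",
    "suser": "login",
    "cs6": "vendorinfo",
    "flexString2": "quantity",
}

# Severity values documented for this log source.
SEVERITY_LABELS = {6: "Info", 7: "Low", 8: "Medium", 9: "High", 10: "Critical"}

# Order of the seven CEF header fields (standard CEF layout).
HEADER_FIELDS = (
    "cef_version", "device_vendor", "device_product", "device_version",
    "device_event_class_id", "name", "severity",
)

_UNESCAPE = {r"\|": "|", r"\=": "=", r"\\": "\\", r"\n": "\n", r"\r": "\r"}


def _unescape(value: str) -> str:
    # Undo the CEF escapes for pipe, equals, backslash and line breaks.
    return re.sub(r"\\[|=\\nr]", lambda m: _UNESCAPE[m.group(0)], value)


def parse_cef(line: str) -> Dict[str, Any]:
    """Split a CEF line into its seven header fields plus extension key/value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Header fields are separated by unescaped pipes; the eighth chunk is the extension.
    chunks = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(chunks) < 8:
        raise ValueError("CEF header is incomplete")
    header = dict(zip(HEADER_FIELDS, (_unescape(c) for c in chunks[:7])))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    # Extension values may contain spaces, so locate each key at a token boundary
    # and take everything up to the next key as that key's value.
    ext = chunks[7]
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    extension: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end].strip())
    return {"header": header, "extension": extension}


def to_logrhythm(line: str) -> Dict[str, Any]:
    """Map one incident record onto the LogRhythm schema fields named in the table."""
    rec = parse_cef(line)
    out: Dict[str, Any] = {}
    sev = rec["header"]["severity"]
    if sev:  # the page says this column is empty when no policy was breached
        out["severity"] = int(sev)
        out["severity_label"] = SEVERITY_LABELS.get(out["severity"], "Unknown")
    for cef_key, schema_field in CEF_TO_LOGRHYTHM.items():
        if cef_key in rec["extension"]:
            out[schema_field] = rec["extension"][cef_key]
    if "quantity" in out:
        out["quantity"] = int(out["quantity"])  # documented as Number
    # Header fields carry no LogRhythm mapping on the page; keep the event ID for context.
    out["event_class_id"] = rec["header"]["device_event_class_id"]
    return out


# Constructed sample record; header and extension values are illustrative only
# and do not come from a real Forcepoint CASB deployment.
SAMPLE = (
    "CEF:0|Forcepoint|CASB|1.0|INC-0001|Policy breach|8|"
    "act=Block cat=Open cs1=Sensitive file upload "
    "destinationServiceName=Example Storage dpriv=User "
    "duser=jdoe@example.test end=Jan 02 2024 10:15:00 "
    "msg=Blocks upload of files classified as sensitive "
    "rt=Jan 03 2024 08:00:00 sourceServiceName=Real Time "
    "start=Jan 01 2024 09:00:00 suser=jdoe cs4=Jane Doe "
    "cs6=Upload blocked by policy \\= DLP flexString2=3"
)

if __name__ == "__main__":
    for field, value in to_logrhythm(SAMPLE).items():
        print(f"{field}: {value!r}")
```

The extension parser deliberately anchors keys at whitespace so that free-text values such as the policy name or the cs6 description survive intact, and the escaped `\=` in the constructed cs6 value shows the unescaping step; an empty Severity column (no policy breached) yields no severity fields rather than a failed integer conversion.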