Incident Events

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Incident Events | Base Rule | Activity | General Threat Message |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Device Vendor | N/A | N/A | N/A |
| Device Product | N/A | N/A | N/A |
| Device Version | N/A | N/A | N/A |
| Device Event Class ID | N/A | N/A | A unique ID identifying the activity. |
| Name | N/A | N/A | The name of the action taken. |
| Severity | <severity> | Number | The severity assigned to the Forcepoint CASB policy breached by the activity. If more than one policy was breached, the highest severity across these policies is displayed. This column is empty if no policy was breached. Values: 6 = Info; 7 = Low; 8 = Medium; 9 = High; 10 = Critical. |
| act | <action> | Text/String | The mitigation action taken by Forcepoint CASB as a result of the policies breached by the incident. |
| cat | <status> | Text/String | The status of the incident based on the workflow actions. Active: the incident is active from the Forcepoint CASB administrator's perspective and still needs attention (default). Acknowledged: the Forcepoint CASB administrator has acknowledged the incident through the workflow action; existing violations of the policy will no longer be listed, but the incident still impacts the user's risk score calculation. Ignored: the Forcepoint CASB administrator set the incident to be ignored; the incident has been removed from the user's Account page and no longer impacts the user's risk score calculation. |
| cs1 | <policy> | Text/String | The rule name to which the incident relates. |
| destinationServiceName | N/A | N/A | The asset name assigned to the cloud service. |
| dpriv | N/A | N/A | A flag indicating whether the user performing the activity is an administrator (Admin) or a user (User). |
| duser | N/A | N/A | The account used to access the cloud service. |
| end | N/A | N/A | The date and time of the current last alert attached to the incident. |
| msg | N/A | N/A | The relevant rule's description. |
| rt | N/A | N/A | The date and time Forcepoint CASB detected the incident. This is the time Forcepoint CASB processed the data and can be days after the first activities. |
| sourceServiceName | N/A | N/A | The activity audit type (i.e., Real Time or Service-logs). |
| start | N/A | N/A | The date and time of the first alert attached to the incident (i.e., the alert that created the incident). |
| suser | <login> | Text/String | The SAM account name. |
| cs4 | N/A | N/A | The full name of the user. This data is retrieved from Active Directory if integration is in place; otherwise it is empty. |
| cs6 | <vendorinfo> | Text/String | The incident description. |
| flexString2 | <quantity> | Number | The number of alerts attached to the incident. |
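As an added example (not code from the LogRhythm or Forcepoint documentation), the following Python parses one Forcepoint CASB incident event and applies the mapping above, promoting only the keys the table binds to a LogRhythm schema field and labelling the severity with the page's 6 to 10 scale. It assumes the events arrive as CEF lines (the key names in the table are CEF header and extension fields); the sample line and its values are constructed.

```python
import re

# CEF extension key -> LogRhythm schema field, taken from the mapping table above.
# Keys the table marks N/A are kept in the raw extension dict but not promoted.
EXT_TO_SCHEMA = {
    "act": "action", "cat": "status", "cs1": "policy",
    "suser": "login", "cs6": "vendorinfo", "flexString2": "quantity",
}
# Severity values used by Forcepoint CASB, from the Severity row of the table.
SEVERITY_LABELS = {6: "Info", 7: "Low", 8: "Medium", 9: "High", 10: "Critical"}
HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity"]
# key=value where the value runs until the next " key=" or end of line,
# so values containing spaces (policy names, descriptions) survive intact.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def _unescape(value):
    # CEF escapes '=' and '\' inside extension values.
    return value.replace("\\=", "=").replace("\\\\", "\\")

def parse_cef(line):
    """Split a CEF line into its 7 header fields and a dict of extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # '\|' is an escaped pipe
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    ext = {k: _unescape(v) for k, v in _EXT_RE.findall(parts[7])}
    return header, ext

def to_logrhythm(line):
    """Map one Forcepoint CASB incident event to the LogRhythm schema fields."""
    header, ext = parse_cef(line)
    record = {field: ext[key] for key, field in EXT_TO_SCHEMA.items() if key in ext}
    sev = header["severity"]
    if sev.isdigit():  # empty when no policy was breached
        record["severity"] = int(sev)
        record["severity_label"] = SEVERITY_LABELS.get(int(sev))
    if "quantity" in record:
        record["quantity"] = int(record["quantity"])  # <quantity> is a Number
    return record

# Constructed sample line; not a real Forcepoint CASB event.
SAMPLE = ("CEF:0|Forcepoint|CASB|1.0|1001|Policy Violation|9|"
          "rt=Jan 10 2024 12:00:00 act=Block cat=Active "
          "cs1=Block upload to personal cloud suser=jdoe "
          "cs6=Upload of sensitive file flexString2=3")
```

Calling `to_logrhythm(SAMPLE)` yields the status, policy, login, action, vendorinfo and quantity fields plus severity 9 labelled High; an event with an empty severity column produces no severity field at all.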