Skip to main content
Skip table of contents

Incident Events

Vendor Documentation


Rule NameRule TypeClassificationCommon Event
Incident EventsBase RuleActivityGeneral Threat Message

Mapping with LogRhythm Schema

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
Device VendorN/AN/AN/A
Device ProductN/AN/AN/A
Device VersionN/AN/AN/A
Device Event Class IDN/AN/AA unique ID identifying the activity.
NameN/AN/AThe name of the action taken.
Severity<severity>NumberThe severity assigned with the Forcepoint CASB policy breached by the activity. If more than one policy was breached, the highest severity across these policies is displayed. This column is empty if no policy was breached.
6 = Info
7 = Low
8 = Medium
9 = High
10 = Critical
act<action>Text/StringThe mitigation action taken by Forcepoint CASB as a result of the policies breached by the incident.
cat<status>Text/StringThe status of the incident based on the workflow actions. The incident could be:
  • Active: The incident is active from the Forcepoint CASB administrator's perspective and still needs attention (default).
  • Acknowledged: The Forcepoint CASB administrator has acknowledged the incident through the workflow action. Existing violations of the policy will no longer be listed. The incident still impacts the user's risk score calculation.
  • Ignored: The Forcepoint CASB administrator set the incident to be ignored. The incident has been removed from the user's Account page and no longer impacts the user's risk score calculation.
cs1<policy>Text/StringThe rule name to which the incident relates.
destinationServiceNameN/AN/AThe asset name assigned with the cloud service.
dprivN/AN/AA flag indicating if the user performing the activity is an administrator (Admin) or a user (User).
duserN/AN/AThe account used to access the cloud service.
endN/AN/AThe date and time of the current last alert attached to the incident.
msgN/AN/AThe relevant rule's description.
rtN/AN/AThe date and time Forcepoint CASB detected the incident. This is the time Forcepoint CASB processed the data and can be days after the first activities.
sourceServiceNameN/AN/AThe activity audit type (i.e., Real Time or Service-logs).
startN/AN/AThe date and time of the first alert attached to the incident (i.e., the alert that created the incident).
suser<login>Text/StringThe SAM account name.
cs4N/AN/AThe full name of the user. This data is retrieved from the Active Directory if integration is in place; otherwise it is empty.
cs6<vendorinfo>Text/StringThe incident description.
flexString2<quantity>NumberThe number of alerts attached to the incident.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.