V 2.0 : Forcepoint Secure Web Gateway Event

Vendor Documentation

https://www.websense.com/content/support/library/web/v85/siem/siem.pdf

Classification

Rule Name	Rule Type	Common Event	Classification
V 2.0 Forcepoint Secure Web Gateway Event	Base Rule	Gateway Message	Information

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
N/A	<vendorinfo>	Text/String	Vendor
productVersion	<version>	Text/String	N/Web protection product version, as determined by Multiplexer (for example, 8.2.0)
categoryNumber	N/A	N/A	Integer representing the category assigned to the URL.
Transaction	N/A	N/A	Permitted or Blocked, based on the value of dispositionNumber.
severity	<severity>	Number	1 if permitted, 7 if blocked This severity entry does not relate to the severity levels assigned to incidents that appear on the Threats dashboard in Security Manager.
act	<action>	Text/String	Action
app	<protname>	Text/String	Protocol (The protocol name (custom or defined in the URL Database))
dvc	N/A	N/A	sourceServer (IP address (in integer format) of the server that originated the message, either Content Gateway or Network Agent)
dst	<dip>	IP Address	Destination (Translated IPv4 or IPv6 address of the destination machine) (resolved by DNS from the requested URL).
dhost	<domainorigin>	Text/String	urlHost (Host (domain) portion of the requested URL)
dpt	<dport>	Number	clientDestinationPort (Destination port of client connection; e.g., 8080 with Content Gateway explicit proxy)
src	<sip>	IP Address	source (IPv4 or IPv6 address of the client (requesting) machine)
spt	<sport>	Number	clientSourcePort (Source port of the client connection)
suser	N/A	N/A	userPath (Contains NameSpace, Domain, and UserName information for the user to whom the policy was applied.)
loginID	<login>	Text/String	loginID (Login ID of the user to whom the policy was applied.) (Output can now be configured to replace the full LDAP user path with domain/userID.)
destinationTranslatedPort	<snatport>	Number	proxySourcePort (Source port of proxy-server connection)
rt	N/A	N/A	Time (A positive, long number representing the number of seconds (v8.5) or milliseconds (v8.5.3) since midnight Jan. 1, 1970)
in	<bytesin>	Number	bytesReceived (Bytes received in response to the request)
out	<bytesout>	Number	bytesSent (Bytes sent as part of the request)
requestMethod	<command>	Text/String	method (Method associated with the request (for example, GET, POST, PUT, and so on))
requestClientApplication	<useragent>	Text/String	userAgent (Contents of the User-Agent HTTP header, if present)
reason	<reason>	Text/String	scanReasonString (Scanning analytic result, if any; the string might look like: 0-1404-Threat.Malicious.Web.RealTime.)
cs1Label	N/A	N/A	N/A
cs1	<policy>	Text/String	policyNames (The name of the policy or policies that could be applied to the request. (Multiple policies may be found, for example, for a user who belongs to multiple groups.))
cs2Label	N/A	N/A	N/A
cs2	N/A	N/A	dynamicCategory (If non-zero, the category determined by real-time content analysis (e.g., Real-Time Security Scanning, Advanced File Analysis, etc.))
cs3Label	N/A	N/A	N/A
cs3	<objecttype>	Text/String	contentType (The Content Type value from the request header (for example, image/gif))
cn1Label	N/A	N/A	N/A
cn1	<responsecode>	Number	dispositionNumber (The numeric code associated with the action (e.g., category permitted, file type blocked) applied to the request)
cn2Label	N/A	N/A	N/A
cn2	<milliseconds>	Number	scanDuration (If Content Gateway analysis was performed, how long it took (milliseconds))
request	<url>	Text/String	url (Full requested URL. Does not include protocol or port.)
logRecordSource	N/A	N/A	logRecordSource (The source of the log record. (Hybrid or on-premises (OnPrem)))
fileName	<objectname>	Text/String	The name of the file associated with the request.
fileTypeCode	<object>	Text/String	The file type associated with the request.
ccaResultAttr	<processid>	Number	An ID from scanning results indicating which scanning process was used.
cloudAppId	N/A	N/A	An internal ID assigned to the cloud application.
cloudAppName	N/A	N/A	Name of the requested cloud application.
cloudAppRiskLevel	N/A	N/A	Risk level (high, medium, or low) assigned to the cloud application.
cloudAppType	N/A	N/A	Type of cloud application requested (for example, Finance).
contentStripped	N/A	N/A	When Content Gateway content stripping is enabled, a threebit map of the content that was removed. Bit 0 indicates ActiveX Bit 1 indicates JavaScript Bit 2 indicates VBScript For example, “000” indicates that no content was stripped. On the other hand, “010” indicates only JavaScript is stripped, while “111” indicates that ActiveX, JavaScript, and VBScript data are all stripped.
customerId	N/A	N/A	ID provided to each customer who purchases the Forcepoint Web Security Hybrid Module. (hybrid data)
DSSexternalIncidentID	<threatid>	Text/String/Number	The Forcepoint DLP ID number associated with an incident in the forensics repository.
DSStimeStamp	N/A	N/A	The Forcepoint DLP timestamp for the forensic data.
keyword	N/A	N/A	Keyword used to block a request. Empty if the request was not blocked by keyword.
networkDirection	N/A	N/A	Inbound (0) or outbound (1)
protocolId	<protnum>	Text/String	Signed protocol identifier. A negative number indicates a custom protocol.
protocolVersion	N/A	N/A	HTTP Version (Byte.Byte)
proxySourceAddress	N/A	N/A	The IP address of the proxy (on-premises data) or the SIEMConnector IP address (hybrid data).
proxyStatusCode	N/A	N/A	Proxy HTTP response code.
refererUrl	N/A	N/A	URL of the referer site associated with the request.
requestCount	<quantity>	Number	The number of requests to a given site.
roleId	N/A	N/A	A number associated with the delegated administration role in which the policy applied to the request was created. The identifier for the Super Administrator role is 8.
serverStatusCode	N/A	N/A	Origin server HTTP response code.