Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 Forcepoint Secure Web Gateway Event | Base Rule | Gateway Message | Information |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | <vendorinfo> | Text/String | Vendor |
| productVersion | <version> | Text/String | Web protection product version, as determined by Multiplexer (for example, 8.2.0) |
| categoryNumber | N/A | N/A | Integer representing the category assigned to the URL. |
| Transaction | N/A | N/A | Permitted or Blocked, based on the value of dispositionNumber. |
| severity | <severity> | Number | 1 if permitted, 7 if blocked |
| act | <action> | Text/String | Action |
| app | <protname> | Text/String | Protocol (the protocol name, either custom or defined in the URL Database) |
| dvc | N/A | N/A | sourceServer (IP address, in integer format, of the server that originated the message, either Content Gateway or Network Agent) |
| dst | <dip> | IP Address | Destination (translated IPv4 or IPv6 address of the destination machine) |
| dhost | <domainorigin> | Text/String | urlHost (host (domain) portion of the requested URL) |
| dpt | <dport> | Number | clientDestinationPort (destination port of the client connection; e.g., 8080 with Content Gateway explicit proxy) |
| src | <sip> | IP Address | source (IPv4 or IPv6 address of the client (requesting) machine) |
| spt | <sport> | Number | clientSourcePort (source port of the client connection) |
| suser | <login> | Text/String | userPath (contains NameSpace, Domain, and UserName information for the user to whom the policy was applied) |
| loginID | <login> | Text/String | loginID (login ID of the user to whom the policy was applied; output can be configured to replace the full LDAP user path with domain/userID) |
| destinationTranslatedPort | <snatport> | Number | proxySourcePort (source port of the proxy-server connection) |
| rt | N/A | N/A | Time (a positive long integer: the number of seconds (v8.5) or milliseconds (v8.5.3) since midnight Jan. 1, 1970) |
| in | <bytesin> | Number | bytesReceived (bytes received in response to the request) |
| out | <bytesout> | Number | bytesSent (bytes sent as part of the request) |
| requestMethod | <command> | Text/String | method (method associated with the request, for example GET, POST, PUT) |
| requestClientApplication | <useragent> | Text/String | userAgent (contents of the User-Agent HTTP header, if present) |
| reason | <reason> | Text/String | scanReasonString (scanning analytic result, if any; the string might look like 0-1404-Threat.Malicious.Web.RealTime) |
| cs1Label | N/A | N/A | N/A |
| cs1 | <policy> | Text/String | policyNames (the name of the policy or policies that could be applied to the request; multiple policies may be found, for example, for a user who belongs to multiple groups) |
| cs2Label | N/A | N/A | N/A |
| cs2 | N/A | N/A | dynamicCategory (if non-zero, the category determined by real-time content analysis, e.g., Real-Time Security Scanning, Advanced File Analysis) |
| cs3Label | N/A | N/A | N/A |
| cs3 | <objecttype> | Text/String | contentType (the Content Type value from the request header, for example image/gif) |
| cn1Label | N/A | N/A | N/A |
| cn1 | <responsecode> | Number | dispositionNumber (the numeric code for the action applied to the request, e.g., category permitted or file type blocked) |
| cn2Label | N/A | N/A | N/A |
| cn2 | <milliseconds> | Number | scanDuration (if Content Gateway analysis was performed, how long it took, in milliseconds) |
| request | <url> | Text/String | url (full requested URL; does not include protocol or port) |
| logRecordSource | N/A | N/A | logRecordSource (the source of the log record: Hybrid or on-premises (OnPrem)) |
| fileName | <objectname> | Text/String | The name of the file associated with the request. |
| fileTypeCode | <object> | Text/String | The file type associated with the request. |
| ccaResultAttr | <processid> | Number | An ID from scanning results indicating which scanning process was used. |
| cloudAppId | N/A | N/A | An internal ID assigned to the cloud application. |
| cloudAppName | N/A | N/A | Name of the requested cloud application. |
| cloudAppRiskLevel | N/A | N/A | Risk level (high, medium, or low) assigned to the cloud application. |
| cloudAppType | N/A | N/A | Type of cloud application requested (for example, Finance). |
| contentStripped | N/A | N/A | When Content Gateway content stripping is enabled, a three-bit map of the content that was removed. |
| customerId | N/A | N/A | ID provided to each customer who purchases the Forcepoint Web Security Hybrid Module (hybrid data). |
| DSSexternalIncidentID | <threatid> | Text/String/Number | The Forcepoint DLP ID number associated with an incident in the forensics repository. |
| DSStimeStamp | N/A | N/A | The Forcepoint DLP timestamp for the forensic data. |
| keyword | N/A | N/A | Keyword used to block a request. Empty if the request was not blocked by keyword. |
| networkDirection | N/A | N/A | Inbound (0) or outbound (1) |
| protocolId | <protnum> | Text/String | Signed protocol identifier. A negative number indicates a custom protocol. |
| protocolVersion | N/A | N/A | HTTP version (Byte.Byte) |
| proxySourceAddress | N/A | N/A | The IP address of the proxy (on-premises data) or the SIEMConnector IP address (hybrid data). |
| proxyStatusCode | N/A | N/A | Proxy HTTP response code. |
| refererUrl | N/A | N/A | URL of the referer site associated with the request. |
| requestCount | <quantity> | Number | The number of requests to a given site. |
| roleId | N/A | N/A | A number associated with the delegated administration role in which the policy applied to the request was created. The identifier for the Super Administrator role is 8. |
| serverStatusCode | N/A | N/A | Origin server HTTP response code. |
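Three details in the table above trip up a naive "split on spaces" consumer of these records: the csN/cnN custom fields only carry meaning through their matching csNLabel/cnNLabel keys, rt is epoch seconds on v8.5 but epoch milliseconds on v8.5.3, and both suser and loginID land in the same <login> field. The following Python parser is an added example, not LogRhythm or Forcepoint code. It splits the CEF header honouring the `\|` escape, parses the extension with `\=` escapes and values that contain spaces, pairs labels with values, maps device keys onto the schema fields listed in the table, and derives Transaction from the severity value (1 permitted, 7 blocked) because the page does not list the dispositionNumber codes. The two log lines are constructed for illustration; preferring loginID over suser for <login> and treating rt values at or above 1e11 as milliseconds are assumptions of this example.

```python
"""Parse Forcepoint Secure Web Gateway CEF records and map them onto LogRhythm schema fields.

Added example (not LogRhythm or Forcepoint code). Key-to-schema mapping follows the table
above; the sample records are constructed, not captured from a real gateway.
"""
import re
from datetime import datetime, timedelta, timezone

# Device key -> LogRhythm schema field, in preference order (first key seen wins a field).
# Assumption: loginID precedes suser because both map to <login> and loginID is the compact form.
KEY_TO_SCHEMA = [
    ("productVersion", "version"), ("act", "action"), ("app", "protname"),
    ("dst", "dip"), ("dhost", "domainorigin"), ("dpt", "dport"),
    ("src", "sip"), ("spt", "sport"), ("loginID", "login"), ("suser", "login"),
    ("destinationTranslatedPort", "snatport"), ("in", "bytesin"), ("out", "bytesout"),
    ("requestMethod", "command"), ("requestClientApplication", "useragent"),
    ("reason", "reason"), ("cs1", "policy"), ("cs3", "objecttype"),
    ("cn1", "responsecode"), ("cn2", "milliseconds"), ("request", "url"),
    ("fileName", "objectname"), ("fileTypeCode", "object"),
    ("ccaResultAttr", "processid"), ("DSSexternalIncidentID", "threatid"),
    ("protocolId", "protnum"), ("requestCount", "quantity"), ("severity", "severity"),
]

# A key is a run of word characters followed by '=' at the start of the extension or after whitespace.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")


def _unescape(value):
    """Undo CEF extension escapes: \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def split_header(line):
    """Split the seven pipe-delimited CEF header fields, honouring \\| and \\\\ escapes.
    Returns (fields, extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    return fields, line[i:]


def parse_extension(ext):
    """Parse 'key=value key2=value' where values may contain spaces and escaped '='."""
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return out


def parse_forcepoint_cef(line):
    fields, ext = split_header(line.rstrip("\r\n"))
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    raw = parse_extension(ext)
    raw["severity"] = fields[6]  # header Severity: 1 permitted, 7 blocked per the mapping table

    schema = {}
    for key, field in KEY_TO_SCHEMA:
        if key in raw:
            schema.setdefault(field, raw[key])

    # csN/cnN values get their meaning from the matching csNLabel/cnNLabel key.
    labels = {k[:-5]: v for k, v in raw.items() if k.endswith("Label")}
    labeled = {labels[k]: v for k, v in raw.items() if k in labels}

    transaction = {"1": "Permitted", "7": "Blocked"}.get(raw["severity"])

    # rt is epoch seconds on 8.5 and epoch milliseconds on 8.5.3. Assumption: anything at or
    # above 1e11 is milliseconds (1e11 seconds would be the year 5138). Integer arithmetic
    # avoids float rounding of the millisecond part.
    timestamp = None
    if "rt" in raw:
        n = int(raw["rt"])
        ms = n if n >= 10**11 else n * 1000
        timestamp = datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)

    # protocolId is signed; negative means a custom protocol (from the table).
    custom_protocol = int(raw["protocolId"]) < 0 if "protocolId" in raw else None

    return {"vendor": fields[1], "product": fields[2], "schema": schema, "labeled": labeled,
            "transaction": transaction, "timestamp": timestamp,
            "custom_protocol": custom_protocol, "raw": raw}


# Constructed sample records (not real Forcepoint output); values chosen to exercise the
# escapes, the label pairing, and both rt encodings.
SAMPLE_PERMITTED = (
    "CEF:0|Forcepoint|Web Security|8.5.3|0|Transaction permitted|1|"
    "act=permitted app=HTTP dvc=10.0.0.5 dst=93.184.216.34 dhost=example.com dpt=8080 "
    "src=10.1.2.3 spt=51234 suser=LDAP://corp.example.com OU\\=Users,DC\\=corp/jdoe "
    "loginID=CORP/jdoe rt=1700000000123 in=4096 out=512 requestMethod=GET "
    "requestClientApplication=Mozilla/5.0 (X11; Linux x86_64) "
    "request=example.com/index.html?a\\=1 cs1Label=policyNames cs1=Default "
    "cs3Label=contentType cs3=text/html cn1Label=dispositionNumber cn1=1025 "
    "cn2Label=scanDuration cn2=12 protocolId=1 categoryNumber=153"
)
SAMPLE_BLOCKED = (
    "CEF:0|Forcepoint|Web Security|8.5.0|0|Blocked \\| custom protocol|7|"
    "act=blocked app=CustomTunnel src=10.1.2.3 dst=198.51.100.7 rt=1700000000 "
    "protocolId=-5 reason=0-1404-Threat.Malicious.Web.RealTime"
)

if __name__ == "__main__":
    for line in (SAMPLE_PERMITTED, SAMPLE_BLOCKED):
        ev = parse_forcepoint_cef(line)
        print(ev["transaction"], ev["timestamp"].isoformat(), ev["schema"].get("login"),
              ev["schema"].get("url"), ev["labeled"], "custom_protocol=%s" % ev["custom_protocol"])
```

The magnitude heuristic for rt is there because the productVersion key is optional and the header version string is not guaranteed to be the same as the release that changed the unit; if you know every sender runs v8.5.3, replace it with a fixed divisor. Note also that the parser keeps the raw key/value map, so keys the table maps to N/A (categoryNumber, keyword, roleId) are still available for detection logic.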