Forcepoint Cloud Security Gateway and Azure Sentinel

Table of contents

1. Summary
2. Source Code
3. Caveats
4. Configure Forcepoint Cloud Security Gateway SIEM Integration
   1. Log Export permission
   2. Enable SIEM logging
5. Create Log Analytics Workspace
6. Implementation options
   1. Implementation – Docker
      1. Step 1: Find Syslog Agent (omsagent) Installation Command
      2. Step 2: Download Docker Compose files
      3. Step 3: Define required Environment variables
      4. Step 4: Start Services
   2. Implementation - Traditional
      1. Step 1: Syslog Agent (omsagent) Installation
      2. Step 2: Download the source code
      3. Step 3: Run installation script
      4. Step 4: Reboot the host-machine
7. Troubleshooting
   1. Docker Implementation
      1. Validate the prerequisites
      2. Check network connectivity
      3. Check dependencies are installed
      4. Check all components are configured and running properly
   2. Traditional Implementation
      1. Validate the prerequisites
      2. Check network connectivity
      3. Check dependencies are installed
      4. Check all components are configured and running properly
8. Appendix A – Mapping fields between Forcepoint Cloud Security Gateway Web log and CEF
9. Appendix B – Mapping fields between Forcepoint Cloud Security Gateway Email log and CEF
10. Appendix C – Create a Workbook into Azure Sentinel

License

These contents are licensed under Apache License, Version 2.0. http://www.apache.org/licenses/LICENSE-2.0

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SITE AND ITS CONTENT IS PROVIDED TO YOU ON AN “AS IS,” “AS AVAILABLE” AND “WHERE-IS” BASIS. ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THE SITE OR ITS CONTENT, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS, ARE HEREBY DISCLAIMED

Document Revision

Version	Date	Author	Notes
0.1	28 August 2020	Dlo Bagari	First draft
0.2	8 September 2020	Neelima Rai	Added Troubleshooting chapter
0.3	14 September 2020	Mattia Maggioli	Review
0.4	15 December 2020	Dlo Bagari	Added syslog installation command to config file
0.5	04 May 2021	Dlo Bagari	Encrypt Forcepoint CSG Credentials
0.6	25 May 2021	Dlo Bagari	Removed log analytics agent from installation script

Summary

This guide provides step by step instructions to configure an event-driven pipeline to export Forcepoint Cloud Security Gateway web and/or email logs into Azure Sentinel so that custom dashboards can be created using Azure Monitor Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.

The code and instructions provided enable system administrators to automatically:

• Export logs from Forcepoint Cloud Security Gateway into an intermediate Syslog service

• Configure Syslog to CEF format and forward it to Azure Log Analytics Agent

• Configure Azure Log Analytics Agent to receive data from Syslog and forward data to an Azure Workspace

A description of the workflow between the components involved in this POC is depicted in this diagram:

Source Code

fp-bd-csg-azure-sentinel

The integration uses compiled code, if you need to recompile the code an encryption key with size 16, 24 or 32 needs to be passed to the compile command. The encryption key is used to encrypt Forcepoint CSG credentials and save the encrypted credentials in the integration’s host-machine.

• for docker implementation: open the Dockerfile, in the compile command, add your encryption key as value for main.encryptionKey parameter. for example:

   RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -a -installsuffix cgo -ldflags "-X 'main.encryptionKey=MyEncryptionKey1' -extldflags '-static'" -o csg-sentinel .

• for traditional implementation: add your encryption key as value for main.encryptionKey parameter to the compile command. for example:

  CGO_ENABLED=0 GOOS=linux go build -mod=vendor -a -installsuffix cgo -ldflags "-X 'main.encryptionKey=MyEncryptionKey1' -extldflags '-static'" -o csg-sentinel .

Caveats

The integration described in this document was developed and tested with the following products as of May 2021:

• Forcepoint Cloud Security Gateway

• Azure Sentinel

• omsagent-1.13.7-0

The following activities are out of the scope of this document and therefore left to the system administrator, as part of ordinary maintenance procedures to be put in place within the existing infrastructure.

• configuration of appropriate hygiene procedures to handle logs produced during any step of the solution workflow

• monitoring of the scripts, services, and applications involved in the solution

Configure Forcepoint Cloud Security Gateway SIEM Integration

Log Export permission

Ensure your account has Log Export permission.

1. Login to the Forcepoint Cloud Security Gateway portal

2. Click ACCOUNT > Contacts

   

3. Under the User Name column, find your username and click on it.

4. In the Account Permissions section, ensure the Log Export box is clicked.

   

5. Click Save

Enable SIEM logging

In your Security Portal, navigate to Reporting > SIEM Integration under ACCOUNT REPORTS

To export web/email logs do as follows:

1. Select Web Security as a data type:

   

2. Enable data export:

   

3. From the Attributes section, drag and drop the following attributes into the columns section:

   • Risk Class

   • Action

   • User

   • Policy

   • Category

   • Domain

   • Protocol

   • URL – Full

   • Cloud App

   • Cloud App Category

   • Cloud App Risk Level

   • Connection IP

   • Connection IP City

   • Connection IP Country

   • Connection Name

   • Destination IP

   • Source IP

   • Analytic Name

   • File Sandbox Status

   • Severity

   • Threat Name

   • Threat Type

   • Date & Time

   • File Name

   • File Type

   • Operating System

   • User Agent

   • Authentication Method

   • Classification Type

   • Date Center

   • Filtering Source

   • HTTP Status Code

   • Request Method

   • Bytes Received

   • Bytes Sent

   Make sure all the above attributes are selected and DO NOT remove any of these attributes from the columns section: Azure Sentinel won’t be able to ingest events log if data are missing.

4. Click Save

5. Change Data type to Email Security

   

6. Enable data export

   

7. From the Attributes section, drag and drop the following attributes into the columns section:

   • Direction

   • From: Address

   • Policy

   • Recipient Address

   • Recipient Domain

   • Sender Domain

   • Sender Name

   • Subject

   • Action

   • Black/Whitelisted

   • Blocked Attachment Ext

   • Filtering Reason

   • Sender IP

   • Sender IP Country

   • Attachment File Type

   • Attachment Filename

   • Emb. URL Risk Class

   • Emb. URL Severity

   • Advanced Encryption

   • File Sandbox status

   • Virus Name

   • Date & Time

   • Message Size

   • Spam score

   • Attachment Size

   Make sure all the above attributes are selected and DO NOT remove any of these attributes from the columns section: Azure Sentinel won’t be able to ingest events log if data are missing.

8. Click Save

Create Log Analytics Workspace

To send logs/events to Azure Sentinel we need to create an Azure workspace were all logs/events will be stored.

1. Sign into Azure portal

2. Click All services, select Azure Sentinel and click on it.

3. Click Add

   

4. Click Create a new workspace

   

5. Give a name to this workspace, select the subscription type, the resource group (if none exists create a new one) and select the location where this workspace will be hosted.

6. Click Review + Create button to create the workspace (this might take few minutes)

7. Click Add Azure Sentinel.

Implementation options

Two implementation options are provided in this document

• Docker – leverages docker images where the integration component is already installed with all necessary dependencies.

• Traditional – requires the manual deployment of the integration component inside an Ubuntu server 18.x host-machine.

The docker images for this integration have been tested working with Docker 19.03.6 on a Centos 7.3 machine with at least 2 GB RAM and 20 GB of storage, while the traditional version of this integration has been tested working with the following requirements

• Ubuntu server 18.x with at least 2 GB RAM and 20 GB of storage

• Golang v1.14

• Python

• Azure Log Analytics Data Collector Agent (omsagent-1.13.7-0)

Implementation – Docker

The solution described in this chapter requires

• A Linux machine (Centos 7.3 recommended) with at least 20GB free disk space and 2 GB RAM. This machine will be referenced in the rest of this document as the docker-host machine.

• Docker Engine must be installed on the docker-host machine, visit docker-installation-docs to install Docker Engine on docker-host

• Docker-compose must be installed on the docker-host machine, visit docker-compose-installation-docs to install docker-compose on docker-host machine

Login to your docker-host machine as root, and do the following steps.

Step 1: Find Syslog Agent (omsagent) Installation Command

1. Login to Azure portal

2. Search for Sentinel

3. Under Configuration, click Data Connectors

4. Search for Forcepoint Cloud Security Gateway and select it.

5. Click Open Connector page

   

6. In the Open Connector Page, you will find your Data Connector Syslog Agent command. This command is used in both implementation to install the Syslog Agent on the host-machine.

   

Step 2: Download Docker Compose files

1. Download fp-csg-export-azure-sentinel-docker.tar.gz file from here

2. Decompress the downloaded file with the following command:

   tar -zxvf fp-csg-export-azure-sentinel-docker.tar.gz
   

The output of the above command is a directory with name fp-csg-export-azure-sentinel-docker

Step 3: Define required Environment variables

1. Change your current directory to fp-csg-export-azure-sentinel-docker

   cd fp-csg-export-azure-sentinel-docker
   

2. Open .env file

   vi .env 
   

3. Change the value of the environment variables inside .env. The following table explains each variable and defines if they need to be changed.

   Variable Name	Description	Requires to be changed
   SYSLOG_AGENT_INSTALLATION_COMMAND	Syslog Agent Installation Command. Step 1 of this document explains where you can find it.	YES
   CSG_WEB_LOGS_INCLUDE	Web Logs include filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_WEB_LOGS_INCLUDE, then process that log. Example - To filter logs where PolicyName field is My Policy: CSG_WEB_LOGS_INCLUDE =”PolicyName=My Policy” Multiple parameters can be added to the CSG_WEB_LOGS_INCLUDE by separating them with a comma. CSG_WEB_LOGS_INCLUDE="Action=Blocked,PolicyName=My Policy"	NO
   CSG_WEB_LOGS_EXCLUDE	Exclude filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_WEB_LOGS_EXCLUDE, then that log message will NOT be processed. Example - To exclude all logs where Action is Allowed: CSG_WEB_LOGS_EXCLUDE="Action=Allowed”	NO
   CSG_EMAIL_LOGS_INCLUDE	Email Logs include filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_EMAIL_LOGS_INCLUDE, then process that log. Example - To filter logs where PolicyName field is My Policy: CSG_EMAIL_LOGS_INCLUDE =”PolicyName=My Policy” Multiple parameters can be added to the CSG_EMAIL_LOGS_INCLUDE by separating them with a comma. CSG_EMAIL_LOGS_INCLUDE="Action=Accepted,PolicyName=My Policy"	NO
   CSG_EMAIL_LOGS_EXCLUDE	Exclude filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_EMAIL_LOGS_EXCLUDE, then that log message will NOT be processed. Example - To exclude all logs where Action is Accepted: CSG_EMAIL_LOGS_EXCLUDE="Action=Accepted”	NO
   SEND_WEB_LOGS	Boolean value, if set to true the integration will send the Cloud Security Gateway web logs to Azure Sentinel	NO
   SEND_EMAIL_LOGS	Boolean value, if set to true the integration will send the Cloud Security Gateway email logs to Azure Sentinel	NO
   WEB_LOGS_START_DATETIME	Only process the web logs with creation datetime bigger or equal to the value specified in this parameter. The expected datetime format is: YYYY-MM-DD hh:mm:ss
   EMAIL_LOGS_START_DATETIME	Only process the email logs with creation datetime bigger or equal to the value specified in this parameter. The expected datetime format is: YYYY-MM-DD hh:mm:ss
   INTERVAL_TIME_IN_MINUTES	This parameter defines how frequently Forcepoint Cloud Security Gateway logs will be downloaded, processed and sent to Azure Sentinel. The default value is 10 minutes	NO
   CSG_VERSION	Forcepoint Cloud Security Gateway version. The default value for this parameter is 1.0	NO
   CSG_LOGS_URL	URL for downloading Forcepoint Cloud Security Gateway web/email logs. The default URL is https://hlfs-web-d.mailcontrol.com/siem/logs	NO

4. Save and close .env

Step 4: Start Services

1. Use the following command and credentials to login into the Docker registry hosting the containers needed for this integration

   root@linux:~# docker login docker.frcpnt.com
   Username: fp-integrations
   Password: t1knmAkn19s
   

2. Run the following command to start services.

   docker-compose run csg-sentinel-service
   

3. for first time you run the integration, you will be asked to enter Forcepoint CSG credentials. the credentials will be encrypted and stored on host-machine in /root/csg_encrypted/csg file.

   • enter your Forcepoint CSG username:
   • enter your Forcepoint CSG password:

It might take some time until all the logs are visible in Azure Sentinel: this depends on the number of logs being exported and the normal processing time on the Azure side.

Implementation - Traditional

The solution described in this chapter requires:

• Ubuntu server 18.X machine with at least 20GB free disk space and 2 GB of RAM. This machine will be referenced in the rest of this document with the name host-machine.

Login to your Ubuntu host-machine as root and proceed according to the following steps.

Step 1: Syslog Agent (omsagent) Installation

If the Syslog Agent (omsagent) is already installed on the host-machine, then move to Step 2.

1. If python is not installed on the host-machine, install it with the commands:

   #: sudo apt update
   #: sudo apt install python -y
   

2. If wget is not installed on the host machine, install it with the command:

   #: sudo apt install wget -y
   

3. If curl is not installed on the host machine, install it with the command:

   #: sudo apt -y install libcurl4 curl
   

4. Login to Azure portal

5. Search for Sentinel

6. Under Configuration click Data Connectors

7. Search for Forcepoint Cloud Security Gateway and select it.

8. Click Open Connector page

   

9. In the Open Connector Page, you will find your Data Connector Syslog Agent command, copy this command.

   

10. Start the rsyslog service:

     #: sudo systemctl start rsyslog.service
    

11. on the host-machine, open a new terminal, paste the copied command and press enter. once the agent installation is done, move to the next step.

Step 2: Download the source code

• Download fp-csg-export-azure-sentinel-tr.tar.gz from this GitHub repo

The source code contains the following files:

• fp-csg-sentinel: a service to send Forcepoint CSG web/email logs to Azure Sentinel

• fp-csg-sentinel.yml: the config file for fp-csg-sentinel service

• fp-csg-sentinel.service: a systemd service file for fp-csg-sentinel service

• fp-csg-export-azure-sentinel-installer.sh: a bash script that installs fp-csg-sentinel and creates a systemd service for it.

Step 3: Run installation script

1. Decompress the source code file: this will create a directory named fp-csg-export-azure-sentinel-tr which contains all required files for this implementation.

   tar -zxvf fp-csg-export-azure-sentinel-tr.tar.gz
   

2. Change your current directory to fp-csg-export-azure-sentinel-tr

   cd fp-csg-export-azure-sentinel-tr
   

3. Edit fp-csg-sentinel.yml config file

   vi fp-csg-sentinel.yml 
   

4. Change the value of parameters inside fp-csg-sentinel.yml. The following table explains each parameter and defines if they need to be changed.

   Variable Name	Description	Requires to be changed
   CSG_WEB_LOGS_INCLUDE	Web Logs include filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_WEB_LOGS_INCLUDE, then process that log. Example - To filter logs where PolicyName field is My Policy: CSG_WEB_LOGS_INCLUDE =”PolicyName=My Policy” Multiple parameters can be added to the CSG_WEB_LOGS_INCLUDE by separating them with a comma. CSG_WEB_LOGS_INCLUDE="Action=Blocked,PolicyName=My Policy"	NO
   CSG_WEB_LOGS_EXCLUDE	Exclude filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_WEB_LOGS_EXCLUDE, then that log message will NOT be processed. Example - To exclude all logs where Action is Allowed: CSG_WEB_LOGS_EXCLUDE="Action=Allowed”	NO
   CSG_EMAIL_LOGS_INCLUDE	Email Logs include filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_EMAIL_LOGS_INCLUDE, then process that log. Example - To filter logs where PolicyName field is My Policy: CSG_EMAIL_LOGS_INCLUDE =”PolicyName=My Policy” Multiple parameters can be added to the CSG_EMAIL_LOGS_INCLUDE by separating them with a comma. CSG_EMAIL_LOGS_INCLUDE="Action=Accepted,PolicyName=My Policy"	NO
   CSG_EMAIL_LOGS_EXCLUDE	Exclude filter: if a parameter in Cloud Security Gateway web logs matches a specified parameter in CSG_EMAIL_LOGS_EXCLUDE, then that log message will NOT be processed. Example - To exclude all logs where Action is Accepted: CSG_EMAIL_LOGS_EXCLUDE="Action=Accepted”	NO
   SEND_WEB_LOGS	Boolean value, if set to true the integration will send the Cloud Security Gateway web logs to Azure Sentinel	NO
   SEND_EMAIL_LOGS	Boolean value, if set to true the integration will send the Cloud Security Gateway email logs to Azure Sentinel	NO
   WEB_LOGS_START_DATETIME	Only process the web logs with creation datetime bigger or equal to the value specified in this parameter. The expected datetime format is: YYYY-MM-DD hh:mm:ss	YES
   EMAIL_LOGS_START_DATETIME	Only process the email logs with creation datetime bigger or equal to the value specified in this parameter. The expected datetime format is: YYYY-MM-DD hh:mm:ss	YES
   INTERVAL_TIME_IN_MINUTES	This parameter defines how frequently Forcepoint Cloud Security Gateway logs will be downloaded, processed and sent to Azure Sentinel. The default value is 10 minutes	NO
   CSG_VERSION	Forcepoint Cloud Security Gateway version. The default value for this parameter is 1.0	NO
   CSG_LOGS_URL	URL for downloading Forcepoint Cloud Security Gateway web/email logs. The default URL is https://hlfs-web-d.mailcontrol.com/siem/logs	NO

5. Save fp-csg-sentinel.yml

6. Make fp-csg-export-azure-sentinel-installer.sh executable

   chmod +x fp-csg-export-azure-sentinel-installer.sh
   

7. Execute the fp-csg-export-azure-sentinel-installer.sh script

   sudo ./fp-csg-export-azure-sentinel-installer.sh 
   

8. Once fp-csg-export-azure-sentinel-installer.sh installs all required dependencies, it will ask you to enter Forcepoint CSG credentials. Credentials will be encrypted and stored on the host-machine in /var/forpcepoint-csg/csg file.

   • enter your Forcepoint CSG username:
   • enter your Forcepoint CSG password:

NOTE: if you need to change the CSG credentials stored in the host-machine:

• run:

   /var/forpcepoint-csg/fp-csg-sentinel run -c --config /var/forpcepoint-csg/fp-csg-sentinel.yml
  

• enter the new credentials
• restart fp-csg-sentinel service

   sudo systemctl restart fp-csg-sentinel.service
  

Step 4: Reboot the host-machine

Reboot the host-machine and ensure the service fp-csg-sentinelis running by executing the following command:

#: systemctl list-units | grep fp-csg-sentinel
fp-csg-sentinel.service loaded active running Send Forcepoint CSG web/email logs to Azure Sentinel

to ensure rSyslog and omsagent are running and listening to the correct ports

• install lsof package on the host-machine if not installed:

   #: sudo apt install lsof -y
  

• execute the following command to find the status of rSyslog and omsagent

  $ lsof -i | grep -e omsagent -e rsyslog
    rsyslogd  4241          syslog    5u  IPv4  34384      0t0  UDP *:syslog 
    rsyslogd  4241          syslog    6u  IPv6  34385      0t0  UDP *:syslog 
    rsyslogd  4241          syslog    7u  IPv4  34388      0t0  TCP *:shell (LISTEN)
    rsyslogd  4241          syslog    8u  IPv6  34389      0t0  TCP *:shell (LISTEN)
    omsagent  5474        omsagent    9u  IPv4  38582      0t0  TCP *:25324 (LISTEN)
    omsagent  5474        omsagent   16u  IPv4  38583      0t0  TCP localhost:25226 (LISTEN)
    omsagent  5474        omsagent   18u  IPv4  38584      0t0  UDP localhost:25224 
      
  

Note: it might take some time until all the logs are visible in Azure Sentinel. This depends on the number of logs being exported and the normal processing time on the Azure side.

Troubleshooting

Follow these steps to identify issues impacting the normal operation of the integration described in this document.

Docker Implementation

Validate the prerequisites

Make sure the prerequisites described in the Summary chapter are all satisfied:

• Check the versions of Microsoft omsagent in use is listed as compatible:

omsagent-1.13.7-0

• Docker images for this integration have been tested with

Docker 19.03.6

• The docker implementation has been tested on a CentOS 7.3 machine with docker engine and docker-compose installed, 2GB RAM and a free disk space of at least 20GB

• User needs sudo permissions in the docker host machine

Check network connectivity

Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved in this integration:

• Check the host machine has connectivity to the internet: execute the following command on the docker host machine:

ping -c 2 www.azure.com

Once done check the result is similar to below:

PING www.azure.com (10.10.120.12) 56(84) bytes of data.

64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=179 ms

64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=181 ms

Check dependencies are installed

Make sure the software dependencies needed by the components involved in this integration are installed:

• Check the host machine has docker installed: Execute the following command on the host machine:

docker info

Check the first few lines of the output are similar to below:

Client:

Debug Mode: false

Server:

Containers: 3

Running: 2

Paused: 0

Stopped: 1

Images: 3

Server Version: 19.03.6

• Check the host machine has docker-compose installed: Execute the following command on the host machine:

docker-compose –version

Check the docker-compose version is 1.25.4 or higher

Check all components are configured and running properly

Make sure the products and services involved in this integration are configured as expected and they are running:

• Verify the integration completed with no errors: When the below command is run:

docker-compose run csg-sentinel-service

Check there are no errors. When this command is run for the first time, the user will be prompted to enter a username and password for CSG.

Traditional Implementation

Validate the prerequisites

Make sure the prerequisites described in the Summary chapter are all satisfied:

• Check the versions of Microsoft omsagent in use is listed as compatible:

omsagent-1.13.7-0

• Verify the integration is correctly operating on an Ubuntu Server 18.x machine with at least 2GB RAM and 20GB of free disk space

• User needs to be root to install dependencies

Check network connectivity

Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved in this integration:

• Check the host machine has connectivity to the internet: execute the following command on the Docker host machine:

ping -c 2 www.azure.com

Once done check the result is similar to below:

PING www.azure.com (10.10.120.12) 56(84) bytes of data.

64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=179 ms

64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=181 ms

Check dependencies are installed

Make sure the software dependencies needed by the components involved in this integration are installed:

• Check python is installed: Execute the following command on the host machine:

python –version

Check the output is similar to below:

Python 2.7.x

• Check omsagent and rsyslog are installed and running execute the following command on the host machine:

lsof -i | grep -e omsagent -e rsyslog

Check the output is similar to below:

$ lsof -i | grep -e omsagent -e rsyslog
  rsyslogd  4241          syslog    5u  IPv4  34384      0t0  UDP *:syslog 
  rsyslogd  4241          syslog    6u  IPv6  34385      0t0  UDP *:syslog 
  rsyslogd  4241          syslog    7u  IPv4  34388      0t0  TCP *:shell (LISTEN)
  rsyslogd  4241          syslog    8u  IPv6  34389      0t0  TCP *:shell (LISTEN)
  omsagent  5474        omsagent    9u  IPv4  38582      0t0  TCP *:25324 (LISTEN)
  omsagent  5474        omsagent   16u  IPv4  38583      0t0  TCP localhost:25226 (LISTEN)
  omsagent  5474        omsagent   18u  IPv4  38584      0t0  UDP localhost:25224 

Check all components are configured and running properly

Make sure the products and services involved in this integration are configured as expected and they are running:

• Check all the services are running by executing the following command:

systemctl list-units | grep fp-csg-sentinel

Check the output is similar to below:

fp-csg-sentinel.service loaded active running Send Forcepoint CSG web/email logs to Azure Sentinel

Appendix A – Mapping fields between Forcepoint Cloud Security Gateway Web log and CEF

Cloud Security Gateway Web log	CEF	Fixed value
	Version	0
	Device Vendor	Forcepoint CSG
	Device Product	Web
	Device Version	Forcepoint CSG Version. Default 1.0
Risk Class	Device Event Class ID
Action	act
Severity	Severity
Cloud App Name	Name
Protocol	app
Bytes Sent	out
Bytes Received	in
Category Name	cs1
	cs1Label	Category Name
Domain	cs2
	cs2Label	Domain name of the destination site
Policy Name	cs3
	cs3Label	Policy Name
Destination IP	dst
URL Full	request
File Name	fname
Connection IP	cs4
	cs4Label	The IP address of the connection to the cloud service.
DataCenter	sflexString1
	flexString1Label	The cloud service data center that processed the request
Source IP	src	if the source IP is not available, this field will be populated with the value of “Connection IP”
Cloud App Risk Level	cs5
	cs5Label	Cloud App Risk Level
Request Method	requestMethod
User Agent	requestClientApplication
FileType	fileType
User	suid
Date & Time	deviceCustomDate1
	deviceCustomDate1Label	Log Created Time

Appendix B – Mapping fields between Forcepoint Cloud Security Gateway Email log and CEF

Cloud Security Gateway E-mail log	CEF	Fixed value
	Version	0
	Device Vendor	Forcepoint CSG
	Device Product	Email
	Device Version	Forcepoint CSG Version. Default 1.0
Emb URL Risk Class	Device Event Class ID
Action	act
Emb URL Severity	Severity
Recipient Address	duser
From Address	suser
Direction	deviceDirection
Subject	msg
Black White listed	cs1
	cs1Label	Black/white listed
Virus Name	cs2
	cs2Label	Virus Name
Policy Name	cs3
	cs3Label	Policy Name
Spam Score	cfp1
	cfp1Label	Spam Score
Message Size	cn1
	cn1Label	Message Size
Attachment Size	fsize
Attachment Filename	fname
Attachment File Type	fileType
Advanced Encryption	cs4
	cs4Label	Advanced Encryption
Filtering Reason	flexString1	Filtering Reason
Sender IP	src
Sender Name	suid
Date & Time	deviceCustomDate1
	deviceCustomDate1Label	Log Created Time

Appendix C – Create a Workbook into Azure Sentinel

Workbooks combine text, analytics queries, Azure Metrics, and parameters into rich interactive reports.

1. Login to Azure Sentinel portal

1. Select Workbooks from the left-hand menu, under the Threat management section. This launches a workbook gallery

2. Click Add workbook, this will open a new workbook

3. Click Edit, this will make workbook sections editable

4. Click the Advanced Editor icon

   

5. Click Gallery Template

   

6. Remove everything inside the Gallery Template

7. Copy the following into Gallery Template

8. Click Apply

   

9. Save your workbook