Forcepoint Data Loss Prevention and Azure Sentinel

Table of contents

Forcepoint Data Loss Prevention and Azure Sentinel
Summary
1. Demo
2. Source Code
3. Caveats
Implementation
Appendix A - Description of config.json settings
Appendix B – Service scripts
Appendix C – Logs of DLP Incident Exporter
1. Example message
2. Log structure
Appendix D – Create a Workbook into Azure Sentinel
Troubleshooting

License

These contents are licensed under Apache License, Version 2.0. http://www.apache.org/licenses/LICENSE-2.0

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SITE AND ITS CONTENT IS PROVIDED TO YOU ON AN “AS IS,” “AS AVAILABLE” AND “WHERE-IS” BASIS. ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THE SITE OR ITS CONTENT, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS, ARE HEREBY DISCLAIMED

Document Revision

Version	Date	Author	Notes
0.1	31 December 2019	Michael Nevin	First draft
0.2	13 January 2020	Michael Nevin	Update
0.3	21 January 2020	Mattia Maggioli	Review
0.4	30 January 2020	Jonathan Knepher	Review
0.5	23 March 2020	Neelima Rai	Added troubleshooting chapter
0.6	15 December 2020	Michael Nevin, Neelima Rai	Minor updates to Implementation chapter
0.7	28 January 2021	Michael Nevin, Neelima Rai	Updated exporter version and log details
0.8	24 March 2021	Michael Nevin	Updated version of the code

Summary

This guide provides step by step instructions to configure Forcepoint DLP and Azure Sentinel to export DLP incidents, transform data, and ingest them into Azure Sentinel.

The code and instructions provided enable system administrators to:

Export incident data from Forcepoint DLP automatically in real-time
Transform incident data into the format required by Azure Sentinel
Ingest the data as custom logs into Azure Sentinel and query events

This interoperability enables customers to use Azure Sentinel for incident data provided by Forcepoint DLP, and to correlate incident events with other Findings from multiple sources including Azure workloads.

A description of the workflow between the components involved in this POC is depicted in this diagram:

Demo

Source Code

fp-bd-dlp-aws

Caveats

The integration described in this document is tested with the following product versions:

Forcepoint DLP with Forcepoint Security Manager versions 8.5 and 8.6
Azure Monitor with the HTTP Data Collector API (public preview)

Implementation

The solution described in this chapter requires the latest version of the files available at this link:

https://github.com/Forcepoint/fp-bd-dlp-aws/releases

fp-dlp-exporter-aws-azure-v1-9-x.zip

The archive fp-dlp-exporter-aws-azure-v1-9-x.zip contains all files necessary to setup and run all the services which enable the integration between Forcepoint DLP and Azure Sentinel:

FSM DB connection: provides real-time export of DLP incidents, extracted from the database used by Forcepoint Security Manager

The solution allows for customizable levels of granularity (High, Medium, and Low severity levels) and performs the transformation and upload tasks, with minimal impact on the underlying storage.

We suggest deploying the solution on the machine which hosts Forcepoint Security Manager, the instructions provided in this document are based on this scenario. The instructions and hardware requirements for installing Forcepoint DLP with FSM can be found at this link https://www.websense.com/content/support/library/data/v871/install/install_dlp.pdf

The machine hosting the Forcepoint Security Manager will be referenced in the rest of this document with the name “FSM”.

The following software will be automatically installed by the install.bat script provided inside fp-dlp-exporter-aws-azure-v1.zip

Nssm 2.24

using the following command

START /WAIT powershell -command “[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest “https://nssm.cc/release/nssm-2.24.zip” -Method Get -OutFile .\Resources\nssm.zip”

Step 1 – Unpack DLP Incident Exporter and setup Azure Sentinel

Interoperability with Azure Sentinel requires the activation of the service within Azure and obtaining credentials that will be used to send data using the HTTP Data Collector API. If both requirements are already satisfied skip to Step 2.

Install The ODBC Connector from this link: https://www.microsoft.com/en-us/download/details.aspx?id=56567

If the installation of the connector prompts you to install the c++ redistributable, use this link: https://support.microsoft.com/en-us/topic/the-latest-supported-visual-c-downloads-2647da03-1eea-4433-9aff-95f26a218cc0
Login to the FSM machine and unzip fp-dlp-exporter-aws-azure-v1.x.zip into C:\fp-dlp-exporter-aws-azure-v1\
Login to your Microsoft Azure portal
Using the search bar search for “Azure Sentinel”
Click on +Add and in the new window that opens, click +Create a new workspace. Add details for Resource Group, Name and Region
Click on Review + Create and then Create
Once the new workspace is created, click Add to add Azure Sentinel to the created workspace
Select the workspace from the workspace pane. On the next page go to Configuration > Settings then in the new pane click Workspace Settings
Go to Settings > Agents management on the left pane. Store in a secure location the values of WORKSPACE ID and PRIMARY KEY

Step 2 – Installing the DLP Incident Exporter

Install The ODBC Connector from this link: https://www.microsoft.com/en-us/download/details.aspx?id=56567

If the installation of the connector prompts you to install the c++ redistributable, use this link:
<https://support.microsoft.com/en-us/topic/the-latest-supported-visual-c-downloads-2647da03-1eea-4433-9aff-95f26a218cc0>

On the FSM machine navigate to C:\fp-dlp-exporter-aws-azure-v1

Open config.json with a text editor edit the settings needed by the DLP Incident Exporter.

Explanation of all settings is in Appendix A of this document. Do not fill in you credentials for UID and PWD manually in this config.
```
  { 
    "file_location": "/XMLFileCopy ", 
    "HIGH": true, 
    "MEDIUM": false, 
    "LOW": false, 
    "Database_Connection":  
  { 
      "Server": "sqlserver-hostname", 
      "Database": "database-name", 
      "Trusted_Connection": "yes", 
      "UID": "username"
    },
    "AzureWorkspaceID": "3b754544t8-d4f8-4c96-894rfd-44t4f71d3c",
    "AzurePrimaryKey": "ededeyuyfuehfueehffIccvbbbzzzvrBVUiebfeufefag==",
    "LogName": "ForcepointDLPEvents"
  } 
```
Once config.json is edited with all necessary values, follow the following steps:
- Run command prompt (cmd) as administrator.
- cd to the location C:\fp-dlp-exporter-aws-azure-v1
- Run the command install.bat
- The installer will display a few messages as it progresses through the installation steps.
The installer will pause at Creating Service: DLPExporter and wait for user input:

Is this your first login? (y/n)
- If it’s the first time the DLPExporter is installed then enter y you will be asked to enter credentials to the database server used by Forcepoint Security Manager. After a successful connection to the database a new file is created in C:\fp-dlpexporter-aws-azure-v1 called secret-key.txt . This must be stored in a safe location since it’s necessary to log in in the future: the database password will be stored in an encrypted format and the secret-key file is necessary for future login attempts.
- If the DLPExporter was already installed enter n and provide the required credentials
Please enter your administrator username: enter the username of an account with administrator access to the FSM machine. Username must be entered according to the format

DOMAIN\username if using a domain account

.\username if using a local account
Please enter your administrator password: enter the password of the account with administrator access

Once both values are entered the installer will progress until a successful completion.

Once completed, the DLP Incident Exporter will run as a service on the FSM machine and DLP incidents will be exported to Azure Sentinel within 5 minutes of being triggered.

To check the logs in Azure Sentinel:

Go to the created workspace.
Click on Logs on the left pane. Then open Custom Logs.
The user can click on the custom log ForcepointDLPEvents_CL to see the logs in detail.

Note: Because this is a custom log, Azure appends a _CL to the log name.

The column Id_s in the logs ForcepointDLPEvents_CL in Azure is a primary key. It is a combination of Incident id + rule id, as shown below:

incident_Id-131080-rule_id-131081

incident_Id-131080-rule_id-131083

No two Id_s would be same.

Config.json changes

If you’re upgrading from older versions, please note the config.json Azure keys have changed. The new key names are “AzureWorkspaceID” and “AzurePrimaryKey”.

Note on the number of logs

Azure has records stored in a flat file format and these records cannot have nested data: if a DLP incident matches multiple policies configured into Forcepoint Security Manager, the user will multiple logs in Azure for the same DLP incident. It is then possible to have more events in Azure Custom Logs ForcepointDLPEvents_CL compared to the number of DLP incidents recorded and displayed into Forcepoint Security Manager.

Note on reinstalling or upgrading the integration

If the user is reinstalling or upgrading this integration, ensure a backup is made of the /Resources/azureDate.json to avoid any potential duplicate records. Sample azureDate.json file format: {“AzureUpdateDate”: “2022-05-24 10:26:11”}

Appendix A - Description of config.json settings

PARAMETER	DESCRIPTION	CHANGE REQUIRED
file_location	Location used by the DLP Incident Exporter to store XML files with incident data before upload to Azure. Used when log export is done using the manual method based on remediation script	NO
HIGH MEDIUM LOW	These parameters allow filtering of DLP incidents, upload only logs whose severity matches the levels set to TRUE.	YES
Database_Connection	These parameters are needed to connect to the SQL database used by Forcepoint Security Manager to store data of DLP incidents. Server: hostname or IP address of the SQL database Database: name of the database hosting the FSM data Trusted_Connection: only “yes” or “no” are possible yes - if it is a trusted connection no - if username and password will be used to connect UID: username used to login to the database	YES
AzureWorkspaceID	Obtained from step 1.1 WORKSPACE ID	YES
AzurePrimaryKey	Obtained from step 1.1 PRIMARY KEY	YES
LogName	This will be the name of the log that Azure Sentinel will receive from DLP as “custom log”. “_CL” will be appended automatically to the log name once the file is received by Azure Sentinel e.g. “LogName_CL”	YES

Appendix B – Service scripts

The DLP Incident Exporter service is managed by the NSSM tool.

Navigate to C:\fp-dlp-exporter-aws-azure-v1\ServiceScripts. There are four scripts provided.

PARAMETER	DESCRIPTION
changePassword	This script opens the UI of NSSM to provide an easy way to change or update the password. The password is editable from the Log on tab of NSSM (see below)
removeService	This script will remove the DLPExporter service from the server and stop it from running
restart	Restarts the DLPExporter service
stopService	Stops the DLPExporter service (Note this has not removed the service only stopped it from running)

Appendix C – Logs of DLP Incident Exporter

Logs of DLP Incident Exporter operations are stored into C:\fp-dlp-exporter-aws-azure-v1\logs\ForcepointDLPEvents.

Example message

2020-01-03 09:29:25 - DLPExporter - INFO - Azure is configured on

Log structure

Date and time	Service Name	Message Type	message
2019-12-13 17:56:35	DLPExporter	INFO DEBUG CRITICAL ERROR WARNING	Azure is configured on

2019-12-13 17:56:35

DLPExporter

INFO

DEBUG

CRITICAL

ERROR

WARNING

Azure is configured on

Appendix D – Create a Workbook into Azure Sentinel

Workbooks combine text, Analytics queries, Azure Metrics and parameters into rich interactive reports.

Login to Azure Sentinel portal
Select Workbooks from the left-hand menu, under Threat management section. This launches a workbook gallery
Click on Add workbook, to open a new workbook
Click on Edit, to edit workbook sections
Click Add query, to launch a new Log Analytics workspace Logs Query

Insert the following query

ForcepointDLPEvents_CL 
| where TimeGenerated > ago(3d) 
| summarize count(RuleName_1_s) by RuleName_1_s, SourceIpV4_s

The above query searches for rules triggered in the last three days. The query provides an output similar to this

Click Done Editing
Move to the next section of the workbook and click Edit

Add the following query to display a Bar Chart which provides a visual overview for rules triggered in the last three days

ForcepointDLPEvents_CL 
| where TimeGenerated > ago(3d) 
| summarize count(RuleName_1_s) by RuleName_1_s, SourceIpV4_s 
| render barchart

Click Done Editing. The result displayed will be similar to this

Another query to display rules triggered over time (past 90 days) generated is

ForcepointDLPEvents_CL 
| where TimeGenerated > ago(90d) 
| sort by CreatedAt_t asc nulls last  
| summarize count(RuleName_1_s)  by  CreatedAt_t, RuleName_1_s 
| render linechart 

Another query to display counts of High, Medium and Low rules triggered over 90 days

ForcepointDLPEvents_CL 
| where TimeGenerated > ago(90d) 
| sort by CreatedAt_t asc nulls last  
| summarize count(Severity_s)  by  CreatedAt_t, Severity_s 
| render barchart 

Once finished editing queries click Done Editing on the top left corner and on the save icon to save the workbook

Multiple queries can be used to populate a workbook with tables and chart, enabling powerful visualization of events and security related activities obtained from Forcepoint DLP.

Troubleshooting

Follow these steps to identify issues impacting the normal operation of the integration described in this document.

Validate the prerequisites

Make sure the prerequisites described in the Summary chapter are all satisfied:

Check the versions of Forcepoint DLP with Forcepoint Security Manager and 3^rd party products/services in use are listed as compatible
```
Forcepoint DLP with Forcepoint Security Manager 8.5.x
Azure Monitor with the HTTP Data Collector API (public preview)
```
Verify the integration component is hosted on a Windows 10 or Windows Server machine
User must have administrator access to the Windows machine in order to run and complete the installation successfully. Username and password will be requested at the time of install.
The machine running the DLPExporter must have network connectivity to the SQL server
Check the user has permissions to Invoke-WebRequest and Expand-Archive in Powershell

Check network connectivity

Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved into this integration:

Check the windows machine has network connectivity to AWS:

The user can check this from the logs created in C:\fp-dlp-exporter-aws-azure-v1\logs in the log file named ForcepointDLPEvents

and check the log file has a message similar to below:

2020-02-28 13:06:06 - DLPExporter - INFO - Azure is configured on

Check the windows machine has network connectivity to the SQL server:

The user can check this from the logs created in C:\fp-dlp-exporter-aws-azure-v1\logs in the log file named ForcepointDLPEvents

and check the log file has a message similar to below:

2020-02-28 13:06:06 - DLPExporter - INFO - Database Connection established

Check all components are configured and running properly

Make sure the products and services involved into this integration are configured as expected and they are running:

Check SQL connectivity: If you get messages similar to below, that means you either have no SQL connectivity or are entering wrong credentials:

  2020-02-28 13:04:21 - DLPExporter - ERROR - [08001] [Microsoft][ODBC SQL Server Driver][DBNETLIB]SQL Server does not exist or access denied. (17) (SQLDriverConnect); [08001] [Microsoft][ODBC SQL Server Driver][DBNETLIB]ConnectionOpen (Connect()). (53)  
  Traceback (most recent call last):  
  File "DLPExporter.py", line 135, in <module>  
  KeyboardInterrupt  
  [18468] Failed to execute script DLPExporter 
  2020-02-28 13:09:35 - DLPExporter - ERROR - [28000] [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'g'. (18456) (SQLDriverConnect); [28000] [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'g'. (18456) 

In case the user provided wrong credentials for SQL server connection, you can follow the following steps:
1. Go to C:\fp-dlp-exporter-aws-azure-v1 and edit the configs.json file to add the correct SQL Server connection credentials
2. Run command prompt as administrator.
3. cd to the C:\fp-dlp-exporter-aws-azure-v1\ServiceScripts
4. Type command restart to restarrt the DLPExporter service.
5. Check the ForcepointDLPEVents log in C:\fp-dlp-exporter-aws-azure-v1\logs and see if the database connection is established.
  - The install.bat file should only be run once. If anything goes wrong, you need to go back to the Service scripts to make changes.
  - If a wrong password for the administrator account was entered during the first run of the install.bat file to install DLPExporter, use the following steps to change it:
    1. Run command prompt as administrator.
    2. cd to C:\fp-dlp-exporter-aws-azure-v1\ServiceScripts
    3. Type command changePassword in the command prompt. A window will pop up where the user can enter the correct password
    4. Type command restart to restart the DLPExporter service.
If the install.bat file was run multiple times, the DLPExporter service might still be running in the background even if removeService script was run afterwards). Follow the steps below in order to remove the service completely:
1. Run command prompt as administrator.
2. Go to the C:\fp-dlp-exporter-aws-azure-v1\Resources folder
3. Execute the command: nssm
4. Execute the command: nssm stop DLPExporter
5. Execute the command: nssm remove DLPExporter confirm
6. Execute the command: nssm status DLPExporter