Remediation
Administrator Help | Forcepoint DLP | Version 8.4.x
Use the Settings > General > Remediation page in the Data Security module of the Forcepoint Security Manager to define the location of the syslog server and mail release gateway used for remediation.
1. Under Syslog Settings, enter the IP address or hostname of the syslog server, and the logging Port.
2. To set the origin of syslog messages, select Use syslog facility for these messages, then use the drop-down menu to select the type of message to appear in the syslog:
   * User-level Messages (#1) logs generic user-level messages, such as "username/password expired".
   * Security/Authorization Messages (#4) logs authentication- and authorization-related commands, such as "authentication failed for admin user".
   * Security/Authorization Messages (#10) logs non-system authorization messages inside a protected file (for information of a sensitive nature, such as passwords).
   * Local use 0-7 (#16-23) specifies unreserved facilities available for any local use. Processes and daemons that have not been explicitly assigned a facility can use any of the "local use" facilities. Configuration is done in the syslog.conf file.
   To send incident data to the syslog, select Audit Incident > Send Syslog Message in the action plan for the policy.
3. Click Test Connection to send the syslog server a verification test message.
4.
   * The default is Use the gateway that detected the incident. This gateway could be Forcepoint Email Security or the protector MTA, depending on your subscription.
   * To define a specific gateway, select Use the following gateway, then enter the gateway IP address or hostname and Port.
5. The system then ensures that the person attempting to release a message is a recipient of the message, and therefore authorized. Unauthorized users receive an email notification that they are not allowed to release the message.
6. Click OK to save your changes.
Syslog messages can be sent to a SIEM tool if desired. They are compatible with both the ArcSight Common Event Format (CEF) and the Audit Quality SIEM format.
The ArcSight CEF message includes the following information for each incident:
CEF:0|Forcepoint|Forcepoint DLP|8.3|{id}|DLP Syslog|{severity}| act={action} duser={destinations} fname={attachments} msg={details} suser={source} cat={policyCategories} sourceServiceName={channel} analyzedBy={policyEngineName} loginName={name} sourceIp={ip}
The ArcSight Audit Quality SIEM message adds the following information for each incident:
severityType=MEDIUM sourceHost=MNG_ENDPOINT_1 productVersion=8.3 maxMatches=6 timeStamp=2015-03-11 16:33:48.333 destinationHosts=ACCOUNTS.GOOGLE.COM,10.0.17.2 apVersion=8.3
Incident risk ranking cases
When incident risk ranking cases are sent to syslog, the message includes case information. For example:
CEF:0|Forcepoint|Forcepoint DLP|8.3.0.1184836|983645|DLP Syslog|1| riskScore=1.4 caseDescription=High-severity breach content and a suspected false-positive event caseDateAndTime=07 Jul. 2016, 9:33:18 AM caseClassification=Unknown caseSummary=Low risk content;Number of files in case (46);Destination is unusual;PII breach (1 match);Possible false positive (23%) numberOfIncidents=2 eventIDs=14359168827488891711,3765310750806591754
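Both message shapes on this page, the incident template and the risk ranking case just shown, can be parsed with the following Python. It is an added example, not Forcepoint's code: it splits the pipe-delimited CEF header, walks the key=value extension (whose values may contain spaces, as in caseDescription and caseSummary above), and flattens the result into a record a SIEM correlation rule could act on. The incident line is constructed with made-up values; the case line is the one from this page.

```python
import re

# Constructed incident line following this page's CEF template (values are made up).
SAMPLE_INCIDENT = ("CEF:0|Forcepoint|Forcepoint DLP|8.3|983645|DLP Syslog|7| act=Blocked "
                   "duser=partner@example.net fname=q3-payroll.xlsx msg=PCI data in attachment "
                   "suser=jdoe@example.com cat=PCI sourceServiceName=SMTP analyzedBy=pe-01 "
                   "loginName=jdoe sourceIp=10.0.17.2")
# Incident risk ranking case line as shown on this page.
SAMPLE_CASE = ("CEF:0|Forcepoint|Forcepoint DLP|8.3.0.1184836|983645|DLP Syslog|1| riskScore=1.4 "
               "caseDescription=High-severity breach content and a suspected false-positive event "
               "caseDateAndTime=07 Jul. 2016, 9:33:18 AM caseClassification=Unknown "
               "caseSummary=Low risk content;Number of files in case (46);Destination is unusual;"
               "PII breach (1 match);Possible false positive (23%) numberOfIncidents=2 "
               "eventIDs=14359168827488891711,3765310750806591754")

HEADER_FIELDS = ("vendor", "product", "device_version", "signature_id", "name", "severity")
# An extension key is a word followed by '=' at the start or after whitespace; the text up to the next key is its value.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")

def _unescape(text):  # CEF escapes '|' in the header and '=' in the extension with a backslash
    return text.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")

def parse_cef(line):
    """Split one CEF line into (header dict, extension dict); ValueError if malformed."""
    if "CEF:" not in line:
        raise ValueError("not a CEF message")
    # Start at the CEF: marker so a syslog timestamp/host prefix is tolerated; split on unescaped pipes only.
    parts = re.split(r"(?<!\\)\|", line.split("CEF:", 1)[1], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    header = {"cef_version": parts[0]}
    header.update((name, _unescape(val)) for name, val in zip(HEADER_FIELDS, parts[1:7]))
    pieces = _KEY_RE.split(parts[7] if len(parts) == 8 else "")  # [prefix, key, value, key, value, ...]
    extension = {k: _unescape(v.strip()) for k, v in zip(pieces[1::2], pieces[2::2])}
    return header, extension

def normalize(line):
    """Flatten an incident or case message into a record a SIEM rule can use."""
    header, ext = parse_cef(line)
    rec = {"severity": int(header["severity"]), "signature_id": header["signature_id"]}
    if "riskScore" in ext:  # incident risk ranking case: one score covering several incidents
        rec["kind"] = "case"
        rec["risk_score"] = float(ext["riskScore"])
        rec["reasons"] = [r.strip() for r in ext.get("caseSummary", "").split(";") if r.strip()]
        rec["event_ids"] = [e for e in ext.get("eventIDs", "").split(",") if e]
    else:  # single incident: who sent what where, and what the action plan did
        rec["kind"] = "incident"
        rec["action"] = ext.get("act")
        rec["source_user"] = ext.get("suser")
        rec["destinations"] = [d for d in ext.get("duser", "").split(",") if d]
        rec["source_ip"] = ext.get("sourceIp")
    return rec
```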
Copyright 2017 Forcepoint. All rights reserved.