Merge pull request #472 from michaelNevinFP/Forcepoint-DLP-Integration

Forcepoint DLP Sentinel Integration
2020-02-10 21:14:51 -08:00 · 2020-02-10 21:14:51 -08:00 · 10ec3b4b5e
--- a/DataConnectors/Forcepoint
+++ b/DataConnectors/Forcepoint
@ -0,0 +1,86 @@
+{
+    "id": "Forcepoint_DLP",
+    "title": "Forcepoint DLP (Preview)",
+    "publisher": "Forcepoint",
+    "descriptionMarkdown": "The Forcepoint DLP (Data Loss Prevention) connector allows you to automatically export DLP incident data from Forcepoint DLP into Azure Sentinel in real-time. This enriches visibility into user activities and data loss incidents, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Azure Sentinel.",
+    "graphQueries": [
+        {
+            "metricName": "Total data received",
+            "legend": "ForcepointDLPEvents_CL",
+            "baseQuery": "ForcepointDLPEvents_CL"
+        }
+    ],
+    "sampleQueries": [
+        {
+            "description" : "Rules triggered in the last three days",
+            "query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(3d)\n | summarize count(RuleName_1_s) by RuleName_1_s, SourceIpV4_s\n | render barchart"
+        },
+        {
+            "description" : "Rules triggered over time (90 days)",
+            "query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(90d)\n | sort by CreatedAt_t asc nulls last\n | summarize count(RuleName_1_s)  by  CreatedAt_t, RuleName_1_s\n | render linechart"
+        },
+        {
+            "description" : "Count of High, Medium and Low rules triggered over 90 days",
+            "query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(90d)\n | sort by CreatedAt_t asc nulls last\n | summarize count(Severity_s)  by  CreatedAt_t, Severity_s\n | render barchart"
+        }
+    ],
+    "dataTypes": [
+        {
+            "name": "ForcepointDLPEvents_CL",
+            "lastDataReceivedQuery": "ForcepointDLPEvents_CL\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+        }
+    ],
+    "connectivityCriterias": [
+        {
+            "type": "IsConnectedQuery",
+            "value": [
+                "ForcepointDLPEvents_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(30d)"
+            ]
+        }
+    ],
+    "availability": {
+        "status": 1,
+        "isPreview": true 
+    },
+    "permissions": {
+        "resourceProvider": [
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces",
+                "permissionsDisplayText": "read and write permissions are required.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "write": true,
+                    "read": true,
+                    "delete": true
+                }
+            }
+        ]
+    },
+    "instructionSteps": [
+        {
+            "title": "",
+            "description": "Follow step by step instructions in the [Forcepoint DLP documentation for Azure Sentinel](https://aka.ms/forcepointdlpdcconfig) to configure this connector.",
+            "instructions": [
+                {
+                    "parameters": {
+                        "fillWith": [
+                            "WorkspaceId"
+                        ],
+                        "label": "Workspace ID"
+                    },
+                    "type": "CopyableLabel"
+                },
+                {
+                    "parameters": {
+                        "fillWith": [
+                            "PrimaryKey"
+                        ],
+                        "label": "Primary Key"
+                    },
+                    "type": "CopyableLabel"
+                }
+            ]
+        }
+    ]
+}
--- a/Data/ForcepointDLP_sample.json
+++ b/Data/ForcepointDLP_sample.json
@ -0,0 +1,98 @@
+[
+  {
+    "TenantId": "00000000-0000-0000-0000-000000000000",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated": "2020-02-05T14:31:55.123Z",
+    "Computer": "",
+    "RawData": "",
+    "DestinationDomain": "csm-testcenter.org",
+    "CreatedAt": "2020-02-05T14:26:54Z",
+    "Protocol": "HTTP",
+    "PolicyCategoryId": 850172,
+    "Type": "Forcepoint DLP",
+    "GeneratorId": 164061,
+    "Id": "incident_Id-164061-rule_id-164062",
+    "RuleName": "User uploading CV",
+    "Severity": "LOW",
+    "UpdatedAt": "2020-02-05T14:26:54Z",
+    "DestinationHostname": "www.csm-testcenter.org",
+    "ExternalId": 11550642310619705000,
+    "SourceIpV4": "192.168.122.2",
+    "Text": "Forcepoint Content Gateway Server on web-wcg.demo.com-HTTP",
+    "DestinationCommonName": "www.csm-testcenter.org",
+    "DestinationIpV4": "178.63.68.61",
+    "SourceDomain": "none",
+    "Title": "Forcepoint DLP Incident",
+    "ForcepointDLPSourceIP": "192.168.122.2",
+    "UpdatedBy": "Forcepoint Content Gateway Server on web-wcg.demo.com",
+    "Description": "http://www.csm-testcenter.org/test",
+    "Type": "ForcepointDLPEvents_CL",
+    "_ResourceId": ""
+  },
+  {
+    "TenantId": "00000000-0000-0000-0000-000000000000",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated": "2020-02-05T14:31:55.123Z",
+    "Computer": "",
+    "RawData": "",
+    "DestinationDomain": "csm-testcenter.org",
+    "CreatedAt": "2020-02-05T14:27:00Z",
+    "Protocol": "HTTP",
+    "PolicyCategoryId": 850170,
+    "Type": "Forcepoint DLP",
+    "GeneratorId": 163858,
+    "Id": "incident_Id-163858-rule_id-163859",
+    "RuleName": "block credit card numbers",
+    "Severity": "HIGH",
+    "UpdatedAt": "2020-02-05T14:27:00Z",
+    "DestinationHostname": "www.csm-testcenter.org",
+    "ExternalId": 237894709905121000,
+    "SourceIpV4": "192.168.122.2",
+    "Text": "Forcepoint Content Gateway Server on web-wcg.demo.com-HTTP",
+    "DestinationCommonName": "www.csm-testcenter.org",
+    "DestinationIpV4": "178.63.68.61",
+    "SourceDomain": "none",
+    "Title": "Forcepoint DLP Incident",
+    "ForcepointDLPSourceIP": "192.168.122.2",
+    "UpdatedBy": "Forcepoint Content Gateway Server on web-wcg.demo.com",
+    "Description": "http://www.csm-testcenter.org/test",
+    "Type": "ForcepointDLPEvents_CL",
+    "_ResourceId": ""
+  },
+  {
+    "TenantId": "00000000-0000-0000-0000-000000000000",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated": "2020-02-05T11:46:08.407Z",
+    "Computer": "",
+    "RawData": "",
+    "DestinationDomain": "csm-testcenter.org",
+    "CreatedAt": "2020-02-05T11:42:48Z",
+    "Protocol": "HTTP",
+    "PolicyCategoryId": 850170,
+    "Type": "Forcepoint DLP",
+    "GeneratorId": 163836,
+    "Id": "incident_Id-163836-rule_id-163837",
+    "RuleName": "block credit card numbers",
+    "Severity": "HIGH",
+    "UpdatedAt": "2020-02-05T11:42:48Z",
+    "DestinationHostname": "www.csm-testcenter.org",
+    "ExternalId": 11118801960067826000,
+    "SourceIpV4": "192.168.122.2",
+    "Text": "Forcepoint Content Gateway Server on web-wcg.demo.com-HTTP",
+    "DestinationCommonName": "www.csm-testcenter.org",
+    "DestinationIpV4": "178.63.68.61",
+    "SourceDomain": "none",
+    "Title": "Forcepoint DLP Incident",
+    "ForcepointDLPSourceIP": "192.168.122.2",
+    "UpdatedBy": "Forcepoint Content Gateway Server on web-wcg.demo.com",
+    "Description": "http://www.csm-testcenter.org/test",
+    "Type": "ForcepointDLPEvents_CL",
+    "_ResourceId": ""
+  }
+]