diff --git a/DataConnectors/ForcepointCloudSecurityGateway.json b/DataConnectors/ForcepointCloudSecurityGateway.json
new file mode 100644
index 0000000000..8b977448f4
--- /dev/null
+++ b/DataConnectors/ForcepointCloudSecurityGateway.json
@@ -0,0 +1,127 @@
+{
+ "id": "ForcepointCloudSecurityGateway",
+ "title": "Forcepoint Cloud Security Gateway",
+ "publisher": "Forcepoint",
+ "descriptionMarkdown": "Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are. For more information visit: https://www.forcepoint.com/product/cloud-security-gateway",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Forcepoint CSG",
+ "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "Top 5 Web requested Domains with log severity equal to 6 (Medium)",
+ "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 6\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart"
+ },
+ {
+ "description" : "Top 5 Web Users with 'Action' equal to 'Blocked'",
+ "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where Activity == \"Blocked\"\n| where SourceUserID != \"Not available\"\n| summarize Count=count() by SourceUserID\n| top 5 by Count\n| render piechart"
+ },
+ {
+ "description" : "Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0",
+ "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n| where DeviceCustomFloatingPoint1 > 10.0\n| summarize Count=count() by SourceUserName\n| top 5 by Count\n| render barchart"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (Forcepoint CSG)",
+ "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "CommonSecurityLog (Forcepoint CSG)",
+ "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
+ "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "1. Linux Syslog agent configuration",
+ "description": "This integration requires the Linux Syslog agent to collect your Forcepoint Cloud Security Gateway Web/Email logs on port 514 TCP as Common Event Format (CEF) and forward them to Azure Sentinel.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId",
+ "PrimaryKey"
+ ],
+ "label": "Your Data Connector Syslog Agent Installation Command is:",
+ "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ },
+ {
+ "title": "2. Implementation options",
+ "description": "The integration is made available with two implementations options.",
+ "innerSteps": [
+ {
+ "title": "2.1 Docker Implementation",
+ "description": "Leverages docker images where the integration component is already installed with all necessary dependencies.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)"
+ },
+ {
+ "title": "2.2 Traditional Implementation",
+ "description": "Requires the manual deployment of the integration component inside a clean Linux machine.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)"
+ }
+ ]
+ },
+ {
+ "title": "3. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version \n \n>2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ },
+ {
+ "title": "4. Secure your machine ",
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)."
+ }
+ ]
+}
\ No newline at end of file
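Review bot: The workspace permission block at `"requiredPermissions"` asks for `"delete": true` while its own `permissionsDisplayText` tells the user only "read and write permissions are required"; nothing in this connector needs delete rights on the workspace, so drop the `"delete": true` line (or, if it is genuinely required, say so in the display text) to keep the requested role at least-privilege and consistent with what is shown. The two `dataTypes` entries share the identical `"name": "CommonSecurityLog (Forcepoint CSG)"` even though one is keyed on `DeviceProduct == "Web"` and the other on `"Email"`; give them distinct names (e.g. `CommonSecurityLog (Forcepoint CSG Web)` / `... Email)`) so the status tiles are distinguishable. The `| where TimeGenerated <= ago(0m)` clause in every query filters nothing and can be removed; and if `LogSeverity` is a string column in your CommonSecurityLog schema, `LogSeverity == 6` should be `LogSeverity == "6"`. The instruction text advertises CEF over plain TCP 514 and the installer line passes the workspace primary key as a command-line argument, so a one-sentence caveat that the key lands in shell history/process listings and that the syslog leg is unencrypted unless the integration component runs on the same host or TLS is configured would help operators.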
diff --git a/Logos/Forcepoint_new_logo.svg b/Logos/Forcepoint_new_logo.svg
new file mode 100644
index 0000000000..c2cae804a6
--- /dev/null
+++ b/Logos/Forcepoint_new_logo.svg
@@ -0,0 +1,4 @@
+
\ No newline at end of file
diff --git a/Sample Data/CEF/Forcepoint Cloud Security Gateway.csv b/Sample Data/CEF/Forcepoint Cloud Security Gateway.csv
new file mode 100644
index 0000000000..d17349cccb
--- /dev/null
+++ b/Sample Data/CEF/Forcepoint Cloud Security Gateway.csv
@@ -0,0 +1,9 @@
+TenantId,SourceSystem,TimeGenerated [UTC],ReceiptTime,DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,OriginalLogSeverity,DeviceAction,SimplifiedDeviceAction,Computer,CommunicationDirection,DeviceFacility,DestinationPort,DestinationIP,DeviceAddress,DeviceName,Message,Protocol,SourcePort,SourceIP,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,DeviceVersion,Activity,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,DeviceDnsDomain,DeviceExternalID,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceMacAddress,ProcessID,ExternalID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourceUserID,SourceUserName,EventType,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceC
ustomFloatingPoint4Label,DeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,AdditionalExtensions,StartTime [UTC],EndTime [UTC],Type,_ResourceId
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:47.092 AM",,Forcepoint CSG,Web,"""Productivity Loss",0,,Authentication Required,Authentication Required,,,,,168.63.129.16,,,,,,10.0.100.4,,,,,,,,,,,,1,None,HTTP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Unknown,HealthService,,0,,,,,,,,,,890,HTTP://168.63.129.16/HealthService,None,,,Post,,,,,,,,,,,Not available,,,,,,,,,,,,,,,,,,,,,,,,,Web Hosting,Category Name,168.63.129.16,Domain name of the destination site,Cork BizDev,Policy Name,52.136.205.45,IP address of connection to the cloud service.,None,Cloud App Risk Level,,,2020-12-10T10:20:03.000Z,Log Created Time ,,,,,,,,,Netherlands - Amsterdam (X),The cloud service data center that processed therequest.,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:47.421 AM",,Forcepoint CSG,Web,"""Productivity Loss",0,,Authentication Required,Authentication Required,,,,,168.63.129.16,,,,,,10.0.100.4,,,,,,,,,,,,1,None,HTTP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Unknown,machine,,0,,,,,,,,,,669,HTTP://168.63.129.16/machine?comp\=goalstate,None,,,Get,,,,,,,,,,,Not available,,,,,,,,,,,,,,,,,,,,,,,,,Web Hosting,Category Name,168.63.129.16,Domain name of the destination site,Cork BizDev,Policy Name,52.136.205.45,IP address of connection to the cloud service.,None,Cloud App Risk Level,,,2020-12-10T10:21:05.000Z,Log Created Time ,,,,,,,,,Netherlands - Amsterdam (X),The cloud service data center that processed therequest.,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:47.476 AM",,Forcepoint CSG,Web,"""Productivity Loss",0,,Blocked,Blocked,,,,,168.63.129.16,,,,,,52.136.205.45,,,,,,,,,,,,1,None,HTTP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Unknown,HealthService,,0,,,,,,,,,,429,HTTP://168.63.129.16/HealthService,None,,,Post,,,,,,,,,,,Not available,,,,,,,,,,,,,,,,,,,,,,,,,Web Hosting,Category Name,168.63.129.16,Domain name of the destination site,Cork BizDev,Policy Name,52.136.205.45,IP address of connection to the cloud service.,None,Cloud App Risk Level,,,2020-12-10T10:21:06.000Z,Log Created Time ,,,,,,,,,Netherlands - Amsterdam (X),The cloud service data center that processed therequest.,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:47.530 AM",,Forcepoint CSG,Web,"""Productivity Loss",0,,Authentication Required,Authentication Required,,,,,168.63.129.16,,,,,,10.0.100.4,,,,,,,,,,,,1,None,HTTP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Unknown,HealthService,,0,,,,,,,,,,890,HTTP://168.63.129.16/HealthService,None,,,Post,,,,,,,,,,,Not available,,,,,,,,,,,,,,,,,,,,,,,,,Web Hosting,Category Name,168.63.129.16,Domain name of the destination site,Cork BizDev,Policy Name,52.136.205.45,IP address of connection to the cloud service.,None,Cloud App Risk Level,,,2020-12-10T10:21:05.000Z,Log Created Time ,,,,,,,,,Netherlands - Amsterdam (X),The cloud service data center that processed therequest.,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:49.185 AM",,Forcepoint CSG,Email,Business Usage,0,,Accepted,Accepted,,1,,,,,,Warning: could not send message for past 4 hours,,,127.0.0.1,,,,,,,,,,,,1,CSG EMail,,,,,,,,,,,,,,,,,,,,,,,39LXRXxQKBKsRZZRWPLWPced-YZcPaWjRZZRWP.NZXUOZPWLMdP.Pf@alerts.bounces.google.com,,,,,,,,,,"None""",None,0,,,,,,,,,,,,,,,,,,,,,,,,,,,Mail Delivery Subsystem,MAILER-DAEMON@rly10d.srv.mailcontrol.com,,,,,,,,,,0,Spam Score,,,,,,,27707,Message Size,,,,,None,Black/white listed,None,Virus Name,DEFAULT,Policy Name,None,Advanced Encryption,,,,,2020-12-10T10:14:25.000Z,Log Created Time ,,,,,,,,,Clean,Filtering Reason,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:49.497 AM",,Forcepoint CSG,Email,Business Usage,0,,Accepted,Accepted,,0,,,,,,Alerte Google : South Africa,,,209.85.219.198,,,,,,,,,,,,1,CSG EMail,,,,,,,,,,,,,,,,,,,,,,,jdoe@labse.eu,,,,,,,,,,"None""",None,0,,,,,,,,,,,,,,,,,,,,,,,,,,,Google Alerts,googlealerts-noreply@google.com,,,,,,,,,,-105.4,Spam Score,,,,,,,14767,Message Size,,,,,None,Black/white listed,None,Virus Name,DEFAULT,Policy Name,None,Advanced Encryption,,,,,2020-12-10T10:15:58.000Z,Log Created Time ,,,,,,,,,Clean,Filtering Reason,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:49.878 AM",,Forcepoint CSG,Email,Productivity Loss,0,,Accepted,Accepted,,0,,,,,,Alerte Google : Israel,,,209.85.219.198,,,,,,,,,,,,1,CSG EMail,,,,,,,,,,,,,,,,,,,,,,,jdoe@labse.eu,,,,,,,,,,"None""",None,0,,,,,,,,,,,,,,,,,,,,,,,,,,,Google Alerts,googlealerts-noreply@google.com,,,,,,,,,,-105.6,Spam Score,,,,,,,44172,Message Size,,,,,None,Black/white listed,None,Virus Name,DEFAULT,Policy Name,None,Advanced Encryption,,,,,2020-12-10T10:15:58.000Z,Log Created Time ,,,,,,,,,Clean,Filtering Reason,,,,,,CommonSecurityLog,
+ad1f026a-17e7-4fa8-82df-9cd9d3d3b320,OpsManager,"12/10/2020, 10:22:49.932 AM",,Forcepoint CSG,Email,Productivity Loss,0,,Accepted,Accepted,,1,,,,,,Returned mail: see transcript for details,,,127.0.0.1,,,,,,,,,,,,1,CSG EMail,,,,,,,,,,,,,,,,,,,,,,,3FrfIXxQKBKsRZZRWPLWPced-YZcPaWjRZZRWP.NZXUOZPWLMdP.Pf@alerts.bounces.google.com,,,,,,,,,,"None""",None,0,,,,,,,,,,,,,,,,,,,,,,,,,,,Mail Delivery Subsystem,MAILER-DAEMON@rly01a.srv.mailcontrol.com,,,,,,,,,,0,Spam Score,,,,,,,102814,Message Size,,,,,None,Black/white listed,None,Virus Name,DEFAULT,Policy Name,None,Advanced Encryption,,,,,2020-12-10T10:16:11.000Z,Log Created Time ,,,,,,,,,Clean,Filtering Reason,,,,,,CommonSecurityLog,
\ No newline at end of file
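Review bot: The four Web rows carry a malformed quoted field `"""Productivity Loss` in the DeviceEventClassID column and the Email rows carry `"None"""` in a later column, so the sample file does not round-trip through a strict CSV reader the way the plainly written `Business Usage` / `Productivity Loss` values do; normalise them to `Productivity Loss` and `None`. The rows also appear to contain a real tenant GUID, a real external mailbox (`jdoe@labse.eu`) and real bounce/relay addresses and public IPs, which a committed sample should not — replace them with obviously synthetic values (documentation ranges, `example.com`) before this lands in a public repository. Column headers such as `DeviceC`/`ustomFloatingPoint4Label` look like a wrapped line from the paste rather than the file itself; worth confirming the header is one physical line.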
diff --git a/Workbooks/ForcepointCloudSecuirtyGatewayworkbook.json b/Workbooks/ForcepointCloudSecuirtyGatewayworkbook.json
new file mode 100644
index 0000000000..bbf26fd1f1
--- /dev/null
+++ b/Workbooks/ForcepointCloudSecuirtyGatewayworkbook.json
@@ -0,0 +1,229 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Top 5 Web requested Domains with log severity equal to 6 (Medium)\n---"
+ },
+ "name": "text - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 6\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart",
+ "size": 3,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "RequestURL",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ },
+ "graphSettings": {
+ "type": 0,
+ "topContent": {
+ "columnMatch": "RequestURL",
+ "formatter": 1
+ },
+ "centerContent": {
+ "columnMatch": "Count",
+ "formatter": 1,
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ },
+ "mapSettings": {
+ "locInfo": "LatLong",
+ "sizeSettings": "Count",
+ "sizeAggregation": "Sum",
+ "legendMetric": "Count",
+ "legendAggregation": "Sum",
+ "itemColorSettings": {
+ "type": "heatmap",
+ "colorAggregation": "Sum",
+ "nodeColorField": "Count",
+ "heatmapPalette": "greenRed"
+ }
+ }
+ },
+ "name": "query - 2"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Top 5 Web requested Domains with log severity equal to 9 (High)\n---"
+ },
+ "name": "text - 7"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 9\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart",
+ "size": 3,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "RequestURL",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ },
+ "graphSettings": {
+ "type": 0,
+ "topContent": {
+ "columnMatch": "RequestURL",
+ "formatter": 1
+ },
+ "centerContent": {
+ "columnMatch": "Count",
+ "formatter": 1,
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ },
+ "mapSettings": {
+ "locInfo": "LatLong",
+ "sizeSettings": "Count",
+ "sizeAggregation": "Sum",
+ "legendMetric": "Count",
+ "legendAggregation": "Sum",
+ "itemColorSettings": {
+ "type": "heatmap",
+ "colorAggregation": "Sum",
+ "nodeColorField": "Count",
+ "heatmapPalette": "greenRed"
+ }
+ }
+ },
+ "name": "query - 2 - Copy"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Top 5 Web Users with 'Action' equal to 'Blocked'\n---"
+ },
+ "name": "text - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where Activity != \"Blocked\"\n| where SourceUserID != \"Not available\"\n| summarize Count=count() by SourceUserID\n| top 5 by Count\n| render piechart",
+ "size": 1,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "barchart"
+ },
+ "name": "query - 3"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0\n---"
+ },
+ "name": "text - 4"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n| where DeviceCustomFloatingPoint1 > 1.0\n| summarize Count=count() by SourceUserName\n| top 5 by Count\n",
+ "size": 1,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "categoricalbar",
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "SourceIP",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ },
+ "graphSettings": {
+ "type": 0,
+ "topContent": {
+ "columnMatch": "SourceUserName",
+ "formatter": 1
+ },
+ "centerContent": {
+ "columnMatch": "Count",
+ "formatter": 1,
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ }
+ },
+ "name": "query - 5"
+ }
+ ],
+ "fallbackResourceIds": [
+ "/subscriptions/42b86d52-1a90-43ad-ade0-3b43bdfdc113/resourcegroups/dlo-az-303/providers/microsoft.operationalinsights/workspaces/demo-csg-sentinel-dlo"
+ ],
+ "fromTemplateId": "sentinel-ForcepointCloudSecuirtyGatewayworkbook",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+ }
\ No newline at end of file
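Review bot: The "query - 3" item's KQL uses `| where Activity != "Blocked"` under the heading "Top 5 Web Users with 'Action' equal to 'Blocked'", so the tile shows exactly the users who were *not* blocked; the connector's own sample query for the same title uses `Activity == "Blocked"`, which is the intended line. Likewise "query - 5" filters `DeviceCustomFloatingPoint1 > 1.0` under a heading that says "Greater Than 10.0" (the connector sample uses `> 10.0`); pick one threshold and make heading, connector and workbook agree. `fallbackResourceIds` hard-codes what looks like a real demo subscription, resource group and workspace (`/subscriptions/42b86d52-.../demo-csg-sentinel-dlo`) — a published template should ship this as an empty array so it does not point other tenants at (or disclose) the author's environment. Two items share the name `"text - 2"`, and the `tileSettings`/`graphSettings` reference a `RequestURL` column the queries never project; harmless but worth tidying.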
diff --git a/Workbooks/Images/Logos/Forcepoint_new_logo.svg b/Workbooks/Images/Logos/Forcepoint_new_logo.svg
new file mode 100644
index 0000000000..c2cae804a6
--- /dev/null
+++ b/Workbooks/Images/Logos/Forcepoint_new_logo.svg
@@ -0,0 +1,4 @@
+
\ No newline at end of file
diff --git a/Workbooks/Images/Preview/ForcepointCloudSecurityGatewayBlack.png b/Workbooks/Images/Preview/ForcepointCloudSecurityGatewayBlack.png
new file mode 100644
index 0000000000..3225e74a16
Binary files /dev/null and b/Workbooks/Images/Preview/ForcepointCloudSecurityGatewayBlack.png differ
diff --git a/Workbooks/Images/Preview/ForcepointCloudSecurityGatewayWhite.png b/Workbooks/Images/Preview/ForcepointCloudSecurityGatewayWhite.png
new file mode 100644
index 0000000000..3e44d1ad2a
Binary files /dev/null and b/Workbooks/Images/Preview/ForcepointCloudSecurityGatewayWhite.png differ
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index 704301c08a..e5792a3e47 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -1115,6 +1115,19 @@
"subtitle": "",
"provider": "Thycotic"
},
+ {
+ "workbookKey": "ForcepointCloudSecurityGatewayWorkbook",
+ "logoFileName": "Forcepoint_new_logo.svg",
+ "description": "Use this report to understand query runs across your workspace.",
+ "dataTypesDependencies": ["CommonSecurityLog"],
+ "dataConnectorsDependencies": ["ForcepointCloudSecurityGateway"],
+ "previewImagesFileNames": ["ForcepointCloudSecurityGatewayWhite.PNG","ForcepointCloudSecurityGatewayBlack.PNG"],
+ "version": "1.0",
+ "title": "Forcepoint Cloud Security Gateway Workbook",
+ "templateRelativePath": "ForcepointCloudSecuirtyGatewayworkbook.json",
+ "subtitle": "",
+ "provider": "Forcepoint"
+ },
{
"workbookKey": "IntsightsIOCWorkbook",
"logoFileName": "IntSights_logo.svg",