Forcepoint DLP Sentinel Integration

DataConnectors/Forcepoint DLP.json

@@ -0,0 +1,85 @@
+{
+    "id": "Forcepoint_DLP",
+    "title": "Forcepopint DLP",
+    "publisher": "Forcepoint",
+    "descriptionMarkdown": "The Forcepoint DLP connector allows you to automatically export DLP incident data from Forcepoint DLP into Azure Sentinel in real-time. This enriches visibility into user activities and data loss incidents, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Azure Sentinel.",
+    "graphQueries": [
+        {
+            "metricName": "Total data received",
+            "legend": "ForcepointDLPEvents_CL",
+            "baseQuery": "ForcepointDLPEvents_CL"
+        }
+    ],
+    "sampleQueries": [
+        {
+            "description" : "Rules triggered in the last three days",
+            "query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(3d)\n | summarize count(RuleName_1_s) by RuleName_1_s, SourceIpV4_s\n | render barchart"
+        },
+        {
+            "description" : "Rules triggered over time (90 days)",
+            "query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(90d)\n | sort by CreatedAt_t asc nulls last\n | summarize count(RuleName_1_s)  by  CreatedAt_t, RuleName_1_s\n | render linechart"
+        },
+        {
+            "description" : "Count of High, Medium and Low rules triggered over 90 days",
+            "query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(90d)\n | sort by CreatedAt_t asc nulls last\n | summarize count(Severity_s)  by  CreatedAt_t, Severity_s\n | render barchart"
+        }
+    ],
+    "dataTypes": [
+        {
+            "name": "ForcepointDLPEvents_CL",
+            "lastDataReceivedQuery": "ForcepointDLPEvents_CL\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+        }
+    ],
+    "connectivityCriterias": [
+        {
+            "type": "IsConnectedQuery",
+            "value": [
+                "ForcepointDLPEvents_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(30d)"
+            ]
+        }
+    ],
+    "availability": {
+        "status": 1
+    },
+    "permissions": {
+        "resourceProvider": [
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces",
+                "permissionsDisplayText": "read and write permissions are required.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "write": true,
+                    "read": true,
+                    "delete": true
+                }
+            }
+        ]
+    },
+    "instructionSteps": [
+        {
+            "title": "",
+            "description": "1. Step by step instructions to use this connector with Forcepoint DLP at this link: \n https://support.forcepoint.com/DocumentsDisplayed?version=8.7&name=Forcepoint%20DLP",
+            "instructions": [
+                {
+                    "parameters": {
+                        "fillWith": [
+                            "WorkspaceId"
+                        ],
+                        "label": "Workspace ID"
+                    },
+                    "type": "CopyableLabel"
+                },
+                {
+                    "parameters": {
+                        "fillWith": [
+                            "PrimaryKey"
+                        ],
+                        "label": "Primary Key"
+                    },
+                    "type": "CopyableLabel"
+                }
+            ]
+        }
+    ]
+}

Logos/FP_Green_Emblem_RGB-01.svg

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 23.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Artwork" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 288 288" style="enable-background:new 0 0 288 288;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:none;}
+	.st1{fill:#28A505;}
+</style>
+<g>
+	<rect x="47.44" y="37.3" class="st0" width="193.12" height="213.41"/>
+	<path class="st1" d="M206.67,70.11c0.59,0,1.08,0.49,1.08,1.08v26.54c0,0.6-0.49,1.08-1.08,1.08h-96.62
+		c-0.59,0-1.08,0.48-1.08,1.08v116.9c0,0.6-0.48,1.08-1.09,1.08H81.34c-0.6,0-1.09-0.48-1.09-1.08V71.19c0-0.59,0.49-1.08,1.09-1.08
+		H206.67z M143.36,129.71c-0.93-0.92-1.57,0.03-1.57,0.74v81.77c0,1.34,0.79,1.59,1.79,0.59l42.13-39.12c0.51-0.51,0.51-1.33,0-1.83
+		L143.36,129.71z"/>
+</g>
+</svg>

Sample Data/sample.json

@@ -0,0 +1,98 @@
+[
+  {
+    "TenantId": "7e78a116-55f9-4641-bd1d-53c51f69eee8",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated": "2020-02-05T14:31:55.123Z",
+    "Computer": "",
+    "RawData": "",
+    "DestinationDomain": "csm-testcenter.org",
+    "CreatedAt": "2020-02-05T14:26:54Z",
+    "Protocol": "HTTP",
+    "PolicyCategoryId": 850172,
+    "Type": "Forcepoint DLP",
+    "GeneratorId": 164061,
+    "Id": "incident_Id-164061-rule_id-164062",
+    "RuleName": "User uploading CV",
+    "Severity": "LOW",
+    "UpdatedAt": "2020-02-05T14:26:54Z",
+    "DestinationHostname": "www.csm-testcenter.org",
+    "ExternalId": 11550642310619705000,
+    "SourceIpV4": "192.168.122.2",
+    "Text": "Forcepoint Content Gateway Server on web-wcg.demo.com-HTTP",
+    "DestinationCommonName": "www.csm-testcenter.org",
+    "DestinationIpV4": "178.63.68.61",
+    "SourceDomain": "none",
+    "Title": "Forcepoint DLP Incident",
+    "ForcepointDLPSourceIP": "192.168.122.2",
+    "UpdatedBy": "Forcepoint Content Gateway Server on web-wcg.demo.com",
+    "Description": "http://www.csm-testcenter.org/test",
+    "Type": "ForcepointDLPEvents_CL",
+    "_ResourceId": ""
+  },
+  {
+    "TenantId": "7e78a116-55f9-4641-bd1d-53c51f69eee8",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated": "2020-02-05T14:31:55.123Z",
+    "Computer": "",
+    "RawData": "",
+    "DestinationDomain": "csm-testcenter.org",
+    "CreatedAt": "2020-02-05T14:27:00Z",
+    "Protocol": "HTTP",
+    "PolicyCategoryId": 850170,
+    "Type": "Forcepoint DLP",
+    "GeneratorId": 163858,
+    "Id": "incident_Id-163858-rule_id-163859",
+    "RuleName": "block credit card numbers",
+    "Severity": "HIGH",
+    "UpdatedAt": "2020-02-05T14:27:00Z",
+    "DestinationHostname": "www.csm-testcenter.org",
+    "ExternalId": 237894709905121000,
+    "SourceIpV4": "192.168.122.2",
+    "Text": "Forcepoint Content Gateway Server on web-wcg.demo.com-HTTP",
+    "DestinationCommonName": "www.csm-testcenter.org",
+    "DestinationIpV4": "178.63.68.61",
+    "SourceDomain": "none",
+    "Title": "Forcepoint DLP Incident",
+    "ForcepointDLPSourceIP": "192.168.122.2",
+    "UpdatedBy": "Forcepoint Content Gateway Server on web-wcg.demo.com",
+    "Description": "http://www.csm-testcenter.org/test",
+    "Type": "ForcepointDLPEvents_CL",
+    "_ResourceId": ""
+  },
+  {
+    "TenantId": "7e78a116-55f9-4641-bd1d-53c51f69eee8",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated": "2020-02-05T11:46:08.407Z",
+    "Computer": "",
+    "RawData": "",
+    "DestinationDomain": "csm-testcenter.org",
+    "CreatedAt": "2020-02-05T11:42:48Z",
+    "Protocol": "HTTP",
+    "PolicyCategoryId": 850170,
+    "Type": "Forcepoint DLP",
+    "GeneratorId": 163836,
+    "Id": "incident_Id-163836-rule_id-163837",
+    "RuleName": "block credit card numbers",
+    "Severity": "HIGH",
+    "UpdatedAt": "2020-02-05T11:42:48Z",
+    "DestinationHostname": "www.csm-testcenter.org",
+    "ExternalId": 11118801960067826000,
+    "SourceIpV4": "192.168.122.2",
+    "Text": "Forcepoint Content Gateway Server on web-wcg.demo.com-HTTP",
+    "DestinationCommonName": "www.csm-testcenter.org",
+    "DestinationIpV4": "178.63.68.61",
+    "SourceDomain": "none",
+    "Title": "Forcepoint DLP Incident",
+    "ForcepointDLPSourceIP": "192.168.122.2",
+    "UpdatedBy": "Forcepoint Content Gateway Server on web-wcg.demo.com",
+    "Description": "http://www.csm-testcenter.org/test",
+    "Type": "ForcepointDLPEvents_CL",
+    "_ResourceId": ""
+  }
+]