111 строки
4.5 KiB
JSON
111 строки
4.5 KiB
JSON
{
|
|
"id": "Forcepoint_DLP",
|
|
"title": "Forcepoint DLP",
|
|
"publisher": "Forcepoint",
|
|
"descriptionMarkdown": "The Forcepoint DLP (Data Loss Prevention) connector allows you to automatically export DLP incident data from Forcepoint DLP into Azure Sentinel in real-time. This enriches visibility into user activities and data loss incidents, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Azure Sentinel.",
|
|
"graphQueries": [
|
|
{
|
|
"metricName": "Total data received",
|
|
"legend": "ForcepointDLPEvents_CL",
|
|
"baseQuery": "ForcepointDLPEvents_CL"
|
|
}
|
|
],
|
|
"sampleQueries": [
|
|
{
|
|
"description" : "Rules triggered in the last three days",
|
|
"query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(3d)\n | summarize count(RuleName_1_s) by RuleName_1_s, SourceIpV4_s\n | render barchart"
|
|
},
|
|
{
|
|
"description" : "Rules triggered over time (90 days)",
|
|
"query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(90d)\n | sort by CreatedAt_t asc nulls last\n | summarize count(RuleName_1_s) by CreatedAt_t, RuleName_1_s\n | render linechart"
|
|
},
|
|
{
|
|
"description" : "Count of High, Medium and Low rules triggered over 90 days",
|
|
"query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(90d)\n | sort by CreatedAt_t asc nulls last\n | summarize count(Severity_s) by CreatedAt_t, Severity_s\n | render barchart"
|
|
}
|
|
],
|
|
"dataTypes": [
|
|
{
|
|
"name": "ForcepointDLPEvents_CL",
|
|
"lastDataReceivedQuery": "ForcepointDLPEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
|
}
|
|
],
|
|
"connectivityCriterias": [
|
|
{
|
|
"type": "IsConnectedQuery",
|
|
"value": [
|
|
"ForcepointDLPEvents_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
|
|
]
|
|
}
|
|
],
|
|
"availability": {
|
|
"status": 1,
|
|
"isPreview": true
|
|
},
|
|
"permissions": {
|
|
"resourceProvider": [
|
|
{
|
|
"provider": "Microsoft.OperationalInsights/workspaces",
|
|
"permissionsDisplayText": "read and write permissions are required.",
|
|
"providerDisplayName": "Workspace",
|
|
"scope": "Workspace",
|
|
"requiredPermissions": {
|
|
"write": true,
|
|
"read": true,
|
|
"delete": true
|
|
}
|
|
},
|
|
{
|
|
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
|
|
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
|
|
"providerDisplayName": "Keys",
|
|
"scope": "Workspace",
|
|
"requiredPermissions": {
|
|
"action": true
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"instructionSteps": [
|
|
{
|
|
"title": "",
|
|
"description": "Follow step by step instructions in the [Forcepoint DLP documentation for Azure Sentinel](https://frcpnt.com/dlp-sentinel) to configure this connector.",
|
|
"instructions": [
|
|
{
|
|
"parameters": {
|
|
"fillWith": [
|
|
"WorkspaceId"
|
|
],
|
|
"label": "Workspace ID"
|
|
},
|
|
"type": "CopyableLabel"
|
|
},
|
|
{
|
|
"parameters": {
|
|
"fillWith": [
|
|
"PrimaryKey"
|
|
],
|
|
"label": "Primary Key"
|
|
},
|
|
"type": "CopyableLabel"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"metadata": {
|
|
"id": "c4961e1e-45b1-4565-a096-6e14561c90b6",
|
|
"version": "1.0.0",
|
|
"kind": "dataConnector",
|
|
"source": {
|
|
"kind": "community"
|
|
},
|
|
"author": {
|
|
"name": "Forcepoint"
|
|
},
|
|
"support": {
|
|
"name": "Forcepoint",
|
|
"link": "https://support.forcepoint.com/",
|
|
"tier": "developer"
|
|
}
|
|
}
|
|
} |