
dlp.forcepoint

Introduction

The tags beginning with dlp.forcepoint identify events belonging to Forcepoint.

Valid tags and data tables 

The full tag must have three levels. The first two are fixed as dlp.forcepoint. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service | Tags | Data tables
--- | --- | ---
Forcepoint | dlp.forcepoint.events | dlp.forcepoint.events

For more information, read more about Devo tags.

Table structure

These are the fields displayed in this table:

Field | Type | Extra fields | Field transformation | Source field name
--- | --- | --- | --- | ---
eventdate | timestamp | | |
hostchain | str | ✓ | |
deviceVersion | str | | |
signatureID | str | | |
name | str | | |
severity | str | | |
sourceServiceName | str | | |
act | str | | |
cat | str | | |
duser | str | | |
fname | str | | |
suser | str | | |
msg | str | | |
destinationHosts | str | | |
loginName | str | | |
domainName | str | | ifthenelse(loginName_len > 1, loginName_tmp[0], null) | loginName_len, loginName_tmp
userName | str | | ifthenelse(loginName_len = 1, loginName_tmp[0], substring(loginName, length(domainName), +1)) | domainName, loginName, loginName_len, loginName_tmp
analyzedBy | str | | |
timestamp | timestamp | | parsedate(timeStamp, "YYYY-MM-DD HH:mm:ss.SSS", "UTC") | timeStamp
productVersion | str | | |
severityType | str | | |
maxMatches | str | | |
sourceIp | str | | |
sourceHost | str | | |
tag | str | ✓ | |
rawMessage | str | ✓ | | rawSource
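The three transformed fields above (domainName, userName and timestamp) are the only ones in this table that are derived rather than copied, so the example below, which is added here and is not Devo's or Forcepoint's own code, reproduces their documented logic in Python over constructed sample events. Two points are assumptions because the page does not state them: loginName_tmp is taken to be loginName split on a backslash (so DOMAIN\user gives two elements and a bare user name gives one), and substring(loginName, length(domainName), +1) is read as "everything after the domain and one separator character". The names split_login, parse_timestamp, derive_fields and SAMPLE_EVENTS are invented for the illustration.

```python
"""
Added illustration (not Devo's or Forcepoint's own code): reproduces the
derived fields documented for the dlp.forcepoint.events table.

Assumptions, labelled because the page does not state them:
  - loginName_tmp is loginName split on a backslash.
  - substring(loginName, length(domainName), +1) means "the rest of
    loginName after the domain plus one separator character".
"""
from datetime import datetime, timezone
from typing import Optional, Tuple

SEPARATOR = "\\"  # assumption: Windows-style DOMAIN\user login names


def split_login(login_name: str) -> Tuple[Optional[str], str]:
    """Return (domainName, userName) following the documented ifthenelse rules."""
    login_tmp = login_name.split(SEPARATOR)   # stand-in for loginName_tmp
    login_len = len(login_tmp)                # stand-in for loginName_len
    # domainName = ifthenelse(loginName_len > 1, loginName_tmp[0], null)
    domain_name = login_tmp[0] if login_len > 1 else None
    # userName = ifthenelse(loginName_len = 1, loginName_tmp[0],
    #                       substring(loginName, length(domainName), +1))
    if login_len == 1:
        user_name = login_tmp[0]
    else:
        user_name = login_name[len(domain_name) + 1:]
    return domain_name, user_name


def parse_timestamp(raw: str) -> datetime:
    """Python equivalent of parsedate(timeStamp, "YYYY-MM-DD HH:mm:ss.SSS", "UTC")."""
    return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


# Constructed sample values shaped like the source fields; not real events.
SAMPLE_EVENTS = [
    {"loginName": "CORP\\alice", "timeStamp": "2024-05-01 12:34:56.123"},
    {"loginName": "bob", "timeStamp": "2024-05-01 12:35:00.000"},
]


def derive_fields(event: dict) -> dict:
    """Build the derived columns for one event, as the parser would."""
    domain_name, user_name = split_login(event["loginName"])
    return {
        "domainName": domain_name,
        "userName": user_name,
        "timestamp": parse_timestamp(event["timeStamp"]),
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(derive_fields(ev))
```

The second sample shows the edge case the ifthenelse branches exist for: a login with no domain part yields a null domainName and the whole loginName as userName, which is the value a detection rule keyed on userName will see.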