---
title: "[Recommended] Forcepoint CSG via AMA connector for Microsoft Sentinel"
description: "Learn how to install the connector [Recommended] Forcepoint CSG via AMA to connect your data source to Microsoft Sentinel."
author: cwatson-cat
ms.topic: how-to
ms.date: 10/23/2023
ms.service: microsoft-sentinel
ms.author: cwatson
ms.collection: sentinel-data-connector
---

# [Recommended] Forcepoint CSG via AMA connector for Microsoft Sentinel
Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are. For more information, visit: https://www.forcepoint.com/product/cloud-security-gateway
## Connector attributes

| Connector attribute | Description |
| --- | --- |
| Log Analytics table(s) | CommonSecurityLog (Forcepoint CSG) |
| Data collection rules support | Azure Monitor Agent DCR |
| Supported by | Community |
## Query samples

**Top 5 Web requested Domains with log severity equal to 6 (Medium)**

```kusto
CommonSecurityLog
// ago(0m) is "now", so this keeps every event up to the present; use e.g. ago(1d) for a bounded window
| where TimeGenerated <= ago(0m)
| where DeviceVendor == "Forcepoint CSG"
| where DeviceProduct == "Web"
| where LogSeverity == 6
| where DeviceCustomString2 != ""
| summarize Count=count() by DeviceCustomString2
| top 5 by Count
| render piechart
```

**Top 5 Web Users with 'Action' equal to 'Blocked'**

```kusto
CommonSecurityLog
| where TimeGenerated <= ago(0m)
| where DeviceVendor == "Forcepoint CSG"
| where DeviceProduct == "Web"
| where Activity == "Blocked"
| where SourceUserID != "Not available"
| summarize Count=count() by SourceUserID
| top 5 by Count
| render piechart
```

**Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0**

```kusto
CommonSecurityLog
| where TimeGenerated <= ago(0m)
| where DeviceVendor == "Forcepoint CSG"
| where DeviceProduct == "Email"
| where DeviceCustomFloatingPoint1 > 10.0
| summarize Count=count() by SourceUserName
| top 5 by Count
| render barchart
```
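The three sample queries read a handful of CommonSecurityLog columns that the CEF via AMA connector fills from the CEF extension keys (`act`, `suid`, `suser`, `cs2`, `cfp1`). The Python below is an added example, not code from this page, from Forcepoint or from Microsoft: it parses constructed CEF lines into those columns and reproduces each query's filter and top-N aggregation offline, so field assumptions can be checked before events reach the workspace. The sample lines and the extension handling are assumptions, not Forcepoint's actual output format.

```python
import re
from collections import Counter

# Subset of the standard CEF extension-key -> CommonSecurityLog column mapping (the columns this page's queries read).
EXT_TO_COLUMN = {"act": "Activity", "suid": "SourceUserID", "suser": "SourceUserName",
                 "cs2": "DeviceCustomString2", "cfp1": "DeviceCustomFloatingPoint1"}
def parse_cef(line: str) -> dict:
    """Map one CEF line onto the CommonSecurityLog columns the queries above read."""
    # Header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
    parts = line.split("CEF:", 1)[1].split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: %r" % line)
    _ver, vendor, product, _dver, _sig, _name, severity, ext = parts
    record = {"DeviceVendor": vendor, "DeviceProduct": product, "LogSeverity": int(severity)}
    # Extension is "key=value key=value ..."; values may contain spaces, so each value
    # runs until the next "key=" token. (CEF backslash escapes are not handled here.)
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext):
        col = EXT_TO_COLUMN.get(key)
        if col == "DeviceCustomFloatingPoint1":
            record[col] = float(value)
        elif col:
            record[col] = value
    return record

def top_n(records, product, column, n, keep):
    """Same shape as the queries: vendor/product filter, keep(r), then count by column and take top n."""
    rows = (r for r in records if r["DeviceVendor"] == "Forcepoint CSG"
            and r["DeviceProduct"] == product and column in r and keep(r))
    return Counter(r[column] for r in rows).most_common(n)
def medium_web_domains(records, n=5):
    return top_n(records, "Web", "DeviceCustomString2", n,
                 lambda r: r["LogSeverity"] == 6 and r["DeviceCustomString2"] != "")
def blocked_web_users(records, n=5):
    return top_n(records, "Web", "SourceUserID", n,
                 lambda r: r.get("Activity") == "Blocked" and r["SourceUserID"] != "Not available")

def high_spam_senders(records, n=5):
    return top_n(records, "Email", "SourceUserName", n,
                 lambda r: r.get("DeviceCustomFloatingPoint1", 0.0) > 10.0)

# Constructed sample events (not real Forcepoint CSG output); only the fields the queries read are set.
SAMPLE_LINES = [
    "CEF:0|Forcepoint CSG|Web|1.0|100|Web request|6|act=Blocked suid=alice cs2=bad.example",
    "CEF:0|Forcepoint CSG|Web|1.0|100|Web request|6|act=Blocked suid=alice cs2=bad.example",
    "CEF:0|Forcepoint CSG|Web|1.0|100|Web request|6|act=Allowed suid=bob cs2=news.example",
    "CEF:0|Forcepoint CSG|Web|1.0|100|Web request|3|act=Blocked suid=Not available cs2=",
    "CEF:0|Forcepoint CSG|Email|1.0|200|Spam verdict|5|suser=spammer@example.test cfp1=12.5",
    "CEF:0|Forcepoint CSG|Email|1.0|200|Spam verdict|5|suser=legit@example.test cfp1=2.0",
]
RECORDS = [parse_cef(line) for line in SAMPLE_LINES]
```

Note that the sentinel value `"Not available"` and the empty `cs2` are excluded exactly as the queries do, which is why those records never reach the counts.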
## Prerequisites

To integrate with [Recommended] Forcepoint CSG via AMA, make sure you have:

- To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. Learn more
- The Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed. Learn more
- **Secure your machine**: Make sure to configure the machine's security according to your organization's security policy.
## Next steps

For more information, go to the related solution in the Azure Marketplace.