Forcepoint
Use the IBM Security QRadar Custom Properties for Forcepoint Content Extension to closely monitor your Forcepoint deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Forcepoint Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Forcepoint Content Extension 1.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Alert Severity | No | 1 | `severity=([^\|]+)` |
| BytesReceived | Yes | 1 | `dstBytes=([^\t]+)` |
| BytesSent | Yes | 1 | `srcBytes=([^\t]+)` |
| Category Number | No | 1 | `cat=([^\t]+)` |
| Channel | Yes | 1 | `channel=([^\|]+)` |
| Content Type | No | 1 | `contentType=([^\t]+)` |
| Destination of Risk | No | 1 | `destinations=([^\|]+)` |
| Disposition | No | 1 | `disposition=([^\t]+)` |
| Incident Detail | No | 1 | `detaills=([^\|]+)` |
| Log Record Source | No | 1 | `logRecordSource=([^\t]+)` |
| Login ID | No | 1 | `loginID=([^\t]+)` |
| Method | No | 1 | `method=([^\t]+)` |
| Policy Name | Yes | 1 | `policy=([^\t]+)` `policies=([^\|]+)` |
| Proxy Status Code | No | 1 | `proxyStatus-code=([^\t]+)` |
| Reason | Yes | 1 | `reason=([^\t]+)` |
| Role | Yes | 1 | `role=([^\t]+)` |
| Server Status Code | No | 1 | `serverStatus-code=([^\t]+)` |
| Source of Risk | No | 1 | `source=([^\|]+)` |
| URL | Yes | 1 | `url=([^\s]+)` |