Forcepoint
Use the IBM® QRadar® Custom Properties for Forcepoint Content Extension to closely monitor your Forcepoint deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled,
download the most recent version of the associated DSMs from IBM Fix Central
(https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Forcepoint Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Forcepoint Content Extension 1.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Alert Severity | No | 1 | severity=([^|]+) |
| BytesReceived | Yes | 1 | dstBytes=([^\t]+) |
| BytesSent | Yes | 1 | srcBytes=([^\t]+) |
| Category Number | No | 1 | cat=([^\t]+) |
| Channel | Yes | 1 | channel=([^|]+) |
| Content Type | No | 1 | contentType=([^\t]+) |
| Destination of Risk | No | 1 | destinations=([^|]+) |
| Disposition | No | 1 | disposition=([^\t]+) |
| Incident Detail | No | 1 | detaills=([^|]+) |
| Log Record Source | No | 1 | logRecordSource=([^\t]+) |
| Login ID | No | 1 | loginID=([^\t]+) |
| Method | No | 1 | method=([^\t]+) |
| Policy Name | Yes | 1 | policy=([^\t]+) policies=([^|]+) |
| Proxy Status Code | No | 1 | proxyStatus-code=([^\t]+) |
| Reason | Yes | 1 | reason=([^\t]+) |
| Role | Yes | 1 | role=([^\t]+) |
| Server Status Code | No | 1 | serverStatus-code=([^\t]+) |
| Source of Risk | No | 1 | source=([^|]+) |
| URL | Yes | 1 | url=([^\s]+) |