Forcepoint
Use the IBM Security QRadar Custom Properties for Forcepoint Content Extension to closely monitor your Forcepoint deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Forcepoint Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Forcepoint Content Extension 1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Alert Severity | No | 1 | `severity=([^|]+)` |
BytesReceived | Yes | 1 | `dstBytes=([^\t]+)` |
BytesSent | Yes | 1 | `srcBytes=([^\t]+)` |
Category Number | No | 1 | `cat=([^\t]+)` |
Channel | Yes | 1 | `channel=([^|]+)` |
Content Type | No | 1 | `contentType=([^\t]+)` |
Destination of Risk | No | 1 | `destinations=([^|]+)` |
Disposition | No | 1 | `disposition=([^\t]+)` |
Incident Detail | No | 1 | `detaills=([^|]+)` |
Log Record Source | No | 1 | `logRecordSource=([^\t]+)` |
Login ID | No | 1 | `loginID=([^\t]+)` |
Method | No | 1 | `method=([^\t]+)` |
Policy Name | Yes | 1 | `policy=([^\t]+)`, `policies=([^|]+)` |
Proxy Status Code | No | 1 | `proxyStatus-code=([^\t]+)` |
Reason | Yes | 1 | `reason=([^\t]+)` |
Role | Yes | 1 | `role=([^\t]+)` |
Server Status Code | No | 1 | `serverStatus-code=([^\t]+)` |
Source of Risk | No | 1 | `source=([^|]+)` |
URL | Yes | 1 | `url=([^\s]+)` |