Closed javbux closed 9 months ago
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @javbux, thanks for flagging this issue. We will investigate it and get back to you with an update by 19-10-2023. Thanks!
Hi @javbux, thanks for sharing the bug description with us.
For the 1st bug - could you please check whether the CollectorHostName column is present in your workspace and let us know? Use the query below to get the schema. If it is not present, then the [Recommended] Forcepoint CSG via AMA connector is not configured. The [Deprecated] Forcepoint CSG via Legacy Agent connector shows as green because the workspace still has the old data.

```kusto
CommonSecurityLog
| getschema
```
2nd bug - We're following up with the Forcepoint team on the configuration guide; if you have a support contract with them, you can get in touch with them while we're still working on it.
3rd bug - please check the data available in the Syslog table in your workspace; that data is synced to the CommonSecurityLog table in the same workspace.
Thanks!
Hello @v-sudkharat, thanks for getting back to me.
Bug 1: I do have the CollectorHostName column, screenshot below.
If I work off that being required, I can see from the data I have coming in from AMA that CollectorHostName is not one of the populated fields. These are the fields being populated for Forcepoint CSG in CommonSecurityLog:
TimeGenerated [UTC], DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity, DeviceAction, ApplicationProtocol, DestinationIP, FileType, FileName, RequestURL, RequestClientApplication, RequestMethod, SourceIP, SourceUserID, DeviceCustomString1, DeviceCustomString1Label, DeviceCustomString2
Bug 2: This has been logged with Forcepoint who advised it should be looked at by the community here as they are not responsible for the Sentinel content.
Bug 3: Is there anyone from the community who wrote the code who could explain the behaviour and how much data is being pulled back? The data is being collected, but I don't know what determines how much is pulled and what is picked up every 10 minutes.
Hi @javbux, thanks for your response. We are reaching out to the concerned team for the connector configuration steps; once we receive an update on this, we will update you by 07-11-2023. Thanks!
Hi @javbux, hope you are doing well. We are still waiting for a response from the concerned team on the connector configuration steps; once we receive an update, we will let you know. Thanks!
Hi @javbux, I hope this message finds you in good health. We have received a response from our concerned team regarding the configuration steps for the connector. These steps are currently being relayed to the partner. At this moment, we do not have further details. However, rest assured that once we receive any updates from the partner regarding these configuration steps, we will promptly inform you. So, as of now, we are closing this issue. If you still need support for this issue, feel free to re-open it at any time. Thank you for your co-operation. Thanks!
thanks @v-sudkharat
Can you confirm that the concerned team are working on all 3 bugs I reported? It hasn't been right since mid-September; how long do they need, and how does Microsoft "encourage" a speedier resolution? It seems that with anything from the Content Hub, support is slow.
Hi @javbux, Apologies for the delay in response. We will check the bug you've raised with our concerned team and will share an update with you. Thanks!
Hi @javbux. I hope this message finds you well. Our team has continuously followed up with the Forcepoint team to address the issue, and we are grateful for your patience and understanding. Please see below regarding your reported bugs -
1st bug - As you mentioned, the CommonSecurityLog table schema has the CollectorHostName column. So, could you please check whether the CollectorHostName column has data in it? If it has data, then the [Recommended] Forcepoint CSG via AMA connector gets configured.
But if only the column schema is there and it does not contain any data, then the [Deprecated] Forcepoint CSG via Legacy Agent will get configured.
It would be great if you could share screenshots.
2nd bug - We are able to access the configuration steps link. So, could you please check the link below and try again -
link - https://frcpnt.com/csg-sentinel
3rd bug - We are checking with the concerned team on this. But FYI, as per the connector instruction page, it may take about 20 minutes until the connection streams data to your workspace.
Thanks!
Hi @v-sudkharat thanks for the update.
Bug 1: I did give an update on the 19th Oct about this.
I do have CollectorHostName column in the table schema. When I look at the forcepoint data being pulled in, that column name is not one of them.
I can confirm that I am using a Linux VM with AMA installed which is successfully bringing the logs into Log Analytics.
(My assumption is the source code from the GitHub repo that I download and run on the Linux syslog is either missing something or not applying something?)
What I have in place: I built a Linux VM and followed the data connector configuration guide for [Recommended] Forcepoint CSG via AMA.
Step A has you configure a DCR in the Common Event Format (CEF) via AMA data connector. Step B has you go off to https://frcpnt.com/csg-sentinel, which is now working again, so Bug 2 is fixed.
From that Integration Guide, I followed the steps for Traditional Implementation. (You will note that the guide does not have any steps for AMA, it still talks about the OMS agent)
On step 9, I did not use the link provided for OMS agent installation, and instead used a link to install the AMA agent which I obtained from the Common Event Format (CEF) via AMA (Preview) data connector:

```shell
sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py && sudo python Forwarder_AMA_installer.py
```

Step 2, as shown below, has you download the source code and run it on the Linux VM.
I am wondering if this code needs updating to reflect AMA is in use and accounts for the CollectorHostName column?
Can this be looked into?
Hi @javbux, yes, that's right. Based on the connector's connectivityCriterias query below, the column called sent_by_ama will contain the value from the CollectorHostName column if it exists; otherwise, it will be an empty string. So, the CollectorHostName column should have data for the AMA connector to be configured.
Regarding the GitHub repo script, we will check on this and get back to you by 17-01-2024.
Thanks!
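The connectivity check described in the comment above, as an added diagnostic query that is not part of the original thread and is not the connector's own connectivityCriterias query: it reproduces the stated sent_by_ama logic (CollectorHostName when present, otherwise an empty string) over recent CommonSecurityLog rows and splits the event counts by whether that column is populated. The DeviceVendor filter is an assumption about how Forcepoint CSG events are tagged; adjust it to the DeviceVendor/DeviceProduct values your workspace actually shows.

```kusto
// Added diagnostic, not the connector's connectivityCriterias query.
// Splits recent Forcepoint CEF events by whether CollectorHostName is set,
// which is the field the AMA connector's status check keys on.
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has "Forcepoint"   // assumption: adjust to your DeviceVendor/DeviceProduct values
| extend sent_by_ama = iff(isnotempty(CollectorHostName), CollectorHostName, "")
| summarize Events = count(), LastSeen = max(TimeGenerated)
    by DeviceVendor, DeviceProduct, ViaAMA = isnotempty(sent_by_ama), Collector = sent_by_ama
| order by LastSeen desc
```

Rows with ViaAMA == false are events that landed in CommonSecurityLog without CollectorHostName being stamped; the AMA connector's status check would not count them, whatever path they actually arrived by, which matches the symptom of the AMA connector never showing as connected.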
Hi @javbux, we have checked the details of the GitHub repo script you highlighted. The repo/script is owned by the Forcepoint team, and we are not authorized to make any modifications to it. We kindly request that you raise the issue with them at the repo link shared below, so the Forcepoint team can look into it. https://github.com/Forcepoint/fp-bd-csg-azure-sentinel/releases/tag/v1.0 Thanks!
Hi @v-sudkharat, thank you. I have raised it in their repo, although it doesn't look like anyone maintains it? Are you able to tell, or assign it to someone who maintains it?
Hi @javbux, thank you for your response. Based on recent history, I can see that 'dlo-bagari' has contributed to it. So, as you have raised the issue in their repo, could you please let us know whether we can close this issue from our end.
Thanks!
Hmmm, that was 3 years ago. I’m not confident I will get a response, so can we leave open for the meantime or is there nothing further you can do at all?
Do you not have any means of chasing up who inputs into the Azure-Sentinel Solutions?
Hi @javbux, This solution and the GitHub repository mentioned above are maintained by Forcepoint. Therefore, we are not authorized to make any modifications to it. As per our procedure, we cannot keep this issue open, so we are closing it on our GitHub. If you still require support for this issue, please feel free to reopen it at any time. Thank you for your cooperation.
Hello, javbux!
Were you able to resolve the connector issue via Forcepoint AMA? I'm also having the same problem.
I installed the connector and the AMA agent on Linux, and the connector still does not receive the data.
Hi @Gabrielpbs
So I have the Forcepoint cloud logs coming in using AMA and populating the CommonSecurityLog table in LAW, but only the [Deprecated] Forcepoint CSG via Legacy Agent data connector still shows as connected. The other does not, just as I reported here.
The GitHub repo maintained by Forcepoint has had no updates for three years and no one came back to me, so I have just accepted it.
Thank you very much for your feedback, JavBux!
Did you uninstall the Legacy agent and just install AMA?
In my case I started with a new Ubuntu VM and installed the AMA agent, but had to amend the install command to use Python 3:

```shell
sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py && sudo python3 Forwarder_AMA_installer.py
```
Describe the bug: This recently changed from Preview and I had to re-set it up, but this time I could use AMA on the Syslog server I built. When you install the solution you get two Data Connectors:
[Deprecated] Forcepoint CSG via Legacy Agent
[Recommended] Forcepoint CSG via AMA
I followed the Configuration Steps on the connector page for [Recommended] Forcepoint CSG via AMA.
The first bug I have is that the data connector lit up green as connected is [Deprecated] Forcepoint CSG via Legacy Agent and not [Recommended] Forcepoint CSG via AMA.
The second bug is that the configuration guide no longer works and I get a 404 Page Not Found.
The third bug is around how much data is being pulled down from Forcepoint Cloud; it appears to only get a certain number of files every 10 minutes.
To Reproduce: When you install the solution you get two data connectors:
[Deprecated] Forcepoint CSG via Legacy Agent
[Recommended] Forcepoint CSG via AMA
Try to follow the Configuration Guide; under Step B. Implementation options, both Docker Implementation and Traditional Implementation take you to https://forcepoint.github.io/docs/csg_and_sentinel with the message:
404 Page not found :(
The requested page could not be found.
Additional context: I also logged this with Forcepoint who, after trying to assist, suggested I log it with the Community.