Collect Forcepoint Mail Relay logs

This document explains how to ingest Forcepoint Mail Relay logs to Google Security Operations using Amazon S3.

Forcepoint Mail Relay is a cloud-based email security solution that protects organizations from email-borne threats including spam, phishing, malware, and data loss. The solution provides comprehensive email filtering, data loss prevention (DLP), encryption, and advanced threat protection for both inbound and outbound email traffic.

Before you begin

Make sure that you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to the Forcepoint Mail Relay Cloud portal
  • Privileged access to AWS (S3, IAM)
  • Log Export permission enabled for your Forcepoint administrator account

Configure Forcepoint Mail Relay Cloud SIEM storage

To configure Forcepoint Mail Relay Cloud to export logs to your AWS S3 bucket, do the following:

  1. Create one or more AWS S3 buckets on the AWS portal.

  2. Sign in to the Forcepoint Cloud Security Gateway Portal.

  3. Go to Account > SIEM Storage.

  4. In the Storage type section, select the Bring your own storage radio button.

  5. Click Add to add your bucket to the Storage List: Bring Your Own table.

  6. In the Add Bucket dialog, enter the following:

    • Bucket name: Enter the bucket name from the AWS portal (for example, forcepoint-email-logs).
    • Prefix (optional): Enter a prefix to organize log files. Use / to create a folder (for example, email-logs/). If no / is included, the prefix is prepended to the filename.

  7. Click Save. The bucket information is added to the table.

  8. In the Storage List: Bring Your Own table, click the JSON link in the row for the bucket you just added.

  9. On the Bucket Policy page, click Copy Text to copy the contents of the JSON pane to the clipboard.

  10. In the AWS Management Console, open the S3 service.

  11. Select your bucket (for example, forcepoint-email-logs).

  12. Go to Permissions > Bucket policy.

  13. Click Edit.

  14. Paste the JSON policy copied from the Forcepoint portal.

  15. Click Save changes.

  16. Return to the Forcepoint portal SIEM Storage page.

  17. In the Storage List: Bring Your Own table, click Check connection for your bucket.

  18. After the connection test succeeds, select the Active radio button for your bucket in the Storage List: Bring Your Own table.

  19. Click Save at the bottom of the page.

Enable SIEM logging and configure export format

  1. In the Forcepoint portal, go to Reporting > Account Reports > SIEM Integration.
  2. From the Data type list, select Email Security.
  3. Set the Enable data export toggle to ON.

  4. From the Attributes section on the left, drag the following attributes into the Columns section:

    • Direction
    • From: Address
    • Policy
    • Recipient Address
    • Recipient Domain
    • Sender Domain
    • Sender Name
    • Subject
    • Action
    • Black/Whitelisted
    • Blocked Attachment Ext
    • Filtering Reason
    • Sender IP
    • Sender IP Country
    • Attachment File Type
    • Attachment Filename
    • Emb. URL Risk Class
    • Emb. URL Severity
    • Advanced Encryption
    • File Sandbox status
    • Virus Name
    • Date & Time
    • Message Size
    • Spam score
    • Attachment Size
  5. Click Save.

Configure AWS S3 bucket and IAM for Google SecOps

  1. Create an Amazon S3 bucket following this user guide: Creating a bucket

  2. Save the bucket Name and Region for future reference (for example, forcepoint-email-logs).

  3. Create a User following this user guide: Creating an IAM user.

  4. Select the created User.

  5. Select the Security credentials tab.

  6. Click Create Access Key in the Access Keys section.

  7. Select Third-party service as the Use case.

  8. Click Next.

  9. Optional: Add a description tag.

  10. Click Create access key.

  11. Click Download .csv file to save the Access Key and Secret Access Key for future reference.

  12. Click Done.

  13. Select the Permissions tab.

  14. Click Add permissions in the Permissions policies section.

  15. Select Add permissions.

  16. Select Attach policies directly.

  17. Search for the AmazonS3FullAccess policy.

  18. Select the policy.

  19. Click Next.

  20. Click Add permissions.

Configure a feed in Google SecOps to ingest Forcepoint Mail Relay logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. Enter a unique name for the Feed name.
  5. Select Amazon S3 V2 as the Source type.
  6. Select Forcepoint Mail Relay as the Log type.
  7. Click Next and then click Submit.
  8. Specify values for the following fields:

    • S3 URI: s3://forcepoint-email-logs/email-logs/
    • Source deletion option: Select the deletion option according to your preference.
    • Maximum File Age: Include files modified in the last number of days (default is 180 days).
    • Access Key ID: User access key with access to the S3 bucket.
    • Secret Access Key: User secret key with access to the S3 bucket.
    • Asset namespace: The asset namespace.
    • Ingestion labels: The label to be applied to the events from this feed.
  9. Click Next and then click Submit.

UDM mapping table

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| | hybridSpamScore_label.key | Set to "hybridSpamScore" |
| hybridSpamScore | hybridSpamScore_label.value | Value copied directly |
| | localSpamScore_label.key | Set to "localSpamScore" |
| localSpamScore | localSpamScore_label.value | Value copied directly |
| | metadata.event_type | Set to "GENERIC_EVENT" initially; set to "EMAIL_TRANSACTION" if has_network_email is true; else set to "NETWORK_CONNECTION" if has_principal and has_target are true; else set to "STATUS_UPDATE" if has_principal is true; else "GENERIC_EVENT" |
| product_event_type | metadata.product_event_type | Value copied directly |
| | metadata.product_name | Set to "FORCEPOINT_MAIL_RELAY" |
| | metadata.vendor_name | Set to "FORCEPOINT_MAIL_RELAY" |
| sender | network.email.from | Value copied directly |
| subject | network.email.subject | Value copied directly |
| recipient | network.email.to | Value copied directly |
| identHostName | principal.asset.hostname | Value copied directly |
| identSrc, trueSrc, src | principal.asset.ip | Value from src if not empty, else trueSrc if not empty, else identSrc |
| identHostName | principal.hostname | Value copied directly |
| identSrc, trueSrc, src | principal.ip | Value from src if not empty, else trueSrc if not empty, else identSrc |
| sender | principal.user.email_addresses | Value copied directly |
| summary | security_result.action | Set to "ALLOW" if summary matches (?i)clean |
| act | security_result.action_details | Value copied directly |
| hybridSpamScore_label, localSpamScore_label | security_result.detection_fields | Merged from hybridSpamScore_label and localSpamScore_label |
| summary | security_result.summary | Value copied directly |
| dst | target.asset.ip | Value copied directly |
| dst | target.ip | Value copied directly |
| recipient | target.user.email_addresses | Value copied directly |
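The following is an added Python illustration of the mapping logic in the table above (the src > trueSrc > identSrc precedence, the event_type selection, the ALLOW-on-clean rule and the merged spam-score detection fields); it is not the Google SecOps parser itself, the sample record is constructed, and it assumes the has_network_email / has_principal / has_target flags simply mean the corresponding UDM section was populated.

```python
import re

# Constructed sample record keyed by the raw field names in the UDM mapping table (made-up values).
SAMPLE = {
    "product_event_type": "email_delivered", "sender": "alice@example.com",
    "recipient": "bob@example.org", "subject": "Quarterly report",
    "identHostName": "relay01.example.com", "identSrc": "203.0.113.10",
    "trueSrc": "", "src": "", "dst": "198.51.100.25", "summary": "Clean",
    "act": "deliver", "hybridSpamScore": "0.3", "localSpamScore": "1.2",
}

def principal_ip(rec):
    """src if not empty, else trueSrc if not empty, else identSrc (the table's precedence)."""
    return next((rec.get(k) for k in ("src", "trueSrc", "identSrc") if rec.get(k)), None)

def map_to_udm(rec):
    """Apply the mapping table to one record; asset.ip/asset.hostname duplicates omitted."""
    udm = {"metadata": {"product_name": "FORCEPOINT_MAIL_RELAY",
                        "vendor_name": "FORCEPOINT_MAIL_RELAY",
                        "event_type": "GENERIC_EVENT"}}
    if rec.get("product_event_type"):
        udm["metadata"]["product_event_type"] = rec["product_event_type"]
    email = {u: rec[f] for u, f in (("from", "sender"), ("to", "recipient"),
                                    ("subject", "subject")) if rec.get(f)}
    principal = {u: v for u, v in (("ip", principal_ip(rec)),
                                   ("hostname", rec.get("identHostName"))) if v}
    if rec.get("sender"):
        principal["user"] = {"email_addresses": [rec["sender"]]}
    target = {"ip": rec["dst"]} if rec.get("dst") else {}
    if rec.get("recipient"):
        target["user"] = {"email_addresses": [rec["recipient"]]}
    # Event-type precedence from the table. Assumption: has_network_email, has_principal
    # and has_target mean the corresponding UDM section ended up populated.
    if email:
        udm["metadata"]["event_type"], udm["network"] = "EMAIL_TRANSACTION", {"email": email}
    elif principal and target:
        udm["metadata"]["event_type"] = "NETWORK_CONNECTION"
    elif principal:
        udm["metadata"]["event_type"] = "STATUS_UPDATE"
    sec = {"detection_fields": [{"key": k, "value": rec[k]}  # merged spam-score labels
                                for k in ("hybridSpamScore", "localSpamScore") if rec.get(k)]}
    if rec.get("summary"):
        sec["summary"] = rec["summary"]
        if re.search(r"(?i)clean", rec["summary"]):  # any other summary leaves action unset
            sec["action"] = "ALLOW"
    if rec.get("act"):
        sec["action_details"] = rec["act"]
    udm["security_result"], udm["principal"], udm["target"] = [sec], principal, target
    return udm
```

Feeding a record whose summary is not "clean" leaves security_result.action unset rather than producing a BLOCK, which is worth remembering when writing detections on this log type.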
