Forcepoint CSG data connectors won't open for configuration

[HeatonJL]

A few months ago, I was able to get into the configuration section for the Forcepoint CSG via AMA. Today, If I check the box, and click Open connector page, nothing happens, it just sits there.

[v-mabrindha]

@HeatonJL, Thanks for reporting this issue, we are checking on it with team and get back to you with some update. Thanks!

[v-mabrindha]

@HeatonJL ,
Could you please share your current version of Force Point CSG.
we have version update of force point from 3.0.0 to 3.0.3
version 3.0.2 - Deprecating data connectors
version 3.0.3 - Removed Deprecated Data Connectors

pls update with latest version 3.0.3 of Force Point CSG.

Thanks.

[HeatonJL]

The Cloud Security Gateway is a SaaS solution. I don't see anywhere that they are showing a version number. But, it's the Sentinel solution that doesn't give me the opportunity to even try to connect to the cloud Forcepoint. I do see what you're saying, in that the existing data connectors were deprecated in the project. But, that leaves me with nothing to use to make the connection. Are there new data connectors being created? Or is this Sentinel solution just dead? Thank you for your time and consideration on this matter, my security team really wants the Forcepoint data ingested into Sentinel, but without the established connector and process, I don't know how to get it there. Thanks, Joe Heaton From: v-mabrindha ***@***.***> Sent: Wednesday, February 12, 2025 12:49 AM To: Azure/Azure-Sentinel ***@***.***> Cc: Heaton, ***@***.*** ***@***.***>; Mention ***@***.***> Subject: Re: [Azure/Azure-Sentinel] Forcepoint CSG data connectors won't open for configuration (Issue #11749) You don't often get email from ***@***.******@***.***>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> WARNING: This message is from an external source. Verify the sender and exercise caution when clicking links or opening attachments. @HeatonJL<https://github.com/HeatonJL> , Could you please share your current version of Force Point CSG. we have version update of force point from 3.0.0 to 3.0.3 version 3.0.2 - Deprecating data connectors version 3.0.3 - Removed Deprecated Data Connectors pls update with latest version of Force Point CSG. Thanks. - Reply to this email directly, view it on GitHub<#11749 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMSY2T7RPCJDPOYARAGCUD32PMDGLAVCNFSM6AAAAABWIFPDVWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNJTGAZDAMRVG4>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[v-mabrindha]

@HeatonJL , Please check details mentioned below

Forcepoint Cloud Security Gateway (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.

For more details about this solution refer to integration documentation.

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.

[HeatonJL]

I'm not entirely sure what you're trying to say. I understand it depends on CEF. However, in that implementation guide, it tells you to specifically look for the Forcepoint Cloud Security Gateway data connector, which no longer exists. We are already using the CEF connector for another solution. Can I use the same Linux box for collecting and sending to Sentinel? From: v-mabrindha ***@***.***> Sent: Friday, February 14, 2025 4:37 AM To: Azure/Azure-Sentinel ***@***.***> Cc: Heaton, ***@***.*** ***@***.***>; Mention ***@***.***> Subject: Re: [Azure/Azure-Sentinel] Forcepoint CSG data connectors won't open for configuration (Issue #11749) You don't often get email from ***@***.******@***.***>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> WARNING: This message is from an external source. Verify the sender and exercise caution when clicking links or opening attachments. @HeatonJL<https://github.com/HeatonJL> , Please check details mentioned below Forcepoint Cloud Security Gateway<https://www.forcepoint.com/product/cloud-security-gateway> (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway. For more details about this solution refer to integration documentation<https://forcepoint.github.io/docs/csg_and_sentinel/>. This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024. - Reply to this email directly, view it on GitHub<#11749 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMSY2T6KK56T7H7XB3YLLP32PXPNNAVCNFSM6AAAAABWIFPDVWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNJZGIZDOMJVGY>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>> [v-mabrindha]v-mabrindha left a comment (Azure/Azure-Sentinel#11749)<#11749 (comment)> @HeatonJL<https://github.com/HeatonJL> , Please check details mentioned below Forcepoint Cloud Security Gateway<https://www.forcepoint.com/product/cloud-security-gateway> (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway. For more details about this solution refer to integration documentation<https://forcepoint.github.io/docs/csg_and_sentinel/>. This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024. - Reply to this email directly, view it on GitHub<#11749 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMSY2T6KK56T7H7XB3YLLP32PXPNNAVCNFSM6AAAAABWIFPDVWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNJZGIZDOMJVGY>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[v-sudkharat]

@HeatonJL, The Forcepoint CSG solution version 3.0.3 required the CEF Data connector, as the existing "[Deprecated] Forcepoint CSG via AMA", has been removed from the solution.

2. You can use the same CEF solution by running the below script into your environment to configure the CEF logs, which will contains the DeviceVendor == Forcepont CSG
   

Once the configuration has been completed, you can filter out the logs by executing the below query :

CommonSecurityLog
|where DeviceVendor =~ 'Forcepoint CSG'

Thanks!

[v-mabrindha]

@HeatonJL, Waiting for your response on above comment. Thanks!

[HeatonJL]

I'm still trying to figure out what needs to be done. I setup the CEF piece in Sentinel yesterday. I know the Linux box is already collecting logs from other sources, so I have to assume the base apps are installed there. So now, I have to log into the syslog box, download and run the Forcepoint specific stuff? And is the script info you shared done on the Linux box, or in Sentinel? From: v-mabrindha ***@***.***> Sent: Thursday, February 20, 2025 5:24 AM To: Azure/Azure-Sentinel ***@***.***> Cc: Heaton, ***@***.*** ***@***.***>; Mention ***@***.***> Subject: Re: [Azure/Azure-Sentinel] Forcepoint CSG data connectors won't open for configuration (Issue #11749) WARNING: This message is from an external source. Verify the sender and exercise caution when clicking links or opening attachments. @HeatonJL<https://github.com/HeatonJL>, Waiting for your response on above comment. Thanks! - Reply to this email directly, view it on GitHub<#11749 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMSY2T4IKID5ZGUUQTW3PTL2QXJNJAVCNFSM6AAAAABWIFPDVWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNZRGQ4TCOBTG4>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>> [v-mabrindha]v-mabrindha left a comment (Azure/Azure-Sentinel#11749)<#11749 (comment)> @HeatonJL<https://github.com/HeatonJL>, Waiting for your response on above comment. Thanks! - Reply to this email directly, view it on GitHub<#11749 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMSY2T4IKID5ZGUUQTW3PTL2QXJNJAVCNFSM6AAAAABWIFPDVWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNZRGQ4TCOBTG4>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[v-mabrindha]

Hi @HeatonJL ,
Yes, first you need to execute the AMA connector script on a Linux box, so the AMA can forward the Forcepoint logs to Sentinel.
Once that is done, you can check the Forcepoint logs using the query below in the Sentinel workspace. This query will help you filter out the Forcepoint logs, as you have already configured CEF for a different source vendor.
CommonSecurityLog
|where DeviceVendor =~ 'Forcepoint CSG'

[v-mabrindha]

@HeatonJL, Waiting for your response on above comment. Thanks!