Forcepoint

Forcepoint is an advanced threat protection product with added local management controls.

The Forcepoint-Demisto integration allows you to create and manage custom categories.

To set up Forcepoint to work with Demisto:

  • Make sure you have administrator permissions.
  • Make sure you have port 15873 open.

To set up the integration on Demisto:

  1. Go to ‘Settings > Integrations > Servers & Services’
  2. Locate ‘Forcepoint’ by searching for it using the search box on the top of the page.
  3. Click ‘Add instance’ to create and configure a new integration. You should configure the following settings:
    Name : A textual name for the integration instance.
    Server URL : API Server URL.
    Username and Password: The username and password for accessing the integration.
    Use system proxy settings: Specify whether to communicate with the integration via the system proxy server or not.
    Do not validate server certificate: Select this if you wish to bypass server certificate validation. You may want to do this if the server you are connecting to does not have a valid certificate.
    Demisto engine : If relevant, select the engine that acts as a proxy to the server. Engines are used when you need to access remote network segments and there are network devices such as proxies, firewalls, etc. that prevent the Demisto server from accessing the remote networks.
    For more information on Demisto engines see:
    https://demisto.zendesk.com/hc/en-us/articles/226274727-Settings-Integrations-Engines
  4. Press the ‘Test’ button to validate connection.
    If you are experiencing issues with the service configuration, please contact Demisto support at support@demisto.com
  5. After completing the test successfully, press the ‘Done’ button.

Fetched incidents data:

This integration does not fetch incidents.

Top Use-cases:

Forcepoint integration can be used to create a block list category for URL and IP addresses.

A possible flow of commands could be:

  1. Use ‘fp-add-category’ to add a new category. The new category will automatically be set to block access.
  2. Use ‘fp-get-category-details’ to get the new category ID.
  3. Use ‘fp-add-addresses-to-category’ to add URLs and/or IP addresses to the category. Use the category name or ID as identifier.
  4. Use ‘fp-delete-addresses-from-category’ to remove URLs and/or IP addresses from the category.

The integration can also be used to view a detailed list of managed categories. Use ‘fp-list-categories’ to view all Forcepoint categories or only the categories managed by the integration.

Commands:

  • fp-list-categories

Input:

Option to list all categories or only API-managed categories (default).

Context output:

```
{
  Forcepoint: {
    ListCategories: [
      {
        CategoryDescription: Sites that provide information about or that sell or provide curriculum materials or direct instruction; also, learned journals and similar publications.
        CategoryID: 118
        CategoryName: Educational Materials
        CategoryOwner: Forcepoint
        CategoryParent: Education
      }
    ]
  }
}
```

Raw output:

```
[
  {
    Category Description: Parent category that contains categories known to consume bandwidth resources.
    Category Hierarchy: 890
    Category ID: 116
    Category Name: Bandwidth
    Category Owner: Forcepoint
    CategoryParent:
    Children: [
      {
        Category Description: Sites that store personal files on Internet servers for backup or exchange.
        Category Hierarchy: 1510
        Category ID: 113
        Category Name: Personal Network Storage and Backup
        Category Owner: Forcepoint
        CategoryParent: Bandwidth
      }
    ]
  }
]
```

  • fp-get-category-details

Input:

Category name or ID.

Context output:

```
{
  Forcepoint: {
    CategoryDetails: {
      CategoryID: 116
      CategoryName: Bandwidth
      IPs: []
      URLs: []
    }
  }
}
```

Raw output:

```
{
  Category ID: 116
  Category Name: Bandwidth
  IPs: []
  URLs: []
}
```

  • fp-add-category

Input:

Category name, category description, category parent.

Context output:

```
{
  Forcepoint: {
    Add Category: {
      Categories: [
        { Category Name: Test category }
      ]
    }
  }
}
```

Raw output:

```
{
  Categories: [
    { Category Name: Test category }
  ]
}
```

  • fp-add-addresses-to-category

Input:

Category name or ID, list of URLs and/or list of IP addresses.

Context output:

```
{
  Forcepoint: {
    AddAddressToCategory: {
      Category ID: 1932
      Category Name:
      Totals: {
        Added IPs: 0
        Added URLs: 1
      }
    }
  }
}
```

Raw output:

```
{
  Category ID: 1932
  Category Name:
  Totals: {
    Added IPs: 0
    Added URLs: 1
  }
}
```

  • fp-delete-addresses-from-category

Input:

Category name or ID, list of URLs and/or list of IP addresses.

Context output:

```
{
  Forcepoint: {
    AddAddressToCategory: {
      Category ID: 1932
      Category Name:
      Totals: {
        Deleted IPs: 0
        Deleted URLs: 1
      }
    }
  }
}
```

Raw output:

```
{
  Category ID: 1932
  Category Name:
  Totals: {
    Deleted IPs: 0
    Deleted URLs: 1
  }
}
```

  • fp-delete-category

Input:

List of category names or IDs.

Context output:

```
{
  Forcepoint: {
    DeletedCategories: [
      {
        CategoryID: 116
        CategoryName: Bandwidth
        IPs: []
        URLs: []
      }
    ]
  }
}
```

Raw output:

```
[
  {
    Category ID: 116
    Category Name: Bandwidth
    IPs: []
    URLs: []
  }
]
```

Additional info:

URL restrictions and clarifications:

  • Only the hostname field (part of the authority) is required.
  • Other parts are optional, but can be used to define a stricter match.
  • CGI parameters (anything after the "?" in a URL) are automatically removed from the URL.
  • If no protocol is specified, the following protocols will be added to the database:
    http://, https://, and ftp://.
  • URLs can be added to more than one category. When the URL is matched, all categories for the URL are returned for use in policy enforcement.

IP address restrictions and clarifications:

  • IP addresses and ranges are as specified by IPv4 and IPv6.
  • IP addresses and ranges can be added to more than one category. When an IP address is matched, all categories for the IP address are returned for use in policy enforcement.
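The URL and IP address rules above determine what the database will actually store, so it is worth applying them locally before a playbook hands indicators to ‘fp-add-addresses-to-category’: a URL without a hostname will be rejected, query parameters are dropped, and a scheme-less URL turns into three entries. The following is an added example written for this page, not code from the integration or from Forcepoint. It assumes two things the page does not state: that a range written as "start-end" is accepted alongside CIDR notation, and that a CIDR prefix with host bits set (for example 10.0.0.1/8) should be rejected rather than silently widened to the whole network.

```python
"""Local pre-flight normalisation of the URLs and IP addresses handed to
fp-add-addresses-to-category, applying the restrictions listed on the page.
Added example; not code from the integration or from Forcepoint.

Assumptions not stated on the page: ranges written as "start-end" are accepted
alongside CIDR notation, and a CIDR with host bits set is rejected rather than
silently widened to the whole network."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Protocols the database adds when the URL carries none (from the page).
DEFAULT_SCHEMES = ("http", "https", "ftp")


def normalize_url(raw: str) -> list[str]:
    """Return the URL(s) the database will store for one input.
    Hostname is required; port and path stay (stricter match); query and
    fragment are dropped; a scheme-less URL expands to http/https/ftp."""
    raw = raw.strip()
    has_scheme = "://" in raw
    # Without a scheme, urlsplit would treat 'example.com/x' as a path, so
    # prefix '//' to make the authority part explicit.
    parts = urlsplit(raw if has_scheme else "//" + raw)
    if not parts.hostname:
        raise ValueError(f"hostname is required: {raw!r}")
    tail = (parts.netloc, parts.path, "", "")  # query ('?...') and fragment removed
    if has_scheme:
        return [urlunsplit((parts.scheme,) + tail)]
    return [urlunsplit((scheme,) + tail) for scheme in DEFAULT_SCHEMES]


def normalize_ip(raw: str) -> str:
    """Validate one IPv4/IPv6 address, CIDR network or start-end range and
    return it in canonical text form (ValueError on anything else)."""
    raw = raw.strip()
    if "/" in raw:
        # strict=True: '10.0.0.1/8' is an error, not a silent block of 10.0.0.0/8
        return str(ipaddress.ip_network(raw, strict=True))
    if "-" in raw:  # IPv6 text never contains '-', so this is unambiguous
        lo, hi = (ipaddress.ip_address(p.strip()) for p in raw.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {raw!r}")
        return f"{lo}-{hi}"
    return str(ipaddress.ip_address(raw))


def normalize_batch(urls: list[str], ips: list[str]) -> dict:
    """Normalise a whole batch, collecting rejects instead of aborting, so a
    playbook can report bad indicators and still push the valid ones."""
    out = {"urls": [], "ips": [], "rejected": []}
    for u in urls:
        try:
            out["urls"].extend(normalize_url(u))
        except ValueError as exc:
            out["rejected"].append((u, str(exc)))
    for i in ips:
        try:
            out["ips"].append(normalize_ip(i))
        except ValueError as exc:
            out["rejected"].append((i, str(exc)))
    return out


if __name__ == "__main__":
    # Constructed sample input (documentation address ranges and example.com).
    result = normalize_batch(
        ["example.com/login?session=abc", "https://example.com:8443/a#frag", "?x=1"],
        ["192.0.2.0/24", "2001:db8::1", "198.51.100.10 - 198.51.100.20", "10.0.0.1/8"])
    for key, value in result.items():
        print(key, value)
```

Running the sample shows the three http/https/ftp entries produced for the scheme-less URL, the query string and fragment gone from the others, and the two rejects (no hostname, host bits set) reported instead of failing the whole batch.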

Known Limitations

  • A new category will automatically be set to block access. You may change the category's access setting in the Forcepoint TRITON Manager.

Troubleshooting

  • Failed attempts to add/delete URL or IP addresses to a category might be caused by an invalid category name or ID.
    Invalid category name/ID indicates one of the following:
    • The category does not exist.
    • The ID/name belongs to a Forcepoint-defined category.
    • The ID/name belongs to a custom category defined via the TRITON Manager.
  • Failed attempts to create a new category might be caused by:
    • The name provided is associated with another category.
  • Recurring error ‘Another transaction is in process …’ :
    This error might arise when running a playbook with parallel tasks assigned to the integration commands.
    This error is caused by the Forcepoint data enforcement protocol. Any request to update/add/delete a category cannot run in parallel with another request of this type.
    If this error arises, try to avoid assigning the following commands to parallel tasks:
    • ‘fp-add-category’
    • ‘fp-add-addresses-to-category’
    • ‘fp-delete-addresses-from-category’
    • ‘fp-delete-category’
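Putting the ‘Top Use-cases’ flow and the troubleshooting advice above together: the four mutating commands are run strictly one after another, and only the ‘Another transaction is in process’ error is retried, a bounded number of times, since any other error (a name already in use, an invalid category ID) will not go away on retry. This is an added example written for this page, not code from the integration. The `execute` callable stands in for `demisto.executeCommand(command, args)`; the argument names `category`, `description`, `parent`, `urls` and `ips`, and the Demisto entry layout `{"Type": 4, "Contents": <error text>}` for an error entry, are assumptions rather than details taken from the page. `FakeForcepoint` is a constructed in-memory stand-in so the flow runs offline; the category ID 1932 it hands out is the custom-category ID shown in the page's sample output.

```python
"""Block-list flow from 'Top Use-cases' (steps 1-3) run as one serialized sequence,
with a bounded retry for the 'Another transaction is in process' error described
under 'Troubleshooting'. Added example; not code from the integration.

`execute` stands in for demisto.executeCommand(command, args). Assumed, not taken
from the page: the argument names category/description/parent/urls/ips, and the
Demisto entry layout ({"Type": 4, "Contents": <error text>} for an error entry).
FakeForcepoint is a constructed in-memory stand-in so the flow runs offline."""
import time
from typing import Callable, Dict, List

ERROR_ENTRY = 4  # Demisto entryTypes['error'] (assumed value)
TRANSACTION_BUSY = "Another transaction is in process"
RETRY_DELAY = 0.5
# Commands the page says must not run in parallel; only these get the busy retry.
MUTATING = {"fp-add-category", "fp-add-addresses-to-category",
            "fp-delete-addresses-from-category", "fp-delete-category"}
Executor = Callable[[str, Dict[str, str]], List[dict]]


def run_with_retry(execute: Executor, command: str, args: Dict[str, str],
                   attempts: int = 5, delay: float = RETRY_DELAY) -> List[dict]:
    """Run one command. Retry only the transaction-busy error, only for mutating
    commands, and only a bounded number of times; every other error is raised."""
    for n in range(1, attempts + 1):
        entries = execute(command, args)
        err = next((e for e in entries if e.get("Type") == ERROR_ENTRY), None)
        if err is None:
            return entries
        msg = str(err.get("Contents", ""))
        if command not in MUTATING or TRANSACTION_BUSY not in msg or n == attempts:
            raise RuntimeError(f"{command} failed: {msg}")
        time.sleep(delay * n)  # linear back-off: the other transaction must finish first
    raise RuntimeError(f"{command}: no attempts made")


def build_block_list(execute: Executor, name: str, description: str, parent: str,
                     urls: List[str], ips: List[str], delay: float = RETRY_DELAY) -> dict:
    """fp-add-category -> fp-get-category-details -> fp-add-addresses-to-category,
    strictly in sequence. Returns the new category ID and the 'Totals' block
    (key names as in the page's raw output)."""
    run_with_retry(execute, "fp-add-category",
                   {"category": name, "description": description, "parent": parent}, delay=delay)
    details = run_with_retry(execute, "fp-get-category-details", {"category": name}, delay=delay)
    category_id = details[0]["Contents"]["Category ID"]
    added = run_with_retry(execute, "fp-add-addresses-to-category",
                           {"category": str(category_id), "urls": ",".join(urls),
                            "ips": ",".join(ips)}, delay=delay)
    return {"category_id": category_id, "totals": added[0]["Contents"]["Totals"]}


class FakeForcepoint:
    """Constructed stand-in for demisto.executeCommand backed by the integration.
    `busy_calls` makes the first N mutating calls fail with the busy error so the
    retry path is exercised; 1932 is the custom-category ID shown on the page."""

    def __init__(self, busy_calls: int = 0):
        self.categories: Dict[str, dict] = {}  # name -> {"id", "urls", "ips"}
        self.busy_calls = busy_calls
        self.next_id = 1932
        self.calls: List[str] = []

    def _lookup(self, ref: str):
        for name, cat in self.categories.items():
            if ref == name or ref == str(cat["id"]):
                return cat
        return None

    def __call__(self, command: str, args: Dict[str, str]) -> List[dict]:
        self.calls.append(command)
        if command in MUTATING and self.busy_calls > 0:
            self.busy_calls -= 1
            return [{"Type": ERROR_ENTRY, "Contents": TRANSACTION_BUSY + " ..."}]
        if command == "fp-add-category":
            if args["category"] in self.categories:
                return [{"Type": ERROR_ENTRY, "Contents": "name is associated with another category"}]
            self.categories[args["category"]] = {"id": self.next_id, "urls": set(), "ips": set()}
            self.next_id += 1
            return [{"Type": 1, "Contents": {"Categories": [{"Category Name": args["category"]}]}}]
        cat = self._lookup(args["category"])
        if cat is None:
            return [{"Type": ERROR_ENTRY, "Contents": "invalid category name or ID"}]
        if command == "fp-get-category-details":
            return [{"Type": 1, "Contents": {"Category ID": cat["id"], "IPs": sorted(cat["ips"]),
                                             "URLs": sorted(cat["urls"])}}]
        if command == "fp-add-addresses-to-category":
            new_urls = {u for u in args.get("urls", "").split(",") if u} - cat["urls"]
            new_ips = {i for i in args.get("ips", "").split(",") if i} - cat["ips"]
            cat["urls"] |= new_urls
            cat["ips"] |= new_ips
            return [{"Type": 1, "Contents": {"Category ID": cat["id"], "Totals": {
                "Added IPs": len(new_ips), "Added URLs": len(new_urls)}}}]
        return [{"Type": ERROR_ENTRY, "Contents": f"unsupported command {command}"}]


if __name__ == "__main__":
    fp = FakeForcepoint(busy_calls=2)  # first two mutating calls hit the busy error
    print(build_block_list(fp, "Demisto block list", "constructed sample", "Security",
                           ["http://example.com/bad"], ["192.0.2.1"], delay=0))
    print(fp.calls)
```

In a real automation `execute` would be `demisto.executeCommand`, and the sequential calls inside `build_block_list` are what keeps the four mutating commands off parallel playbook tasks. The retry deliberately excludes the read-only ‘fp-get-category-details’ and ‘fp-list-categories’ commands and any error text other than the transaction message, so a duplicate category name or a Forcepoint-defined category ID fails fast instead of being retried.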