Forcepoint DLP

System Engineer
Hands On Exam

February 2023
Public

forcepoint.com
© 2023 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or
reduced to any electronic medium or machine-readable form without prior consent in writing
from Forcepoint. Every effort has been made to ensure the accuracy of this manual. However,
Forcepoint makes no warranties with respect to this documentation and disclaims any implied
warranties of merchantability and fitness for a particular purpose.

Forcepoint shall not be liable for any error or for incidental or consequential damages in
connection with the furnishing, performance, or use of this manual or the examples herein. The
information in this documentation is subject to change without notice.

2 | Forcepoint DLP System Engineer Public © 2022 Forcepoint


Contents
Introduction (p. 1)
  What will be graded? (p. 1)
  Configuration exercises (p. 1)
1 Endpoint debugging (p. 2)
  1.1 Situation (p. 2)
  1.2 End result (p. 2)
2 Exporting incident inspection data (p. 3)
  2.1 Situation (p. 3)
  2.2 End result (p. 4)
3 Testing Policies (p. 5)
  3.1 Situation (p. 5)
  3.2 End result (p. 5)



Introduction
The Forcepoint DLP System Engineer course includes an exam where you will set up certain
advanced DLP features in a live environment. During this activity you will create configuration
artifacts in your environment, as well as incidents, export log files, and other diagnostics.

What will be graded?
The configuration of the DLP system will be graded. Please leave the configuration in place, so
that the grader can check things in your environment.

Create a folder named Results on the desktop of the Security Manager and place all file exports
as noted in the instructions into this folder.

Configuration exercises
For these exercises, remember to leave the configuration in place in your labs when complete.
You will be graded on the state of your labs after completion.

Exercises include the following:

1. Endpoint debugging
2. Exporting incident inspection data
3. Testing policies


1 Endpoint debugging
1.1 Situation
A customer is complaining about PCI information not being properly analyzed on the Endpoint.
As the Endpoint Agent machine tries to print a PDF file containing multiple credit card numbers,
some of them are not discovered. Create a custom DLP rule that will match against the “Credit
Cards (Wide)” classifier, with a threshold of 1. To analyze the situation, you should debug the
Endpoint’s Policy Engine during this activity.

1. Using the endpoint package builder download (ForcepointOneEndpointPackage.zip) located on
   the desktop of the Security Manager machine, extract the files to the correct locations,
   build a Windows 64-bit DLP endpoint, and install it on the Windows Test Machine. You can
   either copy and paste or use the mapped network drive Z:\ to transfer files between
   machines.
2. Create the DLP rule as described above. Deploy and synchronize it with the DLP Endpoint.
   Download the Sample SSN and CCN Files PDF file to your Endpoint machine
   (Test-PC: https://dlptest.com/sample-data/).
3. Still on the Windows Test Machine, navigate to https://dlptest.com/. From the HTTPS Post
   section, upload the sample-data.pdf document.
4. Disable anti-tampering on the endpoint and stop the DLP Endpoint services. More detailed
   steps can be found in the lab “Debugging Endpoint Agent” in your lab guide. Edit the log
   configuration file EndpointClassifier.log.config and set the following log topics from the
   default “error” to “debug”:
   • PolicyLogic
   • TransactionMonitor
   • TransactionLogic
   • PolicyEngine
   • EndpointClassifier
5. Start the Endpoint services again. Upload the sample-data.pdf document (see Step 2) to the
   HTTPS Post section of https://dlptest.com/ once more. Confirm that the debug entries for the
   incident created by this upload are present in the log file.
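One way to check Step 5 before copying the log, as an added Python example that is not part of the exam or of Forcepoint's tooling: it confirms that every topic you raised to "debug" actually produced DEBUG lines and that the upload was traced. The log line layout, timestamps and messages below are constructed assumptions; adapt LINE_RE to the real EndPointClassifier.log format.

```python
import re
from collections import defaultdict

# The five log topics the exam asks you to raise from "error" to "debug".
REQUIRED_TOPICS = (
    "PolicyLogic",
    "TransactionMonitor",
    "TransactionLogic",
    "PolicyEngine",
    "EndpointClassifier",
)

# Constructed sample lines in an ASSUMED layout: "<date> <time> <LEVEL> [<Topic>] <message>".
# The real EndPointClassifier.log layout may differ; adapt LINE_RE to match it.
SAMPLE_LOG = """\
2023-02-14 10:02:11 DEBUG [PolicyLogic] evaluating rule 'CC Wide' threshold=1
2023-02-14 10:02:11 DEBUG [TransactionMonitor] new transaction channel=HTTPS dest=dlptest.com
2023-02-14 10:02:12 DEBUG [TransactionLogic] file=sample-data.pdf size=48213
2023-02-14 10:02:12 ERROR [PolicyEngine] classifier call timed out, retrying
2023-02-14 10:02:13 DEBUG [PolicyEngine] matches=7 classifier='Credit Cards (Wide)'
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<level>[A-Z]+) \[(?P<topic>[^\]]+)\] (?P<msg>.*)$")


def count_levels(log_text):
    """Return {topic: {level: count}} over every line LINE_RE can parse."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m["topic"]][m["level"]] += 1
    return counts


def missing_debug_topics(log_text, topics=REQUIRED_TOPICS):
    """Topics with no DEBUG line at all: still at 'error', or the services were not
    restarted after the config edit, so the evidence for the exam would be incomplete."""
    counts = count_levels(log_text)
    return [t for t in topics if counts[t]["DEBUG"] == 0]


def upload_traced(log_text, needle="sample-data.pdf"):
    """True if at least one DEBUG line references the uploaded sample file."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["level"] == "DEBUG" and needle in m["msg"]:
            return True
    return False
```

Run it against the copied log by reading the file into `log_text`; a non-empty list from `missing_debug_topics` means the configuration edit did not take effect for those topics.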

1.2 End result
Copy the file C:\Program Files\Websense\Websense Endpoint\Logs\EndPointClassifier.log to
the Results folder on the desktop of the Security Manager machine.


2 Exporting incident inspection data
2.1 Situation
There is a large organization that is bound by strict privacy laws. As part of the compliance
workflow, a PDF file will have to be generated, detailing which Incident Responders are viewing
specific incidents. This PDF file generation does NOT have to be scheduled; it just has to be
available to be downloaded as needed.

Create a delegated administrator account and configure auditing for incident views on the
account. Log into the account and view at least one incident, then export the resulting audit log
to .pdf.

Hint 1: The referenced screenshot (not reproduced in this text) shows how to configure
delegated administrators so that their incident views are audited.

Hint 2: The referenced screenshot (not reproduced in this text) shows the Audit log, where
incident inspection is part of the audit log messages.


2.2 End result
On the Security Manager desktop, paste the exported PDF file in the Results folder.


3 Testing Policies
3.1 Situation
The compliance department has asked for changes to the policy for “FactoryTestKeyWord.”
They want to ensure that the phrase cannot easily be exfiltrated over an endpoint channel. A
rule must therefore be created or modified so that the keyword “FactoryTestKeyWord” triggers
on the following endpoint channels: removable media, endpoint printing, and endpoint HTTPS.
You do not have access to an endpoint with a removable disk, so this must be accomplished by
testing on the Forcepoint Security Manager directly.

Using PolicyEngineClient.exe, confirm that the key phrase classifier “FactoryTestKeyWord” is
detected on each of the above channels. When done, export a single incident report that
contains each test incident.

Hint: Use the following SQL Query to verify the Endpoint Channel ID numbers for
PolicyEngineClient:

SQL Credentials:

Username: sa
Password: Forcepoint1!

USE [wbsn-data-security]
-- Lists the registered services/channels; note the ID of each endpoint channel
-- (removable media, endpoint printing, endpoint HTTPS) for use with PolicyEngineClient.
SELECT [ID]
      ,[OPTLOCK]
      ,[SERVICE_ID]
      ,[CHANNEL_NAME]
      ,[PROTOCOL_ID]
      ,[DESCRIPTION]
      ,[DEPLOYNENT_VERSION]
      ,[ELEMENT_TYPE]
      ,[AGENT_NAME]
      ,[CHANNEL_TYPE]
FROM [dbo].[PA_RP_SERVICES]

3.2 End result
Save the exported Incident Report showing the incidents created with PolicyEngineClient in the
Results folder on the desktop of the Security Manager machine.
