Forcepoint
Forcepoint Data Classification Powered by Getvisibility Workshop POC Setup Guide
Report
Forcepoint
February 27, 2023
forcepoint.com Forcepoint Proprietary
Getvisibility: Workshop POC Setup Guide forcepoint.com
Table of Contents
OVERVIEW
PRODUCTS
FORCEPOINT DATA CLASSIFICATION PRO & FORCEPOINT DATA CLASSIFICATION
FORCEPOINT DATA VISIBILITY
LAB TOPOLOGY
LAB COMPONENTS
LAB CREDENTIALS
LAB PREPARATIONS
HOW TO ACCESS THE LAB
CONFIGURING BASIC SETTINGS
TESTING MS OFFICE (WORD) CLASSIFICATION
TESTING MS OUTLOOK CLASSIFICATION
FORCEPOINT CLASSIFICATION (POWERED BY GV) INTEGRATION WITH FORCEPOINT DLP
© 2023 Forcepoint Forcepoint Proprietary
Overview
With state-of-the-art machine learning algorithms, Getvisibility combines natural language processing with neural networks. This
allows us to classify unstructured data across organizations with unparalleled accuracy and speed.
Using machine learning rather than traditional pattern matching (regular expressions) and dictionary lookup methods allows
Getvisibility to understand the context of a document, thereby increasing accuracy. As the neural network does most of the work,
organizations no longer have to embark on the laborious and expensive task of creating rules and regex hits per department and
document type. Getvisibility's customisable tag set enables users to apply company-specific classification to their unstructured data,
which the neural network learns with increasing accuracy. Training of the neural network can be done through our user-friendly
interface, eliminating the need for the highly qualified engineers and data scientists associated with traditional methods.
The Getvisibility classification tool is built on sophisticated machine learning algorithms to enable organizations to discover, classify
and secure their most sensitive data. The Getvisibility platform combines smart agent technology and machine learning to provide a
uniquely powerful solution for data classification and tagging. This is the first solution to enable automated, historical, and manual
classification with one deployment. It also dramatically improves the quality of the manual classification process by leveraging the
advanced AI model and understanding of historically created data.
Products
Forcepoint Data Classification Pro & Forcepoint Data Classification
Forcepoint Data Classification Pro & Forcepoint Data Classification are designed to help your organization classify and protect
your data in use, new data, and data in motion. The solution works for in-cloud and on-prem applications.
Forcepoint Data Visibility
Forcepoint Data Visibility enables automated, accurate and timely discovery and classification of both new and legacy
data. The Getvisibility discovery solution gives organisations an overview of all their data, tailored to how they want that data to be
displayed and monitored.
Getvisibility offers contextual classification, empowering the data with appropriate metadata and enhancing the usage of that data
throughout the organization.
Lab Topology
This lab is intended to provide a quick overview and hands-on experience of the GetVisibility (GV) platform, and it covers some of the
common use cases associated with GV. You will get access to a preconfigured GV tenant in the Go4labs environment.
Figure 1: LAB
Lab Components:
a) GV server: This is the GV management server, based on Arch Linux OS.
b) FSM (Forcepoint Security Manager): Management Server for Forcepoint Email and DLP components.
c) SQL: DB used for Forcepoint Email and DLP components.
d) ESG DLP Network: Network DLP appliance used for MTA.
e) Webmail Server: Webmail server and client.
f) GetVisibility-Agent: End user machine that we will be using for this lab.
LAB Credentials
GV server:
IP address: 192.168.122.168
URL: https://192.168.122.30:9999/ui/#/login
Username / Password: admin/admin123
FSM (Forcepoint Security Manager): Management Server for Forcepoint Web/Email and DLP components.
IP address: 192.168.122.21
URL: https://192.168.122.21:9443/
Username / Password: admin/Forcepoint1!
RDP Username / Password: administrator/Forcepoint1
DLP Protector: Network DLP appliance used for MTA
IP address: 192.168.122.23 (C) and 192.168.122.24 (P1 Outbound email)
SSH Username / Password: admin/Forcepoint1!
Webmail Server: Webmail server and client.
URL: https://192.168.122.1:5006
Username / Password: any/any
Admin: https://192.168.122.1:5006/?admin
Username / Password: admin/Forcepoint1
Client Machine: End user machine
IP address: dhcp
RDP Username/ Password: student/Forcepoint1
Lab preparations
How to access the lab
Your lab will be provisioned and assigned to your Go4labs account. If you do not see the lab in your account, please reach out
to one of the CSEs or the Go4labs team during the training.
1. Log in to the console, ensuring everyone has access.
On accessing the above lab (either via RDP or Web access) you should be able to reach the landing machine.
2. Open a browser and go to https://192.168.122.30:9999/ui/#/login
Figure 2: Login page
Use the admin credentials below:
Username: admin
Password: admin123
You should see a landing page like the one below:
Figure 3: Agent configuration
This confirms that you have access to the GetVisibility admin portal.
3. Open a new tab and go to http://192.168.122.30:8500/ui/customer/services
Note: You don’t need a username or password to access this page.
Figure 4: Services
This gives you access to the Consul dashboard, where you can see the status of all services in your GV deployment.
Ensure all services are up and running before moving to other tasks in this lab.
4. Log in to the Client machine and ensure both the GV agent and the FP agent are installed.
Figure 5: LAB
5. Open GNS3 (double-click the GNS3 shortcut on the desktop of the landing machine).
6. Double-click Client Machine (or alternatively right-click Client Machine and click Console). You should be
automatically logged in to Client-Machine.
Figure 6: Client machine screen
Note: Ensure you see the GVClient MSI installer on the Desktop.
7. Right-click the MSI package and click Install.
Figure 7: Dialog box
8. Check I accept the terms in the License Agreement and click Install.
Figure 8: Setup screen
9. Click Finish. It is best to reboot the machine.
Figure 9: Finish button
Note: In some cases, after agent installation, you might also be prompted to install additional Microsoft add-ons (if not
already present on the system). Please continue, install those add-ons as well, and then reboot the machine.
Once you log back in, please ensure you see the GV agent and the Forcepoint DLP agent in the system tray.
Figure 10: GV agent
Configuring Basic Settings
1. Open a browser on the landing machine and go to https://192.168.122.30:9999/ui/#/login
Use the admin credentials below:
Username: admin
Password: admin123
You should see the landing page below.
Figure 11: Landing page
2. Click on Configuration Wizard.
Figure 12: Configuration wizard
3. Configure the Compliance screen with the required compliance standards:
Getvisibility comes with out-of-the-box compliance standards shown in the agent.
Organizations can customize the classification options which appear on the end-user agent to align with internal policies
or already implemented data loss prevention solutions. This is an optional feature; if you do not wish to show compliance
standards in the agent, simply tick the Disable Compliance option.
4. For this lab, select the GDPR/PII and HIPAA/PHI compliance standards and click NEXT.
Figure 13: Compliance list
5. Classification TAGS: Choose which classification tags the end user will be able to view and select.
Figure 14: Classification list
6. For this lab, select the Default Classification option and click NEXT.
7. Choose which plugins will be active for the end user.
Figure 15: Plugins list
8. For this lab (and usually), select all available plugin options and click NEXT.
9. Enforcement rules related to MS WORD, MS EXCEL, and MS POWERPOINT.
Enforcement rules determine the necessity for end-users to classify a document before saving or printing. The
enforcement options available are:
a) Enforce (or Force)
b) Warn
c) Log & Ignore
Review all available options in the dropdown (Force, Warn and Log & Ignore).
10. For this lab, select the Force option for both given settings and click NEXT.
11. Keep the checkbox User lowers classification level of a classified document un-checked. This will not allow the
end user to later lower the classification of the document after saving.
Figure 16: Enforcement rule
12. Visual Tagging and Labelling for MS WORD, MS POWERPOINT and MS EXCEL
Visual labelling refers to the visual changes made to a document once classified. This includes customised:
a) Headers: (You can change the text to Forcepoint {classification})
b) Footers: (You can change the text to Forcepoint {classification})
c) Watermarking: (You can change the text to (<span>Forcepoint {classification}</span>))
Figure 17: Visual tagging
13. Outlook Policies
The Forcepoint Data Classification Pro will sit within the ribbon of your Microsoft Outlook application. Organizations can
configure how they want this agent to work within their application, customising enforcement rules and visual markings.
You will also notice an option Inherit minimal classification from classified attachment. This means, for example, that
if an attached document is classified as Internal, the end-user may classify the email as Internal or Confidential but not
as Public.
As with MS Word, Excel, and PowerPoint above, we now configure the Enforcement and Visual tagging rules for MS Outlook.
Enforcement Rules
Enforcement rules determine the necessity for end-users to classify an email before sending or printing. The enforcement
options available are:
a) Enforce
b) Warn
c) Log & Ignore
14. For this lab, select the Force & Block option for the given settings as shown below, uncheck Users
lowers classification level of a classified email, and click NEXT.
Figure 18: Outlook policies
15. Outlook Visual Tagging
Visual labelling refers to the visual changes made to an email once classified. This includes customised:
a) Headers: (You can change the text to Forcepoint {classification} or anything of your choice)
b) Footers: (You can change the text to Forcepoint {classification} or anything of your choice)
Figure 19: Outlook visual tagging
16. Sharing restrictions: Configure PUBLIC emails
Sharing restrictions can be configured through the wizard and enforced through Outlook. Sharing rules are configured
depending on the classification level of the email.
This enforces sharing rules for end-users, depending on the classification level of the email. These options are:
a) Allow
b) Warn
c) Block
Exceptions
This is an optional feature which allows administrators to create a whitelist of email addresses that will be exempt from
the sharing restrictions enforced above. This is a useful feature in ensuring restrictions do not negatively impact daily
operations, while still maintaining the least-privilege approach to data sharing.
17. For this lab, select the ALLOW option for the given settings as shown below and click NEXT.
Figure 20: Configure public emails
18. Configure INTERNAL emails:
For this lab, select the BLOCK option and create an exception for the internal domain under Allowed emails. You
can add any internal domain like forcepoint.com or forcegv.com.
Figure 21: Configure internal emails
19. Configure CONFIDENTIAL emails.
20. For this lab, select the WARN option and create an exception for internal domains under Allowed emails and for
a non-trusted domain (like gmail.com) under Blocked emails.
21. You can add forcepoint.com and forcegv.com under the allowed emails list.
22. You can add gmail.com under the blocked emails list.
The expected behaviour for this rule would be:
Always WARN the user when a CONFIDENTIAL classified email is sent out, except ALLOW when the CONFIDENTIAL email is
sent to forcepoint.com, and BLOCK when the CONFIDENTIAL classified email is sent to gmail.com.
Figure 22: Configure confidential emails
23. Click NEXT and FINISH.
Figure 23: Congratulations screen
24. Click RESTART.
Figure 24: Thank you screen
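The Outlook sharing restrictions and the attachment inheritance rule configured in the wizard above can be written down as a small decision model, which gives the expected outcome for each Outlook test later in this guide. This is an added Python example, not Getvisibility or Forcepoint code: the function names, the precedence of the blocked list over the allowed list, exact-domain matching and the most-restrictive-recipient rule are assumptions, and the recipient addresses are constructed.

```python
# Added example: simplified model of the Outlook policy set in the wizard.
# Precedence and aggregation rules are assumptions, not documented product behaviour.
from dataclasses import dataclass, field

LEVELS = ["Public", "Internal", "Confidential"]  # ascending sensitivity
SEVERITY = {"allow": 0, "warn": 1, "block": 2}


@dataclass
class SharingRule:
    default: str                                  # "allow", "warn" or "block"
    allowed: set = field(default_factory=set)     # domains under Allowed emails
    blocked: set = field(default_factory=set)     # domains under Blocked emails


# Values taken from wizard steps 17-22 of this guide.
RULES = {
    "Public": SharingRule("allow"),
    "Internal": SharingRule("block", allowed={"forcepoint.com", "forcegv.com"}),
    "Confidential": SharingRule(
        "warn",
        allowed={"forcepoint.com", "forcegv.com"},
        blocked={"gmail.com"},
    ),
}


def minimum_email_level(attachment_levels):
    """Lowest level an email may take: the highest level among its attachments."""
    if not attachment_levels:
        return LEVELS[0]
    return max(attachment_levels, key=LEVELS.index)


def recipient_action(level, recipient):
    """Action for one recipient (assumption: blocked list wins over allowed list)."""
    domain = recipient.rsplit("@", 1)[-1].strip().lower()
    rule = RULES[level]
    if domain in rule.blocked:
        return "block"
    if domain in rule.allowed:
        return "allow"
    return rule.default


def evaluate(level, recipients, attachment_levels=()):
    """Return 'raise-classification', 'block', 'warn' or 'allow' for a draft email."""
    floor = minimum_email_level(list(attachment_levels))
    if LEVELS.index(level) < LEVELS.index(floor):
        # "Inherit minimal classification from classified attachment"
        return "raise-classification"
    actions = [recipient_action(level, r) for r in recipients]
    # Assumption: with several recipients the most restrictive action applies.
    return max(actions, key=SEVERITY.get, default="allow")


if __name__ == "__main__":
    # Constructed recipients mirroring the Outlook tests in this guide.
    cases = [
        ("Internal", ["user@gmail.com"], ["Internal"]),
        ("Internal", ["user@forcepoint.com"], ["Internal"]),
        ("Public", ["user@forcegv.com"], ["Internal"]),
        ("Confidential", ["user@gmail.com"], ["Confidential"]),
        ("Confidential", ["user@example.org"], ["Confidential"]),
        ("Confidential", ["user@forcepoint.com"], ["Confidential"]),
    ]
    for level, rcpts, attachments in cases:
        print(f"{level:<12} -> {rcpts[0]:<22} {evaluate(level, rcpts, attachments)}")
```

Comparing these predictions with what Outlook actually does in the lab is a quick way to spot a wizard setting that was saved differently from what was intended.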
Testing MS Office (Word) classification
1. Double-click the folder named Forcepoint (located on the Client Machine’s C:\ drive).
2. Create 3 new Microsoft Word documents inside this folder and name them:
a) Forcepoint Confidential
b) Forcepoint Internal
c) Forcepoint Public
Figure 25: Microsoft Word Document
3. Open the Forcepoint Public document and type the command exactly as shown below into the Word document (without
quotes).
“=rand(10)”
This should auto-populate random text in the Word file.
Figure 26: Classification option shown as not set
4. Notice that in the ribbon bar the Classification option is shown as Not set.
5. As you can see, the Getvisibility Agent is represented in the application's ribbon by the thumbprint logo. As this is a new
document, the classification has not yet been set. Clicking on this icon will allow you to classify this document.
Note: Don’t click on this icon yet (if you did, you can simply DISMISS for now).
First, we will try printing this document without classification (File > Print > Print).
6. You should see an alert as below.
Figure 27: Alert box
7. Here you can see that without classification, as per the rules configured in the configuration wizard, printing is blocked.
To successfully print this document, the end-user will need to click OK and then classify the document (click on DISMISS
at this point).
Now we will try saving this document without classification (File > SAVE).
You should see an alert as below.
Figure 28: Alert box
8. Here you can see that without classification, as per the rules configured in the configuration wizard, saving is blocked. To
successfully save this document, the end-user will need to click OK and then classify the document.
9. On clicking OK, you should see the Getvisibility pop-up screen below.
10. You can get the same pop-up by clicking on the Classification option in the ribbon bar.
Figure 29: Ribbon bar
11. As this is a PUBLIC document, DON’T SELECT anything under the Compliance option.
You might or might not see the SUGGESTIONS option in the pop-up. This option is related to the ML/AI auto-suggestion model.
In the above example, we are seeing a FALSE match to PII information, which suggests that the GV system has around 66%
confidence that the document content is not PII information.
12. Select Classification as PUBLIC and click on SET.
13. Check the Header/Footer and Watermark added to the document.
Figure 30: Check the Header/Footer and Watermark
Checking metadata properties
1. Go to FILE > Properties > Advanced Properties.
Figure 31: Advanced properties
2. Click on the Custom tab and review the classification metadata information.
Figure 32: Custom tab
3. Once reviewed, save and close the document.
4. Open the Forcepoint Internal document you created before and copy and paste the content from PII.txt (a text file already existing in
the same folder).
Figure 33: Forcepoint Internal document
Note that the suggestions (AI/ML models) now show more confidence that the document content is PII.
5. Select the USE SUGGESTED option.
You will note that GDPR compliance and Internal classification are already selected.
6. Click SET, then review the Header/Footer, Watermark and metadata properties of the document as done in the previous
exercise.
7. Save and close the document.
Downgrading document Classification
1. Re-open the Forcepoint Internal document and try to downgrade the classification to PUBLIC.
You will note that this action is not allowed. In fact, the PUBLIC classification option is greyed out.
This behaviour is as per the policy configured before, which doesn’t allow users to downgrade classification.
Figure 34: Ribbon bar
Confidential document
1. Open the Forcepoint Confidential.docx document and type Factorytestkeyword.
2. Copy and paste this keyword so that it appears in the document more than 5-10 times.
Figure 35: Keyword
3. Click Classification option in ribbon bar.
4. Select Classification as CONFIDENTIAL and click on SET.
5. Verify the Header/Footer and Watermark and metadata added to the document.
Figure 36: Header/Footer and Watermark
Applying classification for non-office files (for example PDF)
1. Go to C:\Forcepoint and find Installation.pdf.
2. To classify non-office files (like PDF), you can simply right-click the document and use the GV Classification option to
classify.
Figure 37: Dialog box
3. Select Confidential Classification and click SET.
Figure 38: Ribbon bar
Testing MS Outlook classification
Basic Test
1. Open Outlook.
2. Click on New Email and try to send a test email to any email ID (let’s say [email protected]). You can use any
subject and any text in the body of the email.
You can try using the command =rand(10) in the body of the email to generate random text for the body.
3. Click Send.
Note: You should see the block message below stating Classification not set.
Figure 39: Block message
4. Click OK on the error message, set the classification as PUBLIC (you don’t have to select anything under the
compliance option) and click SET.
Figure 40: Set the classification as PUBLIC
5. Review the Header/Footer and, after review, SEND the email.
6. Go to Sent Items and open the email you just sent.
7. Go to FILE > Properties.
8. In the Internet headers section, check for the classification: Public tag.
Figure 41: Internet headers
Sending Internal Classified Documents / Emails via Outlook
1. Click on New Email and attach the Forcepoint Internal.docx document.
2. Set the classification of the email to INTERNAL.
3. Try to send a test email to any gmail.com email ID (let’s say [email protected]). You can use any subject and
any text in the body of the email.
4. Click Send.
Note: You should see a BLOCK notification (as per the policy set earlier, which denies sending internal email to any
domain other than forcepoint.com or forcegv.com).
Figure 42: Block notification
5. Now try sending this email to the internal domain used during initial configuration within the GV wizard (that is, any email ID on
the forcepoint.com domain or forcegv.com domain).
Note: This time the email should go without any issues.
Figure 43: Outlook
Downgrading email classification from that of attachment
Selecting a lower classification for the email than that of the attachment.
1. Click on New Email and attach the Forcepoint Internal.docx document.
2. Set the classification of the email to PUBLIC.
3. Now try sending this email to the internal domain used during initial configuration within the GV wizard (that is, any email ID on
the forcepoint.com domain or forcegv.com domain).
4. Click Send.
Note: You should see the notification below that the attachment is more sensitive than the level you have selected
for the email. You need to increase the level of classification to match the attachment.
Figure 44: notification
5. Click OK and select the classification to INTERNAL and send the email.
Note: You should be able to send the email now.
Inherit Classification of Email chain / Block downgrading of email classification
1. Go to Sent Items in Outlook and open one of the last sent emails which had the classification INTERNAL.
2. Click Forward option.
3. Note that the classification of this new email is already selected as INTERNAL.
4. Try downgrading the classification to PUBLIC.
5. You should see that option of PUBLIC classification is greyed out.
Figure 45: PUBLIC classification is greyed out
6. Click on DISMISS option and close the email.
Sending CONFIDENTIAL classified emails via Outlook
1. Click on New Email and attach the Forcepoint Confidential.docx document.
2. Set the classification of the email to CONFIDENTIAL.
3. Try to send a test email to any gmail.com email ID (let’s say [email protected]). You can use any subject and
any text in the body of the email.
4. Click Send.
5. You should be blocked with a message popup as below:
This is as per the policy set during the initial configuration, which BLOCKs confidential classified email from going to
gmail.com.
Figure 46: Message popup
6. Change the recipient from gmail.com to any other domain (use any email other than gmail.com, forcegv.com or
forcepoint.com).
7. Click Send.
8. You should still see the warning message.
Figure 47: Warning message
9. On clicking Dismiss, the email will be sent.
10. On clicking OK, you will get a pop-up to re-classify the message.
Forcepoint Classification (Powered by GV) Integration with Forcepoint DLP
Integration to read Meta-Data Tags
1. Open the Forcepoint DLP (FSM) console by going to https://192.168.122.21:9443/
Figure 48: Forcepoint DLP (FSM) console
Username: admin
Password: Forcepoint1!
2. Go to Main > Policy Management > Content Classifiers > File Labelling.
3. Click New.
4. Type the entries below (Note: You can give any name of your choice).
Name: GV-Internal
Labelling system: Any Labelling System
5. Under Label, type Internal and click Add.
6. Click OK.
Figure 49: The labelling properties
Note: By default, classification tags are not case-sensitive, but if you want to make them case-sensitive you can check
the option The detected labels are case-sensitive.
However, for this lab we will use the non-case-sensitive labels.
7. Click Cancel on the pop-up below.
Figure 50: Pop-up
8. Similarly add Confidential.
9. Click New.
Name: GV-Confidential
Labeling system: Any Labeling System
10. Under Label, type Confidential and click Add.
11. Click OK.
Figure 51: The labelling properties
12. Click Cancel on the pop-up below.
Figure 52: Pop-up
13. Similarly add Public.
14. Click New.
Name: GV-Public
Labeling system: Any Labeling System
15. Under Label, type Public and click Add.
16. Click OK.
17. Click Cancel on the pop-up below.
Figure 53: Pop-up
Figure 54: File labelling
18. Now go to Policy Management > DLP Policies > Managed Policies.
Figure 55: Manage DLP Policies
19. Click on Add Custom Policy.
Figure 56: Custom policy option
20. Enter the entries below:
Policy Name: Block GV-Confidential
(Give the same rule name and description)
Figure 57: Policy rule screen
21. Click Next.
22. Click Add File Labelling and select GV-Confidential and click OK.
Figure 58: Add File Labelling
Figure 59: Conditions tab
23. Click Next.
24. Select Block All Action Plan and click Next.
Figure 60: Severity and action
25. Click Next on Source tab.
26. Click Next on Destination tab.
27. Click Finish.
28. Deploy the policy and ensure it is pushed to all components (green tick on all components).
Figure 61: Deployment needed window
Figure 62: Deployment process screen
29. Repeat the same steps for GV-Internal Policy.
30. Go to Policy Management > DLP Policies > Managed Policies.
Figure 63: Manage DLP Policies
31. Enter the entries below:
Policy Name: Block GV-Internal
(Give the same rule name and description)
Figure 64: Policy rule screen
32. Click Next.
33. Click Add File Labelling and select GV-Internal and click OK.
Figure 65: Add File Labelling
Figure 66: Conditions tab
34. Click Next.
35. Select Block All Action Plan and click Next.
Figure 67: Severity and action
36. Click Next on Source tab.
37. Click Next on Destination tab.
38. Click Finish.
39. Deploy the policy and ensure it is pushed to all components (green tick on all components).
Figure 68: Deployment process screen
Detection of GV tags using Forcepoint DLP Endpoint
1. Go to Client Machine.
2. Update DLP endpoint agent.
3. Find the Forcepoint DLP agent in the system tray, right-click it and click on Open Forcepoint DLP endpoint.
4. Click on Update and OK.
Figure 69: Forcepoint DLP endpoint
5. Close the dialog box.
6. Open Outlook and draft a new email.
7. Add recipient [email protected].
8. Attach Forcepoint Confidential.docx (file found in desktop folder Forcepoint).
9. Classify this email as CONFIDENTIAL.
10. Write any subject and body.
11. Click SEND.
Note: Forcepoint DLP Endpoint blocks this message from going out.
Figure 70: Outlook
Let’s look at the incident detail in FSM.
12. Go to FSM (https://192.168.122.21:9443).
13. Go to Reporting > Data Loss Prevention > Incident (last 3 days).
Figure 71: Incident (last 3 days) option
Look at the incident detail.
Figure 72: Incident detail
Detection of GV tags using Forcepoint Network DLP (Protector)
First, let’s disable the policies created above to ensure emails are not blocked at the endpoint itself.
1. Go to Policy Management > DLP Policies > Managed Policies.
2. Select the policies one by one and click Edit.
Figure 73: Edit option
3. Un-check Enabled option and click OK.
Figure 74: Enabled option
4. Click Deploy and save changes.
5. Follow the same for other policies.
6. Update the agent on client machine to ensure it gets the new policy changes:
a) Right click Forcepoint agent on system tray.
b) Click on Open Forcepoint DLP endpoint.
Figure 75: Dialog box
c) Click Update and check the policy getting updated.
Figure 76: Update button
7. Now go to the client machine and open Outlook to check the X-header information inserted by Forcepoint Classification.
Go to Client Machine
1. Open Outlook and go to Sent Items. Open one of the last sent emails.
2. Click on File, then click on Properties.
Figure 77: Properties
Figure 78: Outlook
3. Copy the X-Header tag to a text file; we will use it later (name it Xheader.txt).
Figure 79: Properties
It should look like below line (note it can be different for different installations):
tagset_e16409a7_1700_4153_9090_3955bc2f0ae8_classification: Internal
4. Go back to FSM.
5. Go to Policy Management > Content Classifier > Patterns & Phrases.
Figure 80: FSM
6. Click on New Key Phrases.
Figure 81: Patterns and phrases
Name: GV Internal – Header
Phrase to search: Internal
7. Click OK.
8. Cancel the pop-up.
Figure 82: Pop-up
9. Go to Policy Management > DLP policies > Managed Policies.
Figure 83: Managed Policies
10. Add custom Policy.
Figure 84: Custom policy option
11. Enter the below details:
Name: GV Internal Network Email
Rule Name: GV Internal Network Email
12. Click Next.
Figure 85: Policy rule screen
13. Click Add Patterns & Phrases.
Figure 86: Condition tab
14. Search for GV Internal – Header and click OK.
Figure 87: Content classifier list
15. Once the Content Classifier is added, click on Threshold option under Properties.
Figure 88: Condition screen
16. Scroll down, select Other header (may be user-defined), click OK, and then click Next.
Figure 89: Edit condition line dialog box
a) Under Severity & Action, select “Block All”.
b) Under Source – keep it All.
c) Under Destination – Select Network Email.
17. Save and deploy the policy.
Let’s test by sending an email to <any email id>, let’s say [email protected], and select classification Internal.
18. Note the incident in DLP.
Reporting > Data Loss Prevention > Incident (last 3 days).
Figure 90: Reporting catalog
19. You should see an incident with the channel Network Email.
Figure 91: Incident with channel Network Email
20. Note the incident trigger details.
Figure 92: Incident trigger details
If you want to trigger an alert only on the X-header and not on the Header/Footer of the email:
1. You can change the policy to only include a specific X-header within the email.
2. Go back to the policy > Edit > Condition.
3. Click on Threshold under Properties.
Figure 93: Policy rule
4. Change the header to the User-defined header option and paste the header details copied earlier (from Xheader.txt):
tagset_e16409a7_1700_4153_9090_3955bc2f0ae8_classification
Figure 94: Edit condition line
5. Click OK and save and deploy the policy.
6. Test by sending an email again (with classification set to Internal) and see the incident details.
7. It should trigger an alert just based on X-Header information.
Figure 95: Triggered alert
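The difference between the two threshold settings above, as an added example that is not part of the original guide and not Forcepoint code: a key phrase searched for in any header also matches an unrelated header such as Subject, while a match restricted to the named classification header does not. The matching is a simplified model, the sample messages are constructed, the function names are hypothetical, and the header name is the one copied in step 3.

```python
from email import message_from_string

# Header name copied from Xheader.txt in step 3 (differs per installation).
CLASSIFICATION_HEADER = "tagset_e16409a7_1700_4153_9090_3955bc2f0ae8_classification"
PHRASE = "Internal"  # phrase configured in the "GV Internal – Header" key phrase

# Constructed sample messages (not captured traffic).
TAGGED_INTERNAL = (
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: Q3 numbers\r\n"
    f"{CLASSIFICATION_HEADER}: Internal\r\n"
    "\r\n"
    "See attached.\r\n"
)
TAGGED_PUBLIC_NOISY_SUBJECT = (
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: Internal parking map\r\n"
    f"{CLASSIFICATION_HEADER}: Public\r\n"
    "\r\n"
    "Nothing sensitive here.\r\n"
)


def match_any_header(raw, phrase=PHRASE):
    """Simplified model of the broad setting: phrase in any header value.

    Returns the names of the headers that matched, so a false positive
    can be traced to the header that caused it.
    """
    msg = message_from_string(raw)
    return [name for name, value in msg.items() if phrase in str(value)]


def match_named_header(raw, header=CLASSIFICATION_HEADER, phrase=PHRASE):
    """Simplified model of the user-defined header setting.

    Only the named classification header is inspected; the lookup is
    case-insensitive on the header name, as in the email package.
    """
    msg = message_from_string(raw)
    return any(phrase in str(v) for v in msg.get_all(header, []))


if __name__ == "__main__":
    for label, raw in (("tagged Internal", TAGGED_INTERNAL),
                       ("tagged Public, noisy subject", TAGGED_PUBLIC_NOISY_SUBJECT)):
        print(label, match_any_header(raw), match_named_header(raw))
```
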
Discovery task with remediation script
For this exercise we will use the default remediation script, which moves Confidential-tagged documents to a quarantine location on the Endpoint (via Endpoint DLP).
1. Log in to the Client Machine.
2. Create a new folder in the C:\ drive and name it MOVE.
Figure 96: Folder move
3. Right click on this folder and click on Properties > Sharing > Share.
4. Search Everyone in the dropdown and click on ADD.
Figure 97: Network access
5. Change the Permission level for everyone to Read/Write and click Share.
6. Note down the Network path.
Figure 98: Network path
7. Now access (run) \\192.168.122.21\ForcepointSEU\GetVisibility - Remediation Script and find MoveFilesnew.py.
8. Right-click MoveFilesnew.py and edit it using WordPad.
9. Replace the path as shown below, then save and close the file.
Figure 99: File path
10. Now open FSM by going to https://192.168.122.21:9443.
11. Go to Policy Management > Resources > Remediation script.
Figure 100: Remediation script
12. Click New > Endpoint Script.
Figure 101: Dialog box
13. Name it Auto Move.
14. Under Windows Executable and Additional Files, click Choose File.
15. Select the file you modified, MoveFilesnew.py.
Figure 102: Remediation script details
16. Click OK, Save, and Deploy.
17. Now create Discovery Policy and Discovery Task.
18. Go to Policy Management > Discovery Policies > Manage Policies.
Figure 103: Manage policies option
19. Add Custom Policy.
Figure 104: Custom policy option
20. Set the Policy and rule name to GV Confidential and click Next.
Figure 105: Policy rule
21. Under Condition tab, Click Add File Labelling. Select GV-Confidential and click OK.
Figure 106: Condition tab
22. Click Next.
23. Under Action Plan, click on New Icon.
Figure 107: Action plan option
24. Name the new Action Plan as Auto Move.
25. Select the Discovery tab, check the Run Endpoint remediation script checkbox under Endpoint Discovery, and select the remediation script you created in the task above (Auto Move). Click OK, then click Next and Finish.
Figure 108: Add New Action Plan
26. Save and deploy the changes.
27. Now let’s create Endpoint Discovery Task.
Figure 109: Endpoint Discovery Task
28. Click New and enter the name Auto Move and Click Next.
Figure 110: General tab
29. Under Endpoint Hosts, keep it All and click Next.
30. Under Scheduler, select Continuously from the dropdown and change the Wait time to 1 min.
31. Also uncheck the Scan only when computer is idle and Pause scanning while computer is running on batteries options and click Next.
Figure 111: Endpoint Task
32. Select the policy GV Confidential and click Next.
33. Under File Filtering option, limit your discovery scope to Folder C:\Forcepoint\*.
Figure 112: Filtering option
34. Click Next and Save the Task.
35. Deploy the changes.
Now let’s test the discovery task and Move action on the Endpoint
1. Go to Client machine and go to C:\Forcepoint.
2. Create a new document and classify it Forcepoint Confidential.
3. Now update your Forcepoint DLP agent (right-click the DLP agent > Open Forcepoint DLP endpoint).
Figure 113: Dialog box
4. Click on Update and note the Next scan time under Discovery section.
Figure 114: Forcepoint DLP Endpoint
5. Wait until that time and check the file you created under C:\Forcepoint.
You should see the note below.
Figure 115: Notepad
6. Now go to the folder \\DESKTOP-67UMBUF\Move to see if the file has been moved.
7. Now log in to FSM > Reporting > Discovery > Discovery Incidents (Last 7 days).
Figure 116: Discovery Incidents (Last 7 days) option
8. Look for the Endpoint discovery incident and check the History tab to see the remediation script run status.
Figure 117: History tab
About Forcepoint
Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Forcepoint’s humanly attuned solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value. Based in Austin, Texas, Forcepoint creates safe, trusted environments for thousands of customers worldwide.
forcepoint.com/contact
© 2023 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.