Integrating Forcepoint Web Proxy (or) Email Security
Use the Reporting > Account Reports > SIEM Integration page to format reporting data for BluSapphire OnePlatform SIEM. Select data columns and apply filters to the data, just as you do in other areas of the Report Center
Before data can be exported, you need to configure SIEM Storage details. Navigate to Account > SIEM Storage to select a storage type and configure your own S3
Use the Account > SIEM Storage page to configure the storage options for SIEM output generated on the Reporting > Account Reports > SIEM Integration page
Click the radio button next to the Storage type you wish to use for SIEM output. If Bring your own storage is selected, follow the instructions provided to add and test up to 5 storage devices to the Storage List: Bring Your Own table and activate a specific device.
“Note that the same storage selections are used for each data type (Web Security or Email Security).”
AWS is selected, by default, as the storage solution. To add storage options to the Storage List:
Create one (or) more AWS S3 buckets on the AWS portal. Note that bucket names must be globally unique and Encryption for the AWS S3 buckets is not supported
Click Add to add your bucket to the table
Enter the Bucket name from the AWS portal
A Prefix is optional. Add text that will be used as a prefix to each data file created when SIEM data is exported. Enter a '/' to create a folder where the data files will be stored. If no '/' is included, the prefix is prepended to the file name. Valid prefix values are SIEMData, log_files/, or traffic-logs
Click Save when you have finished. The bucket information is added to the table and click the bucket name in the table to open the Edit Bucket page and make changes. Delete an inactive bucket by clicking Delete on the Edit Bucket page
In the table, click the JSON link in the row for the bucket you just added
On the Bucket Policy page, click Copy Text to copy the contents of the JSON pane to a clipboard
In the AWS Management Console, open the Bucket policy editor on the Permissions > Bucket policy tab of the AWS S3 Bucket Policy and paste the contents of the JSON pane
On the Bucket Policy page, click BACK when you have finished with the page
In the table, click Check connection to test the connection to the S3 bucket in your account. If the connection is successful, a token file is written in order to confirm that files can be written to the bucket. The token number then appears in the connection_token object in the AWS S3 bucket (on the AWS Management Console). If a folder was created based on the contents of the prefix for the bucket, the connection_token appears in that folder
The generated token is valid for 3 hours. After that time, a new token must be generated. On the Check Connection page, paste the token number from the connection_token object
Click Check Connection to confirm that files written to the AWS S3 bucket can be read. Note that If more than 20 connection attempts are made within 60 minutes, the account will be locked for an hour
Click Back when you are finished
The Status column displays with a green check if the token is confirmed. When the check mark appears, the bucket can be enabled for SIEM storage
A single bucket must be selected as Active. SIEM data is exported to the active bucket. Note if Bring you own has been enabled but there is no active bucket, Save is not enabled, and the Enable data export switch on the Reporting > Account Reports > SIEM Integration page cannot be set to On
Click Save to save all of your changes
After selecting the type of data that you want to export to your SIEM tool, define the data format, and enable SIEM data export
To configure and enable SIEM integration: Select a data type (Web Security or Email Security) from the drop-down list
Use the Columns drop-down list, or drag items into the report panel from the Attributes or Metrics lists to customize the information that will appear in the exported data. You can drag columns in the report panel to re-order them. The default columns vary, depending on which data type you have selected. The number of columns allowed also varies, depending on the data type. For Web Security, the limit is 35. For Email Security, the limit is 25
Drag items from the Attributes or Metrics lists to the Filters field to define any filters you want to apply to your reporting data before it is exported. On the popup that appears, use the drop-down list to define how the filter handles the value that you specify. The attributes available for use as Filters is a subset of those available to add as a column
When you are satisfied with the columns and filters that you have selected, toggle the Enable data export switch to ON
When you are finished, click Save
Last updated