Integrating Forcepoint Web Proxy (or) Email Security

  1. Use the Reporting > Account Reports > SIEM Integration page to format reporting data for the BluSapphire OnePlatform SIEM. Select data columns and apply filters to the data, just as you do in other areas of the Report Center.

  2. Before data can be exported, you need to configure SIEM Storage details. Navigate to Account > SIEM Storage to select a storage type and configure your own S3 bucket.

  3. Use the Account > SIEM Storage page to configure the storage options for SIEM output generated on the Reporting > Account Reports > SIEM Integration page.

  4. Click the radio button next to the storage type you wish to use for SIEM output. If Bring your own storage is selected, follow the instructions provided to add and test up to 5 storage locations in the Storage List: Bring Your Own table and activate one of them.

    Note: the same storage selection is used for both data types (Web Security and Email Security).

  5. AWS is selected as the storage solution by default. To add storage options to the Storage List:

    • Create one or more AWS S3 buckets in the AWS console. Bucket names must be globally unique, and encryption for the S3 buckets is not supported by this integration. Since you cannot rely on the integration to protect the export, compensate with access control: keep Block Public Access enabled on the bucket and grant access only to the principal named in the bucket policy generated in the next step

    • Click Add to add your bucket to the table

      • Enter the Bucket name from the AWS portal

      • A Prefix is optional. Add text that will be used as a prefix to each data file created when SIEM data is exported. End the prefix with a '/' to create a folder where the data files will be stored; if no '/' is included, the prefix is prepended to the file name itself. Valid prefix values include SIEMData, log_files/, and traffic-logs

      • Click Save when you have finished. The bucket information is added to the table. Click the bucket name in the table to open the Edit Bucket page and make changes; an inactive bucket can be deleted by clicking Delete on the Edit Bucket page

    • In the table, click the JSON link in the row for the bucket you just added

      • On the Bucket Policy page, click Copy Text to copy the contents of the JSON pane to the clipboard

      • In the AWS Management Console, open the bucket, go to Permissions > Bucket policy, open the policy editor, and paste the contents of the JSON pane

      • On the Bucket Policy page, click Back when you have finished

    • In the table, click Check connection to test the connection to the S3 bucket in your account. If the connection is successful, a token file is written to confirm that files can be written to the bucket. The token number then appears in the connection_token object in the S3 bucket (visible in the AWS Management Console). If a folder was created based on the bucket's prefix, the connection_token object appears in that folder

      • The generated token is valid for 3 hours; after that a new token must be generated. On the Check Connection page, paste the token number from the connection_token object

      • Click Check Connection to confirm that files written to the S3 bucket can be read back. Note that if more than 20 connection attempts are made within 60 minutes, the account is locked for an hour

      • Click Back when you are finished

    • The Status column displays a green check mark once the token is confirmed. When the check mark appears, the bucket can be enabled for SIEM storage

    • A single bucket must be selected as Active; SIEM data is exported to the active bucket. If Bring your own storage has been enabled but there is no active bucket, Save is not enabled and the Enable data export switch on the Reporting > Account Reports > SIEM Integration page cannot be set to On

    • Click Save to save all of your changes
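The bucket-side steps above are easy to get subtly wrong: the prefix rule decides where the connection_token object lands, the pasted policy must reference your bucket and nothing wider, the token expires after 3 hours, and more than 20 Check connection attempts in an hour lock the account. The following helper is an added example, not code from BluSapphire or Forcepoint, that encodes those rules so you can check them before touching the console. The sample bucket policy, bucket name, account ID and role name in it are constructed placeholders; Forcepoint's real policy text comes from its Bucket Policy page and is not reproduced here. The live `read_connection_token` function assumes boto3 and AWS credentials are available; everything else runs offline.

```python
"""Helpers for the AWS S3 'Bring your own storage' steps above (added example)."""
import json
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

TOKEN_OBJECT = "connection_token"
TOKEN_TTL = timedelta(hours=3)        # token written by Check connection expires after 3 h
ATTEMPT_LIMIT = 20                    # more than 20 checks in 60 min locks the account for 1 h
ATTEMPT_WINDOW = timedelta(minutes=60)


def token_key(prefix: str) -> str:
    """S3 key of the token object. The prefix is prepended verbatim, so
    'log_files/' gives 'log_files/connection_token' (a folder) while
    'SIEMData' gives 'SIEMDataconnection_token' (a file-name prefix)."""
    return (prefix or "") + TOKEN_OBJECT


def _wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            if "*" in (value if isinstance(value, list) else [value]):
                return True
    return False


def check_bucket_policy(policy_json: str, bucket: str) -> List[str]:
    """Sanity-check a bucket policy before pasting it into the AWS console.
    Returns the problems found; an empty list means the policy passed."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc}"]
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    problems: List[str] = []
    if not statements:
        problems.append("policy has no Statement")
    for i, stmt in enumerate(statements):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            # Every ARN must be the bucket itself or an object path inside it.
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                problems.append(f"statement {i}: Resource {res!r} is not in bucket {bucket!r}")
        if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal")):
            problems.append(f"statement {i}: wildcard Principal would make the export public")
    return problems


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2024-01-01T10:00:00+00:00'."""
    return datetime.fromisoformat(text)


def token_is_fresh(last_modified: datetime, now: Optional[datetime] = None) -> bool:
    """True while a connection_token written at `last_modified` can still be pasted."""
    now = now or datetime.now(timezone.utc)
    return now - last_modified < TOKEN_TTL


def attempts_remaining(attempts: Iterable[datetime], now: Optional[datetime] = None) -> int:
    """Check connection clicks still allowed in the current 60-minute window."""
    now = now or datetime.now(timezone.utc)
    recent = sum(1 for t in attempts if now - t < ATTEMPT_WINDOW)
    return max(ATTEMPT_LIMIT - recent, 0)


def read_connection_token(bucket: str, prefix: str = "") -> str:
    """Live fetch of the token object with boto3 (assumes AWS credentials)."""
    import boto3  # optional dependency; only used for the live fetch
    obj = boto3.client("s3").get_object(Bucket=bucket, Key=token_key(prefix))
    if not token_is_fresh(obj["LastModified"]):
        raise RuntimeError("connection_token is older than 3 hours; click Check connection again")
    return obj["Body"].read().decode().strip()


# Constructed sample policies for illustration, not Forcepoint's generated text.
# The account ID, role name and bucket name are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ForcepointSiemExport",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-export-role"},
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-siem-bucket",
                     "arn:aws:s3:::example-siem-bucket/*"],
    }],
})
# Same policy with the principal widened to "*": the check must reject it.
PUBLIC_POLICY = SAMPLE_POLICY.replace(
    '"arn:aws:iam::111122223333:role/example-export-role"', '"*"')

if __name__ == "__main__":
    print("public policy problems:", check_bucket_policy(PUBLIC_POLICY, "example-siem-bucket"))
    print("token key for prefix 'log_files/':", token_key("log_files/"))
```

Run `check_bucket_policy` on the text copied from Forcepoint's JSON pane with your real bucket name before pasting it into the AWS policy editor; a non-empty result means the policy points at the wrong bucket or opens it to everyone. `read_connection_token` saves a trip through the console to copy the token, and refuses a token that the 3-hour validity window has already expired.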

  6. After selecting the type of data that you want to export to your SIEM tool, define the data format and enable SIEM data export.

  7. To configure and enable SIEM integration, select a data type (Web Security or Email Security) from the drop-down list.

  8. Use the Columns drop-down list, or drag items into the report panel from the Attributes or Metrics lists, to customize the information that will appear in the exported data. You can drag columns in the report panel to re-order them. The default columns vary depending on which data type you have selected, and so does the number of columns allowed: the limit is 35 for Web Security and 25 for Email Security.

  9. Drag items from the Attributes or Metrics lists to the Filters field to define any filters you want to apply to your reporting data before it is exported. In the popup that appears, use the drop-down list to define how the filter handles the value that you specify. The attributes available for use as filters are a subset of those available to add as columns.

  10. When you are satisfied with the columns and filters you have selected, toggle the Enable data export switch to ON.

  11. When you are finished, click Save.


Last updated 7 months ago