Integrating with a third-party SIEM solution
Administrator Help | Forcepoint Web Security and Forcepoint URL Filtering | v8.5.x
Use the Settings > General > SIEM Integration page to configure web protection software to send log data from Filtering Service to a supported Security Information and Event Management (SIEM) solution. With v8.5.4, Audit Log entries can also be forwarded to a SIEM solution.
Before using this page to enable SIEM integration, make sure an instance of Multiplexer is installed for each Policy Server in your deployment.
In the Internet Activity Log Data section (the section carries this title as of v8.5.3):
1. For v8.5.4: Click Add to open a new window in which you continue configuring the SIEM integration.
   For v8.5 and v8.5.3: Select Enable SIEM integration for Internet activity log data for this Policy Server (in v8.5, the option is named Enable SIEM integration for this Policy Server) to turn on the SIEM integration feature. Repeat these steps for each Policy Server instance in your deployment that should pass log data to a third-party SIEM product.
2. Provide the IP address or hostname of the machine hosting the SIEM product, as well as the communication Port to use for sending SIEM data.
3. Specify the Transport protocol (UDP or TCP) to use when sending data to the SIEM product. UDP provides no delivery confirmation, so records dropped in transit (for example, under load) are lost silently; prefer TCP where the SIEM product supports it.
4. Select the SIEM format to use. This determines the syntax of the string used to pass log data to the integration.
   * If you select Custom, a text box is displayed. Enter or paste the string that you want to use. Click View SIEM format strings for a set of sample strings to use as a reference or template.
   * If you select a non-custom option, a sample Format string showing fields and value keys is displayed.
5. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
When you save your changes, log data is distributed to both Log Server and the selected SIEM integration.
(v8.5 and v8.5.3) Data for every Policy Server assigned to a Policy Broker, including Policy Servers with no SIEM integration of their own, is sent to every SIEM solution configured on any Policy Server assigned to that same Policy Broker. This applies whether the Policy Server was installed and assigned to a specific Policy Broker, or was connected to a Policy Broker later using the Web > Settings > General > Policy Broker page of Forcepoint Security Manager. Plan SIEM capacity and licensing accordingly: each configured SIEM receives the whole Policy Broker's traffic, not just its own Policy Server's.
Note that although the same data is passed from Filtering Service to both Log Server and the SIEM product, Log Server may be configured to perform data reduction tasks (such as recording visits instead of hits, or consolidating log records). No such reduction happens on the SIEM path, so the SIEM may hold more entries than the Log Database holds records. When reconciling the two, compare the SIEM count against the unreduced hit count rather than against Log Database row counts.
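The following is an added example, not Forcepoint code, that models why the two counts diverge. Log Server's real visit-detection and consolidation logic is more involved than this; the functions here are simplified stand-ins with assumed time windows, and the hits are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    """One request as Filtering Service sees it (constructed sample shape)."""
    ts: int      # seconds since the start of the capture
    user: str
    host: str
    path: str


# Constructed sample: two users browsing; each page load produces several hits.
SAMPLE_HITS = [
    Hit(0, "jdoe", "www.example.com", "/"),
    Hit(1, "jdoe", "www.example.com", "/style.css"),
    Hit(1, "jdoe", "www.example.com", "/logo.png"),
    Hit(2, "jdoe", "www.example.com", "/app.js"),
    Hit(30, "jdoe", "news.example.org", "/"),
    Hit(31, "jdoe", "news.example.org", "/a.jpg"),
    Hit(31, "asmith", "www.example.com", "/"),
    Hit(32, "asmith", "www.example.com", "/style.css"),
    Hit(60, "jdoe", "www.example.com", "/account"),
]


def siem_records(hits):
    """The SIEM path: every hit Filtering Service produces is forwarded as-is."""
    return list(hits)


def visits(hits, window=10):
    """Simplified 'visits instead of hits': a hit from the same user to the same
    host within `window` seconds of that user's previous hit to the host belongs
    to the same visit. Only the first hit of each visit is kept as a record.
    (Assumed model, not Log Server's algorithm.)"""
    last_seen = {}
    kept = []
    for h in sorted(hits, key=lambda x: x.ts):
        key = (h.user, h.host)
        prev = last_seen.get(key)
        if prev is None or h.ts - prev > window:
            kept.append(h)
        last_seen[key] = h.ts
    return kept


def consolidate(records, interval=60):
    """Simplified consolidation: records for the same user and host whose
    timestamps fall within `interval` seconds of the first one are merged.
    (Assumed model, not Log Server's algorithm.)"""
    first_ts = {}
    kept = []
    for r in sorted(records, key=lambda x: x.ts):
        key = (r.user, r.host)
        start = first_ts.get(key)
        if start is None or r.ts - start > interval:
            first_ts[key] = r.ts
            kept.append(r)
    return kept


def record_counts(hits, visits_window=10, consolidation_interval=60):
    """The two numbers a reconciliation would compare: SIEM entries received
    (unreduced) versus rows that end up in the Log Database (reduced)."""
    siem = len(siem_records(hits))
    log_db = len(consolidate(visits(hits, visits_window), consolidation_interval))
    return {"siem_entries": siem, "log_database_records": log_db}


if __name__ == "__main__":
    print(record_counts(SAMPLE_HITS))
```

With the sample above, nine hits reach the SIEM, visit detection collapses them to four records, and consolidation merges two of those, leaving three Log Database rows. A reconciliation that expects the two stores to match row-for-row will therefore always report a shortfall on the Log Database side; the useful comparison is SIEM entries against raw hits.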
(Added with v8.5.4.) Perform these steps in the Audit Log Data section for the primary Policy Server in your deployment to pass audit log data to a third-party SIEM product. (See Viewing and exporting the audit log for more information about the audit log.)
1. Check Enable SIEM integration for audit log data for this Policy Server to enable the feature.
Note that this feature is available only for the primary Policy Server and does not appear if you switch to a secondary Policy Server.
2. Provide the IP address or hostname of the machine hosting the SIEM product, as well as the communication Port to use for sending the audit log data.
3. Specify the Transport protocol (UDP or TCP) to use when sending audit log data to the SIEM product.
4. Select the SIEM format to use. This determines the syntax of the string used to pass audit log data to the integration.
5. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
When you save your changes, records written to the audit log are forwarded to the SIEM solution.
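Both procedures on this page (Internet activity log data and audit log data) end with the same question: is anything actually arriving at the configured host and port over the chosen transport? The following is an added example, not Forcepoint code, of a loopback receiver that stands in for the SIEM so the host, port and UDP/TCP settings can be exercised before pointing Filtering Service at the real product. The records it sends are constructed placeholders in a key=value shape; the actual Forcepoint SIEM format strings are the ones shown on the SIEM Integration page and are not reproduced here.

```python
import socket
import threading
import time

# Constructed placeholder records; not a Forcepoint SIEM format string.
SAMPLE_RECORDS = [
    "ts=2022-01-10T09:00:01Z user=jdoe url=http://www.example.com/ action=permitted",
    "ts=2022-01-10T09:00:02Z user=jdoe url=http://www.example.com/style.css action=permitted",
    "ts=2022-01-10T09:00:05Z user=asmith url=http://news.example.org/ action=blocked",
]


class LoopbackSiemReceiver:
    """Collects newline-delimited records arriving over UDP or TCP on one port."""

    def __init__(self, host="127.0.0.1", port=0, proto="tcp"):
        self.proto = proto.lower()
        self.records = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        sock_type = socket.SOCK_STREAM if self.proto == "tcp" else socket.SOCK_DGRAM
        self._sock = socket.socket(socket.AF_INET, sock_type)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))      # port 0 lets the OS pick a free port
        self.port = self._sock.getsockname()[1]
        if self.proto == "tcp":
            self._sock.listen(5)
        self._sock.settimeout(0.2)         # lets the serving thread notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _store(self, data):
        for line in data.decode("utf-8", "replace").splitlines():
            if line.strip():
                with self._lock:
                    self.records.append(line)

    def _serve(self):
        while not self._stop.is_set():
            try:
                if self.proto == "udp":
                    data, _ = self._sock.recvfrom(65535)   # one datagram = one record
                    self._store(data)
                else:
                    conn, _ = self._sock.accept()
                    with conn:
                        conn.settimeout(2.0)
                        buf = b""
                        try:
                            while chunk := conn.recv(4096):  # read until sender closes
                                buf += chunk
                        except socket.timeout:
                            pass                              # keep what arrived before a stall
                    self._store(buf)
            except socket.timeout:
                continue
            except OSError:
                break

    def received(self):
        with self._lock:
            return list(self.records)

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()
        return self.received()


def send_records(host, port, proto, records):
    """Emit records the way a syslog-style forwarder would: one UDP datagram
    per record, or one newline-delimited TCP stream. Returns the count sent."""
    if proto.lower() == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for rec in records:
                s.sendto((rec + "\n").encode("utf-8"), (host, port))
    else:
        with socket.create_connection((host, port), timeout=2.0) as s:
            s.sendall("".join(rec + "\n" for rec in records).encode("utf-8"))
    return len(records)


def roundtrip(proto, records=SAMPLE_RECORDS, wait=2.0):
    """Start a receiver, send `records` to it over `proto`, return what arrived.
    Fewer records back than sent over UDP is the silent-loss caveat made visible."""
    rx = LoopbackSiemReceiver(proto=proto)
    try:
        send_records("127.0.0.1", rx.port, proto, records)
        deadline = time.monotonic() + wait
        while time.monotonic() < deadline and len(rx.received()) < len(records):
            time.sleep(0.05)
    finally:
        got = rx.stop()
    return got


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(f"{proto}: sent {len(SAMPLE_RECORDS)}, received {len(roundtrip(proto))}")
```

To use it against a real deployment, run the receiver on the host you entered in step 2 with `port` set to the configured Port and `proto` to the configured Transport, then generate some web traffic (or, for the audit log, make and save a configuration change) and confirm records appear. A receiver that stays empty over TCP usually means a host, port or firewall problem; one that stays empty over UDP can also mean the datagrams are being dropped, which is the reason to prefer TCP when the SIEM product supports it.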
For more detailed information about the data passed to the SIEM integration, see Integrating web protection solutions with third-party SIEM products. Subsections of the linked document provide mapping information for category numbers, disposition codes, reason strings, and other information included in the SIEM output.

Copyright 2022 Forcepoint. All rights reserved.