Forcepoint Data Loss Prevention (DLP) enables businesses to discover, classify, monitor, and protect data intuitively with zero friction to the user experience. Audit behavior in real-time with Risk-Adaptive Protection to stop data loss before it occurs.
Prerequisites
- Admin access to Forcepoint DLP
- An instance of Websense Multiplexer is installed for each Policy Server in your deployment
Configure Syslog Server
Go to Settings > General > SIEM Integration page to configure Websense software to send log data from Filtering Service to a supported Security Information and Event Management (SIEM) solution.
Perform these steps for each Policy Server instance in your deployment.
- Select Enable SIEM integration for this Policy Server to turn on the SIEM integration feature.
- Provide the Forwarder IP address used for sending SIEM data.
- Specify the Transport protocol (11727)(UDP or TCP) to use.
- Select the SIEM format to use. This determines the syntax of the string used to pass log data to the integration.
- The available formats are syslog/CEF.
- If you select Custom, a text box is displayed. Enter or paste the string that you want to use. Click View SIEM format strings for a set of sample strings to use as a reference or template.
- If you select a non-custom option, a sample Format string showing fields and value keys is displayed.
- Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
Once the configuration is complete, validate that the logs are arriving in Chronicle: search with a regular expression such as (".*"), or with a specific hostname, and the results will show the log source types being ingested into Chronicle. See the screenshot below for reference.
Sample Logs
The following is a sample of the logs that Forcepoint DLP sends to Chronicle (one record, shown on a single line).
"2023/07/06 10:54:43","None","192.168.1.1","None","None","r2x-excel-15.cdn.office.net:443/","None","Collaboration - Office","Contoso DEFAULT","usax-macnx1","euser1@contoso.com","None","None","None","Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.66 Safari/537.36","Windows 8","Connect","None","None","office.net","0.0.0.0","0.0.0.0","Allowed","Collaboration - Office"
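The record above is a quoted, comma-separated string, and one of its values (the user agent, which contains "(KHTML, like Gecko)") itself contains a comma, so splitting on "," alone miscounts the fields. The following is an added example, not code from the page or from Forcepoint, that parses the sample record with a proper CSV reader, turns the literal "None" values into nulls, and converts the timestamp. The positional field names in FIELD_NAMES are assumptions inferred from the sample values (the page does not document them); the fieldNN placeholders mark positions whose meaning is not apparent from the sample.

```python
import csv
from datetime import datetime

# Constructed sample input: the single record from the "Sample Logs" section above.
SAMPLE_RECORD = (
    '"2023/07/06 10:54:43","None","192.168.1.1","None","None",'
    '"r2x-excel-15.cdn.office.net:443/","None","Collaboration - Office",'
    '"Contoso DEFAULT","usax-macnx1","euser1@contoso.com","None","None","None",'
    '"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/30.0.1599.66 Safari/537.36","Windows 8","Connect","None","None",'
    '"office.net","0.0.0.0","0.0.0.0","Allowed","Collaboration - Office"'
)

# Assumed positional labels (hypothetical, inferred from the sample values;
# these are not Forcepoint's documented field names).
FIELD_NAMES = [
    "event_time", "field02", "source_ip", "field04", "field05", "url",
    "field07", "category", "policy", "hostname", "user", "field12",
    "field13", "field14", "user_agent", "os", "method", "field18",
    "field19", "domain", "field21", "field22", "action", "category_2",
]


def naive_field_count(line):
    """Field count a plain split on ',' would produce (wrong for this record)."""
    return len(line.split(","))


def split_record(line):
    """Split one record honouring the double-quoted values, including the
    embedded comma inside the user-agent string."""
    return next(csv.reader([line]))


def parse_record(line):
    """Map the record to a dict, nulling 'None' placeholders and parsing the time."""
    values = split_record(line)
    if len(values) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(values)}")
    event = {name: (None if value == "None" else value)
             for name, value in zip(FIELD_NAMES, values)}
    # Timestamp format as seen in the sample: YYYY/MM/DD HH:MM:SS
    event["event_time"] = datetime.strptime(event["event_time"], "%Y/%m/%d %H:%M:%S")
    return event


if __name__ == "__main__":
    print("naive split gives", naive_field_count(SAMPLE_RECORD), "fields")
    print("csv reader gives", len(split_record(SAMPLE_RECORD)), "fields")
    for key, value in parse_record(SAMPLE_RECORD).items():
        print(f"{key:12} {value!r}")
```

When validating ingestion, comparing the parsed field count against the expected count is a quick way to catch a record whose format string was changed on the Forcepoint side (for example after switching the SIEM format) before it starts silently mis-mapping fields.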