This guide will help you set up SIEM logging in the cloud portal.
SIEM logging permissions are available by default. To set up SIEM logging in the cloud portal:
- Create a new administrator contact for Forcepoint storage.
We strongly recommend that the log download process has its own user name and password to gain access to the Forcepoint Web Security Cloud service. This keeps the process separate from your other administration tasks and enables you to establish longer password expiration policies.
- Enable SIEM logging.
- Schedule log file download for Forcepoint storage.
Connector Server Requirements:
- CentOS 8
- GB RAM
- GHz or higher processor (4 cores)
- 40 GB hard disk
- 64-bit x86 system
- Perl interpreter with the PAR::Packer module.
- This is Perl 5, version 24, subversion 4 (v5.24.4) built for MSWin32-x64-multi-thread.
- Python interpreter, any version.
- Port 443 open from the connector server to the Websense Cloud URL (https://sync-web.mailcontrol.com/hosted/logs).
- Port 514 open from the connector server to the QRadar event collector.
Below is the high-level design (HLD) of how log collection works:
2. Create a New Administrator Contact for Forcepoint Storage
To create the new contact:
- In the cloud portal, on the main toolbar, click Account, then select Contacts.
- Under the Contacts list, click Add.
- Enter identifying information for the new contact in the First name and Surname fields. For example, "SIEM" and "Logging".
- Click Submit.
- Click the link provided to supply a User name for the account.
- Enter a password for the contact. It must conform to the password policy on the main Contacts page.
- Enter a password expiration date for the contact. To avoid having to update it regularly, this should differ from the regular account settings and span a longer period. The maximum period is 365 days.
- Under Account Permissions, check the Log Export box, and any other permissions you want to give this user. You can act as an administrator from this logon.
If you give this contact only the Log Export permission and nothing else, the user name and password cannot be used to log on to the cloud portal. Although logon permissions are not needed to run the download script, the View Reports permission is the minimum permission a user needs to be able to log on.
Give this user the minimum permissions. The password is needed to run the script and is visible in plain text, so this user should not have permissions to modify reports or account policies.
- Click Submit.
3. Enable SIEM Logging
Use the Account > SIEM Storage page of the cloud portal to configure the storage options for SIEM output generated on the Reporting > Account Reports > SIEM Integration page. See Configuring SIEM Storage for details.
The Reporting > Account Reports > SIEM Integration page is used to format reporting data for use by a third-party SIEM tool and enable the generation of the log files.
The option to export data cannot be set to ON unless a valid storage option has been configured on Account > SIEM Storage. The option is automatically set to OFF if:
- Forcepoint storage is enabled but no logs have been downloaded for 30 days.
- Bring your own storage is enabled but no SIEM data could be forwarded to the active bucket for 14 days.
Multiple emails are sent prior to disabling the export option.
See Exporting data to a third-party SIEM tool in Help for details on formatting the data.
Using Bring your own storage
The output generated by the export process is forwarded to the active AWS S3 bucket listed on the SIEM Storage page. Files are assigned names using the format web|email_<accountid>_<timestamp>_<server>_<timestamp>.csv.gz, and will use any prefix values defined for the bucket.
Using Forcepoint storage
To get the formatted SIEM data to your network when Forcepoint storage has been selected as the Storage type on the SIEM Storage page, you can either use the sample Perl script included in the zip file linked at the top of the SIEM integration page, or create a script of your own. The account used to run this script is the one created in Create a new administrator contact for Forcepoint storage.
See Running the SIEM log file download script for Forcepoint Storage in Help for details on formatting the data and downloading and using the script.
4. Configure the Connector Scripts to Collect Logs
Forcepoint provides a Perl script that can be downloaded and edited to trigger a Python script, which converts the downloaded CSV logs to syslog format and sends them to QRadar.
The Python script is provided by SecurityHQ.
Please arrange a call with our onboarding engineer to get this configured.
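As an added illustration of the conversion step described above (this is neither Forcepoint's Perl script nor the Python script SecurityHQ supplies), the following Python code reads a downloaded CSV export (plain or .csv.gz), turns each row into an RFC 5424 syslog message with the CSV columns carried as structured data, and forwards the messages over UDP to the QRadar event collector on port 514. The CSV column names, the collector hostname and the `fpweb@32473` SD-ID (32473 is the enterprise number reserved for documentation examples) are assumptions; the real export schema is described in the Forcepoint Help pages referenced above.

```python
import csv
import gzip
import io
import re
import socket
from datetime import datetime, timezone

QRADAR_HOST = "qradar-collector.example.internal"  # placeholder: your event collector
QRADAR_PORT = 514                                   # port from the requirements list
# Constructed sample export; the column names are assumed, not the real schema.
SAMPLE_CSV = (
    "Date,User,Action,Category,URL\n"
    "2024-05-01 10:15:30,alice@example.com,Blocked,Malicious Sites,http://bad.example/x\n"
    "2024-05-01 10:16:02,bob@example.com,Allowed,Business,https://intranet.example/\n"
)
PARAM_NAME_RE = re.compile(r"[^A-Za-z0-9_]")  # RFC 5424 PARAM-NAME may not hold space, =, ], "

def open_export(data: bytes) -> io.StringIO:
    """Return a text stream for an export, transparently inflating .csv.gz files."""
    if data[:2] == b"\x1f\x8b":  # gzip magic number
        data = gzip.decompress(data)
    return io.StringIO(data.decode("utf-8"))

def sd_escape(value: str) -> str:
    """Escape the three characters RFC 5424 reserves inside an SD-PARAM value."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def row_to_syslog(row: dict, hostname: str = "forcepoint-connector", ts: str = None) -> str:
    """Build one RFC 5424 message; every CSV column becomes a structured-data param."""
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = " ".join(f'{PARAM_NAME_RE.sub("_", k)}="{sd_escape(v)}"' for k, v in row.items())
    # PRI 134 = facility local0 (16 * 8) + severity informational (6); 32473 is the documentation enterprise number
    return f"<134>1 {ts} {hostname} forcepoint-web - - [fpweb@32473 {params}]"

def convert_export(data: bytes, hostname: str = "forcepoint-connector", ts: str = None) -> list:
    return [row_to_syslog(row, hostname, ts) for row in csv.DictReader(open_export(data))]

def forward(messages: list, host: str = QRADAR_HOST, port: int = QRADAR_PORT) -> int:
    """Send each message as one UDP datagram to the QRadar collector; returns the count."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(msg.encode("utf-8"), (host, port))
    return len(messages)

if __name__ == "__main__":
    msgs = convert_export(SAMPLE_CSV.encode())
    print("\n".join(msgs))
    # print(forward(msgs), "messages sent")  # enable once QRADAR_HOST points at your collector
```

In production the Perl download script would call this after each fetch, and a syslog source of type "Syslog" on the QRadar collector would receive the messages.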