Skip to content

Forcepoint Secure Web Gateway

Overview

Forcepoint Secure Web Gateway (SWG) is a proxy, installed on the endpoint, applying routing policies and analyzing the traffic against threats. This product is supported by Forcepoint LLC.

Benefit from SEKOIA.IO built-in rules and upgrade Forcepoint Secure Web Gateway with the following detection capabilities out-of-the-box.

SEKOIA.IO x Forcepoint Secure Web Gateway on ATT&CK Navigator

Burp Suite Tool Detected

Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner)

  • Effort: intermediate
CVE-2019-0604 SharePoint

Detects the exploitation of the SharePoint vulnerability (CVE-2019-0604)

  • Effort: advanced
CVE-2020-0688 Microsoft Exchange Server Exploit

Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA.

  • Effort: elementary
CVE-2020-1147 SharePoint

Detection of SharePoint vulnerability CVE-2020-1147

  • Effort: advanced
CVE-2020-17530 Apache Struts RCE

Detects the exploitation of the Apache Struts vulnerability (CVE-2020-17530).

  • Effort: intermediate
CVE-2021-20021 SonicWall Unauthenticated Administrator Access

Detects the exploitation of SonicWall Unauthenticated Admin Access.

  • Effort: advanced
CVE-2021-20023 SonicWall Arbitrary File Read

Detects Arbitrary File Read, which can be used with other vulnerabilities as a mean to obtain outputs generated by attackers, or sensitive data.

  • Effort: advanced
Covenant Default HTTP Beaconing

Detects potential Covenant communications through the user-agent and specific urls

  • Effort: intermediate
FoggyWeb HTTP Default GET/POST Requests

Detects GET or POST request pattern observed within the first FoggyWeb campaign detected by Microsoft.

  • Effort: advanced
Possible Malicious File Double Extension

Detects request to potential malicious file with double extension

  • Effort: elementary
Potential Bazar Loader User-Agents

Detects potential Bazar loader communications through the user-agent

  • Effort: elementary
Potential Lemon Duck User-Agent

Detects LemonDuck user agent. The format used two sets of alphabetical characters separated by dashes, for example "User-Agent: Lemon-Duck-[A-Z]-[A-Z]".

  • Effort: elementary
Potential LokiBot User-Agent

Detects potential LokiBot communications through the user-agent

  • Effort: intermediate
Privilege Escalation Awesome Scripts (PEAS)

Detect PEAS privileges escalation scripts and binaries

  • Effort: elementary
RYUK Ransomeware - martinstevens Username

Detects user name "martinstevens". Wizard Spider is used to add the user name "martinstevens" to the AD of its victims. It was observed in several campaigns; in 2019 and 2020.

  • Effort: elementary
Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL

Detects Raccoon Stealer 2.0 malware downloading legitimate third-party DLLs from its C2 server. These legitimate DLLs are used by the information stealer to collect data on the compromised hosts.

  • Effort: elementary
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
Suspicious URI Used In A Lazarus Campaign

Detects suspicious requests to a specific URI, usually on an .asp page. The website is often compromised.

  • Effort: intermediate
Telegram Bot API Request

Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind

  • Effort: advanced
TrevorC2 HTTP Communication

Detects TrevorC2 HTTP communication based on the HTTP request URI and the user-agent.

  • Effort: elementary

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Web proxy Forcepoint Secure Web Gateway logs provide information about the connected client and the requested resource.
Web logs Forcepoint Secure Web Gateway logs provide information about the connected client and the requested resource.

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind event
Category network
Type ``

Event Samples

Find below few samples of events and how they are normalized by SEKOIA.IO.

{
    "message": "0|Forcepoint|Security|8.5.4|9|Transaction blocked|7| act=blocked app=http dvc=9.8.7.6 dst=5.6.7.8 dhost=ctldl.windowsupdate.com dpt=80 src=1.2.3.4 spt=62062 suser=- loginID=- destinationTranslatedPort=0 rt=1653557213000 in=0 out=0 requestMethod=GET requestClientApplication=Microsoft-CryptoAPI/10.0 reason=- cs1Label=Policy cs1=SupAd**_O365_ cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=- cn1Label=DispositionCode cn1=1025 cn2Label=ScanDuration cn2=5 request=http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab logRecordSource=OnPrem",
    "event": {
        "action": "Transaction blocked",
        "severity": 7,
        "code": "1025",
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "connection",
            "denied"
        ],
        "reason": "Category blocked"
    },
    "@timestamp": "2022-05-26T09:26:53.000000Z",
    "observer": {
        "vendor": "Forcepoint",
        "product": "Secure Web Gateway",
        "version": "8.5.4"
    },
    "host": {
        "ip": [
            "9.8.7.6"
        ]
    },
    "network": {
        "protocol": "http"
    },
    "destination": {
        "ip": "5.6.7.8",
        "port": 80,
        "domain": "ctldl.windowsupdate.com",
        "address": "ctldl.windowsupdate.com",
        "top_level_domain": "com",
        "subdomain": "ctldl",
        "registered_domain": "windowsupdate.com"
    },
    "source": {
        "ip": "1.2.3.4",
        "port": 62062,
        "address": "1.2.3.4"
    },
    "rule": {
        "id": "9",
        "ruleset": "Information Technology"
    },
    "url": {
        "original": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab",
        "domain": "ctldl.windowsupdate.com",
        "top_level_domain": "com",
        "subdomain": "ctldl",
        "registered_domain": "windowsupdate.com",
        "scheme": "http",
        "path": "/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab",
        "port": 80
    },
    "http": {
        "request": {
            "method": "GET"
        }
    },
    "user_agent": {
        "original": "Microsoft-CryptoAPI/10.0"
    },
    "forcepoint": {
        "webgateway": {
            "policies": [
                "SupAd**_O365_"
            ],
            "category": "0",
            "log": {
                "source": "OnPrem"
            }
        },
        "cef": {
            "version": "0"
        }
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "5.6.7.8",
            "9.8.7.6"
        ],
        "hosts": [
            "ctldl.windowsupdate.com"
        ]
    }
}
{
    "message": "0|Forcepoint|Security|8.5.4|222|Transaction permitted|1| act=permitted app=https dvc=9.8.7.6 dst=5.6.7.8 dhost=outlook.office365.com dpt=443 src=1.2.3.4 spt=50345 suser=LDAP://4.3.2.1 OU\\=MyOrg,OU\\=Users,DC\\=Domain,DC\\=LOCAL/User 1 loginID=n_nini destinationTranslatedPort=47486 rt=1653555521000 in=1038458 out=3967 requestMethod=POST requestClientApplication=Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.10386; Pro) reason=- cs1Label=Policy cs1=SupAd**1,SupAd**2 cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=application/mapi-http cn1Label=DispositionCode cn1=1026 cn2Label=ScanDuration cn2=31 request=https://outlook.office365.com/ logRecordSource=OnPrem",
    "event": {
        "action": "Transaction permitted",
        "severity": 1,
        "code": "1026",
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "connection",
            "allowed"
        ],
        "reason": "Category permitted"
    },
    "@timestamp": "2022-05-26T08:58:41.000000Z",
    "observer": {
        "vendor": "Forcepoint",
        "product": "Secure Web Gateway",
        "version": "8.5.4"
    },
    "host": {
        "ip": [
            "9.8.7.6"
        ]
    },
    "network": {
        "protocol": "https"
    },
    "destination": {
        "ip": "5.6.7.8",
        "port": 443,
        "domain": "outlook.office365.com",
        "nat": {
            "port": 47486
        },
        "address": "outlook.office365.com",
        "top_level_domain": "com",
        "subdomain": "outlook",
        "registered_domain": "office365.com"
    },
    "source": {
        "ip": "1.2.3.4",
        "port": 50345,
        "address": "1.2.3.4"
    },
    "rule": {
        "id": "222",
        "ruleset": "Collaboration - Office"
    },
    "url": {
        "original": "https://outlook.office365.com/",
        "domain": "outlook.office365.com",
        "top_level_domain": "com",
        "subdomain": "outlook",
        "registered_domain": "office365.com",
        "scheme": "https",
        "path": "/",
        "port": 443
    },
    "http": {
        "request": {
            "method": "POST",
            "bytes": 3967,
            "mime_type": "application/mapi-http"
        },
        "response": {
            "bytes": 1038458
        }
    },
    "user": {
        "domain": "OU\\=MyOrg,OU\\=Users,DC\\=Domain,DC\\=LOCAL",
        "name": "User 1",
        "id": "n_nini"
    },
    "user_agent": {
        "original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.10386; Pro)"
    },
    "forcepoint": {
        "webgateway": {
            "policies": [
                "SupAd**1",
                "SupAd**2"
            ],
            "category": "0",
            "log": {
                "source": "OnPrem"
            }
        },
        "cef": {
            "version": "0"
        }
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "5.6.7.8",
            "9.8.7.6"
        ],
        "hosts": [
            "outlook.office365.com"
        ],
        "user": [
            "User 1"
        ]
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
destination.domain keyword The domain name of the destination.
destination.ip ip IP address of the destination.
destination.nat.port long Destination NAT Port
destination.port long Port of the destination.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.code keyword Identification code for this event.
event.duration long Duration of the event in nanoseconds.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.severity long Numeric severity of the event.
forcepoint.cef.version keyword The version of the CEF message
forcepoint.webgateway.category keyword The category determined by real-time content analysis
forcepoint.webgateway.log.source keyword The origin of the log
forcepoint.webgateway.policies keyword The policies applied to the request
host.ip ip Host ip addresses.
http.request.bytes long Total size in bytes of the request (body and headers).
http.request.method keyword HTTP request method.
http.request.mime_type keyword Mime type of the body of the request.
http.response.bytes long Total size in bytes of the response (body and headers).
network.protocol keyword Application protocol name.
observer.product keyword The product name of the observer.
observer.vendor keyword Vendor name of the observer.
observer.version keyword Observer version.
rule.id keyword Rule ID
source.ip ip IP address of the source.
source.port long Port of the source.
url.original wildcard Unmodified original url as seen in the event source.
user.domain keyword Name of the directory the user is a member of.
user.id keyword Unique identifier of the user.
user.name keyword Short name or login of the user.
user_agent.original keyword Unparsed user_agent string.

Configure

In this guide, you will configure the gateway to forward events to syslog.

This procedure should be repeated for each Forcepoint Policy Server.

Prerequisites

An internal log concentrator (Rsyslog) is required to collect and forward events to SEKOIA.IO.

Enable SIEM Integration

Log on the Web Security module of the Forcepoint Security Manager and navigate to Settings > General > SIEM Integration.

In the Internet Activity Log Data, Click on the button Add. Provide the IP address, the transport protocol (recommending TCP) and the listening port (514) of the concentrator. Select the syslog/CEF as SIEM format. Click OK then Save and Deploy to enable the integration.

Create the intake

Go to the intake page and create a new intake from the format Forcepoint Secure Web Gateway.

Transport to SEKOIA.IO

Please consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.