Skip to content

Forcepoint Secure Web Gateway

Overview

Forcepoint Secure Web Gateway (SWG) is a proxy, installed on the endpoint, applying routing policies and analyzing the traffic against threats. This product is supported by Forcepoint LLC.

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Web proxy Forcepoint Secure Web Gateway logs provide information about the connected client and the requested resource.
Web logs Forcepoint Secure Web Gateway logs provide information about the connected client and the requested resource.

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind event
Category network
Type ``

Event Samples

Find below few samples of events and how they are normalized by SEKOIA.IO.

{
    "@timestamp": "2022-05-26T09:26:53.000000Z",
    "message": "0|Forcepoint|Security|8.5.4|9|Transaction blocked|7| act=blocked app=http dvc=9.8.7.6 dst=5.6.7.8 dhost=ctldl.windowsupdate.com dpt=80 src=1.2.3.4 spt=62062 suser=- loginID=- destinationTranslatedPort=0 rt=1653557213000 in=0 out=0 requestMethod=GET requestClientApplication=Microsoft-CryptoAPI/10.0 reason=- cs1Label=Policy cs1=SupAd**_O365_ cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=- cn1Label=DispositionCode cn1=1025 cn2Label=ScanDuration cn2=5 request=http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab logRecordSource=OnPrem",
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "port": 62062
    },
    "destination": {
        "ip": "5.6.7.8",
        "address": "ctldl.windowsupdate.com",
        "domain": "ctldl.windowsupdate.com",
        "registered_domain": "windowsupdate.com",
        "subdomain": "ctldl",
        "top_level_domain": "com",
        "port": 80
    },
    "event": {
        "severity": 7,
        "code": "1025",
        "kind": "event",
        "type": [
            "access",
            "denied"
        ],
        "category": [
            "network"
        ],
        "action": "Transaction blocked",
        "duration": 5,
        "reason": "Category blocked"
    },
    "observer": {
        "version": "8.5.4",
        "product": "Secure Web Gateway",
        "vendor": "Forcepoint"
    },
    "host": {
        "ip": [
            "9.8.7.6"
        ]
    },
    "related": {
        "hosts": [
            "ctldl.windowsupdate.com"
        ],
        "ip": [
            "1.2.3.4",
            "5.6.7.8",
            "9.8.7.6"
        ]
    },
    "url": {
        "original": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab",
        "domain": "ctldl.windowsupdate.com",
        "path": "/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab",
        "port": 80,
        "registered_domain": "windowsupdate.com",
        "subdomain": "ctldl",
        "top_level_domain": "com",
        "scheme": "http"
    },
    "user_agent": {
        "original": "Microsoft-CryptoAPI/10.0"
    },
    "network": {
        "protocol": "http"
    },
    "rule": {
        "id": "9",
        "ruleset": "Information Technology"
    },
    "http": {
        "request": {
            "method": "GET"
        }
    },
    "forcepoint": {
        "cef": {
            "version": "0"
        },
        "webgateway": {
            "category": "0",
            "log": {
                "source": "OnPrem"
            },
            "policies": [
                "SupAd**_O365_"
            ]
        }
    }
}
{
    "@timestamp": "2022-05-26T08:58:41.000000Z",
    "message": "0|Forcepoint|Security|8.5.4|222|Transaction permitted|1| act=permitted app=https dvc=9.8.7.6 dst=5.6.7.8 dhost=outlook.office365.com dpt=443 src=1.2.3.4 spt=50345 suser=LDAP://4.3.2.1 OU\\=MyOrg,OU\\=Users,DC\\=Domain,DC\\=LOCAL/User 1 loginID=n_nini destinationTranslatedPort=47486 rt=1653555521000 in=1038458 out=3967 requestMethod=POST requestClientApplication=Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.10386; Pro) reason=- cs1Label=Policy cs1=SupAd**1,SupAd**2 cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=application/mapi-http cn1Label=DispositionCode cn1=1026 cn2Label=ScanDuration cn2=31 request=https://outlook.office365.com/ logRecordSource=OnPrem",
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "port": 50345
    },
    "destination": {
        "address": "outlook.office365.com",
        "ip": "5.6.7.8",
        "domain": "outlook.office365.com",
        "registered_domain": "office365.com",
        "subdomain": "outlook",
        "top_level_domain": "com",
        "port": 443,
        "nat": {
            "port": 47486
        }
    },
    "event": {
        "severity": 1,
        "code": "1026",
        "kind": "event",
        "type": [
            "access",
            "allowed"
        ],
        "category": [
            "network"
        ],
        "action": "Transaction permitted",
        "duration": 31,
        "reason": "Category permitted"
    },
    "observer": {
        "version": "8.5.4",
        "product": "Secure Web Gateway",
        "vendor": "Forcepoint"
    },
    "host": {
        "ip": [
            "9.8.7.6"
        ]
    },
    "related": {
        "hosts": [
            "outlook.office365.com"
        ],
        "ip": [
            "1.2.3.4",
            "5.6.7.8",
            "9.8.7.6"
        ],
        "user": [
            "LDAP://4.3.2.1 OU\\=MyOrg,OU\\=Users,DC\\=Domain,DC\\=LOCAL/User 1"
        ]
    },
    "url": {
        "original": "https://outlook.office365.com/",
        "path": "/",
        "domain": "outlook.office365.com",
        "port": 443,
        "registered_domain": "office365.com",
        "subdomain": "outlook",
        "top_level_domain": "com",
        "scheme": "https"
    },
    "user_agent": {
        "original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.10386; Pro)"
    },
    "user": {
        "name": "LDAP://4.3.2.1 OU\\=MyOrg,OU\\=Users,DC\\=Domain,DC\\=LOCAL/User 1",
        "id": "n_nini"
    },
    "network": {
        "protocol": "https"
    },
    "rule": {
        "id": "222",
        "ruleset": "Collaboration - Office"
    },
    "http": {
        "request": {
            "method": "POST",
            "bytes": 3967,
            "mime_type": "application/mapi-http"
        },
        "response": {
            "bytes": 1038458
        }
    },
    "forcepoint": {
        "cef": {
            "version": "0"
        },
        "webgateway": {
            "category": "0",
            "log": {
                "source": "OnPrem"
            },
            "policies": [
                "SupAd**1",
                "SupAd**2"
            ]
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
destination.domain keyword The domain name of the destination.
destination.ip ip IP address of the destination.
destination.nat.port long Destination NAT Port
destination.port long Port of the destination.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.code keyword Identification code for this event.
event.duration long Duration of the event in nanoseconds.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.severity long Numeric severity of the event.
forcepoint.cef.version keyword None
forcepoint.webgateway.category keyword None
forcepoint.webgateway.log.source keyword None
forcepoint.webgateway.policies keyword None
host.ip ip Host ip addresses.
http.request.bytes long Total size in bytes of the request (body and headers).
http.request.method keyword HTTP request method.
http.request.mime_type keyword Mime type of the body of the request.
http.response.bytes long Total size in bytes of the response (body and headers).
network.protocol keyword Application protocol name.
observer.product keyword The product name of the observer.
observer.vendor keyword Vendor name of the observer.
observer.version keyword Observer version.
rule.id keyword Rule ID
source.ip ip IP address of the source.
source.port long Port of the source.
url.original wildcard Unmodified original url as seen in the event source.
user.id keyword Unique identifier of the user.
user.name keyword Short name or login of the user.
user_agent.original keyword Unparsed user_agent string.

Configure

In this guide, you will configure the gateway to forward events to syslog.

This procedure should be repeated for each Forcepoint Policy Server.

Prerequisites

An internal log concentrator (Rsyslog) is required to collect and forward events to SEKOIA.IO.

Enable SIEM Integration

Log on the Web Security module of the Forcepoint Security Manager and navigate to Settings > General > SIEM Integration.

In the Internet Activity Log Data, Click on the button Add. Provide the IP address, the transport protocol (recommending TCP) and the listening port (514) of the concentrator. Select the syslog/CEF as SIEM format. Click OK then Save and Deploy to enable the integration.

Create the intake

Go to the intake page and create a new intake from the format Forcepoint Secure Web Gateway.

Transport to SEKOIA.IO

Please consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.