Forcepoint Webproxy
About
Proactively secure the web with advanced, real-time threat defenses—full content inspection and in-line security scanning help mitigate risk and protect against malware.
Product Details
Vendor URL: Code42
Product Type: Web proxy
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Forcepoint Webproxy
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: CEF and LEEF
Expected Normalization Rate: 75%
Data Label: FORCEPOINT_WEBPROXY
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| csv.action | security_result.action |
| device | intermediary.ip |
| device | intermediary.hostname |
| kv.dst | target.ip |
| kv.dstBytes | network.received_bytes |
| kv.dstPort | target.port |
| kv.method | network.http.method |
| kv.proxyStatus-code | network.http.response_code |
| kv.src | principal.hostname |
| kv.srcPort | principal.port |
| kv.userAgent | network.http.user_agent |
| kv.usrName | principal.user.userid |
| url_domain | target.hostname |
| url_full | target.url |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| srcNotIp = true | NETWORK_UNCATEGORIZED |
| srcNotIp = false | NETWORK_CONNECTION |
Log Sample
<159>Oct 22 17:14:21 10.10.10.1 LEEF:1.0|Forcepoint|Security|8.5.4|transaction:permitted|sev=1	cat=9	usrName=LDAP://user OU\=Workforce,OU\=UsersOU\=ACME,DC\=acme,DC\=net/user	loginID=user	src=10.10.10.10	srcPort=61101	srcBytes=2142	dstBytes=251	dst=10.5.5.0	dstPort=443	proxyStatus-code=200	serverStatus-code=0	duration=21	method=POST	disposition=1026	contentType=-	reason=-	policy=Super Administrator**AcmeDefault Policy	role=8	userAgent=-	url=url
Sample Parsing
metadata.event_timestamp = "2021-10-22T21:14:21Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Forcepoint"
metadata.product_name = "Web Proxy"
metadata.ingested_timestamp = "2021-10-22T21:14:40.622304Z"
principal.ip = "10.10.10.10"
principal.port = 61101
principal.asset.ip = "10.10.10.10"
target.hostname = "hostname1"
target.ip = "10.10.10.1"
target.port = 443
target.url = "url"
target.asset.ip = "10.5.5.50"
intermediary.ip = "10.10.10.1"
security_result.action = "ALLOW"
network.received_bytes = "251"
network.application_protocol = "HTTPS"
network.http.method = "POST"
network.http.response_code = 200
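The following is an added example, not the product's parser, showing how the LEEF record above is split into its syslog prefix, header and tab-delimited key=value body, and how the fields are then mapped onto the UDM names in the parser table, including the srcNotIp event classification and the permitted-to-ALLOW action mapping. The sample record, the LDAP user string and the "blocked" action value are constructed assumptions; src goes to principal.hostname (per the table) only when it is not an address, and to principal.ip otherwise (per the sample output).

```python
import ipaddress
import re

# Constructed LEEF 1.0 record in the layout of the page's log sample (tab-delimited attributes).
SAMPLE = (
    "<159>Oct 22 17:14:21 10.10.10.1 LEEF:1.0|Forcepoint|Security|8.5.4|transaction:permitted|"
    "sev=1\tcat=9\tusrName=LDAP://acme OU\\=Workforce,DC\\=acme/user\tsrc=10.10.10.10\t"
    "srcPort=61101\tdstBytes=251\tdst=10.5.5.0\tdstPort=443\tproxyStatus-code=200\t"
    "method=POST\tuserAgent=-\turl=https://example.net/x"
)
HEADER_RE = re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d (?P<device>\S+) LEEF:1\.0\|")
ACTION_MAP = {"permitted": "ALLOW", "blocked": "BLOCK"}  # only "permitted" is on the page; "blocked" is assumed
INT_FIELDS = {"srcPort": "principal.port", "dstPort": "target.port",
              "dstBytes": "network.received_bytes", "proxyStatus-code": "network.http.response_code"}

def parse_leef(line):
    """Split the syslog prefix, the LEEF header and the tab-delimited key=value body."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a LEEF 1.0 record")
    _vendor, _product, _version, event_id, body = line[m.end():].split("|", 4)
    kv = {}
    for pair in body.split("\t"):
        key, _, value = pair.partition("=")  # first '=' ends the key; '\=' inside a value is an escape
        kv[key] = value.replace("\\=", "=")
    return {"device": m.group("device"), "event_id": event_id, "kv": kv}

def to_udm(rec):
    """Map a parsed record onto the UDM fields listed in the parser table."""
    kv = rec["kv"]
    try:
        ipaddress.ip_address(kv.get("src", ""))
        src_not_ip = False
    except ValueError:
        src_not_ip = True  # srcNotIp = true -> NETWORK_UNCATEGORIZED
    udm = {
        "metadata.event_type": "NETWORK_UNCATEGORIZED" if src_not_ip else "NETWORK_CONNECTION",
        "intermediary.ip": rec["device"],
        "security_result.action": ACTION_MAP.get(rec["event_id"].split(":")[-1], "UNKNOWN_ACTION"),
        "principal.user.userid": kv.get("usrName"),
        "target.ip": kv.get("dst"),
        "network.http.method": kv.get("method"),
        # the table maps src to principal.hostname; the sample output shows principal.ip for an address
        ("principal.hostname" if src_not_ip else "principal.ip"): kv.get("src"),
    }
    for key, field in INT_FIELDS.items():  # ports, byte counts and status code become integers
        if kv.get(key, "").isdigit():
            udm[field] = int(kv[key])
    return udm
```

Running `to_udm(parse_leef(SAMPLE))` yields NETWORK_CONNECTION with action ALLOW; a non-address src value flips the classification to NETWORK_UNCATEGORIZED.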
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming Soon