TABLE OF CONTENT
Forcepoint web protection solutions allow Internet activity logging data and, as of v8.5.4, audit log data to be passed to a third-party SIEM product, like Seceon AI SIEM.
Use web protection reporting tools or SIEM integration to report on Internet activity when alerts reveal a potential issue.
Ref. link: https://www.websense.com/content/support/library/web/v85/siem/siem.pdf
STEP 1: Log in to the FORCEPOINT PROXY server.
STEP 2: Navigate through SETTINGS>>GENERAL>>SIEM INTEGRATION to activate.
STEP 3: Provide the <CCE IP address> or Hostname of the machine hosting the SIEM product, then further provide the communication Port(514) to use for sending SIEM data.
STEP 4: Specify the transport Protocol (TCP/UDP) to use when sending data to the SIEM product.
STEP 5: Click OK to cache your data, changes are not implemented until you click on Save and deploy(THIS OPTION IS ON RIGHT SIDE TOP).
Verification can be done either from UI or from the CCE server.
STEP1: Login to UI >> SYSTEM>> LOGS AND FLOWS COLLECTION STATUS.
STEP 2: >> LOGS AND FLOWS COLLECTION STATUS.
STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.
Login into CCE Server with seceon user and execute the following command.
sudo tcpdump -i any host 514 and host <IP address> -AAA