proxy.forcepoint

Introduction

The tags beginning with proxy.forcepoint identify events generated by Forcepoint ONE belonging to Forcepoint.

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed as proxy.forcepoint. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
| --- | --- | --- |
| Forcepoint ONE | proxy.forcepoint.access | proxy.forcepoint.access |

For more information, read more about Devo tags.

Table structure

These are the fields displayed in this table:

proxy.forcepoint.access

| Field | Type | Field Transformation | Source field name | Extra fields |
| --- | --- | --- | --- | --- |
| eventdate | timestamp |  |  |  |
| host | str |  | vhost |  |
| vendor | str |  |  |  |
| product | str |  |  |  |
| product_version | str |  |  |  |
| action | str |  |  |  |
| severity | str |  |  |  |
| category | str |  |  |  |
| user | str |  |  |  |
| loginID | str |  |  |  |
| src_host | str |  |  |  |
| src_ip | ip4 | ip4(src_host) | src_host |  |
| src_port | int4 |  |  |  |
| dst_host | str |  |  |  |
| dst_ip | ip4 |  |  |  |
| dst_port | int4 |  |  |  |
| bytes_out | int8 |  |  |  |
| bytes_in | int8 |  |  |  |
| http_response | str |  |  |  |
| http_method | str |  |  |  |
| http_content_type | str |  |  |  |
| http_user_agent | str |  |  |  |
| http_proxy_status_code | int4 |  |  |  |
| reason | str |  |  |  |
| disposition | str |  |  |  |
| policy | str |  |  |  |
| role | str |  |  |  |
| duration | int4 |  |  |  |
| url | str |  |  |  |
| logRecordSource | str |  |  |  |
| hostchain | str |  |  | ✓ |
| tag | str |  |  | ✓ |
| rawMessage | str |  |  | ✓ |
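As an added illustration of how a syslog/key-value event lands in the columns above (this is example code written for this page, not Devo's or Forcepoint's own parser), the Python below applies the table's column types and the ip4(src_host) transformation to a constructed event. Only the vhost → host and src_host → src_ip mappings come from the table; every other key name is assumed to equal its column name, because the page does not list Forcepoint's source field names.

```python
import ipaddress
import re

# Column types from the proxy.forcepoint.access table; every other column is str.
INT4 = {"src_port", "dst_port", "http_proxy_status_code", "duration"}
INT8 = {"bytes_out", "bytes_in"}
# Source-name mapping the table gives (vhost -> host); all other keys are
# ASSUMED to match their column name, since the page does not list them.
RENAMES = {"vhost": "host"}
# key=value or key="quoted value" pairs (Forcepoint's syslog/key-value format).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

def ip4(value):
    """Mimic the table's ip4() transformation: a valid IPv4 literal, else None."""
    try:
        return str(ipaddress.IPv4Address(value))
    except ValueError:
        return None

def to_int(value, bits):
    try:
        n = int(value)
    except ValueError:
        return None
    limit = 1 << (bits - 1)               # signed int4 / int8 range
    return n if -limit <= n < limit else None

def parse_access_event(line, tag="proxy.forcepoint.access"):
    """Map one key=value event line onto the table's typed columns."""
    row = {}
    for key, raw in KV_RE.findall(line):
        row[RENAMES.get(key, key)] = raw[1:-1] if raw.startswith('"') else raw
    for f in INT4.intersection(row):
        row[f] = to_int(row[f], 32)
    for f in INT8.intersection(row):
        row[f] = to_int(row[f], 64)
    if "dst_ip" in row:
        row["dst_ip"] = ip4(row["dst_ip"])
    if "src_host" in row:                 # table: src_ip = ip4(src_host)
        row["src_ip"] = ip4(row["src_host"])
    row["tag"] = tag                      # extra fields Devo adds at ingestion
    row["rawMessage"] = line              # (hostchain depends on the relay path)
    return row

# Constructed sample event, not real Forcepoint output.
SAMPLE = ('vhost=fp-proxy-01 user="jane doe" src_host=10.20.30.40 src_port=51234 '
          'dst_host=example.com dst_ip=93.184.216.34 dst_port=443 bytes_out=1532 '
          'bytes_in=0 http_method=GET http_proxy_status_code=403 action=blocked '
          'url="https://example.com/downloads?id=7"')
```

A src_host that is a hostname rather than an IPv4 literal yields src_ip = None, which is the behaviour to expect in Devo when the transformation cannot parse the source value.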

How is the data sent to Devo?

Forward the events from Forcepoint to the Devo relay

Disclaimer

This article contains instructions for using third-party software which may undergo design changes over time. This means that the instructions in this article may no longer be accurate for subsequent product versions. If this is the case, please let us know by sending us an email at documentation@devo.com.

  1. In Forcepoint, go to the Settings → General → SIEM Integration page and select Enable SIEM integration for Internet activity log data for this Policy Server. 

  2. Enter the IP address of the Devo relay and specify the port to which you will send the Forcepoint events. 

  3. Choose TCP as the Transport protocol. 

  4. Set the SIEM format to syslog/key-value pairs, then click OK. 

  5. Click Save and Deploy. 

For complete instructions, see the Forcepoint SIEM integration guide.

Set up the Devo relay rule

This simple type-1 relay rule applies the proxy.forcepoint.access tag to the events before forwarding them to Devo. The example below uses port 13003, but you can use any port that you can dedicate to these events; it must be the same port you configured in Forcepoint.

  • Source Port → 13003

  • Target Tag → proxy.forcepoint.access

  • Check the Stop processing and Sent without syslog tag checkboxes.