proxy.forcepoint
Introduction
The tags beginning with proxy.forcepoint identify events generated by Forcepoint ONE, a product belonging to Forcepoint.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as proxy.forcepoint. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables
---|---|---
Forcepoint ONE | proxy.forcepoint.access | proxy.forcepoint.access
For more information, read more about Devo tags.
Table structure
These are the fields displayed in this table:
proxy.forcepoint.access
Field | Type | Field Transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | | | |
host | | | vhost |
vendor | | | |
product | | | |
product_version | | | |
action | | | |
severity | | | |
category | | | |
user | | | |
loginID | | | |
src_host | | | |
src_ip | | ip4(src_host) | src_host |
src_port | | | |
dst_host | | | |
dst_ip | | | |
dst_port | | | |
bytes_out | | | |
bytes_in | | | |
http_response | | | |
http_method | | | |
http_content_type | | | |
http_user_agent | | | |
http_proxy_status_code | | | |
reason | | | |
disposition | | | |
policy | | | |
role | | | |
duration | | | |
url | | | |
logRecordSource | | | |
hostchain | | | | ✓
tag | | | | ✓
rawMessage | | | | ✓
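As an added example (not Devo's parser and not real Forcepoint output), the following Python shows how the two non-identity mappings in the table above behave: the vhost → host rename and the ip4(src_host) transformation that only yields src_ip when src_host is an IPv4 literal. The key-value line layout and the exact ip4() semantics are assumptions made for this illustration.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample events in a syslog/key-value style. The real Forcepoint
# layout is not shown on this page, so this format is an assumption.
SAMPLE_IP_LINE = (
    '<134>Jan 10 12:00:00 fp-host vendor=Forcepoint product="Forcepoint ONE" '
    'action=permitted severity=2 category="Business" user="jdoe" '
    'src_host=10.1.2.3 src_port=51234 dst_host=www.example.com '
    'dst_ip=93.184.216.34 dst_port=443 bytes_out=512 bytes_in=8192 '
    'http_method=GET http_response=200 vhost=proxy01 url="https://www.example.com/"'
)
# Same shape, but src_host carries a hostname, so ip4() cannot produce src_ip.
SAMPLE_NAME_LINE = SAMPLE_IP_LINE.replace("src_host=10.1.2.3", "src_host=ws42.corp.example")

# Source field names that the proxy.forcepoint.access table renames.
RENAMES = {"vhost": "host"}
# key=value pairs, with either a quoted or a bare value.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def ip4(value: Optional[str]) -> Optional[str]:
    """Assumed ip4() behaviour: return the value only when it is a valid IPv4 literal."""
    if not value:
        return None
    try:
        return str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        return None


def parse_kv(line: str) -> dict:
    """Extract key=value pairs from the message; quoted values lose their quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def to_access_row(line: str, tag: str = "proxy.forcepoint.access") -> dict:
    """Map one raw event onto the proxy.forcepoint.access columns."""
    row = {RENAMES.get(k, k): v for k, v in parse_kv(line).items()}
    row["src_ip"] = ip4(row.get("src_host"))  # Field Transformation column
    row["tag"] = tag                           # extra fields Devo adds to every row
    row["rawMessage"] = line
    return row
```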
How is the data sent to Devo?
Forward the events from Forcepoint to the Devo relay
Disclaimer
This article contains instructions for using third-party software which may undergo design changes over time. This means that the instructions in this article may no longer be accurate for subsequent product versions. If this is the case, please let us know by sending us an email at documentation@devo.com.
In Forcepoint, go to the Settings → General → SIEM Integration page and select Enable SIEM integration for Internet activity log data for this Policy Server.
Enter the IP address of the Devo relay and specify the port to which you will send the Forcepoint events.
Choose TCP as the Transport protocol.
Set the SIEM format to syslog/key-value pairs, then click OK.
Click Save and Deploy.
For complete instructions, see the Forcepoint SIEM integration guide.
Set up the Devo relay rule
This simple type-1 relay rule applies the proxy.forcepoint.access tag to the events before forwarding them to Devo. In the example below, we use port 13003, but you can use any port that you can dedicate to these events; it must be the same port you configured in Forcepoint.
Source Port → 13003
Target Tag → proxy.forcepoint.access
Check the Stop processing and Sent without syslog tag checkboxes.