Setting up Bitglass in QRadar App

You will first need to download the Bitglass app from the QRadar app hub and then install the extension into your QRadar setup. Once installed, you can then create an OAuth token in Forcepoint ONE SSE and then configure the setup to start pulling logs.

1. Before starting the Bitglass app installation, you will need to navigate to the QRadar System Settings page and change the Max UDP Syslog Payload Length field to 8192.
   
2. Start by navigating to the QRadar App Hub and login with your IBM account. Search for Bitglass in the search bar and select the app that appears in the results. Conversely, you can access the Bitglass app here.

   Select latest version, 1.0.23, of the Bitglass application.

3. Select Download to download the zip file with the application that you will need to install in your QRadar app.
   
4. Login to your QRadar instance and select the Admin tab and then click on Extension Management.
   
   
   
   
   
5. In the Extension Management tab, click on the Add button in the top right. In the new dialog window, browse for the zip file you downloaded in step 2 and then check the box to install immediately.
   
   
   
   
   
6. On the next page, you might see a message if you already have items that can be replaced or preserved. Review the table items and select the option that makes sense for your setup and then click Install at the bottom. Once installed, you will see the Bitglass application appear in the Extension Management window.
   
   
   
   
   
7. Open a new browser tab or window, login to the Forcepoint ONE SSE portal and login as your admin account. Navigate to Settings > API Interface > OAuth to create a new OAuth token. Click on the green plus icon to create a new token.
   
   
   
8. In the Edit Application window, provide a recognizable name and then select the checkbox for Access your Forcepoint logs (logs api) option. Click Ok at the bottom.
   
   
   
9. Now that the application has been created with pending status, back on the OAuth page, select the app token you just created and then click on the Token Authorization URL to authorize the app.
   
   
   

   
   
   
10. You will be taken to a page to Authorize the app. Once done, you will then see the Access Token you will need for finishing the setup in QRadar. Either leave this page open or copy the token to be used later in step 11 below.
    
    
    
    
    
11. Now switch back to your QRadar app instance and go back to the Admin page and expand the App drop-down in the left column (you might need to refresh the page for the Bitglass app to appear). Select the Bitglass app and then click on the Configuration option on the next screen.
    
    
    
    
    
12. You will be taken to the Bitglass OAuth configuration page.
    
    
    
    1. Copy over the token from step 10 above to the Authentication field.
    2. Check off each of the log types you want to pull (Access for proxy logs, Admin for admin logs, CloudAudit for API scanning logs, SWGWeb logs and SWGWebDLP logs.
    3. Logging interval is in seconds and we recommend setting it to 900 (though we support a minimum of 300 seconds).
    4. Enter https://portal.bitglass.com/api/bitglassapi/logs in the API URL field.
       Note:

       • Bitglass supports 300 API calls within a 24 hour period. This means you should not be setting your interval time to anything below 300 seconds or else you might hit your API call limit and miss logs being pulled over.
       • Customers if using a proxy can configure the proxy information to ensure the logs can be pulled from Bitglass into QRadar.
         
         
    5. Click Save when you are done and you will see a success message. Give it about 30 or so minutes for logs to be pulled and you can review them.