Integrating QRadar application with Forcepoint ONE SSE using Forcepoint ONE application

Forcepoint ONE SSE provides an app in the QRadar App Hub that integrates with the Forcepoint ONE SSE REST API to pull Forcepoint ONE SSE logs into QRadar.

You first create an Access Point in Forcepoint ONE SSE, then download the Forcepoint ONE App from the QRadar App Hub and install it as an extension in your QRadar instance. Once it is installed, you configure the app to start pulling logs.

Before you begin

  • Use the Forcepoint ONE App in QRadar to pull SWG Web raw logs for the Allowed, Denied, Process via Cloud and Isolated actions. Follow the steps below to configure the Forcepoint ONE App in QRadar.
    Note: Currently, you can only pull SWG Web logs using the Forcepoint ONE App.
  • Use the Bitglass extension app in QRadar to pull only Denied-action SWG Web logs, together with Access, Admin, CloudAudit, and SWGWebDLP logs. See Integrating QRadar application with Forcepoint ONE SSE using Bitglass application for details.

Steps

  1. On Forcepoint ONE SSE, create an Access Point.
    Follow the steps in Exporting Logs to AWS S3 Bucket to create the Access Point and configure its permission policy.
  2. Open a new browser tab or window and navigate to the QRadar App Hub:
    1. Log in with your IBM account.
    2. Search for Forcepoint ONE App in the search bar and select the app that appears in the results.
      Alternatively, you can open the Forcepoint ONE App page directly.
    3. Select Download to save the zip file containing the application; you will install this file in your IBM QRadar instance.
  3. Open another browser tab or window and log in to your IBM QRadar instance with Admin privileges.
  4. Navigate to Admin > System Settings > Switch to Advanced:
    1. Change the Max UDP Syslog Payload Length field to 8192.
      Forcepoint SWG Web events can exceed QRadar's default UDP syslog payload length, and anything beyond the configured length is truncated, so the events arrive incomplete if you leave the default in place.

      Note: Currently, Forcepoint recommends a UDP sink URL; the app does not support TCP.
    2. To save the changes, click Save.
  5. On the Admin tab, click Extension Management.
  6. On the Extension Management page, click the Add button.
  7. In the Add a New Extension dialog:
    1. Browse for the zip file that you downloaded in step 2.
    2. Select the Install immediately checkbox.
    3. To proceed with the upload, click Add.
      On the next page, you might see a message if you already have items that can be replaced or preserved.
  8. Review the table items, select the option that makes sense for your setup and then click Install at the bottom.

    Once installed, you are redirected to a summary dialog where you can review your application setup.

    You can also see the Forcepoint ONE App on the Extension Management page.

  9. On the Admin page:
    1. Expand the Apps drop-down in the left column.

      You might need to refresh the page for Forcepoint ONE App Log Configuration to appear.

    2. Select Forcepoint ONE App Log Configuration and then click Configuration in the right pane.

  10. On the Forcepoint ONE App Configuration page:
    1. Enter the Access Key ID and Secret Access Key of the IAM user in your AWS account for which the Access Point was created. Use a dedicated IAM user whose policy grants only read access through that Access Point; the app needs nothing more.
    2. Copy the Access Point ARN value from Forcepoint ONE SSE (step 1) and paste it in the Access Point field.
    3. Select one of the following options to pull and display SWG logs in the Web Analysis dashboard:
      • All - Select this option to display SWG Web logs for the Allowed, Denied, Process via Cloud and Isolated actions in the Web Analysis dashboard.
        Note: If you select this option, a large volume of data is downloaded.
      • Not Allowed - Select this option to display SWG Web logs for the Denied action only in the Web Analysis dashboard.
    4. Enter the Forcepoint ONE SSE Tenant ID.
    5. Enter the Sync Interval in seconds to define how often logs are pulled.

      Valid values are 600 to 3600 seconds. A lower value means new logs appear in QRadar sooner; a higher value means fewer pulls and a longer delay.

    6. Enter the Sink URL (UDP): the UDP syslog endpoint (host and port) that receives the pulled logs, normally the syslog listener on your QRadar Event Collector.
    7. Leave the Proxy (optional) field empty unless your API calls are routed through a proxy, in which case enter the proxy here.
    8. To save the changes, click Save.
      You will see a success message. Allow about 30 minutes for the first logs to be pulled.
  11. To review the pulled logs on QRadar:
    1. Navigate to your IBM QRadar home page.
      There should be a new tab named Forcepoint ONE App.
    2. Click the Forcepoint ONE App tab to view the Web Analysis dashboard.
    3. In the upper-right corner of the dashboard, select a duration from the drop-down to view logs for the selected period.
      Available options are 15 Minutes, 30 Minutes, 1 Hour, 3 Hours, 6 Hours, 12 Hours, 24 Hours, 3 Days, 7 Days, and 14 Days.
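The values entered on the Forcepoint ONE App Configuration page (step 10) are easy to mistype, and a mistake only shows up as an absence of logs half an hour later. The following preflight check is an added example and is not part of the Forcepoint or IBM documentation; the QRadar app does not perform these checks itself. The rules it applies come from two places: the steps above (the sync interval must be 600 to 3600 seconds, the sink must be UDP, the scope is All or Not Allowed) and the public AWS formats (a 20-character upper-case alphanumeric access key ID, a 40-character secret, and an S3 Access Point ARN of the form arn:partition:s3:region:account:accesspoint/name). The udp://host:port form for the sink URL, the field names, and all sample values are assumptions made for the example; the AWS key values are the placeholder keys from the AWS documentation.

```python
"""Preflight validation for the Forcepoint ONE App configuration fields.

Added example, not part of the Forcepoint or IBM documentation. Field names
and the udp://host:port sink form are assumptions for the example; the
interval range, UDP-only sink and scope values come from the configuration
steps; the key and ARN formats are the public AWS formats.
"""
import re
from urllib.parse import urlparse

# arn:<partition>:s3:<region>:<12-digit account>:accesspoint/<name>
# Access Point names are 3-50 lower-case alphanumerics or hyphens, starting
# and ending with an alphanumeric.
ACCESS_POINT_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):s3:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):accesspoint/(?P<name>[a-z0-9][a-z0-9-]{1,48}[a-z0-9])$"
)
ACCESS_KEY_ID = re.compile(r"^[A-Z0-9]{20}$")
SYNC_MIN, SYNC_MAX = 600, 3600          # range stated in step 10.5
LOG_SCOPES = ("All", "Not Allowed")     # options in step 10.3


def parse_access_point_arn(arn):
    """Split an S3 Access Point ARN into its parts; ValueError if malformed."""
    m = ACCESS_POINT_ARN.match(arn.strip())
    if not m:
        raise ValueError("not an S3 Access Point ARN: %r" % arn)
    return m.groupdict()


def parse_sink_url(url):
    """Return (host, port) for a udp://host:port sink; ValueError otherwise.

    The udp:// form is an assumption for this example. TCP is rejected
    because the app supports UDP delivery only.
    """
    u = urlparse(url.strip())
    if u.scheme != "udp":
        raise ValueError("sink must use udp://, got %r" % u.scheme)
    try:
        host, port = u.hostname, u.port
    except ValueError:
        raise ValueError("sink port is not a number: %r" % url) from None
    if not host or port is None:
        raise ValueError("sink needs both host and port: %r" % url)
    return host, port


def validate_config(cfg):
    """Check every field of the configuration page; return a list of (field, problem)."""
    problems = []

    key_id = cfg.get("access_key_id", "")
    if not ACCESS_KEY_ID.match(key_id):
        problems.append(("access_key_id", "expected 20 upper-case alphanumerics"))
    elif key_id.startswith("ASIA"):
        # ASIA-prefixed keys are temporary STS credentials and expire; a
        # poller that runs indefinitely needs a long-lived IAM user key.
        problems.append(("access_key_id", "temporary (STS) credential, will expire"))

    if len(cfg.get("secret_access_key", "")) != 40:
        problems.append(("secret_access_key", "expected a 40-character secret"))

    try:
        parse_access_point_arn(cfg.get("access_point", ""))
    except ValueError as e:
        problems.append(("access_point", str(e)))

    if cfg.get("log_scope") not in LOG_SCOPES:
        problems.append(("log_scope", "must be one of %s" % (LOG_SCOPES,)))

    if not str(cfg.get("tenant_id", "")).strip():
        problems.append(("tenant_id", "required"))

    interval = cfg.get("sync_interval")
    if not isinstance(interval, int) or not SYNC_MIN <= interval <= SYNC_MAX:
        problems.append(("sync_interval",
                         "must be an integer %d-%d seconds" % (SYNC_MIN, SYNC_MAX)))

    try:
        parse_sink_url(cfg.get("sink_url", ""))
    except ValueError as e:
        problems.append(("sink_url", str(e)))

    proxy = cfg.get("proxy") or ""     # optional, per step 10.7
    if proxy:
        p = urlparse(proxy)
        if p.scheme not in ("http", "https") or not p.hostname:
            problems.append(("proxy", "expected http(s)://host[:port]"))

    return problems


# Constructed sample values; the AWS keys are the placeholders from the AWS
# documentation and the account, tenant and host identify nothing real.
SAMPLE_CONFIG = {
    "access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "access_point": "arn:aws:s3:us-east-1:123456789012:accesspoint/fone-qradar-logs",
    "log_scope": "Not Allowed",
    "tenant_id": "example-tenant",
    "sync_interval": 900,
    "sink_url": "udp://qradar-ec.example.internal:514",
    "proxy": "",
}

if __name__ == "__main__":
    for field, problem in validate_config(SAMPLE_CONFIG) or [("ok", "all fields pass")]:
        print("%s: %s" % (field, problem))
```

Run it against the values you intend to paste before clicking Save; an empty result means every field is well-formed, which is as far as an offline check can go. It cannot tell you that the IAM user is actually allowed to read through the Access Point or that the sink host is reachable, so if logs still do not appear after the 30-minute window, those two are the next things to verify.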