Integrating Splunk application with Forcepoint ONE SSE using Forcepoint FONE App

Forcepoint provides a Splunk app on Splunkbase that integrates with the Forcepoint ONE SSE AWS S3 data lake and pulls Forcepoint ONE SSE SWG Web raw logs for the Allowed, Denied, Process via Cloud and Isolated actions.

Before you begin

  • Use the Forcepoint FONE App in Splunk to pull SWG Web raw logs for the Allowed, Denied, Process via Cloud and Isolated actions. Follow the steps below to configure the Forcepoint FONE App in Splunk.
    Note: Currently, the Forcepoint FONE App can pull only SWG Web logs.
  • Use the Bitglass extension app in Splunk to pull only the denied-action SWG logs, together with the Access, Admin, CloudAudit and SWGWebDLP logs. See Integrating Splunk application with Forcepoint ONE SSE using Bitglass application for details.

Follow the steps below to pull logs into your Splunk instance:

Steps

  1. On Forcepoint ONE SSE, create an Access Point.
    Follow the steps in Exporting Logs to AWS S3 Bucket to create the Access Point and configure its permission policy.
  2. In a new browser tab or window, log in to your Splunk instance.
  3. On the Splunk homepage, click Find More Apps in the left column and search for Forcepoint ONE App for Splunk.


  4. From the search results, click Install on the Forcepoint ONE App for Splunk tile.


  5. On the Login and Install dialog:
    1. Enter your Splunk.com account login credentials.


    2. Click Agree to Install.
      It will require you to restart your Splunk instance.
    3. Click Restart Now to restart the Splunk instance.


      After successfully restarting the Splunk instance, you will now see the Forcepoint FONE App on the left column.

  6. Select Forcepoint FONE App in the left column, then click Continue to app setup page in the window that opens to configure the settings.




  7. On the Forcepoint ONE Configuration page:
    1. Enter the Access Key ID and Secret Access Key of the IAM user in the customer AWS account for which the Access Point was created.
      Use a dedicated IAM user whose permissions are limited to what the Access Point permission policy from step 1 requires; do not reuse the credentials of an administrative account, because Splunk stores this key for every sync.

    2. Copy the Access Point ARN from Forcepoint ONE SSE (step 1) and paste it into the Access Point field.
    3. Select one of the following options to pull SWG logs and display them in the Web Analysis dashboard:
      • All - Select this option to display SWG logs for the allowed, denied, process via cloud and isolated actions in the Web Analysis dashboard.
        Note: If you select this option, a large volume of data is downloaded.
      • Not Allowed - Select this option to display SWG logs for only the denied action in the Web Analysis dashboard.
    4. Enter the Sync Interval in seconds to define how often the logs are pulled.
      Valid values are 600 to 3600 seconds. A lower value gives lower sync latency than a higher value, at the cost of more frequent polling of the S3 data lake.
    5. Enter the Forcepoint ONE SSE Tenant ID.
    6. Leave the Proxy (optional) field empty unless you route API calls through a proxy, in which case enter the proxy here.
    7. From the Splunk Index drop-down, select the index in which the data is to be stored.
      You can create new indexes on the Settings > Data > Indexes page. For details, see Managing indexes in Splunk.
    8. To save the changes, click Save.
  8. After you click Save, you are redirected to the Web Analysis Dashboard.

    Depending on your data volume, allow 10-15 minutes for the first logs to be pulled and for results to appear.
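The setup page gives no feedback on a bad ARN, an out-of-range sync interval, or an IAM user that cannot read the Access Point until the first sync silently returns nothing. The following pre-flight check is an added example, not code from Forcepoint or from the Splunk app: it validates the values the configuration page asks for (the 600 to 3600 second interval range and the All / Not Allowed modes come from the steps above; the S3 Access Point ARN shape and access point naming rules come from AWS) and, optionally, lists a few objects through the Access Point with the same IAM credentials so you can confirm the permission policy from step 1 before clicking Save. The dictionary keys, the sample configuration and the credential values are constructed for the example.

```python
"""Pre-flight check for the Forcepoint FONE App settings (added example)."""
import re

# Shape of an S3 Access Point ARN, e.g.
#   arn:aws:s3:us-east-1:123456789012:accesspoint/fone-logs
# Access point names are 3-50 lowercase letters, digits and hyphens, and
# may not start or end with a hyphen.
ACCESS_POINT_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)*:s3:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":accesspoint/(?P<name>[a-z0-9][a-z0-9-]{1,48}[a-z0-9])$"
)
# Range the app's Sync Interval field accepts (seconds)
SYNC_INTERVAL_MIN, SYNC_INTERVAL_MAX = 600, 3600
# Pull modes offered on the configuration page
PULL_MODES = {"All", "Not Allowed"}


def validate_fone_config(cfg: dict) -> list[str]:
    """Return a list of problems with the settings; an empty list means OK."""
    problems = []
    for key in ("access_key_id", "secret_access_key", "tenant_id", "splunk_index"):
        if not str(cfg.get(key, "")).strip():
            problems.append(f"{key} is empty")

    arn = str(cfg.get("access_point_arn", ""))
    if not ACCESS_POINT_ARN.match(arn):
        problems.append(f"access_point_arn is not an S3 Access Point ARN: {arn!r}")

    try:
        interval = int(cfg.get("sync_interval", ""))
    except (TypeError, ValueError):
        problems.append("sync_interval is not an integer number of seconds")
    else:
        if not SYNC_INTERVAL_MIN <= interval <= SYNC_INTERVAL_MAX:
            problems.append(
                f"sync_interval {interval} is outside "
                f"{SYNC_INTERVAL_MIN}-{SYNC_INTERVAL_MAX} seconds"
            )

    if cfg.get("pull_mode") not in PULL_MODES:
        problems.append(f"pull_mode must be one of {sorted(PULL_MODES)}")

    proxy = str(cfg.get("proxy") or "")
    if proxy and not re.match(r"^https?://", proxy):
        problems.append(f"proxy must be an http(s) URL, got {proxy!r}")
    return problems


def check_access_point(cfg: dict, max_keys: int = 5) -> list[str]:
    """List a few object keys through the Access Point with the IAM credentials.

    Needs boto3 and network access, so it is not exercised offline. The client
    region must match the ARN's region for boto3 to accept an Access Point ARN
    as the Bucket parameter.
    """
    import boto3  # imported lazily so validate_fone_config() works without it

    region = ACCESS_POINT_ARN.match(cfg["access_point_arn"]).group("region")
    s3 = boto3.client(
        "s3",
        region_name=region,
        aws_access_key_id=cfg["access_key_id"],
        aws_secret_access_key=cfg["secret_access_key"],
    )
    resp = s3.list_objects_v2(Bucket=cfg["access_point_arn"], MaxKeys=max_keys)
    return [obj["Key"] for obj in resp.get("Contents", [])]


# Constructed sample settings; every value here is a placeholder.
SAMPLE_CONFIG = {
    "access_key_id": "AKIAEXAMPLEEXAMPLE",
    "secret_access_key": "example-secret-do-not-use",
    "access_point_arn": "arn:aws:s3:us-east-1:123456789012:accesspoint/fone-logs",
    "pull_mode": "Not Allowed",
    "sync_interval": 900,
    "tenant_id": "example-tenant",
    "proxy": "",
    "splunk_index": "forcepoint_swg",
}

if __name__ == "__main__":
    issues = validate_fone_config(SAMPLE_CONFIG)
    print("config OK" if not issues else "\n".join(issues))
```

Run the validator first; only when it reports nothing, call `check_access_point()` with the real values. An empty key list is not itself an error (the data lake may be empty for a new Access Point), but an AccessDenied exception means the permission policy or IAM user needs fixing before the app will ever pull logs.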