Integrating Splunk application with Forcepoint ONE SSE using Bitglass application

Forcepoint ONE SSE provides a Splunk app on Splunkbase that integrates with the Forcepoint ONE SSE REST API to pull Forcepoint ONE SSE logs into Splunk.

Before you begin

Using the Bitglass extension app in Splunk, you can pull only SWG logs for denied actions. To pull SWG logs for allowed, denied, process-via-cloud and isolated actions, follow the steps in Integrating Splunk application with Forcepoint ONE SSE using Forcepoint FONE App.

You will first need to download the Bitglass app from Splunkbase and install the extension into your Splunk setup. Once it is installed, create an OAuth token in Forcepoint ONE SSE and then configure the app to start pulling logs.

Steps

  1. You can either download the app first and then install it manually in Splunk, or you can log in to your Splunk instance and search for and install the Bitglass app directly. From your Splunk homepage, click Find More Apps in the left column. Then search for Bitglass and click Install on the app that appears.

  2. On the next page, enter your Splunk.com account info to log in, check the I have read the T&C... checkbox at the bottom, then click Login and Install. You will then be required to restart your Splunk instance.

  3. While Splunk is restarting, open a new browser tab or window and log in to the Forcepoint ONE SSE portal with your admin account. Navigate to Settings > API Interface > OAuth and click the green plus icon to create a new OAuth token.
  4. In the Edit Application window, provide a recognizable name and then select the checkbox for Access your Bitglass logs (logs api) option. Click Ok at the bottom.

  5. Now that the application has been created, go back to the OAuth page, select the app token you just created, and then click the Token Authorization URL to authorize the app.

  6. You will be taken to a page to authorize the app. Once that is done, you will see the Access Token you need to finish the setup in Splunk. Either leave this page open or copy the token for use later in step 8.

    Note: When setting up the Bitglass app in Splunk in the next steps, you will be prompted to authenticate. You can use either Basic Auth or OAuth (the token created above). The OAuth token is recommended because it is more secure, but either method works.
  7. Now navigate back to the Splunk instance that restarted after step 2 and log back in (keeping the Forcepoint ONE SSE window from step 6 open). You will now see the Bitglass app in the left column. Select it, and then click Continue to app setup page in the window that pops up to configure the settings.

  8. Fill out the fields on the Setup page.
    1. Copy the OAuth token generated in step 6 into the OAuth 2.0 Token field.
      If you prefer to authenticate with Basic Auth instead, expand the dropdown arrow to enter your Basic Auth credentials.
    2. Select which log Dashboards you wish to pull over.
    3. Enter portal.bitglass.com/api/bitglassapi/logs/ in the API URL field.
    4. Leave the Proxy (optional) field as is unless you route your API calls through a proxy, in which case you will need to fill out this field.
  9. Once you click Save, you are taken to the Bitglass app Dashboard. Allow a few minutes for logs to be pulled over before you expect to see results.
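The values entered on the setup page in step 8 map onto an ordinary authenticated HTTPS request. The following Python script is an added illustration of that mapping, not code from Forcepoint or from the Bitglass Splunk app, and it makes these assumptions: that the logs API accepts the OAuth 2.0 token as an `Authorization: Bearer` header, that Basic Auth follows RFC 7617, and that the proxy field holds a proxy URL; the function names, the constructed token and the proxy address are placeholders. It also shows two checks a practitioner wants around a credential like this: the API URL from step 8.3 is given no scheme on the page, so the script adds `https://` and refuses anything else, and the token is masked before it is written to any log line.

```python
import base64
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# API URL exactly as entered in step 8.3; normalize_api_url() adds the scheme.
DEFAULT_API_URL = "portal.bitglass.com/api/bitglassapi/logs/"


def normalize_api_url(api_url: str) -> str:
    """Return the API URL with an explicit https scheme.

    The setup page lists the URL without a scheme. The token must never travel
    over plain http, so any scheme other than https is rejected outright.
    """
    if "://" not in api_url:
        api_url = "https://" + api_url
    parts = urlsplit(api_url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-https API URL: {api_url}")
    if not parts.netloc:
        raise ValueError(f"API URL has no host: {api_url}")
    return urlunsplit(parts)


def auth_header(oauth_token=None, basic_user=None, basic_password=None) -> str:
    """Build the Authorization header value from the credentials of step 8.1.

    OAuth token  -> 'Bearer <token>'  (assumed scheme for the logs API)
    Basic Auth   -> 'Basic base64(user:password)'  (RFC 7617)
    Exactly one method must be supplied, mirroring the either/or choice on the page.
    """
    if oauth_token and (basic_user or basic_password):
        raise ValueError("supply either the OAuth token or Basic Auth, not both")
    if oauth_token:
        return "Bearer " + oauth_token.strip()
    if basic_user and basic_password:
        raw = f"{basic_user}:{basic_password}".encode("utf-8")
        return "Basic " + base64.b64encode(raw).decode("ascii")
    raise ValueError("no credentials supplied")


def build_logs_request(api_url=DEFAULT_API_URL, oauth_token=None, basic_user=None,
                       basic_password=None, proxy=None):
    """Return (Request, OpenerDirector); call opener.open(request) to fetch.

    `proxy` mirrors the optional Proxy field of step 8.4: when set, https calls
    go through it; when None, no proxy is used even if the environment defines
    one, so the path the token takes is always explicit.
    """
    url = normalize_api_url(api_url)
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", auth_header(oauth_token, basic_user, basic_password))
    req.add_header("Accept", "application/json")
    proxies = {"https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    return req, opener


def redact(header_value: str) -> str:
    """Form of the Authorization header that is safe to write to a log line:
    the scheme is kept, the secret is masked except for its last four characters."""
    scheme, _, secret = header_value.partition(" ")
    if len(secret) <= 4:
        return f"{scheme} ****"
    return f"{scheme} ****{secret[-4:]}"


if __name__ == "__main__":
    # Constructed placeholder token and proxy; replace with the step 6 token
    # and, if used, the proxy from step 8.4.
    req, opener = build_logs_request(oauth_token="EXAMPLE-TOKEN-0000",
                                     proxy="http://proxy.example.internal:3128")
    print(req.full_url)
    print(redact(req.get_header("Authorization")))
```

The script only prepares the request; running `opener.open(req)` against the real portal requires a token issued as in step 6, and the `redact()` helper is what should appear in any troubleshooting output rather than the raw header.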