Log Export QRadar App

Forcepoint Data Security Cloud provides a QRadar extension on the IBM Application Exchange that integrates with the Forcepoint Insights Export API to pull Forcepoint Data Security Cloud SSE logs.

Attention: Use the Forcepoint Data Security Cloud App in QRadar to pull SWG logs (non-allowed logs), along with DLP, Health, Admin, CASBAPI, CASBInline, and ZTNA logs. Follow the steps below to configure the Forcepoint Data Security Cloud App in QRadar.

Prerequisites

  1. The tenant must be registered on the platform and have access to the tenant portal.
  2. The tenant must have an API Key generated on the Platform UI.

    For more details, refer to this link.

  3. Increase the QRadar Syslog Max Log Size to at least 16384.

    To increase the log size in QRadar, follow these steps:

    1. Log in to the QRadar Console as an administrator.
    2. From the Admin tab, click System Settings > Advanced.
    3. Enter 16384 in the Max UDP Syslog Payload Length field and click Save.
    4. From the Admin tab, click Deploy Changes.

Steps to pull logs into your QRadar instance

  1. In a new browser tab or window, log in to your QRadar instance.
  2. On the QRadar homepage, click Admin > System Configuration > Extensions Management.

  3. In the Extensions Management window, click IBM Security App Exchange in the top right corner.

  4. Log in to the IBM Security App Exchange, type Forcepoint Insights SIEM App in the search field, and press Enter.

  5. Click the Forcepoint Insights SIEM App and click Download to download the ZIP file.

  6. Go to the Extensions Management page and click the Add button in the top right corner. Select Install immediately and click Browse. Select the ZIP file downloaded in the previous step and click the Add button.

  7. Click the Install button at the bottom.

  8. Once installation is complete, return to your QRadar console, refresh the page, and click the Admin tab. Under Apps, select Forcepoint Data Security Cloud App Log Configuration and click Configuration.

  9. Fill out the fields on the Forcepoint Insights SIEM App page.

    1. API Key: Enter the Tenant API Key.
    2. Exported Fields: Select the type of fields you want to export.
      Note: The names of the registered properties/fields are available here.
      1. Default Fields: Choose this option to export only the default fields. For detailed information about the default fields available for collections, refer to this document.
      2. All Fields: Select this option to export all available fields from the collections.
    3. Sync Interval: Specify the interval (between 150 and 3600 seconds) at which you want the data to be exported.
      Note: If the sync interval is set below 300 seconds, contact the Forcepoint Support Team to address potential rate-limiting issues.
    4. Collections: Select the collections for which you want to export data.
    5. Platform Host: Enter the Platform Host. For example: portal.forcepointone.com
    6. Insights Host: Enter the Insights Host. For example: <tenanthost>.insights.forcepointone.com
    7. Proxy (Optional): Leave this field blank unless you need to route API calls through a proxy. If you do, provide the proxy details here in the format http://username:password@host:port
    8. Sink URL (UDP) (Optional): Specify this if you want to forward the logs to an external syslog server, in the format <Host>:<Port>

      Once all configurations are complete, click Save to apply the changes.

  10. To view the logs, click Log Activity > Add Filter. From the Parameter drop-down, select Log Source Type; in Value, select Forcepoint Insights; then click Add Filter in the popup.
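Before typing the values above into the Configuration page, it is worth checking them against the constraints this page states: a sync interval of 150 to 3600 seconds (with a support contact advised below 300), a proxy in the form http://username:password@host:port, and a sink in the form <Host>:<Port>. The script below is an added example and not part of the app or of Forcepoint's documentation. Its dictionary keys (api_key, sync_interval, proxy, sink_url and so on) are this example's own names that mirror the fields above, the hostnames and credentials in the samples are constructed placeholders, and accepting https:// as well as http:// for the proxy is an assumption beyond the page's stated format.

```python
"""Pre-flight validation of Forcepoint Data Security Cloud App settings.

Added example, not the app's own code. It checks a settings dict against the
constraints the configuration page states so that mistakes surface before
the app starts polling. Key names and sample values are constructed here.
"""
from __future__ import annotations
from urllib.parse import urlsplit

SYNC_MIN, SYNC_MAX = 150, 3600     # documented interval bounds, seconds
SYNC_RATE_LIMIT_WARN = 300         # below this, the page says to contact support


def _valid_hostname(host: str) -> bool:
    """Accept a bare DNS name (no scheme, no path): labels of letters, digits, hyphens."""
    if not host or len(host) > 253 or host.endswith("."):
        return False
    return all(
        1 <= len(lbl) <= 63 and lbl.replace("-", "").isalnum()
        and not lbl.startswith("-") and not lbl.endswith("-")
        for lbl in host.split(".")
    )


def _valid_port(port: str) -> bool:
    return port.isdigit() and 1 <= int(port) <= 65535


def validate_proxy(proxy: str) -> list[str]:
    """Proxy must look like http://username:password@host:port (https accepted as an assumption)."""
    parts, errors = urlsplit(proxy), []
    if parts.scheme not in ("http", "https"):
        errors.append("proxy: scheme must be http or https")
    if parts.username is None or parts.password is None:
        errors.append("proxy: username and password are required")
    if not parts.hostname or not _valid_hostname(parts.hostname):
        errors.append("proxy: host is missing or malformed")
    try:
        if parts.port is None:              # .port raises ValueError when out of range
            errors.append("proxy: port is required")
    except ValueError:
        errors.append("proxy: port is not a valid number")
    if parts.path or parts.query or parts.fragment:
        errors.append("proxy: no path, query or fragment allowed")
    return errors


def validate_sink(sink: str) -> list[str]:
    """Sink URL (UDP) must be <Host>:<Port> with no scheme."""
    if "://" in sink:
        return ["sink: give host:port without a scheme"]
    host, sep, port = sink.rpartition(":")
    errors = []
    if not sep or not _valid_hostname(host):
        errors.append("sink: host is missing or malformed")
    if not _valid_port(port):
        errors.append("sink: port must be 1-65535")
    return errors


def validate_config(cfg: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a settings dict mirroring the Configuration page."""
    errors, warnings = [], []
    if not str(cfg.get("api_key", "")).strip():
        errors.append("api_key: required")
    if cfg.get("exported_fields") not in ("Default Fields", "All Fields"):
        errors.append("exported_fields: must be 'Default Fields' or 'All Fields'")
    try:
        interval = int(cfg.get("sync_interval", ""))
    except (TypeError, ValueError):
        errors.append("sync_interval: must be an integer number of seconds")
    else:
        if not SYNC_MIN <= interval <= SYNC_MAX:
            errors.append(f"sync_interval: must be between {SYNC_MIN} and {SYNC_MAX} seconds")
        elif interval < SYNC_RATE_LIMIT_WARN:
            warnings.append(f"sync_interval: below {SYNC_RATE_LIMIT_WARN} s, contact Forcepoint Support about rate limiting")
    if not cfg.get("collections"):
        errors.append("collections: select at least one collection")
    for key in ("platform_host", "insights_host"):
        if not _valid_hostname(str(cfg.get(key, ""))):
            errors.append(f"{key}: must be a bare hostname such as portal.forcepointone.com")
    if cfg.get("proxy"):
        errors += validate_proxy(cfg["proxy"])
    if cfg.get("sink_url"):
        errors += validate_sink(cfg["sink_url"])
    return errors, warnings


# Constructed sample settings; hostnames and credentials are placeholders, not real tenants.
SAMPLE_OK = {
    "api_key": "EXAMPLE-API-KEY",
    "exported_fields": "Default Fields",
    "sync_interval": 200,                      # valid, but below 300 -> warning
    "collections": ["DLP", "SWG", "ZTNA"],
    "platform_host": "portal.forcepointone.com",
    "insights_host": "example-tenant.insights.forcepointone.com",
    "proxy": "http://proxyuser:proxypass@proxy.example.internal:3128",
    "sink_url": "syslog.example.internal:514",
}
SAMPLE_BAD = {
    **SAMPLE_OK,
    "sync_interval": 60,                                  # out of range
    "proxy": "proxy.example.internal:3128",               # no scheme, no credentials
    "sink_url": "udp://syslog.example.internal:514",      # scheme not allowed
}

if __name__ == "__main__":
    for name, cfg in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        errs, warns = validate_config(cfg)
        print(name, "errors:", errs, "warnings:", warns)
```

Run it as-is to see the two sample results, or import validate_config and feed it the values you intend to enter; anything in the errors list will be rejected or silently misbehave in the app, and the warning reproduces the page's advice to involve Forcepoint Support when polling faster than every 300 seconds.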