Log Export Splunk App
Forcepoint Data Security Cloud provides a Splunk app on Splunkbase for easily integrating with Forcepoint Insight's Export API for pulling Forcepoint Data Security Cloud SSE logs.
Attention: Use the Forcepoint Data Security Cloud App in Splunk to pull SWG logs where the action log is not equal to 'Allowed', along with DLP, Health, Admin, CASBAPI, CASBInline, and ZTNA logs. Follow the steps mentioned below to configure the Forcepoint Data Security Cloud App in Splunk.
Prerequisites
- Tenant must be registered on the platform and have access to the tenant portal.
- Tenant must have an API Key generated on the Platform UI.
For more details, refer to this link.
Steps to pull logs to your Splunk Instances
- On a new browser tab or window, login to your Splunk instance.
- On the Splunk homepage, click Find More Apps from the left column and search for Forcepoint Data Security Cloud App for Splunk.
- From the search results, click Install on the Forcepoint Data Security Cloud App for Splunk title.
- On the Login and Install dialog:
- Enter your Splunk account login credentials and click Agree to Install. It will require you to restart your Splunk instance.
- Click Restart Now to restart the Splunk instance.
After successfully restarting the Splunk instance, you will now see the Forcepoint Data Security Cloud App on the left column.
- Select Forcepoint Data Security Cloud App on the left column and then click Continue to app setup page on the next window that pops up to configure the settings.
- Fill out the fields on the Forcepoint Data Security Cloud App Configuration page:
- API Key: Enter the Tenant API Key.
- Exported Fields: Select the type of fields you want to export.
- Default Fields: Choose this option to export only the default fields. For detailed information about the default fields available for collections, refer to this document.
- All Fields: Select this option to export all available fields from the collections.
- Sync Interval: Specify the interval (between 150 and 3600 seconds) at which you want the data to be exported. Note: If the sync interval is set below 300 seconds, please contact the Forcepoint Support Team to address potential rate-limiting issues.
- Collections: Select the collections for which you want to export data.
- Insights Base URL: Enter the Insights Base URL. For example: <tenantHost>.insights.forcepointone.com
- Platform Base URL: Enter the Platform Base URL. For example: portal.forcepointone.com
- Proxy (Optional): Leave this field blank unless you need to route API calls through a proxy. If so, provide the required proxy details here in the format http://username:password@host:port
- Splunk Index: From the drop-down menu, select the index where the data should be stored. To create a new index, navigate to . For more details on managing indexes, refer to Managing indexes in Splunk.
Once all configurations are complete, click Save to apply the changes.
- Once you click Save, you will be taken to the Forcepoint Data Security Cloud app Dashboard. Give it a few minutes before logs are pulled over and you see log results.
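A pre-flight check for the values entered on the configuration page, using the bounds and formats the steps above describe (150 to 3600 second interval with a rate-limiting caveat below 300, bare-host base URLs, http://username:password@host:port proxy). This is an added example, not code from the Forcepoint app or from Splunk; the dictionary keys and the selectable collection names are assumptions.

```python
from urllib.parse import urlsplit
# Log types the page says the app can pull (assumed to be the selectable collection names).
KNOWN_COLLECTIONS = {"SWG", "DLP", "Health", "Admin", "CASBAPI", "CASBInline", "ZTNA"}
def _bare_host(value: str) -> bool:
    # A host name only: no scheme, no path, and no unreplaced <placeholder>.
    return bool(value) and "://" not in value and "/" not in value and "<" not in value
def validate_app_config(cfg: dict) -> dict:
    """Check one configuration dict; returns {'errors': [...], 'warnings': [...]}."""
    errors, warnings = [], []
    if not str(cfg.get("api_key", "")).strip():
        errors.append("API Key is required (generate it on the Platform UI)")
    if cfg.get("exported_fields") not in ("Default Fields", "All Fields"):
        errors.append("Exported Fields must be 'Default Fields' or 'All Fields'")
    # Sync Interval: 150..3600 seconds; below 300 may hit API rate limits.
    try:
        interval = int(cfg.get("sync_interval"))
    except (TypeError, ValueError):
        errors.append("Sync Interval must be a whole number of seconds")
    else:
        if not 150 <= interval <= 3600:
            errors.append("Sync Interval must be between 150 and 3600 seconds")
        elif interval < 300:
            warnings.append("Sync Interval below 300 s: ask Forcepoint Support about rate limiting")
    collections = set(cfg.get("collections", []))
    if not collections:
        errors.append("select at least one collection")
    elif collections - KNOWN_COLLECTIONS:
        errors.append(f"unknown collections: {sorted(collections - KNOWN_COLLECTIONS)}")
    # Base URLs are entered as bare hosts, e.g. <tenantHost>.insights.forcepointone.com
    insights = cfg.get("insights_base_url", "")
    if not (_bare_host(insights) and insights.endswith(".insights.forcepointone.com")):
        errors.append("Insights Base URL must look like <tenantHost>.insights.forcepointone.com")
    if not _bare_host(cfg.get("platform_base_url", "")):
        errors.append("Platform Base URL must be a bare host such as portal.forcepointone.com")
    # Proxy is optional; when set it must be http://username:password@host:port
    proxy = cfg.get("proxy", "")
    if proxy:
        try:
            p = urlsplit(proxy)
            ok = p.scheme == "http" and all((p.username, p.password, p.hostname, p.port))
        except ValueError:  # e.g. a non-numeric port
            ok = False
        if not ok:
            errors.append("Proxy must be in the form http://username:password@host:port")
    return {"errors": errors, "warnings": warnings}
# Constructed sample: interval deliberately below 300 and a proxy missing scheme and credentials.
SAMPLE_CONFIG = {"api_key": "REDACTED-TENANT-API-KEY", "exported_fields": "Default Fields",
                 "sync_interval": 200, "collections": ["SWG", "DLP", "ZTNA"],
                 "insights_base_url": "acme.insights.forcepointone.com",
                 "platform_base_url": "portal.forcepointone.com", "proxy": "proxy.example:3128"}
```

Running `validate_app_config(SAMPLE_CONFIG)` reports one proxy-format error and one rate-limiting warning; fix both before clicking Save.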