Log Export Splunk App

Forcepoint Insights provides a Splunk app on Splunkbase that integrates with the Forcepoint Data Security Cloud Insights Export API to pull Forcepoint Data Security Cloud logs across multiple licensed products.

Attention: For the Security Service Edge (SSE) product, use the Forcepoint Data Security Cloud App in Splunk to pull SWG logs whose action is not 'Allowed', along with DLP, Health, Admin, CASBAPI, CASBInline, and ZTNA logs.

Prerequisites

  1. The tenant must be registered on the platform and have access to the tenant portal.
  2. The tenant must have an API Key generated in the Platform UI.
     Important: Make sure the Insights Log Export checkbox is selected when generating the key.

For more details, refer to this link.

Steps to pull logs into your Splunk instance

  1. In a new browser tab or window, log in to your Splunk instance.
  2. On the Splunk homepage, click Find More Apps in the left column and search for Forcepoint Insights SIEM App.

  3. From the search results, click Install on the Forcepoint Insights SIEM App.

  4. In the Login and Install dialog:
    1. Enter your Splunk account login credentials and click Agree and Install. Splunk will prompt you to restart your instance.

    2. After the installation completes, the Forcepoint Insights SIEM App appears in the left column.

  5. Select Forcepoint Insights SIEM App in the left column, then click Continue to app setup page in the window that pops up to configure the settings.

  6. Fill out the fields on the Forcepoint Insights SIEM App Configuration page:

    1. API Key: Enter the tenant API Key.
    2. Platform Host: Enter the Platform Host. For example: portal.forcepointone.com
    3. Insights Host: Enter the Insights Host. For example: <tenanthost>.insights.forcepointone.com
    4. Sync Interval: Specify the interval (between 150 and 3600 seconds) at which you want the data to be exported.
      Note: If the sync interval is set below 300 seconds, contact the Forcepoint Support Team to address potential rate-limiting issues.
    5. Proxy (Optional): Leave this field blank unless you need to route API calls through a proxy. If you do, enter the proxy details in the format http://username:password@host:port
    6. Splunk Index: From the drop-down menu, select the index in which the data should be stored.

      To create a new index, navigate to Settings > Data > Indexes.

      For more details on managing indexes, refer to: Managing indexes in Splunk.

      Once all configurations are complete, click Next.

  7. Data Sources

    • Products: Select one or more products for which you want to export data.

    • Collections: For each selected product, select one or more collections from which you want to export data.

    • Exported Fields: For each selected product, select the type of fields you want to export.

      1. Default Fields: Choose this option to export only the default fields. For detailed information about the default fields available for collections, refer to this document.
      2. All Fields: Select this option to export all available fields from the collections.

      Once all configurations are complete, click Save Configuration to apply the changes.

  8. After you click Save Configuration, you are taken to the Forcepoint Data Security Cloud App Dashboard. Allow a few minutes for logs to be pulled before you expect to see log results for the Security Service Edge (SSE) product.
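The configuration page in step 6 accepts values with stated constraints (a Sync Interval of 150 to 3600 seconds, a support call-out below 300 seconds, a proxy in the form http://username:password@host:port, hosts given as bare hostnames). The following pre-flight checker is an added example, not code from the Forcepoint app or from Splunk: it validates the values you are about to enter and produces a log-safe version of the proxy setting with the password masked. The field names (`api_key`, `platform_host`, `insights_host`, `sync_interval`, `proxy`, `index`) and the sample configuration are constructed for this example and do not correspond to the app's own settings keys; the checker never contacts the Export API.

```python
"""Pre-flight checks for the Forcepoint Insights SIEM App settings.

Added example (not part of the app): validates the values from the
configuration page offline and never calls the Export API. Field names and
sample values below are constructed for this example.
"""
import re
from urllib.parse import urlsplit

SYNC_MIN, SYNC_MAX = 150, 3600      # documented bounds for Sync Interval (seconds)
SYNC_SUPPORT_THRESHOLD = 300        # below this, contact Forcepoint Support (rate limiting)

# Bare DNS hostname: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def check_sync_interval(seconds):
    """Return 'ok', 'contact-support' (valid but below 300 s) or 'invalid'."""
    if isinstance(seconds, bool) or not isinstance(seconds, int):
        return "invalid"
    if not SYNC_MIN <= seconds <= SYNC_MAX:
        return "invalid"
    return "contact-support" if seconds < SYNC_SUPPORT_THRESHOLD else "ok"


def check_host(host):
    """True for a bare hostname such as portal.forcepointone.com.

    Rejects schemes, ports, paths and unreplaced placeholders like <tenanthost>."""
    return bool(HOST_RE.match(host or ""))


def parse_proxy(proxy):
    """Parse http://username:password@host:port.

    Returns None for a blank field (proxy not used), a dict on success, or
    raises ValueError describing what is wrong with the value."""
    if not proxy or not proxy.strip():
        return None
    parts = urlsplit(proxy.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError("proxy must start with http:// or https://")
    if not parts.hostname:
        raise ValueError("proxy host is missing")
    try:
        port = parts.port            # ValueError if not numeric or out of range
    except ValueError:
        raise ValueError("proxy port is not a valid number")
    if port is None:
        raise ValueError("proxy port is missing")
    if parts.path or parts.query or parts.fragment:
        raise ValueError("proxy must not contain a path, query or fragment")
    # Note: a password containing '@' or ':' must be percent-encoded in the URL.
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "username": parts.username, "password": parts.password}


def redact_proxy(proxy):
    """Proxy URL with the password masked, safe to paste into logs or tickets."""
    p = parse_proxy(proxy)
    if p is None:
        return ""
    auth = ""
    if p["username"]:
        auth = p["username"] + (":***" if p["password"] else "") + "@"
    return f"{p['scheme']}://{auth}{p['host']}:{p['port']}"


def validate_config(cfg):
    """Return a list of findings; an empty list means the values are ready to save."""
    findings = []
    if not (cfg.get("api_key") or "").strip():
        findings.append("API Key is empty")
    for field in ("platform_host", "insights_host"):
        if not check_host(cfg.get(field, "")):
            findings.append(f"{field} is not a bare hostname "
                            "(replace placeholders such as <tenanthost>)")
    status = check_sync_interval(cfg.get("sync_interval"))
    if status == "invalid":
        findings.append(f"Sync Interval must be a whole number of seconds "
                        f"between {SYNC_MIN} and {SYNC_MAX}")
    elif status == "contact-support":
        findings.append("Sync Interval is below 300 s: contact Forcepoint Support "
                        "about rate limiting before using it")
    try:
        parse_proxy(cfg.get("proxy", ""))
    except ValueError as exc:
        findings.append(f"Proxy: {exc}")
    if not (cfg.get("index") or "").strip():
        findings.append("Splunk Index is not selected")
    return findings


# Constructed sample configuration; the API key is a labelled placeholder.
EXAMPLE_CONFIG = {
    "api_key": "REPLACE-WITH-TENANT-API-KEY",
    "platform_host": "portal.forcepointone.com",
    "insights_host": "<tenanthost>.insights.forcepointone.com",   # placeholder left in on purpose
    "sync_interval": 200,
    "proxy": "http://svc-splunk:s3cret@proxy.example.internal:3128",
    "index": "forcepoint",
}

if __name__ == "__main__":
    for finding in validate_config(EXAMPLE_CONFIG) or ["no findings"]:
        print("-", finding)
    print("proxy as logged:", redact_proxy(EXAMPLE_CONFIG["proxy"]))
```

Run it against your own values before clicking Save Configuration; the sample deliberately leaves the `<tenanthost>` placeholder in place and uses a 200-second interval so that both findings show up, and the redacted proxy string is the form to use in any support ticket.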