Exporting data to a third-party SIEM tool

Use the Reporting > Account Reports > SIEM Integration page to format reporting data for use by a third-party SIEM tool. Select data columns and apply filters to the data, just as you do in other areas of the Report Center (see Using the Transaction Viewer for Web, and Using Message Details for Email).

Before data can be exported, you need to configure SIEM Storage details. Navigate to Account > SIEM Storage to select a storage type and configure your own storage if you do not wish to use Forcepoint storage (the default). See Configuring SIEM storage for details.

After selecting the type of data that you want to export to your SIEM tool, define the data format, and enable SIEM data export.

To configure and enable SIEM integration:

Steps

  1. Select a data type (Web Security or Email Security) from the drop-down list. Note that:
    • You can select one or both options.
    • Only options appropriate to your account are displayed.
  2. Use the Columns drop-down list, or drag items into the report panel from the Attributes or Metrics lists to customize the information that will appear in the exported data. You can drag columns in the report panel to re-order them.

    The default columns vary, depending on which data type you have selected.

    The number of columns allowed also varies, depending on the data type. For Web Security, the limit is 35. For Email Security, the limit is 25.

    See Report attributes: Web and Data Security or Email report attributes for additional information.

  3. Drag items from the Attributes or Metrics lists to the Filters field to define any filters you want to apply to your reporting data before it is exported. On the popup that appears, use the drop-down list to define how the filter handles the value that you specify.

    The attributes available for use as Filters are a subset of those available to add as a column. Customers exporting Web data can select filters for the following:

    • Action
    • Category
    • Parent Category
    • Risk Class
    • Severity
    • Policy
    • Cloud App Risk level

    Customers exporting Email data can select filters for:

    • Action
    • Direction
    • Emb. URL Category

    Only data that matches the selected filters will be included in the downloadable files.

    Note: You can click a column heading to sort the data by the entries in that column. This may be useful to check that the export will include the data that you want. However, note that this sort will not be applied to the data that is exported.
  4. When you are satisfied with the columns and filters that you have selected, toggle the Enable data export switch to ON.
    Note: Enable data export cannot be set to ON unless a valid storage option has been configured on Account > SIEM Storage.

    The option is automatically set to OFF if:

    • Forcepoint storage is enabled but no logs have been downloaded for 30 days.
    • Bring your own storage is enabled but no SIEM data could be forwarded to the active bucket for 14 days.

    Multiple emails are sent prior to disabling the export option.

    Click Refresh to display the last 2 hours of data.

  5. When you are finished, click Save.