Configuring SIEM storage

Use the Account > SIEM Storage page to configure the storage options for SIEM output generated on the Reporting > Account Reports > SIEM Integration page. (See Exporting data to a third-party SIEM tool for additional information.)

Click the radio button next to the Storage type you wish to use for SIEM output. SIEM data can be stored by Forcepoint or you can Bring your own storage. If Forcepoint is selected (the default selection), no further configuration is required. If Bring your own storage is selected, follow the instructions provided to add and test up to 5 storage devices to the Storage List: Bring Your Own table and activate a specific device.

Note that the same storage selections are used for each data type (Web Security or Email Security).

AWS is selected, by default, as the storage solution. To add storage options to the Storage List:

Steps

  1. Create one or more AWS S3 buckets on the AWS portal.

    Note that bucket names must be globally unique.

    Encryption for the AWS S3 buckets is not supported.

  2. Click Add to add your bucket to the table.
    1. Enter the Bucket name from the AWS portal.

      See this site for details on valid bucket names.

    2. A Prefix is optional.
      • Add text that will be used as a prefix to each data file created when SIEM data is exported.
      • Enter a ‘/’ to create a folder where the data files will be stored. If no ‘/’ is included, the prefix is prepended to the file name.

      Valid prefix values are SIEMData, log_files/, or traffic-logs. More information can be found here.

    3. Click Save when you have finished. The bucket information is added to the table.

      Click the bucket name in the table to open the Edit Bucket page and make changes.

      Delete an inactive bucket by clicking Delete on the Edit Bucket page.

  3. In the table, click the JSON link in the row for the bucket you just added.
    1. On the Bucket Policy page, click Copy Text to copy the contents of the JSON pane to a clipboard.
    2. In the AWS Management Console, open the Bucket policy editor on the Permissions > Bucket policy tab of the AWS S3 Bucket Policy and paste the contents of the JSON pane.
    3. On the Bucket Policy page, click BACK when you have finished with the page.
  4. In the table, click Check connection to test the connection to the S3 bucket in your account. If the connection is successful, a token file is written in order to confirm that files can be written to the bucket. The token number then appears in the connection_token object in the AWS S3 bucket (on the AWS Management Console). If a folder was created based on the contents of the prefix for the bucket, the connection_token appears in that folder.

    The generated token is valid for 3 hours. After that time, a new token must be generated.

    1. On the Check Connection page, paste the token number from the connection_token object.
    2. Click Check Connection to confirm that files written to the AWS S3 bucket can be read.

      If more than 20 connection attempts are made within 60 minutes, the account will be locked for an hour.

    3. Click Back when you are finished.
  5. The Status column displays with a green check if the token is confirmed. When the check mark appears, the bucket can be enabled for SIEM storage.
  6. A single bucket must be selected as Active. SIEM data is exported to the active bucket.
    If Bring your own has been enabled but there is no active bucket, Save is not enabled, and the Enable data export switch on the Reporting > Account Reports > SIEM Integration page cannot be set to On.
  7. Click Save to save all of your changes.
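The helper below is an added example, not part of this page or of the Forcepoint product: it pre-checks a bucket name against the S3 general-purpose naming rules before you create the bucket in step 1, resolves where an exported data file and the connection_token object will land for a given Prefix (step 2 and step 4), and tells you whether a token written at a given time is still inside its 3-hour validity window. The function names, the assumption that "folder" means everything up to the last '/' in the prefix, and the sample values are mine.

```python
import re
from datetime import datetime, timedelta

# Validity window for the connection token, as stated on this page.
TOKEN_VALIDITY = timedelta(hours=3)

# Core S3 general-purpose bucket naming rules (from AWS documentation):
# 3-63 characters; lowercase letters, digits, dots and hyphens only; must start
# and end with a letter or digit; no adjacent dots; not shaped like an IPv4
# address; must not start with "xn--". Global uniqueness cannot be checked here.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def validate_bucket_name(name: str) -> bool:
    """Return True if `name` satisfies the S3 bucket naming rules above."""
    if not _BUCKET_RE.match(name) or ".." in name or _IPV4_RE.match(name):
        return False
    return not name.startswith("xn--")


def object_keys(prefix: str, filename: str) -> dict:
    """Resolve the S3 keys produced by a Prefix, following the rule on this page.

    A '/' in the prefix creates a folder; without one the prefix is prepended to
    the file name. The connection_token object is written in that folder when
    one exists, otherwise at the bucket root (assumption: "folder" is the part
    of the prefix up to and including its last '/').
    """
    folder = prefix[: prefix.rfind("/") + 1] if "/" in prefix else ""
    return {
        "data_key": prefix + filename,
        "token_key": folder + "connection_token",
    }


def token_is_valid(written_at: datetime, now: datetime) -> bool:
    """True while the token written at `written_at` is within TOKEN_VALIDITY."""
    return timedelta(0) <= now - written_at <= TOKEN_VALIDITY


if __name__ == "__main__":
    # Constructed sample values, not real bucket names.
    for candidate in ("siem-logs-prod-01", "SIEMData", "192.168.1.1"):
        print(candidate, "->", validate_bucket_name(candidate))
    print(object_keys("log_files/", "export.csv"))
    print(object_keys("SIEMData", "export.csv"))
```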

Next steps

If Storage type is changed from Forcepoint to Bring your own after Forcepoint storage has been in use, any data files that have not been downloaded will be transferred to the configured active bucket.

Metrics at the bottom of the page provide details on the status of SIEM data files. The specific metrics provided are determined by the Storage type selection. Use the Refresh Metrics button to update the displayed values.