Working with SIEM integration format strings

When the SIEM integration is enabled, log data can be sent to the SIEM server using a custom or predefined format. Predefined format strings are available for syslog/CEF (ArcSight), syslog/key-value pairs (Splunk and others), and syslog/LEEF (QRadar).

Tip: Pre-defined strings can be copied and pasted into the Custom string field for modification.

A sample format string looks like this:

<159>%<:%b %d %H:%M:%S> %<-sourceServer> 
CEF:0|Forcepoint|Security|%<productVersion>|%<categoryNumber>|Transaction %<dispositionString>|%<severity>| 
act=%<dispositionString> app=%<protocol> dvc=%<sourceServer> 
dst=%<destination> dhost=%<urlHost> dpt=%<port> 
src=%<source> spt=%<clientSourcePort> suser=%<=userPath> 
loginID=%<=loginID> 
destinationTranslatedPort=%<proxySourcePort> rt=%<time> 
in=%<bytesReceived> out=%<bytesSent> 
requestMethod=%<method> requestClientApplication=%<=userAgent> 
reason=%<scanReasonString> cs1Label=Policy 
cs1=%<policyNames> cs2Label=DynCat cs2=%<dynamicCategory> 
cs3Label=ContentType cs3=%<=contentType> 
cn1Label=DispositionCode cn1=%<=dispositionNumber> 
cn2Label=ScanDuration cn2=%<scanDuration> request=%<=url> 
logRecordSource=%<logRecordSource>

With log data incorporated, the result looks like this:

<159>Feb 14 16:36:56 10.10.10.121
CEF:0|Forcepoint|Security|8.5.0|148|Transaction permitted|1| 
act=permitted app=http dvc=10.10.10.121 dst=204.15.67.17 
dhost=testdatabasewebsense.com dpt=80 src=10.10.10.7 
spt=65252 suser=LDAP://10.10.10.254
CN\=Users,DC\=forcepoint,DC\=local/win7 loginID=win7 
destinationTranslatedPort=0 rt=1518655016 in=0 out=0 
requestMethod=GET requestClientApplication=Mozilla/5.0 
(Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 
Firefox/58.0 reason=- cs1Label=Policy cs1=Super 
Administrator**Default cs2Label=DynCat cs2=0 
cs3Label=ContentType cs3=text/html cn1Label=DispositionCode 
cn1=1048 cn2Label=ScanDuration cn2=14 
request=http://testdatabasewebsense.com/images/site_bg.gif 
logRecordSource=OnPrem
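As an added example (not from the Forcepoint documentation), the following Python renders a shortened copy of the CEF format string above against a constructed record and then parses the resulting extension block back into fields, showing how the %<=field> modifier escapes "=" the way the suser value in the sample does. The treatment of the "-" and "_" modifiers and of missing fields is an assumption; the page does not define them.

```python
import re
from datetime import datetime

# Directive handling inferred from this page: %<:fmt> is strftime(fmt),
# %<=field> is a CEF-escaped value (the sample shows CN\=Users), %<field> is raw.
# The '-' and '_' modifiers pass the value through unescaped here; that is an
# assumption, the page does not show their effect.
DIRECTIVE = re.compile(r"%<([:=_-]?)([^>]*)>")

def cef_escape(value: str) -> str:
    """Escape '\\' and '=' so they cannot terminate a CEF extension value."""
    return value.replace("\\", "\\\\").replace("=", "\\=")

def cef_unescape(value: str) -> str:
    return value.replace("\\=", "=").replace("\\\\", "\\")

def render(fmt: str, record: dict, when: datetime) -> str:
    """Expand every %<...> directive in fmt against the record dict."""
    def expand(m):
        mod, name = m.group(1), m.group(2)
        if mod == ":":
            return when.strftime(name)
        value = str(record.get(name, ""))  # assumption: unknown fields render empty
        return cef_escape(value) if mod == "=" else value
    return DIRECTIVE.sub(expand, fmt)

def parse_extensions(cef_line: str) -> dict:
    """Split the CEF extension block (text after the 7th '|') into key/value pairs.
    A new key starts only at whitespace followed by word chars and an unescaped '='."""
    ext = cef_line.split("|", 7)[7].strip()
    pairs = re.split(r"\s+(?=\w+=)", ext)
    return {k: cef_unescape(v) for k, v in (p.split("=", 1) for p in pairs)}

# Constructed record: values mirror the page's sample output, not real log data.
SAMPLE_RECORD = {
    "sourceServer": "10.10.10.121", "productVersion": "8.5.0",
    "categoryNumber": 148, "dispositionString": "permitted", "severity": 1,
    "protocol": "http", "urlHost": "testdatabasewebsense.com", "port": 80,
    "userPath": "LDAP://10.10.10.254 CN=Users,DC=forcepoint,DC=local/win7",
    "userAgent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0",
}
# Shortened copy of the page's CEF format string (header plus a few extensions).
SAMPLE_FORMAT = ("<159>%<:%b %d %H:%M:%S> %<-sourceServer> CEF:0|Forcepoint|Security|"
                 "%<productVersion>|%<categoryNumber>|Transaction %<dispositionString>|"
                 "%<severity>| act=%<dispositionString> app=%<protocol> dhost=%<urlHost> "
                 "dpt=%<port> suser=%<=userPath> requestClientApplication=%<=userAgent>")

def sample_line() -> str:
    return render(SAMPLE_FORMAT, SAMPLE_RECORD, datetime(2018, 2, 14, 16, 36, 56))
```

Round-tripping a rendered line through parse_extensions is a quick way to check that a custom format string does not produce values (user paths, URLs, user agents) that a SIEM parser would split at the wrong place.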

When audit log data is sent to the SIEM server, predefined format strings are also available for syslog/CEF (ArcSight), syslog/key-value pairs (Splunk and others), and syslog/LEEF (QRadar).

A sample syslog/key-value pairs format string looks like this:

<156>%<:%b %d %H:%M:%S> %<-sourceServer> vendor=Forcepoint 
product=Security product_version=%<productVersion> 
action=%<action value> user=%<_userPath> reason=%<_details>