Forcepoint Firewall
The following instructions are for configuring Forcepoint Firewall to facilitate log ingestion into Secureworks® Taegis™ XDR.
Forcepoint Firewall event types normalized by XDR include:
- Authentication
- Browser-Based User Authentication
- DHCP Relay
- Inspection
- Packet Filtering
Connectivity Requirements
Source | Destination | Port/Protocol |
---|---|---|
Forcepoint Firewall | Taegis™ XDR Collector (mgmt IP) | UDP/514 |
Data Provided from Integration
Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
---|---|---|---|
Forcepoint Firewall | DHCP | Auth, HTTP, Netflow | Thirdparty |
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configure the Forcepoint Firewall Platform
Configure Syslog Header
Follow the instructions in the Configuration Options for the Syslog Header section of the Forcepoint documentation to configure the Syslog header.
- Set SYSLOG_COMPLETE_HEADER=true
Configure Log Forwarding
Follow the instructions in the Configuring log and audit data forwarding section of the Forcepoint documentation to configure log forwarding.
Enter the following information:
Option | Required Value |
---|---|
Target Host | XDR Collector (mgmt IP) |
Service | UDP |
Port | 514 |
Format | CEF |
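To check what the collector should be receiving once both settings above are in place (a complete syslog header with timestamp and hostname, followed by a CEF payload on UDP/514), here is an added Python parser; it is example code, not part of the Forcepoint or Taegis documentation. The sample line is constructed: the vendor and product match the page, but the device version, signature ID, event name and extension values are placeholders, not real Forcepoint output.

```python
import re
# Constructed sample (not real Forcepoint output): <PRI>, timestamp and hostname, then a
# CEF:0 payload. Device version, signature ID, event name and extension values are placeholders.
SAMPLE = (
    "<134>Jan 12 10:15:42 fw-example CEF:0|Forcepoint|Firewall|0.0-placeholder|"
    "EXAMPLE-1|Example Event|3|src=10.19.50.23 dst=192.0.2.10 spt=51515 dpt=443 "
    "act=Allow msg=constructed sample with \\= escaped equals"
)

# Complete syslog header (SYSLOG_COMPLETE_HEADER=true): a line going straight from <PRI> to CEF: fails.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>CEF:.*)$"
)
EXT_KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")  # an unescaped key= in the extension

def split_cef_header(cef: str):
    """Return the seven pipe-delimited CEF header fields (honouring \\| escapes) and the rest."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):  # escaped character is kept literally
            cur.append(cef[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    return fields, cef[i:]

def parse_extension(ext: str) -> dict:
    """Parse key=value pairs; values may contain spaces and \\= or \\\\ escapes."""
    keys = list(EXT_KEY_RE.finditer(ext))
    ends = [k.start() for k in keys[1:]] + [len(ext)]
    return {m.group(1): re.sub(r"\\(.)", r"\1", ext[m.end():e].strip())
            for m, e in zip(keys, ends)}

def parse_forwarded_event(line: str) -> dict:
    """Validate header completeness and CEF structure; raise ValueError otherwise."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("incomplete syslog header: expected <PRI>timestamp host CEF:...")
    fields, ext = split_cef_header(m.group("msg"))
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("malformed CEF header: need CEF:0 plus six pipe-delimited fields")
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("timestamp"),
            "host": m.group("host"), "vendor": fields[1], "product": fields[2],
            "device_version": fields[3], "signature_id": fields[4], "name": fields[5],
            "cef_severity": fields[6], "extension": parse_extension(ext)}
```

Feeding a captured line through `parse_forwarded_event` shows whether the hostname and timestamp made it into the header and whether the CEF fields split where the normalizer expects them.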
Example Query Language Searches
To search for Forcepoint Firewall events from the last 24 hours:
WHERE sensor_type = 'FORCEPOINT_FIREWALL' and EARLIEST=-24h
To search for auth events associated with user "foo":
FROM auth WHERE sensor_type = 'FORCEPOINT_FIREWALL' and source_user_name = 'foo'
To search for http events associated with a specific source IP address:
FROM http WHERE sensor_type='FORCEPOINT_FIREWALL' AND source_address = '10.19.50.23'
To search Inspection events:
FROM thirdpartyalert WHERE sensor_type='FORCEPOINT_FIREWALL'