🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Forcepoint Firewall

integrations firewall forcepoint


The following instructions are for configuring Forcepoint Firewall to facilitate log ingestion into Taegis™ XDR.

Forcepoint Firewall event types normalized by Taegis™ XDR include:

Connectivity Requirements

Source Destination Port/Protocol
Forcepoint Firewall Taegis™ XDR Collector (mgmt IP) UDP/514

Data Provided from Integration

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Forecepoint Firewall   D Y         D   D     V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the Forcepoint Firewall Platform

Configure Syslog Header

Follow the instructions in the Configuration Options for the Syslog Header section of the Forcepoint documentation to configure the Syslog header.

Configure Log Forwarding

Follow the instructions in the Configuring log and audit data forwarding section of the Forcepoint documentation to configure log forwarding.

Enter the following information:

Option Required Value
Target Host Taegis™ XDR Collector (mgmt IP)
Service UDP
Port 514
Format CEF

Example Query Language Searches

To search for Forcepoint Firewall events from the last 24 hours:

WHERE sensor_type = 'FORCEPOINT_FIREWALL' and EARLIEST=-24h

To search for auth events associated with user "foo":

FROM auth WHERE sensor_type = 'FORCEPOINT_FIREWALL' and source_user_name = 'foo'

To search for http events associated with a specific source IP address:

FROM http WHERE sensor_type='FORCEPOINT_FIREWALL' AND source_address = '10.19.50.23'

To search Inspection events:

FROM thirdpartyalert WHERE sensor_type='FORCEPOINT_FIREWALL'

 

On this page: