Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Forcepoint Web Security

integrations web security forcepoint

The following instructions are for configuring Forcepoint Web Security to facilitate log ingestion into Taegis™ XDR.

Connectivity Requirements

Source Destination Port/Protocol
Forcepoint Web Security Taegis™ XDR Collector (mgmt IP) TCP/601

Data Provided from Integration

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Forcepoint Web Security               D          

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections


Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the Forcepoint Web Security Platform

Follow the instructions in the Enabling and configuring SIEM integration section on page 3 of Forcepoint Security Information Event Management (SIEM) Solutions to configure log forwarding.

Enter the following information:

Option Required Value
IP address or hostname Taegis™ XDR Collector (mgmt IP)
Port 601
Transport protocol TCP
SIEM format "syslog/CEF"

Example Query Language Searches

To search for Forcepoint Web Security events from the last 24 hours:


To search for http events associated with a specific URL:

FROM http WHERE sensor_type = 'FORCEPOINT_SECURE_WEB_GATEWAY' and uri_host = 'test.domain.com'

To search for http events associated with a specific source IP address:

FROM http WHERE sensor_type='FORCEPOINT_SECURE_WEB_GATEWAY' AND source_address = ''

Event Details

Forcepoint Web Security Event Details

Forcepoint Web Security Event Details


On this page: