diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 632c0743704c2..373f8e7946a83 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -422,6 +422,11 @@ datadog_checks_base/datadog_checks/base/checks/windows/ @DataDog/wi
 /hubspot_content_hub/manifest.json @DataDog/saas-integrations @DataDog/documentation
 /hubspot_content_hub/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend @DataDog/logs-core
+/forcepoint_secure_web_gateway/ @DataDog/saas-integrations
+/forcepoint_secure_web_gateway/*.md @DataDog/saas-integrations @DataDog/documentation
+/forcepoint_secure_web_gateway/manifest.json @DataDog/saas-integrations @DataDog/documentation
+/forcepoint_secure_web_gateway/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
+
 vonage/ @DataDog/saas-integrations
 vonage/*.md @DataDog/saas-integrations @DataDog/documentation
 vonage/manifest.json @DataDog/saas-integrations @DataDog/documentation
diff --git a/forcepoint_secure_web_gateway/README.md b/forcepoint_secure_web_gateway/README.md
index 37e1a3662882f..57fbcf7bbe075 100644
--- a/forcepoint_secure_web_gateway/README.md
+++ b/forcepoint_secure_web_gateway/README.md
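Review bot: The new `/forcepoint_secure_web_gateway/assets/logs/` line lists `@DataDog/logs-backend` but not `@DataDog/logs-core`, while the `/hubspot_content_hub/assets/logs/` context line two lines above lists both. If whatever lives under that directory is meant to get the same review coverage as the neighbouring SaaS integration, the line should read `/forcepoint_secure_web_gateway/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend @DataDog/logs-core`; if leaving logs-core off is deliberate, a one-line comment above the block would spare the next reader the comparison. The vonage block that follows is only partly visible here, so I cannot tell which of the two conventions it follows.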
@@ -1,42 +1,73 @@ -# Agent Check: Forcepoint Secure Web Gateway - ## Overview -This check monitors [Forcepoint Secure Web Gateway][1]. +[Forcepoint Secure Web Gateway][1] applies web security policies in the cloud or on the endpoint with distributed enforcement for secure, high-speed access to the web, wherever your people are. It also offers advanced DLP capabilities to keep sensitive information from leaking onto websites. + + + +This integration ingests the following logs: + +- **Web Logs**: Logs generated from general web traffic activity by users. +- **Web DLP Logs**: Logs generated from Data Loss Prevention (DLP) specific policy actions. + + +Forcepoint Secure Web Gateway integration gathers these logs and forwards them to Datadog for seamless analysis. Datadog leverages its built-in log pipelines to parse and enrich these logs, facilitating easy search and detailed insights. With preconfigured out-of-the-box dashboards, the integration offers clear visibility into web activities. Additionally, it includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security. + ## Setup -### Installation +### Generate OAuth Token for Forcepoint Secure Web Gateway: +1. Login to the Forcepoint ONE Security Service Edge Platform. +2. Navigate to **SETTINGS > API Interface > OAuth**. +3. **REST API OAuth Configuration** page opens which allows you to add and configure different levels of API permissions. +4. To add a new configuration, click the **green** plus icon. +5. On the **Edit Application** dialog, fill out the information as mentioned below: -The Forcepoint Secure Web Gateway check is included in the [Datadog Agent][2] package. -No additional installation is needed on your server. + a. **Name**: Name for the new application configuration -### Configuration + b. **Permissions**: Select **Access your Forcepoint logs (logs api)** option. -!!! Add list of steps to set up this integration !!! + c. 
**Permitted User Groups**: Select as per your requirement. Default is **All**. -### Validation + d. Click **Ok** to save the changes. + - You will now see your application added to the list, but still listed as **Pending** under status. +6. Select the name of your application in the **Application** column to go into the **Edit Application**. -!!! Add steps to validate integration is functioning as expected !!! + a. On the **Edit Application** dialog, you will need the **Token Authorization URL** to authorize your current permission and get the access token. + + b. Click on the URL and it will take you to the **Requested Access** page allowing you to **Approve** or **Deny** the application permission settings. Again you will need to send this URL to each permitted user and have them **Approve** their access. +7. After you approve, you will be given an **Access Token** that is unique to that user and that the user must keep. This access token will be required to configure integration in datadog. The token is valid forever and must be included in each request for authorization. +8. Once access has been approved, you will notice that **Status** is changed to **Authorized**. + + +For reference: [Setting up an OAuth token Documentation][2] + +### Connect your Forcepoint Secure Web Gateway Edge to Datadog + +1. Add your Access Token. + | Parameters | Description | + | ------------------- | ------------------------------------------------------------------------------------- | + | Access Token | Access token generated above | + +2. Click the Save button to save your settings. ## Data Collected -### Metrics +### Logs -Forcepoint Secure Web Gateway does not include any metrics. +The Forcepoint Secure Web Gateway integration collects and forwards Web logs and Web DLP logs to Datadog. -### Service Checks +### Metrics -Forcepoint Secure Web Gateway does not include any service checks. +The Forcepoint Secure Web Gateway integration does not include any metrics. 
### Events -Forcepoint Secure Web Gateway does not include any events. +The Forcepoint Secure Web Gateway integration does not include any events. -## Troubleshooting +## Support -Need help? Contact [Datadog support][3]. +For any further assistance, contact [Datadog support][3]. -[1]: **LINK_TO_INTEGRATION_SITE** -[2]: https://app.datadoghq.com/account/settings/agent/latest +[1]: https://www.forcepoint.com/product/secure-web-gateway-swg +[2]:https://help.forcepoint.com/fpone/sse_admin/prod/oxy_ex-1/deployment_guide/guid-18f77855-8dc9-436a-9fba-179f06a81066.html [3]: https://docs.datadoghq.com/help/ diff --git a/forcepoint_secure_web_gateway/assets/dashboards/forcepoint_secure_web_gateway_overview.json b/forcepoint_secure_web_gateway/assets/dashboards/forcepoint_secure_web_gateway_overview.json new file mode 100644 index 0000000000000..9cf72be53efb1 --- /dev/null +++ b/forcepoint_secure_web_gateway/assets/dashboards/forcepoint_secure_web_gateway_overview.json 
@@ -0,0 +1,1502 @@ +{ + "title": "Forcepoint Secure Web Gateway - Overview", + "description": "This dashboard provides an overview about all the logs (swgweb, swgwebdlp) generated on Forcepoint SWG.", + "widgets": [ + { + "id": 589601045470436, + "definition": { + "type": "image", + "url": "https://live-forcepoint-drupal.pantheonsite.io/sites/default/files/forcepoint.svg", + "url_dark_theme": "https://images.contentstack.io/v3/assets/blt36c2e63521272fdc/blt96f6ceb1b44d0e83/637242a8fa033a109b5d57e8/Forcepoint-Logo-2C-RGB-Rev-for-screen.png", + "sizing": "contain", + "margin": "sm", + "has_background": true, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 5181009489117280, + "definition": { + "type": "note", + "content": "**Dashboard Overview**\n\nForcepoint Secure Web Gateway applies web security policies in the cloud or on the endpoint with distributed enforcement for secure, high-speed access to the web, wherever your people are. It consistently protects sensitive data across the web with policies that can also be applied to cloud apps and private apps as part of an integrated platform.\n\n\nThe Forcepoint Secure Web Gateway Overview dashboard provides an overall insights of the logs generated by Forcepoint SWG.\n\n\nFor more information, see the [Forcepoint Secure Web Gateway Integration Documentation](https://docs.datadoghq.com/integrations/forcepoint_secure_web_gateway/).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations. 
", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 3940799950986972, + "definition": { + "title": "Forcepoint Secure Web Gateway Log Details", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7969074099265808, + "definition": { + "title": "Total Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway $Client_IPs $Destination_IPs $User_Name $Service $Action" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 3362626376606578, + "definition": { + "title": "Total Logs Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "time": {}, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "LOG COUNT", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway $Client_IPs $Destination_IPs $User_Name $Service $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "service", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], 
+ "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 3628839276084756, + "definition": { + "title": "Logs by Type", + "title_size": "16", + "title_align": "left", + "time": {}, + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway $Client_IPs $Destination_IPs $User_Name $Service $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@service", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 5 + } + }, + { + "id": 1943696213781754, + "definition": { + "title": "Top 10 Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway -@usr.name:\"\" $Client_IPs $Destination_IPs $User_Name $Service $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } 
+ ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 6, + "height": 4 + } + }, + { + "id": 318107500730384, + "definition": { + "title": "Top 10 Client IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway -@network.client.ip:\"\" $Client_IPs $Destination_IPs $User_Name $Service $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 9, + "width": 6, + "height": 4 + } + }, + { + "id": 1896419688900996, + "definition": { + "title": "Top 10 Actions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway -@action:\"\" $Client_IPs $Destination_IPs $User_Name $Service $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + 
"formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 13, + "width": 6, + "height": 4 + } + }, + { + "id": 237577671221262, + "definition": { + "title": "Top 10 Applications", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway -@application:\"\" $Client_IPs $Destination_IPs $User_Name $Service $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@application", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 13, + "width": 6, + "height": 4 + } + }, + { + "id": 8682363151079916, + "definition": { + "title": "Top 10 Destination IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway -@network.destination.ip:\"\" $Client_IPs $Destination_IPs $User_Name $Service $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": 
"count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 17, + "width": 6, + "height": 4 + } + }, + { + "id": 8135622668035718, + "definition": { + "title": "Top 10 Countries", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway -@country:\"\" $Client_IPs $Destination_IPs $User_Name $Service $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@country", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 17, + "width": 6, + "height": 4 + } + }, + { + "id": 1563275110329664, + "definition": { + "title": "Top 10 Cities", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway -@city:\"\" $Client_IPs $Destination_IPs $User_Name $Service $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@city", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": 
"@country", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked" + }, + "scaling": "absolute" + } + }, + "layout": { + "x": 0, + "y": 21, + "width": 12, + "height": 4 + } + }, + { + "id": 7849624578901110, + "definition": { + "title": "Geo Distribution of Client IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway $Client_IPs $Destination_IPs $User_Name $Service $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 25, + "width": 12, + "height": 5 + } + }, + { + "id": 8562392923879458, + "definition": { + "title": "Geo Distribution of Destination IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway $Client_IPs $Destination_IPs 
$User_Name $Service $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.geoip.country.iso_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 30, + "width": 12, + "height": 5 + } + }, + { + "id": 5510372390393434, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:forcepoint-secure-web-gateway $Client_IPs $Destination_IPs $User_Name $Service $Action", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@service", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "network.client.ip", + "width": "auto" + }, + { + "field": "network.destination.ip", + "width": "auto" + }, + { + "field": "application", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 35, + "width": 12, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 41, + "is_column_break": true + } + }, + { + "id": 3566625759245984, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "vivid_green", + 
"show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1919516224672150, + "definition": { + "type": "note", + "content": "Datadog Cloud SIEM analyzes and correlates the Forcepoint Secure Web Gateway logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security).", + "background_color": "green", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 3733584174342154, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:forcepoint-secure-web-gateway status:critical $Client_IPs $Destination_IPs $User_Name $Service $Action" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 4419812470247932, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:forcepoint-secure-web-gateway status:high $Client_IPs $Destination_IPs $User_Name 
$Service $Action" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 147955263598066, + "definition": { + "title": "Critical Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:forcepoint-secure-web-gateway status:critical $Client_IPs $Destination_IPs $User_Name $Service $Action" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 3298385784537918, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:forcepoint-secure-web-gateway status:medium $Client_IPs $Destination_IPs $User_Name $Service $Action" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + 
"conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 5423862689522254, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:forcepoint-secure-web-gateway status:low $Client_IPs $Destination_IPs $User_Name $Service $Action" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb52b" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 1390465463577976, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:forcepoint-secure-web-gateway status:info $Client_IPs $Destination_IPs $User_Name $Service $Action" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#84c1e0" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 268370737951098, + "definition": { + "title": "High Security Signals", + "title_size": "16", + "title_align": "left", + 
"type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:forcepoint-secure-web-gateway status:high $Client_IPs $Destination_IPs $User_Name $Service $Action" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 8906944907621190, + "definition": { + "title": "Medium Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:forcepoint-secure-web-gateway status:medium $Client_IPs $Destination_IPs $User_Name $Service $Action" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + 
"layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 45, + "width": 12, + "height": 10 + } + } + ], + "template_variables": [ + { + "name": "Client_IPs", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "Destination_IPs", + "prefix": "@network.destination.ip", + "available_values": [], + "default": "*" + }, + { + "name": "User_Name", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + }, + { + "name": "Service", + "prefix": "@service", + "available_values": [], + "default": "*" + }, + { + "name": "Action", + "prefix": "@action", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/forcepoint_secure_web_gateway/assets/dashboards/forcepoint_secure_web_gateway_web_dlp_logs.json b/forcepoint_secure_web_gateway/assets/dashboards/forcepoint_secure_web_gateway_web_dlp_logs.json new file mode 100644 index 0000000000000..90915fcdd46e8 --- /dev/null +++ b/forcepoint_secure_web_gateway/assets/dashboards/forcepoint_secure_web_gateway_web_dlp_logs.json 
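Review bot: The "Total Logs Over Time" timeseries groups on the facet `service`, while the "Logs by Type" sunburst, the log-stream column and the `Service` template variable all use `@service`; unless the pipeline remaps `@service` onto the reserved service tag, that one widget will split its series on a different attribute than the rest of the dashboard, so its group_by should probably read `"facet": "@service"`. The same attribute-versus-tag question applies to the `Service` variable, whose `@service` prefix is combined with `service:forcepoint-swg-swgwebdlp` in the Web DLP dashboard further down, so it is worth confirming which one the pipeline actually populates before shipping both. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing for clean future diffs.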
@@ -0,0 +1,1354 @@ +{ + "title": "Forcepoint Secure Web Gateway - Web DLP Logs", + "description": "This dashboard provides information about the web DLP generated on Forcepoint SWG.", + "widgets": [ + { + "id": 7757916428309470, + "definition": { + "type": "image", + "url": "https://live-forcepoint-drupal.pantheonsite.io/sites/default/files/forcepoint.svg", + "url_dark_theme": "https://images.contentstack.io/v3/assets/blt36c2e63521272fdc/blt96f6ceb1b44d0e83/637242a8fa033a109b5d57e8/Forcepoint-Logo-2C-RGB-Rev-for-screen.png", + "sizing": "contain", + "margin": "sm", + "has_background": true, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 5925241397880302, + "definition": { + "type": "note", + "content": "**Dashboard Overview**\n\nThe Forcepoint Secure Web Gateway - Web DLP Logs dashboard provides an overall insights of the web dlp logs generated by Forcepoint SWG.\n\n\nFor more information, see the [Forcepoint Secure Web Gateway Integration Documentation](https://docs.datadoghq.com/integrations/forcepoint_secure_web_gateway/).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations. 
", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 6200798632833536, + "definition": { + "title": "Web DLP Log Details", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4203655689703336, + "definition": { + "title": "Total Web DLP Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 4101324081009488, + "definition": { + "title": "Web DLP Logs Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "LOG COUNT", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": 
"solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 1552562384046846, + "definition": { + "title": "Top 10 Applications", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp -@application:\"\" $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@application", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 6688333120286040, + "definition": { + "title": "Top 10 URLs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp -@http.url:\"\" $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.url", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": 
"formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 5395802748915852, + "definition": { + "title": "Top 10 Activities", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp -@activity:\"[]\" $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@activity", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 1946881594723804, + "definition": { + "title": "Top 10 Requested Domain", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp -@dns.question.name:\"\" $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@dns.question.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + 
"formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 5631085578240998, + "definition": { + "title": "Top 10 Actions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp -@action:\"\" $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 6, + "height": 4 + } + }, + { + "id": 7254217274379340, + "definition": { + "title": "Top Countries", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp -@country:\"\" $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@country", + "limit": 100, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + 
"storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 50, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 12, + "width": 6, + "height": 4 + } + }, + { + "id": 8553767250550934, + "definition": { + "title": "Top Cities", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp -@city:\"\" $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@city", + "limit": 50, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@country", + "limit": 100, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 4 + } + }, + { + "id": 2760274415616892, + "definition": { + "title": "Top 10 DLP Patterns", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp -@dlppattern:\"[]\" $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + 
"group_by": [ + { + "facet": "@dlppattern", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 20, + "width": 12, + "height": 4 + } + }, + { + "id": 4115955891070484, + "definition": { + "title": "User Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp -(@usr.name:\"\" AND @lastname:\"\" AND @usr.email:\"\") $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@lastname", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@devicehostname", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + 
"cell_display_mode": "bar", + "alias": "LOG COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 24, + "width": 12, + "height": 5 + } + }, + { + "id": 7056827656004500, + "definition": { + "title": "URL Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp -http.url:\"\" $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.url", + "limit": 25, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@webcategories", + "limit": 15, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@webcategoryclass", + "limit": 5, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@bgcategories", + "limit": 5, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "LOG COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 29, + "width": 12, + "height": 5 + } + }, + { + "id": 4909048635990494, + "definition": { + "title": "Web Domains Score Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + 
"query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp -@http.url:\"\" $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.url", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@dns.question.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@bgcloudscore", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@webreputation", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "LOG COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 34, + "width": 12, + "height": 5 + } + }, + { + "id": 5676950525104526, + "definition": { + "title": "Threat Indicator Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp -@threatindicator:\"[]\" $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@threatindicator", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": 
"count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@activity", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "LOG COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 39, + "width": 12, + "height": 5 + } + }, + { + "id": 6252253944602584, + "definition": { + "title": "Geo Distribution of Client IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 44, + "width": 12, + "height": 5 + } + }, + { + "id": 6688207813581142, + "definition": { + "title": "Geo Distribution of Destination IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": 
"scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp $Client_IP $Destination_IP $User_Name $URL" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 49, + "width": 12, + "height": 5 + } + }, + { + "id": 11023965535108, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp $Client_IP $Destination_IP $User_Name $URL", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "usr.email", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "lastname", + "width": "auto" + }, + { + "field": "devicehostname", + "width": "auto" + }, + { + "field": "network.client.ip", + "width": "auto" + }, + { + "field": "network.destination.ip", + "width": "auto" + }, + { + "field": "application", + "width": "auto" + }, + { + "field": "http.url", + "width": "auto" + }, + { + "field": "dlppattern", + "width": "auto" + }, + { + "field": "dns.question.name", + "width": 
"auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 54, + "width": 12, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 60, + "is_column_break": true + } + } + ], + "template_variables": [ + { + "name": "Client_IP", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "Destination_IP", + "prefix": "@network.destination.ip", + "available_values": [], + "default": "*" + }, + { + "name": "User_Name", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + }, + { + "name": "URL", + "prefix": "@http.url", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/forcepoint_secure_web_gateway/assets/dashboards/forcepoint_secure_web_gateway_web_logs.json b/forcepoint_secure_web_gateway/assets/dashboards/forcepoint_secure_web_gateway_web_logs.json new file mode 100644 index 0000000000000..672c5dbc0e58c --- /dev/null +++ b/forcepoint_secure_web_gateway/assets/dashboards/forcepoint_secure_web_gateway_web_logs.json 
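Review bot: The `URL Details` widget's search in this hunk excludes empty URLs with `-http.url:""`, without the `@` prefix, while every other widget in the file (`Top 10 URLs`, `Web Domains Score Details`) writes `-@http.url:""`; without `@` the term is not matched against the log attribute, so the exclusion presumably does nothing and that table will disagree with its siblings. Change the query to `source:forcepoint-secure-web-gateway service:forcepoint-swg-swgwebdlp -@http.url:"" $Client_IP $Destination_IP $User_Name $URL`. The note widget's content reads `an overall insights of the web dlp logs`; `an overall insight into the web DLP logs` reads better and matches the `Web DLP` capitalization of the dashboard title (the Web Logs dashboard in the following hunk has the same `an overall insights` wording). The file is also committed without a trailing newline (`\ No newline at end of file`), which the Web Logs dashboard and the first dashboard in this change share.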
@@ -0,0 +1,1231 @@ +{ + "title": "Forcepoint Secure Web Gateway - Web Logs", + "description": "This dashboard provides information about the web logs (swgweb)  generated on Forcepoint SWG.", + "widgets": [ + { + "id": 1675782242092416, + "definition": { + "type": "image", + "url": "https://live-forcepoint-drupal.pantheonsite.io/sites/default/files/forcepoint.svg", + "url_dark_theme": "https://images.contentstack.io/v3/assets/blt36c2e63521272fdc/blt96f6ceb1b44d0e83/637242a8fa033a109b5d57e8/Forcepoint-Logo-2C-RGB-Rev-for-screen.png", + "sizing": "contain", + "margin": "sm", + "has_background": true, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 4600881145736996, + "definition": { + "type": "note", + "content": "**Dashboard Overview**\n\nThe Forcepoint Secure Web Gateway - Web Logs dashboard provides an overall insights of the web logs generated by Forcepoint SWG.\n\n\nFor more information, see the [Forcepoint Secure Web \nGateway Integration Documentation](https://docs.datadoghq.com/integrations/forcepoint_secure_web_gateway/).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations. 
", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 3353506212700888, + "definition": { + "title": "Web Log Details", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2254953543882418, + "definition": { + "title": "Total Web Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb $Client_IP $Destination_IP $User_Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 740471415645066, + "definition": { + "title": "Web Logs Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "LOG COUNT", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb $Client_IP $Destination_IP $User_Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + 
"line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 2927810270250368, + "definition": { + "title": "Top 10 URLs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb -@http.url:\"\" $Client_IP $Destination_IP $User_Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.url", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 7063773902795390, + "definition": { + "title": "Top 10 Requested Domains", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb -@dns.question.name:\"\" $Client_IP $Destination_IP $User_Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@dns.question.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 
10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 7906661153002208, + "definition": { + "title": "Top 10 Applications", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb -@application:\"\" $Client_IP $Destination_IP $User_Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@application", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 6901351714772208, + "definition": { + "title": "Top Cities", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb -@city:\"\" $Client_IP $Destination_IP $User_Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@city", + "limit": 100, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@country", + "limit": 100, + "sort": { + 
"aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 2184009596410954, + "definition": { + "title": "Events by Country", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb -@country:\"\" $Client_IP $Destination_IP $User_Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@country", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 5 + } + }, + { + "id": 5497121363000536, + "definition": { + "title": "User Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb -(@usr.name:\"\" AND @lastname:\"\" AND @usr.email:\"\") $Client_IP $Destination_IP 
$User_Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@lastname", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@usergroup", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "LOG COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 17, + "width": 12, + "height": 5 + } + }, + { + "id": 4052721578929988, + "definition": { + "title": "URL Details", + "title_size": "16", + "title_align": "left", + "time": {}, + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb -@http.url:\"\" $Client_IP $Destination_IP $User_Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.url", + "limit": 5, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@webreputation", + "limit": 5, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@bgcategories", + "limit": 5, + "sort": { + 
"aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@webcategoryclass", + "limit": 1, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@webcategories", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 22, + "width": 12, + "height": 4 + } + }, + { + "id": 1507675777643092, + "definition": { + "title": "Web Domains Score Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb -@http.url:\"\" $Client_IP $Destination_IP $User_Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.url", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@dns.question.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@bgcloudscore", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@webreputation", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + 
], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "LOG COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 26, + "width": 12, + "height": 5 + } + }, + { + "id": 3237824194598756, + "definition": { + "title": "Geo Distribution of Destination IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb $Client_IP $Destination_IP $User_Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 31, + "width": 12, + "height": 5 + } + }, + { + "id": 1427215736486648, + "definition": { + "title": "Geo Distribution of Client IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb $Client_IP $Destination_IP $User_Name $Action" + }, + "indexes": [ + "*" + ], + 
"group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 36, + "width": 12, + "height": 5 + } + }, + { + "id": 4395145002123848, + "definition": { + "title": "Top 10 Client IPs", + "title_size": "16", + "title_align": "left", + "time": {}, + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb $Client_IP $Destination_IP $User_Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 41, + "width": 6, + "height": 4 + } + }, + { + "id": 8237711845795366, + "definition": { + "title": "Top 10 Actions", + "title_size": "16", + "title_align": "left", + "time": {}, + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:forcepoint-secure-web-gateway 
service:forcepoint-swg-swgweb $Client_IP $Destination_IP $User_Name $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 41, + "width": 6, + "height": 4 + } + }, + { + "id": 5739202543799798, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:forcepoint-secure-web-gateway service:forcepoint-swg-swgweb $Client_IP $Destination_IP $User_Name $Action", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "usr.email", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "lastname", + "width": "auto" + }, + { + "field": "devicehostname", + "width": "auto" + }, + { + "field": "network.client.ip", + "width": "auto" + }, + { + "field": "network.destination.ip", + "width": "auto" + }, + { + "field": "http.url", + "width": "auto" + }, + { + "field": "dns.question.name", + "width": "auto" + }, + { + "field": "webreputation", + "width": "auto" + }, + { + "field": "bgcategories", + "width": "auto" + }, + { + "field": "webcategories", + "width": "auto" + }, + { + "field": "webcategoryclass", + "width": "auto" + }, + { + "field": "application", + "width": 
"auto" + }, + { + "field": "country", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 45, + "width": 12, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 51, + "is_column_break": true + } + } + ], + "template_variables": [ + { + "name": "Client_IP", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "Destination_IP", + "prefix": "@network.destination.ip", + "available_values": [], + "default": "*" + }, + { + "name": "User_Name", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + }, + { + "name": "Action", + "prefix": "@action", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/forcepoint_secure_web_gateway/assets/forcepoint-secure-web-gateway.svg b/forcepoint_secure_web_gateway/assets/forcepoint-secure-web-gateway.svg new file mode 100644 index 0000000000000..40370dac51fdd --- /dev/null +++ b/forcepoint_secure_web_gateway/assets/forcepoint-secure-web-gateway.svg @@ -0,0 +1,4 @@ + + + + diff --git a/forcepoint_secure_web_gateway/assets/logs/forcepoint-secure-web-gateway.yaml b/forcepoint_secure_web_gateway/assets/logs/forcepoint-secure-web-gateway.yaml new file mode 100644 index 0000000000000..cd4c2c10a24b7 --- /dev/null +++ b/forcepoint_secure_web_gateway/assets/logs/forcepoint-secure-web-gateway.yaml 
@@ -0,0 +1,418 @@ +id: forcepoint-secure-web-gateway +metric_id: forcepoint-secure-web-gateway +backend_only: false +facets: + - groups: + - DNS + name: Question Name + path: dns.question.name + source: log + - groups: + - Web Access + name: Method + path: http.method + source: log + - groups: + - Web Access + name: URL Path + path: http.url + source: log + - groups: + - Web Access + name: URL Host + path: http.url_details.host + source: log + - groups: + - Web Access + name: URL Path + path: http.url_details.path + source: log + - groups: + - Web Access + name: URL Port + path: http.url_details.port + source: log + - groups: + - Web Access + name: URL scheme + path: http.url_details.scheme + source: log + - groups: + - Web Access + name: User-Agent + path: http.useragent + source: log + - groups: + - Web Access + name: Browser + path: http.useragent_details.browser.family + source: log + - groups: + - Web Access + name: Device + path: http.useragent_details.device.family + source: log + - groups: + - Web Access + name: OS + path: http.useragent_details.os.family + source: log + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - Web Access + name: Client Port + path: network.client.port + source: log + - 
groups: + - Geoip + name: Destination City Name + path: network.destination.geoip.city.name + source: log + - groups: + - Geoip + name: Destination Continent Code + path: network.destination.geoip.continent.code + source: log + - groups: + - Geoip + name: Destination Continent Name + path: network.destination.geoip.continent.name + source: log + - groups: + - Geoip + name: Destination Country ISO Code + path: network.destination.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Destination Country Name + path: network.destination.geoip.country.name + source: log + - groups: + - Geoip + name: Destination Subdivision ISO Code + path: network.destination.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Destination Subdivision Name + path: network.destination.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Destination IP + path: network.destination.ip + source: log + - groups: + - User + name: User Email + path: usr.email + source: log + - groups: + - User + name: User ID + path: usr.id + source: log + - groups: + - User + name: User Name + path: usr.name + source: log +pipeline: + type: pipeline + name: Forcepoint Secure Web Gateway + enabled: true + filter: + query: source:forcepoint-secure-web-gateway + processors: + - type: grok-parser + name: Parse syslog header + enabled: true + source: syslogheader + samples: + - <110>1 2024-12-26T06:12:35.817831Z api.hostserver.com NILVALUE + NILVALUE swgweb + - <110>1 2024-12-26T04:37:26.795000Z api.hostserver.com NILVALUE + NILVALUE swgwebdlp + grok: + supportRules: "" + matchRules: syslog_header_rule <%{integer:syslog.priority}>%{integer} + %{notSpace} %{hostname:syslog.hostname} %{notSpace} %{notSpace} + %{notSpace:syslog.msgid}%{data} + - type: grok-parser + name: Parse `indexedtime` to epoch time + enabled: true + source: indexedtime + samples: + - 2025-01-10 10:58:17 + grok: + supportRules: "" + matchRules: time_format_parsing_rule %{date("yyyy-M-d 
H:m:s"):indexedtime} + - type: date-remapper + name: Define `indexedtime` as the official date of the log + enabled: true + sources: + - indexedtime + - type: service-remapper + name: Define `service` as the official service of the log + enabled: true + sources: + - service + - type: attribute-remapper + name: Map `requestport` to `network.client.port` + enabled: true + sources: + - requestport + sourceType: attribute + target: network.client.port + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `requestmethod` to `http.method` + enabled: true + sources: + - requestmethod + sourceType: attribute + target: http.method + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `destinationip` to `network.destination.ip` + enabled: true + sources: + - destinationip + sourceType: attribute + target: network.destination.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `ipaddress` to `network.client.ip` + enabled: true + sources: + - ipaddress + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `requestdomain` to `dns.question.name` + enabled: true + sources: + - requestdomain + sourceType: attribute + target: dns.question.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `email` to `usr.email` + enabled: true + sources: + - email + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `firstname` to `usr.name` + enabled: true + sources: + - firstname + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: 
attribute-remapper + name: Map `useragent` to `http.useragent` + enabled: true + sources: + - useragent + sourceType: attribute + target: http.useragent + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `url` to `http.url` + enabled: true + sources: + - url + sourceType: attribute + target: http.url + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: Define `network.client.ip` as default geoip attribute for source + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: geo-ip-parser + name: Define `network.destination.ip` as default geoip attribute for destination + enabled: true + sources: + - network.destination.ip + target: network.destination.geoip + ip_processing_behavior: do-nothing + - type: url-parser + name: Parse URL + enabled: true + sources: + - http.url + target: http.url_details + normalizeEndingSlashes: false + - type: user-agent-parser + name: Extract details from `http.useragent` + enabled: true + sources: + - http.useragent + target: http.useragent_details + encoded: false + combineVersionDetails: false + - type: grok-parser + name: Extract custom_location list + enabled: true + source: custom_location + samples: + - '["Guest","Guest2"]' + grok: + supportRules: "" + matchRules: custom_location_rule %{data:custom_location:array(",")} + - type: grok-parser + name: Extract usergroup list + enabled: true + source: usergroup + samples: + - "['355160', 'All Users']" + grok: + supportRules: "" + matchRules: usergroup_rule %{data:usergroup:array(",")} + - type: grok-parser + name: Extract webcategories list + enabled: true + source: webcategories + samples: + - '["WR:Streaming Media", "WR:test"]' + grok: + supportRules: "" + matchRules: webcategories_rule %{data:webcategories:array(",")} + - type: grok-parser + name: Extract activity list + enabled: true + source: 
activity + samples: + - '["Uploaded","Cloudstorage","Denied"]' + grok: + supportRules: "" + matchRules: activity_rule %{data:activity:array(",")} + - type: grok-parser + name: Extract bgcategories list + enabled: true + source: bgcategories + samples: + - '["BG:Business Applications","BG:Cloud Data Services","BG:File + Sharing","BG:Internet Services","BG:Software"]' + grok: + supportRules: "" + matchRules: bgcategories_rule %{data:bgcategories:array(",")} + - type: grok-parser + name: Extract customcategories list + enabled: true + source: customcategories + samples: + - '["custom_category1","custom_category2"]' + grok: + supportRules: "" + matchRules: customcategories_rule %{data:customcategories:array(",")} + - type: grok-parser + name: Extract dlppattern list + enabled: true + source: dlppattern + samples: + - '["Source Code"]' + grok: + supportRules: "" + matchRules: dlppattern_rule %{data:dlppattern:array(",")} + - type: grok-parser + name: Extract filename list + enabled: true + source: filename + samples: + - '["file1","file2"]' + grok: + supportRules: "" + matchRules: filename_rule %{data:filename:array(",")} + - type: grok-parser + name: Extract keyword list + enabled: true + source: keyword + samples: + - '["keyword1","keyword2"]' + grok: + supportRules: "" + matchRules: keyword_rule %{data:keyword:array(",")} + - type: grok-parser + name: Extract threatindicator list + enabled: true + source: threatindicator + samples: + - '["threatindicator1","threatindicator2"]' + grok: + supportRules: "" + matchRules: threatindicator_rule %{data:threatindicator:array(",")} + - type: grok-parser + name: Extract webcategoryclass list + enabled: true + source: webcategoryclass + samples: + - '["Business/Government/Services"]' + grok: + supportRules: "" + matchRules: webcategoryclass_rule %{data:webcategoryclass:array(",")} 
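Review bot: The processor `Extract custom_location list` reads `source: custom_location`, but the attribute the logs carry is `customlocation` (the sibling tests file sends `"customlocation" : "[]"` and expects it back as the unparsed string `"[]"`), so this grok parser never fires and the value stays a string while the otherwise identical `customcategories` becomes an array. Change the two lines to `source: customlocation` and `matchRules: customlocation_rule %{data:customlocation:array(",")}`, and update the test expectation to `customlocation: []`. Separately, two facets are both displayed as `URL Path` (`http.url` and `http.url_details.path`); naming the first one `URL` keeps the facet list unambiguous.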
diff --git a/forcepoint_secure_web_gateway/assets/logs/forcepoint-secure-web-gateway_tests.yaml b/forcepoint_secure_web_gateway/assets/logs/forcepoint-secure-web-gateway_tests.yaml new file mode 100644 index 0000000000000..d8ab1fd0844e1 --- /dev/null +++ b/forcepoint_secure_web_gateway/assets/logs/forcepoint-secure-web-gateway_tests.yaml 
@@ -0,0 +1,390 @@ +id: forcepoint-secure-web-gateway +tests: + - + sample: |- + { + "ipaddress" : "10.10.10.10", + "country" : "India", + "requestmethod" : "POST", + "firstname" : "John", + "devicehostname" : "desktop-gno7jr8", + "regioncode" : "MH", + "city" : "Mumbai", + "customlocation" : "[]", + "deviceguid" : "F47F4D56-3BED-FF67-00FD-D240EEE2F7A1", + "countrycode" : "IN", + "useragent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36", + "requestport" : "443", + "webcategoryclass" : "[\"General Information\",\"Social Media/Internet Communication\"]", + "bgcloudscore" : "7.00", + "long" : "72.88559999", + "protocol" : "https", + "customcategories" : "[]", + "indexedtime" : "2025-01-10 12:02:13", + "policyid" : "369036", + "action" : "block", + "email" : "john.doe@test.com", + "lat" : "19.07480000", + "syslogheader" : "<110>1 2025-01-10T11:55:00.000000Z api.bitglass.com NILVALUE NILVALUE swgweb", + "webcategories" : "[\"WR:Image and Video Search\",\"WR:Social Networking\"]", + "uploadedbytes" : "0", + "bgcategories" : "[\"BG:Business Applications\",\"BG:Content and Publishing\",\"BG:Internet Services\",\"BG:Media and Entertainment\",\"BG:Mobile\"]", + "uri" : "/ajax/bz", + "url" : "www.instagram.com/ajax/bz?__a=1&__ccg=EXCELLENT&__comet_req=7&__d=www&__hs=20098.HYP%3Ainstagram_web_pkg.2.1.0.0.0&__hsi=7458216500016125819&__req=15&__rev=1019252539&__s=%3Acyql2x%3At9l688&__spin_b=trunk&__spin_r=101925253...", + "setransactionid" : "190E18BD-ECB8-4FE5-9CFD-D5DAE9783017", + "lastname" : "Doe", + "destinationip" : "", + "referrer" : "https://www.instagram.com/", + "requestdomain" : "www.instagram.com", + "size" : "0", + "application" : "Instagram", + "webreputation" : "81.00", + "usergroup" : "['355160', 'All Users', 'Bitglass Admins', 'crestdatasys']", + "arguments" : 
"__a=1&__ccg=EXCELLENT&__comet_req=7&__d=www&__hs=20098.HYP%3Ainstagram_web_pkg.2.1.0.0.0&__hsi=7458216500016125819&__req=15&__rev=1019252539&__s=%3Acyql2x%3At9l688&__spin_b=trunk&__spin_r=101925253...", + "time" : "10 Jan 2025 11:55:00", + "region" : "Maharashtra" + } + result: + custom: + action: "block" + application: "Instagram" + arguments: "__a=1&__ccg=EXCELLENT&__comet_req=7&__d=www&__hs=20098.HYP%3Ainstagram_web_pkg.2.1.0.0.0&__hsi=7458216500016125819&__req=15&__rev=1019252539&__s=%3Acyql2x%3At9l688&__spin_b=trunk&__spin_r=101925253..." + bgcategories: + - "\"BG:Business Applications\"" + - "\"BG:Content and Publishing\"" + - "\"BG:Internet Services\"" + - "\"BG:Media and Entertainment\"" + - "\"BG:Mobile\"" + bgcloudscore: "7.00" + city: "Mumbai" + country: "India" + countrycode: "IN" + customcategories: [] + customlocation: "[]" + deviceguid: "F47F4D56-3BED-FF67-00FD-D240EEE2F7A1" + devicehostname: "desktop-gno7jr8" + dns: + question: + name: "www.instagram.com" + http: + method: "POST" + url: "www.instagram.com/ajax/bz?__a=1&__ccg=EXCELLENT&__comet_req=7&__d=www&__hs=20098.HYP%3Ainstagram_web_pkg.2.1.0.0.0&__hsi=7458216500016125819&__req=15&__rev=1019252539&__s=%3Acyql2x%3At9l688&__spin_b=trunk&__spin_r=101925253..." + url_details: + path: "www.instagram.com/ajax/bz" + queryString: + __a: "1" + __ccg: "EXCELLENT" + __comet_req: "7" + __d: "www" + __hs: "20098.HYP%3Ainstagram_web_pkg.2.1.0.0.0" + __hsi: "7458216500016125819" + __req: "15" + __rev: "1019252539" + __s: "%3Acyql2x%3At9l688" + __spin_b: "trunk" + __spin_r: "101925253..." 
+ useragent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" + useragent_details: + browser: + family: "Chrome" + major: "131" + minor: "0" + patch: "0" + patch_minor: "0" + device: + category: "Desktop" + family: "Other" + os: + family: "Windows" + major: "10" + indexedtime: 1736510533000 + lastname: "Doe" + lat: "19.07480000" + long: "72.88559999" + network: + client: + geoip: {} + ip: "10.10.10.10" + port: "443" + destination: + ip: "" + policyid: "369036" + protocol: "https" + referrer: "https://www.instagram.com/" + region: "Maharashtra" + regioncode: "MH" + setransactionid: "190E18BD-ECB8-4FE5-9CFD-D5DAE9783017" + size: "0" + syslog: + hostname: "api.bitglass.com" + msgid: "swgweb" + priority: 110 + syslogheader: "<110>1 2025-01-10T11:55:00.000000Z api.bitglass.com NILVALUE NILVALUE swgweb" + time: "10 Jan 2025 11:55:00" + uploadedbytes: "0" + uri: "/ajax/bz" + usergroup: + - "'355160'" + - " 'All Users'" + - " 'Bitglass Admins'" + - " 'crestdatasys'" + usr: + email: "john.doe@test.com" + name: "John" + webcategories: + - "\"WR:Image and Video Search\"" + - "\"WR:Social Networking\"" + webcategoryclass: + - "\"General Information\"" + - "\"Social Media/Internet Communication\"" + webreputation: "81.00" + message: |- + { + "ipaddress" : "10.10.10.10", + "country" : "India", + "requestmethod" : "POST", + "firstname" : "John", + "devicehostname" : "desktop-gno7jr8", + "regioncode" : "MH", + "city" : "Mumbai", + "customlocation" : "[]", + "deviceguid" : "F47F4D56-3BED-FF67-00FD-D240EEE2F7A1", + "countrycode" : "IN", + "useragent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36", + "requestport" : "443", + "webcategoryclass" : "[\"General Information\",\"Social Media/Internet Communication\"]", + "bgcloudscore" : "7.00", + "long" : "72.88559999", + "protocol" : "https", + "customcategories" : "[]", + "indexedtime" : "2025-01-10 
12:02:13", + "policyid" : "369036", + "action" : "block", + "email" : "john.doe@test.com", + "lat" : "19.07480000", + "syslogheader" : "<110>1 2025-01-10T11:55:00.000000Z api.bitglass.com NILVALUE NILVALUE swgweb", + "webcategories" : "[\"WR:Image and Video Search\",\"WR:Social Networking\"]", + "uploadedbytes" : "0", + "bgcategories" : "[\"BG:Business Applications\",\"BG:Content and Publishing\",\"BG:Internet Services\",\"BG:Media and Entertainment\",\"BG:Mobile\"]", + "uri" : "/ajax/bz", + "url" : "www.instagram.com/ajax/bz?__a=1&__ccg=EXCELLENT&__comet_req=7&__d=www&__hs=20098.HYP%3Ainstagram_web_pkg.2.1.0.0.0&__hsi=7458216500016125819&__req=15&__rev=1019252539&__s=%3Acyql2x%3At9l688&__spin_b=trunk&__spin_r=101925253...", + "setransactionid" : "190E18BD-ECB8-4FE5-9CFD-D5DAE9783017", + "lastname" : "Doe", + "destinationip" : "", + "referrer" : "https://www.instagram.com/", + "requestdomain" : "www.instagram.com", + "size" : "0", + "application" : "Instagram", + "webreputation" : "81.00", + "usergroup" : "['355160', 'All Users', 'Bitglass Admins', 'crestdatasys']", + "arguments" : "__a=1&__ccg=EXCELLENT&__comet_req=7&__d=www&__hs=20098.HYP%3Ainstagram_web_pkg.2.1.0.0.0&__hsi=7458216500016125819&__req=15&__rev=1019252539&__s=%3Acyql2x%3At9l688&__spin_b=trunk&__spin_r=101925253...", + "time" : "10 Jan 2025 11:55:00", + "region" : "Maharashtra" + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1736510533000 + - + sample: |- + { + "country" : "India", + "requestmethod" : "POST", + "devicehostname" : "desktop-gno7jr8", + "regioncode" : "MH", + "countrycode" : "IN", + "requestport" : "443", + "protocol" : "https", + "customcategories" : "[]", + "action" : "fail", + "keyword" : "[\"politics\"]", + "lat" : "19.07480000", + "syslogheader" : "<110>1 2025-01-10T05:34:22.000000Z api.bitglass.com NILVALUE NILVALUE swgwebdlp", + "webcategories" : "[\"WR:Computer and Internet Info\"]", + "docmd5" : "", + "setransactionid" : "7E6651D9-64FA-42E5-AFC9-B6ACA339FE29", + "lastname" : 
"Doe", + "filename" : "[]", + "size" : "520", + "webreputation" : "92.00", + "usergroup" : "['355160', 'All Users', 'Bitglass Admins', 'crestdatasys']", + "region" : "Maharashtra", + "docsha1" : "", + "ipaddress" : "10.10.10.10", + "firstname" : "John", + "dlppattern" : "[\"Pol-keyword\"]", + "activity" : "[\"Uploaded\",\"Cloudstorage\",\"Denied\"]", + "city" : "Mumbai", + "customlocation" : "[]", + "threatindicator" : "[]", + "deviceguid" : "F47F4D56-3BED-FF67-00FD-D240EEE2F7A1", + "useragent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36", + "webcategoryclass" : "[\"Business/Government/Services\"]", + "bgcloudscore" : "0.00", + "long" : "72.88559999", + "transactionid" : "Z4CxX-VpniOk7uwOVWDvBQAABc0", + "indexedtime" : "2025-01-10 05:44:54", + "policyid" : "368630", + "docsha256" : "1a1d1484d3cbc721070469e555f6a0cc89c03d60181e1f13694014e9249d19b6", + "email" : "john.doe@test.com", + "uploadedbytes" : "1967", + "bgcategories" : "[\"BG:Uncategorized\"]", + "uri" : "/wp-admin/admin-ajax.php", + "url" : "dlptest.com/wp-admin/admin-ajax.php", + "destinationip" : "", + "doctype" : "text", + "referrer" : "https://dlptest.com/https-post/", + "requestdomain" : "dlptest.com", + "application" : "", + "docextension" : "txt", + "arguments" : "", + "time" : "10 Jan 2025 05:34:22" + } + result: + custom: + action: "fail" + activity: + - "\"Uploaded\"" + - "\"Cloudstorage\"" + - "\"Denied\"" + application: "" + arguments: "" + bgcategories: + - "\"BG:Uncategorized\"" + bgcloudscore: "0.00" + city: "Mumbai" + country: "India" + countrycode: "IN" + customcategories: [] + customlocation: "[]" + deviceguid: "F47F4D56-3BED-FF67-00FD-D240EEE2F7A1" + devicehostname: "desktop-gno7jr8" + dlppattern: + - "\"Pol-keyword\"" + dns: + question: + name: "dlptest.com" + docextension: "txt" + docmd5: "" + docsha1: "" + docsha256: "1a1d1484d3cbc721070469e555f6a0cc89c03d60181e1f13694014e9249d19b6" + doctype: "text" + filename: [] 
+ http: + method: "POST" + url: "dlptest.com/wp-admin/admin-ajax.php" + url_details: + path: "dlptest.com/wp-admin/admin-ajax.php" + useragent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" + useragent_details: + browser: + family: "Chrome" + major: "131" + minor: "0" + patch: "0" + patch_minor: "0" + device: + category: "Desktop" + family: "Other" + os: + family: "Windows" + major: "10" + indexedtime: 1736487894000 + keyword: + - "\"politics\"" + lastname: "Doe" + lat: "19.07480000" + long: "72.88559999" + network: + client: + geoip: {} + ip: "10.10.10.10" + port: "443" + destination: + ip: "" + policyid: "368630" + protocol: "https" + referrer: "https://dlptest.com/https-post/" + region: "Maharashtra" + regioncode: "MH" + setransactionid: "7E6651D9-64FA-42E5-AFC9-B6ACA339FE29" + size: "520" + syslog: + hostname: "api.bitglass.com" + msgid: "swgwebdlp" + priority: 110 + syslogheader: "<110>1 2025-01-10T05:34:22.000000Z api.bitglass.com NILVALUE NILVALUE swgwebdlp" + threatindicator: [] + time: "10 Jan 2025 05:34:22" + transactionid: "Z4CxX-VpniOk7uwOVWDvBQAABc0" + uploadedbytes: "1967" + uri: "/wp-admin/admin-ajax.php" + usergroup: + - "'355160'" + - " 'All Users'" + - " 'Bitglass Admins'" + - " 'crestdatasys'" + usr: + email: "john.doe@test.com" + name: "John" + webcategories: + - "\"WR:Computer and Internet Info\"" + webcategoryclass: + - "\"Business/Government/Services\"" + webreputation: "92.00" + message: |- + { + "country" : "India", + "requestmethod" : "POST", + "devicehostname" : "desktop-gno7jr8", + "regioncode" : "MH", + "countrycode" : "IN", + "requestport" : "443", + "protocol" : "https", + "customcategories" : "[]", + "action" : "fail", + "keyword" : "[\"politics\"]", + "lat" : "19.07480000", + "syslogheader" : "<110>1 2025-01-10T05:34:22.000000Z api.bitglass.com NILVALUE NILVALUE swgwebdlp", + "webcategories" : "[\"WR:Computer and Internet Info\"]", + "docmd5" : "", + 
"setransactionid" : "7E6651D9-64FA-42E5-AFC9-B6ACA339FE29", + "lastname" : "Doe", + "filename" : "[]", + "size" : "520", + "webreputation" : "92.00", + "usergroup" : "['355160', 'All Users', 'Bitglass Admins', 'crestdatasys']", + "region" : "Maharashtra", + "docsha1" : "", + "ipaddress" : "10.10.10.10", + "firstname" : "John", + "dlppattern" : "[\"Pol-keyword\"]", + "activity" : "[\"Uploaded\",\"Cloudstorage\",\"Denied\"]", + "city" : "Mumbai", + "customlocation" : "[]", + "threatindicator" : "[]", + "deviceguid" : "F47F4D56-3BED-FF67-00FD-D240EEE2F7A1", + "useragent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36", + "webcategoryclass" : "[\"Business/Government/Services\"]", + "bgcloudscore" : "0.00", + "long" : "72.88559999", + "transactionid" : "Z4CxX-VpniOk7uwOVWDvBQAABc0", + "indexedtime" : "2025-01-10 05:44:54", + "policyid" : "368630", + "docsha256" : "1a1d1484d3cbc721070469e555f6a0cc89c03d60181e1f13694014e9249d19b6", + "email" : "john.doe@test.com", + "uploadedbytes" : "1967", + "bgcategories" : "[\"BG:Uncategorized\"]", + "uri" : "/wp-admin/admin-ajax.php", + "url" : "dlptest.com/wp-admin/admin-ajax.php", + "destinationip" : "", + "doctype" : "text", + "referrer" : "https://dlptest.com/https-post/", + "requestdomain" : "dlptest.com", + "application" : "", + "docextension" : "txt", + "arguments" : "", + "time" : "10 Jan 2025 05:34:22" + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1736487894000 \ No newline at end of file diff --git a/forcepoint_secure_web_gateway/images/forcepoint_secure_web_gateway_overview.png b/forcepoint_secure_web_gateway/images/forcepoint_secure_web_gateway_overview.png new file mode 100644 index 0000000000000..5626afd9be5a6 Binary files /dev/null and b/forcepoint_secure_web_gateway/images/forcepoint_secure_web_gateway_overview.png differ 
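Review bot: The expected results pin parsing artifacts rather than clean values: `usergroup` elements keep their single quotes and leading spaces (`" 'All Users'"`), and the elements of `bgcategories`, `webcategories`, `webcategoryclass`, `activity`, `dlppattern` and `keyword` keep literal double quotes (`"\"BG:Uncategorized\""`). These are the values the dashboards group on through `@usergroup` and `@bgcategories`, so every facet value, and any detection rule keyed on them, would have to carry the quotes too. Rather than freezing this in the tests, the `array(",")` grok rules in the pipeline should drop the quoting (for example a rule that matches each quoted item, or a follow-up processor that strips the quotes — to be checked against the grok array filter options), and these expectations should then list the bare strings. Both samples use `10.10.10.10`, so `network.client.geoip: {}` only shows the private-range case; a sample with a public client IP would also exercise the two geo-ip parsers the pipeline defines.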
diff --git a/forcepoint_secure_web_gateway/images/forcepoint_secure_web_gateway_web_dlp_logs.png b/forcepoint_secure_web_gateway/images/forcepoint_secure_web_gateway_web_dlp_logs.png new file mode 100644 index 0000000000000..a39eab6d70e96 Binary files /dev/null and b/forcepoint_secure_web_gateway/images/forcepoint_secure_web_gateway_web_dlp_logs.png differ diff --git a/forcepoint_secure_web_gateway/images/forcepoint_secure_web_gateway_web_logs.png b/forcepoint_secure_web_gateway/images/forcepoint_secure_web_gateway_web_logs.png new file mode 100644 index 0000000000000..ad78ebce2a051 Binary files /dev/null and b/forcepoint_secure_web_gateway/images/forcepoint_secure_web_gateway_web_logs.png differ diff --git a/forcepoint_secure_web_gateway/manifest.json b/forcepoint_secure_web_gateway/manifest.json index 359c9d23dddb3..764a513908e3e 100644 --- a/forcepoint_secure_web_gateway/manifest.json +++ b/forcepoint_secure_web_gateway/manifest.json 
@@ -1,41 +1,64 @@
 {
- "manifest_version": "2.0.0",
- "app_uuid": "183f1ae8-8bc0-4135-8b17-e6ff2b449f9c",
- "app_id": "forcepoint-secure-web-gateway",
- "display_on_public_website": false,
- "tile": {
- "overview": "README.md#Overview",
- "configuration": "README.md#Setup",
- "support": "README.md#Support",
- "changelog": "CHANGELOG.md",
- "description": "Gain insights into Forcepoint Secure Web Gateway Logs",
- "title": "Forcepoint Secure Web Gateway",
- "media": [],
- "classifier_tags": [
- "Category::Log Collection",
- "Category::Security",
- "Submitted Data Type::Logs",
- "Offering::Integration"
- ]
- },
- "assets": {
- "integration": {
- "auto_install": false,
- "source_type_id": 36227438,
- "source_type_name": "Forcepoint Secure Web Gateway",
- "events": {
- "creates_events": false
- },
- "service_checks": {
- "metadata_path": "assets/service_checks.json"
- }
+ "manifest_version": "2.0.0",
+ "app_uuid": "183f1ae8-8bc0-4135-8b17-e6ff2b449f9c",
+ "app_id": "forcepoint-secure-web-gateway",
+ "display_on_public_website": false,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "Gain insights into Forcepoint Secure Web Gateway Logs",
+ "title": "Forcepoint Secure Web Gateway",
+ "media": [
+ {
+ "caption": "Forcepoint Secure Web Gateway - Overview",
+ "image_url": "images/forcepoint_secure_web_gateway_overview.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Forcepoint Secure Web Gateway - Web DLP Logs",
+ "image_url": "images/forcepoint_secure_web_gateway_web_dlp_logs.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Forcepoint Secure Web Gateway - Web Logs",
+ "image_url": "images/forcepoint_secure_web_gateway_web_logs.png",
+ "media_type": "image"
+ }
+ ],
+ "classifier_tags": [
+ "Category::Log Collection",
+ "Category::Security",
+ "Submitted Data Type::Logs",
+ "Offering::Integration"
+ ]
+ },
+ "assets": {
+ "integration": {
+ "auto_install": false,
+ "source_type_id": 36227438,
+ "source_type_name": "Forcepoint Secure Web Gateway",
+ "events": {
+ "creates_events": false
+ },
+ "service_checks": {
+ "metadata_path": "assets/service_checks.json"
 }
 },
- "author": {
- "support_email": "help@datadoghq.com",
- "name": "Datadog",
- "homepage": "https://www.datadoghq.com",
- "sales_email": "info@datadoghq.com"
+ "dashboards": {
+ "Forcepoint Secure Web Gateway - Overview": "assets/dashboards/forcepoint_secure_web_gateway_overview.json",
+ "Forcepoint Secure Web Gateway - Web Logs": "assets/dashboards/forcepoint_secure_web_gateway_web_logs.json",
+ "Forcepoint Secure Web Gateway - Web DLP Logs": "assets/dashboards/forcepoint_secure_web_gateway_web_dlp_logs.json"
+ },
+ "logs": {
+ "source": "forcepoint-secure-web-gateway"
 }
+ },
+ "author": {
+ "support_email": "help@datadoghq.com",
+ "name": "Datadog",
+ "homepage": "https://www.datadoghq.com",
+ "sales_email": "info@datadoghq.com"
 }
- 
\ No newline at end of file
+}
\ No newline at end of file
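Review bot: The rewritten manifest still ends without a trailing newline — the `\ No newline at end of file` marker follows the added `+}` — so every later edit to this file will keep producing a noisy end-of-file hunk; end the file with a newline after the closing `}`. The `logs.source` value `forcepoint-secure-web-gateway` added under `assets` is the identifier that the log pipeline, the sample fixtures and the setup instructions all have to agree on; the sample record earlier in this diff is tagged `source:LOGS_SOURCE`, which looks like an unsubstituted placeholder, so it is worth confirming that the fixture and the README use this exact string. `display_on_public_website` stays `false` while media, dashboards and the logs source are added, which is presumably intentional until release but worth stating in the PR description.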
