Extend Cortex Cloud visibility into logs from Forcepoint DLP.
Notice
Requires the Data Collection add-on.
If you use Forcepoint DLP to prevent data loss over endpoint channels, you can take advantage of Cortex Cloud investigation and detection capabilities by forwarding your logs to Cortex Cloud. This enables Cortex Cloud to help you expand visibility into data violations by users and hosts in the organization, correlate and detect DLP incidents, and query Forcepoint DLP logs using XQL Search.
Once Cortex Cloud starts receiving logs, you can analyze them in XQL Search and create new Correlation Rules.
To integrate your logs, you first need to set up an applet in a Broker VM within your network to act as a Syslog Collector. You then configure forwarding on your log devices to send logs to the Syslog Collector in a CEF or LEEF format.
Configure Forcepoint DLP collection in Cortex Cloud.
Verify that your Forcepoint DLP deployment meets the following requirements.
Must use version 8.8.0.347 or a later release.
On-premises installations only.
Activate the Syslog Collector applet on a Broker VM in your network.
Ensure the Broker VM is configured with the following settings.
Format: Select either a CEF or LEEF Syslog format.
Vendor: Specify the Vendor as forcepoint.
Product: Specify the Product as dlp_endpoint.
Increase log storage for Forcepoint DLP logs.
As an estimate for initial sizing, note the average Forcepoint DLP log size. For proper sizing calculations, test the log sizes and log rates produced by your Forcepoint DLP. For more information, see Manage Your Log Storage.
Configure the log device that receives Forcepoint DLP logs to forward syslog events to the Syslog Collector in a CEF or LEEF format.
For more information, see the Forcepoint DLP documentation.
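The following script is an added example and is not code from the Cortex Cloud or Forcepoint documentation. Before pointing the log device at the Syslog Collector, it lets you check a captured sample of what the device emits: each line must be CEF or LEEF (the two formats the collector accepts), so the script parses both headers and their attribute sections, rejects anything else, and reports per-event sizes for the storage sizing step. The sample syslog lines are constructed for this example, and the attribute names in them (suser, cs1, usrName, and so on) are assumptions, not Forcepoint's real field schema.

```python
"""Added example (not code from the Cortex Cloud or Forcepoint docs): check that
forwarded lines are CEF or LEEF, the two formats the Syslog Collector accepts,
parse them, reject anything else, and measure event size for storage sizing.
Sample lines and attribute names (suser, cs1, usrName, ...) are constructed."""
import re
from statistics import mean

# RFC 3164 syslog prefix "<PRI>Mon dd hh:mm:ss host " that precedes the CEF/LEEF payload
SYSLOG_PREFIX = re.compile(r"^(?:<\d{1,3}>)?(?:[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ )?")
CEF_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of a key=value pair in the extension

def _split_unescaped(text, sep, maxsplit):
    """Split on sep at most maxsplit times, honouring backslash escapes (\\| and \\\\
    in headers); the remainder is returned raw so the caller applies its own rules."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if len(parts) == maxsplit:
            cur.append(text[i:])
            break
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_cef_extension(ext):
    """Space-separated key=value pairs; values may contain spaces, and '=' or '\\'
    inside a value is backslash-escaped (\\n and \\r stand for line breaks)."""
    fields, keys = {}, list(CEF_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(
            e.group(1), e.group(1)), ext[m.end():end])
    return fields

def _parse_leef(body):
    parts = _split_unescaped(body, "|", 5)
    delim = "\t"                              # LEEF 1.0: attributes separated by TAB
    if parts[0][5:].startswith("2"):          # LEEF 2.0: delimiter is the 6th header field
        parts = _split_unescaped(body, "|", 6)
        if len(parts) != 7:
            raise ValueError("malformed LEEF 2.0 header")
        delim = parts[5] or "\t"
        if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):   # hex form, e.g. x09 for TAB
            delim = chr(int(delim[1:], 16))
    elif len(parts) != 6:
        raise ValueError("malformed LEEF 1.0 header")
    fields = dict(p.split("=", 1) for p in parts[-1].split(delim) if "=" in p)
    return {"format": "LEEF", "vendor": parts[1], "product": parts[2],
            "version": parts[3], "event_id": parts[4], "fields": fields}

def parse_event(line):
    """Return a dict for a CEF or LEEF line; raise ValueError for anything else."""
    body = SYSLOG_PREFIX.sub("", line.rstrip("\r\n"), count=1)
    if body.startswith("CEF:"):
        hdr = _split_unescaped(body, "|", 7)   # 7 header fields, then the extension
        if len(hdr) != 8:
            raise ValueError("malformed CEF header")
        return {"format": "CEF", "vendor": hdr[1], "product": hdr[2], "version": hdr[3],
                "event_id": hdr[4], "name": hdr[5], "severity": hdr[6],
                "fields": parse_cef_extension(hdr[7])}
    if body.startswith("LEEF:"):
        return _parse_leef(body)
    raise ValueError("not CEF or LEEF; the Syslog Collector integration does not accept it")

def triage(lines):
    """Split a capture into (parsed events, rejected lines with the reason)."""
    parsed, rejected = [], []
    for line in lines:
        try:
            parsed.append(parse_event(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return parsed, rejected

def sizing(lines, events_per_second):
    """Average and largest event size in a capture, plus projected daily volume
    at a measured event rate, as input to the log storage estimate."""
    sizes = [len(line.encode("utf-8")) for line in lines]
    return {"avg_bytes": mean(sizes), "max_bytes": max(sizes),
            "gib_per_day": mean(sizes) * events_per_second * 86400 / 2 ** 30}

# Constructed sample capture (not real Forcepoint output): one CEF event, one
# LEEF 2.0 event with a custom delimiter, and one line in neither format.
SAMPLES = [
    "<14>Jun 12 10:15:32 dlp-ep01 CEF:0|Forcepoint|Forcepoint DLP|8.8.0.347|100|Policy violation|7|"
    "rt=Jun 12 2025 10:15:30 suser=jdoe shost=LAPTOP-42 act=Blocked cs1Label=channel "
    "cs1=Removable Media msg=Confidential file copied to USB\\= drive",
    "<14>Jun 12 10:16:01 dlp-ep01 LEEF:2.0|Forcepoint|Forcepoint DLP|8.8.0.347|101|^|"
    "usrName=asmith^src=10.0.12.7^action=Permitted^channel=Web",
    "<14>Jun 12 10:16:02 dlp-ep01 endpoint agent heartbeat ok",
]

if __name__ == "__main__":
    events, bad = triage(SAMPLES)
    for ev in events:
        print(ev["format"], ev["vendor"], ev["product"], ev["version"], ev["fields"])
    for line, why in bad:
        print("REJECTED:", why, "->", line)
    print(sizing(SAMPLES, events_per_second=50))
```

Run it against a file captured from the log device (for example with tcpdump or a scratch syslog listener) instead of SAMPLES. A rejected line means the device is sending a template the collector cannot use, which is fixed on the Forcepoint side per its documentation; the vendor and product strings printed here are what the device writes into the CEF or LEEF header, which is separate from the Vendor and Product values you set on the Broker VM applet above.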
After Cortex Cloud begins receiving data from Forcepoint DLP, you can use XQL Search to search your logs using the forcepoint_dlp_endpoint dataset.