Extend Cortex XDR visibility into logs from Forcepoint DLP.
Ingesting logs and data requires a Cortex XDR Pro per GB license.
If you use Forcepoint DLP to prevent data loss over endpoint channels, you can take advantage of Cortex XDR investigation and detection capabilities by forwarding your logs to Cortex XDR. This enables Cortex XDR to help you expand visibility into data violation by users and hosts in the organization, correlate and detect DLP incidents, and query Forcepoint DLP logs using XQL Search.
As soon as Cortex XDR starts to receive logs, Cortex XDR can analyze your logs in XQL Search and you can create new Correlation Rules.
To integrate your logs, you first need to set up an applet in a Broker VM within your network to act as a Syslog Collector. You then configure forwarding on your log devices to send logs to the Syslog Collector in a CEF or LEEF format.
Configure Forcepoint DLP collection in Cortex XDR.
Verify that your Forcepoint DLP meet the following requirements.
Must use version 126.96.36.1997 or a later release.
On premise installation only.
Activate the Syslog Collector applet on a Broker VM in your network.
Ensure the Broker VM is configured with the following settings.
Format—Select either a CEF or LEF Syslog format.
Vendor—Specify the Vendor as
Product—Specify the Product as
Increase log storage for Forcepoint DLP logs.
As an estimate for initial sizing, note the average Forcepoint DLP log size. For proper sizing calculations, test the log sizes and log rates produced by your Forcepoint DLP. For more information, see Manage Your Log Storage.
Configure the log device that receives Forcepoint DLP logs to forward syslog events to the Syslog Collector in a CEF or LEEF format.
For more information, see the Forcepoint DLP documentation.
After Cortex XDR begins receiving data from Forcepoint DLP, you can use XQL Search to search your logs using the