Forcepoint Web Security
Description¶
-
Constructor : Forcepoint
-
Product : Web security
-
log types : Forcepoint_Web_Security
log sample¶
- Forcepoint
1 | ["2018/12/12","14:42:34","Wednesday","https://images-na.ssl-images-amazon.com:443/images/G/01/orderApplication/aui/jquery-164-20131028.CB511593317.js","Allowed","Web Images","Miscellaneous","Compagny-DefaultPolicy","None","user@Compagny.com","aaabbb","ssl-images-amazon.com","images-na.ssl-images-amazon.com","HTTPS","None","10.10.10.10","Boxborough","United States","Unknown","10.10.10.10","United States","10.10.10.10","None","None","None","None","jquery-164-20131028.CB511593317.js","Text","application/x-javascript","x-javascript","application","ssl-images-amazon.com","www.amazon.com","443","None","https://www.amazon.com:443/gp/buy/prefetch/pipeline-assets.html","IE 11.0","Windows 10","Mozilla/5.0(Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko","Browser","Endpoint (ProxyConnect)","Static Classification","United States - New York (NYCA)","Endpoint Web (Proxy)","200","443","Get","33608","65","33131","477","11","82"] |
Parsing strategy¶
-
The aim is to parse the rest of the log in a string array. So we take off the [ and ], and split the string with the .split("\\",\\"") method in a string array.Finally we take off the first and the last " in the string array.
-
We can now normalize the fields
Fields normalization¶
- Forcepoint_Web_Security
| Normalized fields | Parsed fields |
|---|---|
| [action] | values[4] (=Action) |
| [prx][target[uri][parent][category] | values[6] (=Parent Category) |
| [prx][risk][Class] | values[8] (=Risk Class) |
| [rule][name] | values[7] (=Policy) |
| [init][uri][urn] | values[34] (=Referrer Query) |
| [init][uri][full] | values[35] (=Referrer URL Full) |
| [init][uri][full] | values[3] (=URL Full) |
| [init][uri][url] | values[32] (=Referrer Host) |
| [init][usr][fullname] | values[9] (=User) |
| [init][usr][domain] | values[11] (=Domain) |
| [init][host][port] | values[33] (=Referrer Port) |
| [init][host][name] | values[10] (=Workstation) |
| [init][host][ip] | values[21] (=Source IP) |
| [init][host][loc][city] | values[16] (=Connection IP City) |
| [init][host][loc][country] | values[17] (=Connection IP Country) |
| [target][uri][url] | values[12] (=Host) |
| [target][uri][urn] | values[14] (=Query) |
| [target]uri[category] | values[5] (=Category) |
| [target][host][port] | values[45] (=Port) |
| [target][host][ip] | values[19] (=Destination IP) |
| [target][host][loc][country] | values[20] (=Destination IP Country) |
| [alarm][sev] | values[23] (=Severity) |
| [alarm][name] | values[24] (=Threat Name) |
| [alarm][description] | values[25] (=Threat Type) |
| [obs][host][ip] | values[15] (=Connection IP) |
| [web][header][user_agent] | values[38] (=User Agent) |
| [app][return][code] | values[44] (=HTTP Status Code) |
| [app][method] | values[46] (=Request Method) |
| [app][proto][name] | values[13] (=Protocol) |
| [session][in][byte] | values[49] (=Bytes received) |
| [session][out][byte] | values[50] (=Bytes sent) |
| [session][count] | values[51] (=Server response time) |
| [session][duration] | values[52] (=Total time) |
| [session][file][name] | values[26] (=Filename) |
| [session][file][type] | values[27] (=File Type) |
| [session][id] | values[28] (=Full MIME Type) |