
Forcepoint Web Security

Description

  • Vendor : Forcepoint

  • Product : Web Security

  • Log type : Forcepoint_Web_Security

Log sample

  • Forcepoint
["2018/12/12","14:42:34","Wednesday","https://images-na.ssl-images-amazon.com:443/images/G/01/orderApplication/aui/jquery-164-20131028.CB511593317.js","Allowed","Web Images","Miscellaneous","Compagny-DefaultPolicy","None","user@Compagny.com","aaabbb","ssl-images-amazon.com","images-na.ssl-images-amazon.com","HTTPS","None","10.10.10.10","Boxborough","United States","Unknown","10.10.10.10","United States","10.10.10.10","None","None","None","None","jquery-164-20131028.CB511593317.js","Text","application/x-javascript","x-javascript","application","ssl-images-amazon.com","www.amazon.com","443","None","https://www.amazon.com:443/gp/buy/prefetch/pipeline-assets.html","IE 11.0","Windows 10","Mozilla/5.0(Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko","Browser","Endpoint (ProxyConnect)","Static Classification","United States - New York (NYCA)","Endpoint Web (Proxy)","200","443","Get","33608","65","33131","477","11","82"]

Parsing strategy

  • The aim is to parse the rest of the log into a string array. So we take off the leading [ and the trailing ], then split the string with the .split("\",\"") method (the separator is a quote, a comma, a quote) into a string array. Finally we take off the first " of the first element and the last " of the last element.

  • We can now normalize the fields.

Fields normalization

  • Forcepoint_Web_Security
Normalized field                        Parsed field
[action]                                values[4]  (=Action)
[prx][target][uri][parent][category]    values[6]  (=Parent Category)
[prx][risk][Class]                      values[8]  (=Risk Class)
[rule][name]                            values[7]  (=Policy)
[init][uri][urn]                        values[34] (=Referrer Query)
[init][uri][full]                       values[35] (=Referrer URL Full)
[init][uri][full]                       values[3]  (=URL Full)
[init][uri][url]                        values[32] (=Referrer Host)
[init][usr][fullname]                   values[9]  (=User)
[init][usr][domain]                     values[11] (=Domain)
[init][host][port]                      values[33] (=Referrer Port)
[init][host][name]                      values[10] (=Workstation)
[init][host][ip]                        values[21] (=Source IP)
[init][host][loc][city]                 values[16] (=Connection IP City)
[init][host][loc][country]              values[17] (=Connection IP Country)
[target][uri][url]                      values[12] (=Host)
[target][uri][urn]                      values[14] (=Query)
[target][uri][category]                 values[5]  (=Category)
[target][host][port]                    values[45] (=Port)
[target][host][ip]                      values[19] (=Destination IP)
[target][host][loc][country]            values[20] (=Destination IP Country)
[alarm][sev]                            values[23] (=Severity)
[alarm][name]                           values[24] (=Threat Name)
[alarm][description]                    values[25] (=Threat Type)
[obs][host][ip]                         values[15] (=Connection IP)
[web][header][user_agent]               values[38] (=User Agent)
[app][return][code]                     values[44] (=HTTP Status Code)
[app][method]                           values[46] (=Request Method)
[app][proto][name]                      values[13] (=Protocol)
[session][in][byte]                     values[49] (=Bytes received)
[session][out][byte]                    values[50] (=Bytes sent)
[session][count]                        values[51] (=Server response time)
[session][duration]                     values[52] (=Total time)
[session][file][name]                   values[26] (=Filename)
[session][file][type]                   values[27] (=File Type)
[session][id]                           values[28] (=Full MIME Type)