Forcepoint CASB and Splunk

Table of contents
  1. Forcepoint CASB and Splunk
  2. Summary
  3. Demo
    1. Source Code
    2. Caveats
    3. Implementation
  4. Setup Forcepoint App inside Splunk
    1. Setup receiving port on the Splunk instance.
    2. Extra steps for distributed Splunk components
  5. Implementation – Docker
    1. Setup Splunk Universal Forwarder for Forcepoint Products
    2. Setup CASB SIEM Logs Importer
  6. Troubleshooting
    1. Docker Implementation
      1. Validate the prerequisites
      2. Check network connectivity
      3. Check dependencies are installed
      4. Check all components are configured and running properly
License

These contents are licensed under Apache License, Version 2.0. http://www.apache.org/licenses/LICENSE-2.0

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SITE AND ITS CONTENT IS PROVIDED TO YOU ON AN “AS IS,” “AS AVAILABLE” AND “WHERE-IS” BASIS. ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THE SITE OR ITS CONTENT, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS, ARE HEREBY DISCLAIMED

Document Revision
Version Date Author Notes
0.1 17 May 2021 Rabih Abou Fakher First draft

Summary

This guide provides step by step instructions to configure an integration between Forcepoint Cloud Access Security Broker and Splunk so that insights and data contained into Cloud Access Security Broker logs are automatically exported, indexed and visualized in Splunk.

A description of the workflow between the components involved in this POC is depicted in this diagram:

Demo

 

Source Code

fp-bd-splunk-app

fp-bd-splunk-universal-forwarder

Caveats

These implementation instructions are tested with the following product versions:

  • Forcepoint CASB SIEM Tool - Linux version as of 2020-12-10

  • Splunk Enterprise 8.0.4.1

The following activities are out of the scope of this document and therefore left to the system administrator, as part of ordinary maintenance procedures to be put in place within the existing infrastructure:

  • Monitoring of the scripts, services and applications involved in the solution

Implementation

  • Docker: leverages a docker image where the integration component is already installed with all necessary dependencies: the user must only edit the configuration files and run the container on an existing docker setup

The docker images have been tested working with the following requirements

  • Docker 19.03.5

  • The docker host machine should meet the minimum hardware requirements of at least 50 GB of free storage, 2 GB of RAM and a 64-bit system

  • User needs sudo permissions in the docker host machine

The files needed to set up the integration are available at the following links:

Setup Forcepoint App inside Splunk

In order to install the Forcepoint app in Splunk

  1. Login to the machine hosting Splunk Enterprise with a user who has administrative privileges.

  2. Download the fp-splunk-app package and extract its contents into the /opt/ directory by executing the command below:

    PUBLIC_REPO_NAME=fp-bd-splunk-app; \
DEPLOYMENT_NAME=fp-splunk-app-v.*.tar.gz; \
LATEST_VERSION=$(curl -sL "https://github.com/Forcepoint/$PUBLIC_REPO_NAME/releases/latest" | grep "$DEPLOYMENT_NAME" | head -1 | grep -E -o "/v.{0,5}" | cut -c 3-); \
CODE_VERSION=$(curl -sL "https://github.com/Forcepoint/$PUBLIC_REPO_NAME/releases/latest" | grep -E -o "$DEPLOYMENT_NAME" | head -1 | rev | cut -c 8- | awk -F\v- '{print $1}'); \
DEPLOYMENT_NAME_WITH_VERSION=$(echo "${DEPLOYMENT_NAME::-9}$CODE_VERSION.tar.gz"); \
wget --content-disposition "https://github.com/Forcepoint/$PUBLIC_REPO_NAME/releases/download/v$LATEST_VERSION/$DEPLOYMENT_NAME_WITH_VERSION" && \
sudo tar -zxvf $DEPLOYMENT_NAME_WITH_VERSION -C /opt/ && rm -f ./$DEPLOYMENT_NAME_WITH_VERSION*

  3. Copy forcepoint-solutions directory in the Splunk instance apps directory, then restart Splunk service by executing the command below:

    sudo cp -r /opt/fp-splunk-app/forcepoint-solutions $SPLUNK_HOME/etc/apps/; \
sudo $SPLUNK_HOME/bin/splunk restart

Once Splunk has restarted you’ll be able to see Forcepoint under the Apps tab.

Setup receiving port on the Splunk instance.

Forcepoint logs are ingested into Splunk using a port on the local Splunk machine necessary to receive traffic generated by the Universal Forwarder component. In order to configure the receiving port

  1. Click on Settings > Forwarding and receiving > Configure receiving

  2. Click New Receiving Port > Type the port number (e.g. 9997) > Save

Note: the receiving port must be accessible from the network location of the Universal Forwarder component. Make sure any firewall or network device is configured appropriately to allow the necessary traffic.

Extra steps for distributed Splunk components

If Splunk is deployed in a distributed environment where the search head and the indexer components are deployed in different machines, please follow these additional instructions and repeat the following steps for each indexer machine deployed on the cluster:

  1. If it does not exist already, create the props.conf file in the folder $SPLUNK_HOME/etc/system/local/

  2. Edit props.conf and append the following configurations:

    [cloud-access-security-broker]
category=Custom
description=Forcepoint Cloud Access Security Broker Logs
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
KV_MODE = none
EXTRACT-cef-message = CEF:\d\|(?<vendor>[^\|]+)\|(?<product>[^\|]+)\|(?<version>[^\|]+)\|(?<signature_id>[^\|]+)\|(?<signature>[^\|]+)\|(?<vendor_severity>[^\|]+)\|(?<cef_message>.*)
REPORT-parse_cef = cef_auto_kv_fp,cef_auto_kv_fp_last
TIME_FORMAT=%s%3N
TIME_PREFIX=start\=

[next-generation-firewall]
SEDCMD-remove = s/(<6>)//g
NO_BINARY_CHECK = 1
pulldown_type = 1
REPORT-xmlkv = xmlkv-alternative
TIME_PREFIX=<TIMESTAMP>
category=Custom
description=Forcepoint Next Generation Firewall Logs

[cloud-security-gateway]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
INDEXED_EXTRACTIONS=CSV
KV_MODE=none
category=Custom
description=Forcepoint Cloud Security Gateway Logs
disabled=false
pulldown_type=true

[private-access]
TRANSFORMS-null=setnull
LINE_BREAKER=([\r\n]+)
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
category=Custom
description=Forcepoint Private Access Logs
disabled=false
pulldown_type=true
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z
TIME_PREFIX="timestamp": "

  3. If it does not exist already, create the indexes.conf file in the folder $SPLUNK_HOME/etc/system/local/

  4. Edit indexes.conf and append the following configurations:

    [forcepoint]
coldPath = $SPLUNK_DB/forcepoint/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/forcepoint/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/forcepoint/thaweddb

  5. If it does not exist already, create the transforms.conf file in the folder $SPLUNK_HOME/etc/system/local/

  6. Edit transforms.conf and append the following configurations:

    [setnull]
 REGEX = Node-internal
 DEST_KEY = queue
 FORMAT = nullQueue

[xmlkv-alternative]
 REGEX = <([^\s\>]*)[^\>]*\>([^<]*)\<\/\1\>
 FORMAT = $1::$2

[cef_auto_kv_fp]
 SOURCE_KEY = cef_message
 REGEX = (AD.\w+|\w+)=([^=]+)(?=\s+\w+=*)
 FORMAT = $1::$2

[cef_auto_kv_fp_last]
 SOURCE_KEY = cef_message
 REGEX = (AD.\w+|\w+)=([^=]+)$
 FORMAT = $1::$2

  7. Log in with the user account running Splunk processes and run the below command:

      $SPLUNK_HOME/bin/splunk restart

Implementation – Docker

Setup Splunk Universal Forwarder for Forcepoint Products

The Splunk Universal Forwarder is used to forward Forcepoint Products logs to the Splunk indexer.

Note: The Splunk Universal Forwarder for Forcepoint Products must be able to access the receiving host on the port defined in the Setup receiving port on the Splunk instance chapter.

  1. Login into docker repository, you’ll be asked to enter your username and password (provided below):

      docker login docker.frcpnt.com

      $ Username: fp-integrations
  $ Password: t1knmAkn19s

  2. Run the container with the command below, replacing:

    1. <universal-forwarder-password-of-your-choice> with a password of your choice (minimum of 8 characters)
    2. <splunk-indexer-ip-address> with the Splunk indexer receiving IP address
    3. <splunk-indexer-receiving-port> with the splunk indexer receiving port number
     docker run --detach \
     --env "SPLUNK_START_ARGS=--accept-license" \
     --env "SPLUNK_PASSWORD=<universal-forwarder-password-of-your-choice>" \
     --env "SPLUNK_INDEXER_IP_ADDRESS=<splunk-indexer-ip-address>" \
     --env "SPLUNK_INDEXER_RECEIVING_PORT=<splunk-indexer-receiving-port>" \
     --env "FP_ENABLE_CASB_FORWARD=true" \
     --name fp-casb-splunk-universal-forwarder \
     --restart always \
     --volume FpLogsVolume:/app/forcepoint-logs:ro \
     docker.frcpnt.com/fp-splunk-universal-forwarder

Setup CASB SIEM Logs Importer

The docker implementation described in this chapter requires one preparatory step before the docker container can be run: the creation of a credentials file which is used by CASB SIEM Tool (already installed within the container) to connect securely to CASB.

  1. Login into docker repository, you’ll be asked to enter your username and password:

    docker login docker.frcpnt.com

      $ Username: fp-integrations
  $ Password: t1knmAkn19s

  2. Replace <casb-username> and <casb-password> in the first two lines with the actual credentials of a CASB user, then run the command below

    The command below will create a file called casb-credentials-store in the current directory.

    username="<casb-username>"; \
password="<casb-password>"; \
docker run --rm \
  --entrypoint /bin/bash \
  docker.frcpnt.com/fp-casb-siem-importer -c "cd /usr/SIEM-Tool-Linux-* && \
  ./SIEMClient.sh --set.credentials --username \"$username\" --password \"$password\" --credentials.file casb-credentials-store 1>/dev/null; \
  cat casb-credentials-store" > ./casb-credentials-store; \
unset username password

  3. Replace <casb-credentials-store-path> with the path of casb-credentials-store file created in the first step, then run the command below, this will run the container.

    Note: the environment variables below can be changed, by default CASB_HOST is set to my.skyfence.com and TRIGGER_PERIOD is set to trigger at every 30 minutes.

    docker run --detach \
 --env CASB_HOST='my.skyfence.com' \
 --env TRIGGER_PERIOD='30' \
 --name fp-casb-siem-importer \
 --restart always \
 --volume <casb-credentials-store-path>/casb-credentials-store:/usr/fp-casb-siem-importer/casb-credentials-store \
 --volume FpLogsVolume:/forcepoint-logs \
 docker.frcpnt.com/fp-casb-siem-importer

Note: Depending on the TRIGGER_PERIOD picked above, the user should start seeing data in that period, if TRIGGER_PERIOD is not changed, the default is set to trigger at every 30 minutes.

Troubleshooting

Follow these steps to identify issues impacting the normal operation of the integration described in this document.

Docker Implementation

Validate the prerequisites

Make sure the prerequisites described in the Summary chapter are all satisfied:

  • Check the version of Splunk and Forcepoint CASB SIEM Tool in use is compatible:

    Splunk Enterprise 8.0.4.1

Forcepoint CASB SIEM Tool - Linux version as of 2020-12-10

  • User must use a CASB account with admin role for this integration

  • The host machine should have Docker 19.03.5 installed

  • The docker host machine should meet the minimum hardware requirements of 2GB RAM, 50GB free storage and the system needs to be 64-bit

  • User needs sudo permissions in the docker host machine

  • Check the user can download the required files with the link below:

      https://github.com/Forcepoint/fp-bd-splunk-app/releases/latest

Check network connectivity

Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved in this integration:

  • Check the host machine has connectivity to the internet: execute the following command on the Docker host machine:

    ping -c 2* *www.splunk.com

Once done check the result is similar to below:

PING www.splunk.com (10.10.120.12) 56(84) bytes of data.
64 bytes from 10.10.120.12 (10.10.120.12): icmp\_seq=1 ttl=128 time=179 ms
64 bytes from 10.10.120.12 (10.10.120.12): icmp\_seq=1 ttl=128 time=181 ms

Check dependencies are installed

Make sure the software dependencies needed by the components involved in this integration are installed:

  • Check the host machine has docker installed: Execute the following command on the host machine:

docker info

Check the first few lines of the output are similar to below:

Client:
Debug Mode: false

Server:
Containers: 3
Running: 2
Paused: 0
Stopped: 1
Images: 3
**Server Version: 19.03.5**

Check all components are configured and running properly

Make sure the products and services involved in this integration are configured as expected and they are running:

  • Check the splunk fp-casb-splunk-universal-forwarder service is running.

      docker exec -it -u splunk fp-casb-splunk-universal-forwarder /bin/bash -c "/opt/splunkforwarder/bin/splunk status"

Check the output is similar to the picture below:

  • Check if the connection between the forwarder and the Splunk instance is active: Execute the following command on the host machine:

      docker exec -it fp-casb-splunk-universal-forwarder /bin/bash -c "/opt/splunkforwarder/bin/splunk list forward-server"

    It might prompt you for username (admin) and password (the one you setup in step 3 of Setup Splunk Universal Forwarder for Forcepoint Products. Verify the output is similar to below:

  • Check the splunk fp-casb-splunk-universal-forwarder is forwarding data with no errors.

      docker exec -it fp-casb-splunk-universal-forwarder /bin/bash -c "cat /opt/splunkforwarder/var/log/splunk/health.log"

Check the output of tail health.log does not contain error messages.

  • Check after running the integration, depending on the SIEM Logs Importer scheduler time, the user should start seeing data in 30 minutes or so on Splunk.

    Check the output is similar to the one shown below: