Websense

Websense Web Security Gateway is a web proxy event source that sends its transaction logs to a SIEM over syslog.

Before You Begin

Before setting up this event source within InsightIDR, you must configure Websense to send syslog to the InsightIDR collector. You can find instructions here: http://www.websense.com/content/support/library/web/v80/triton_web_help/settings_siem_explain.aspx

When configuring the syslog output in Websense, select CEF as the log format. The samples below show the CEF record together with the key=value and LEEF records that InsightIDR can also parse.

Example Parseable Log Format

The following is an example log that InsightIDR can parse:

Sep 18 07:45:58 10.20.26.80 vendor=Websense product=Security product_version=7.7.3 action=permitted severity=1 category=17 user=LDAP://adserver.ad.company OU=West Coast,OU=employees,DC=ad,DC=company/John Doe src_host=10.20.100.228 src_port=0 dst_host=72.21.215.232:443 dst_ip=72.21.215.232 dst_port=443 bytes_out=3301 bytes_in=5357 http_response=0 http_method=GET http_content_type=- http_user_agent=- http_proxy_status_code=0 reason=- disposition=1026 policy=role-8**Standard_Access role=8 duration=0 url=HTTPS://72.21.215.232:443

Example CEF Format

The following is an example of a parseable log in CEF format:

Sep 18 05:48:53 10.30.26.80 CEF:0|Websense|Security|7.7.3|76|Transaction permitted|1| act=permitted app=http dvc=10.30.26.80 dst=206.190.60.138 dhost=l.yimg.com dpt=80 src=10.30.100.104 spt=0 suser=LDAP://adserver.ad.company OU\\=West Coast,OU\\=employees,DC\\=ad,DC\\=company/John Doe destinationTranslatedPort=0 rt=1379508533000 in=660 out=13281 requestMethod=GET requestClientApplication=- reason=- cs1Label=Policy cs1=role-8**Standard Access cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=- cn1Label=DispositionCode cn1=1026 cn2Label=ScanDuration cn2=0 request=http://l.yimg.com/rd/combine/en-US/1379417477/vendor/rapid.js

Example LEEF Format

The following is an example of a parseable log in LEEF format. LEEF 1.0 separates its attributes with a tab character (0x09), which is shown below as <009>:

Sep 18 08:01:17 10.20.26.80 LEEF:1.0|Websense|Security|7.7.3|transaction:permitted|sev=1<009>cat=29<009>usrName=LDAP://adserver.ad.company OU=Branches,OU=employees,DC=ad,DC=company/John Doe<009>src=10.20.100.193<009>srcPort=0<009>srcBytes=954<009>dstBytes=1150<009>dst=68.67.151.15<009>dstPort=80<009>proxyStatus-code=0<009>serverStatus-code=0<009>duration=0<009>method=GET<009>disposition=1026<009>contentType=-<009>reason=-<009>policy=role-8**Standard Access<009>role=8<009>userAgent=-<009>url=http://ib.adnxs.com/seg?add\\=826953&t\\=2
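The three records above differ in how they delimit and escape fields, and that is what a parser has to get right: the plain key=value record does not escape its values (the user DN contains spaces and '=' signs), so it can only be split at keys known in advance; CEF escapes '=' inside extension values as '\=' and names its custom fields through csNLabel/cnNLabel pairs; LEEF 1.0 separates attributes with a tab, printed as <009> above. The Python below is an added example written for this page, not InsightIDR's parser or Websense code. It parses constructed copies of the three sample lines and assumes that the doubled backslash shown on the page ('\\=') is how the single-backslash wire escape renders. It also converts the CEF rt field (epoch milliseconds) to UTC: for the sample, rt decodes to 12:48:53 UTC while the syslog header reads 05:48:53, a seven-hour offset that the syslog header itself cannot express and that only the collector's timezone setting resolves.

```python
import re
from datetime import datetime, timezone

# Constructed copies of the three sample records above, not live data. The page renders the CEF/LEEF
# escape for '=' with a doubled backslash; these strings carry the single '\=' of the wire format.
SAMPLE_KV = (
    "Sep 18 07:45:58 10.20.26.80 vendor=Websense product=Security product_version=7.7.3 action=permitted severity=1 "
    "category=17 user=LDAP://adserver.ad.company OU=West Coast,OU=employees,DC=ad,DC=company/John Doe "
    "src_host=10.20.100.228 src_port=0 dst_host=72.21.215.232:443 dst_ip=72.21.215.232 dst_port=443 bytes_out=3301 "
    "bytes_in=5357 http_response=0 http_method=GET http_content_type=- http_user_agent=- http_proxy_status_code=0 "
    "reason=- disposition=1026 policy=role-8**Standard_Access role=8 duration=0 url=HTTPS://72.21.215.232:443"
)
SAMPLE_CEF = (
    "Sep 18 05:48:53 10.30.26.80 CEF:0|Websense|Security|7.7.3|76|Transaction permitted|1| act=permitted app=http "
    "dvc=10.30.26.80 dst=206.190.60.138 dhost=l.yimg.com dpt=80 src=10.30.100.104 spt=0 "
    "suser=LDAP://adserver.ad.company OU\\=West Coast,OU\\=employees,DC\\=ad,DC\\=company/John Doe "
    "destinationTranslatedPort=0 rt=1379508533000 in=660 out=13281 requestMethod=GET requestClientApplication=- "
    "reason=- cs1Label=Policy cs1=role-8**Standard Access cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=- "
    "cn1Label=DispositionCode cn1=1026 cn2Label=ScanDuration cn2=0 request=http://l.yimg.com/rd/combine/en-US/1379417477/vendor/rapid.js"
)
SAMPLE_LEEF = (
    "Sep 18 08:01:17 10.20.26.80 LEEF:1.0|Websense|Security|7.7.3|transaction:permitted|sev=1\tcat=29\t"
    "usrName=LDAP://adserver.ad.company OU=Branches,OU=employees,DC=ad,DC=company/John Doe\tsrc=10.20.100.193\t"
    "srcPort=0\tsrcBytes=954\tdstBytes=1150\tdst=68.67.151.15\tdstPort=80\tproxyStatus-code=0\tserverStatus-code=0\t"
    "duration=0\tmethod=GET\tdisposition=1026\tcontentType=-\treason=-\tpolicy=role-8**Standard Access\trole=8\t"
    "userAgent=-\turl=http://ib.adnxs.com/seg?add\\=826953&t\\=2"
)

# Keys of the key=value format, from the sample above. Its values are not escaped (the user DN holds
# spaces and '='), so a record can only be split safely at keys that are known in advance.
KV_KEYS = {
    "vendor", "product", "product_version", "action", "severity", "category", "user", "src_host", "src_port",
    "dst_host", "dst_ip", "dst_port", "bytes_out", "bytes_in", "http_response", "http_method", "http_content_type",
    "http_user_agent", "http_proxy_status_code", "reason", "disposition", "policy", "role", "duration", "url",
}
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)
KV_KEY_RE = re.compile(r"(?:^|\s)([a-z_]+)=")
CEF_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")  # an escaped '\=' never matches here, so it stays inside the value
CEF_UNESCAPES = {"n": "\n", "r": "\r"}      # '\=', '\|' and '\\' unescape to the literal character

def _unescape(value):
    return re.sub(r"\\(.)", lambda m: CEF_UNESCAPES.get(m.group(1), m.group(1)), value)

def _split_at_keys(text, key_re, known=None):
    """Split 'k=v k2=v2 ...' at the key positions; values may contain spaces and '='."""
    hits = [m for m in key_re.finditer(text) if known is None or m.group(1) in known]
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields

def parse_cef(msg):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extension ('\\|' escapes a pipe)."""
    parts = re.split(r"(?<!\\)\|", msg, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    names = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    header = dict(zip(names, (_unescape(p) for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    ext = {k: _unescape(v) for k, v in _split_at_keys(parts[7], CEF_KEY_RE).items()}
    # Resolve custom fields: 'cs1Label=Policy cs1=role-8**Standard Access' becomes Policy=...
    for label_key in [k for k in ext if k.endswith("Label") and k[:-5] in ext]:
        label = ext.pop(label_key)
        ext[label] = ext.pop(label_key[:-5])
    return header, ext

def parse_leef(msg):
    """LEEF:1.0|Vendor|Product|Version|EventID| then tab-delimited attributes (<009> on this page)."""
    parts = msg.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    header = dict(zip(("version", "vendor", "product", "device_version", "event_id"), parts[:5]))
    header["version"] = header["version"][len("LEEF:"):]
    attrs = {}
    for item in parts[5].replace("<009>", "\t").split("\t"):
        key, sep, value = item.partition("=")  # split once: 'OU=...' inside a value stays intact
        if sep:
            attrs[key] = value.replace("\\=", "=")
    return header, attrs

def parse_websense(line):
    """Strip the syslog header, then dispatch on the record prefix."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("missing syslog header")
    msg = m.group("msg")
    rec = {"syslog_time": m.group("ts"), "device": m.group("host"), "header": {}}
    if msg.startswith("CEF:"):
        rec["format"], (rec["header"], rec["fields"]) = "cef", parse_cef(msg)
    elif msg.startswith("LEEF:"):
        rec["format"], (rec["header"], rec["fields"]) = "leef", parse_leef(msg)
    else:
        rec["format"], rec["fields"] = "kv", _split_at_keys(msg, KV_KEY_RE, KV_KEYS)
    return rec

def cef_receipt_time(fields):
    """CEF 'rt' is epoch milliseconds and, unlike the syslog header, carries year and zone."""
    return datetime.fromtimestamp(int(fields["rt"]) / 1000, tz=timezone.utc)
```

The key=value parser is deliberately tied to a fixed key list: without escaping there is no other way to tell a user DN's OU=... apart from a real field boundary, and a new field name added by a product upgrade would silently be folded into the preceding value until the list is extended. CEF and LEEF do not have that problem, which is one reason to prefer CEF as the page advises.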

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Web Proxy icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Optionally choose to send unfiltered logs.
  6. Choose the timezone that matches the location of your event source logs.
  7. Select a collection method and specify a port and a protocol.
    • If you chose TCP, you can optionally encrypt the event source by selecting Encrypt and downloading the Rapid7 certificate.
  8. Click Save.
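A quick way to confirm that the port and protocol chosen in step 7 actually deliver records into the collector is to send a known test line and then look for it under the new event source. The Python below is an added example for this page, not Rapid7 or Websense code: it frames a trimmed copy of the page's CEF sample as an RFC 3164 syslog message and sends it over UDP or newline-delimited TCP, and the loopback check runs the same path against a throwaway local listener so it can be exercised offline. The collector host and port, the newline framing for TCP, and the TLS branch (which assumes the downloaded Rapid7 certificate is the CA file that validates the collector) are assumptions to adjust for your deployment.

```python
import socket
import ssl
import time

# Constructed test record (a trimmed copy of the page's CEF sample), not live traffic.
TEST_RECORD = ("CEF:0|Websense|Security|7.7.3|76|Transaction permitted|1| act=permitted app=http "
               "dvc=10.30.26.80 dst=206.190.60.138 dhost=l.yimg.com dpt=80 src=10.30.100.104 spt=0 "
               "suser=test.user rt=1379508533000 requestMethod=GET request=http://l.yimg.com/")

def frame(message, device="10.30.26.80", facility=1, severity=6, when=None):
    """Wrap a record in an RFC 3164 header: <PRI>Mmm dd hh:mm:ss host message.
    PRI = facility*8 + severity; user-level (1) + informational (6) gives <14>. The header carries
    no year and no zone, which is why the collector must be told the event source's timezone."""
    t = time.localtime(when)
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{facility * 8 + severity}>{stamp} {device} {message}"

def send_syslog(line, host, port, proto="udp", cafile=None, timeout=3.0):
    """Send one line to the collector. TCP is newline-delimited here (one record per line, an
    assumption); with cafile set, the TCP session is wrapped in TLS and the collector's certificate
    is validated against that CA file (assumed to be the downloaded Rapid7 certificate)."""
    data = line.encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    elif proto == "tcp":
        with socket.create_connection((host, port), timeout=timeout) as s:
            if cafile:
                ctx = ssl.create_default_context(cafile=cafile)
                with ctx.wrap_socket(s, server_hostname=host) as tls:
                    tls.sendall(data + b"\n")
            else:
                s.sendall(data + b"\n")
    else:
        raise ValueError(f"unknown protocol {proto!r}")
    return len(data)

def loopback_check(proto="udp"):
    """Round-trip a framed record through a throwaway listener on 127.0.0.1 and return what
    arrived, so framing and transport can be exercised without a real collector."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(3.0)
        port = srv.getsockname()[1]
        if proto == "tcp":
            srv.listen(1)
        send_syslog(frame(TEST_RECORD, when=1379508533), "127.0.0.1", port, proto)
        if proto == "udp":
            data, _ = srv.recvfrom(65535)
        else:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(3.0)
                data = b""
                while not data.endswith(b"\n"):   # read until the newline terminator or EOF
                    chunk = conn.recv(65535)
                    if not chunk:
                        break
                    data += chunk
        return data.decode().rstrip("\n")

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, loopback_check(proto))
```

Running the script performs the loopback check for both protocols. To exercise the real path, call send_syslog(frame(TEST_RECORD), collector_ip, port, "tcp") with the values entered in step 7 and then look for the test.user record under the event source; if nothing arrives, the port, protocol or a firewall between Websense and the collector is the first thing to check.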