Websense

Websense Web Security Gateway is a web proxy event source that will send logs to a SIEM.

Before You Begin

Before setting up this event source within InsightIDR, you must configure Websense to send syslog to the InsightIDR collector. You can find instructions here: http://www.websense.com/content/support/library/web/v80/triton_web_help/settings_siem_explain.aspx

Note that when configuring syslog, you must select CEF as the log format.

Example Parseable Log Format

The following is an example log that InsightIDR can parse:

Sep 18 07:45:58 10.20.26.80 vendor=Websense product=Security product_version=7.7.3 action=permitted severity=1 category=17 user=LDAP://adserver.ad.company OU=West Coast,OU=employees,DC=ad,DC=company/John Doe src_host=10.20.100.228 src_port=0 dst_host=72.21.215.232:443 dst_ip=72.21.215.232 dst_port=443 bytes_out=3301 bytes_in=5357 http_response=0 http_method=GET http_content_type=- http_user_agent=- http_proxy_status_code=0 reason=- disposition=1026 policy=role-8**Standard_Access role=8 duration=0 url=HTTPS://72.21.215.232:443

Example CEF Format

The following is an example of a parseable log in CEF format:

Sep 18 05:48:53 10.30.26.80 CEF:0|Websense|Security|7.7.3|76|Transaction permitted|1| act=permitted app=http dvc=10.30.26.80 dst=206.190.60.138 dhost=l.yimg.com dpt=80 src=10.30.100.104 spt=0 suser=LDAP://adserver.ad.company OU\\=West Coast,OU\\=employees,DC\\=ad,DC\\=company/John Doe destinationTranslatedPort=0 rt=1379508533000 in=660 out=13281 requestMethod=GET requestClientApplication=- reason=- cs1Label=Policy cs1=role-8**Standard Access cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=- cn1Label=DispositionCode cn1=1026 cn2Label=ScanDuration cn2=0 request=http://l.yimg.com/rd/combine/en-US/1379417477/vendor/rapid.js
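The CEF record above escapes the "=" characters inside the suser value as "\=", which is what lets a parser keep "OU=West Coast,OU=employees" as part of the user name instead of misreading them as new keys. The following Python is an added example (not InsightIDR's parser or any Websense code) that splits the record into header fields and an extension map with that escaping handled, and resolves the Websense cs/cn custom fields through their Label pairs; the Python literal "\\=" yields the single-backslash "\=" escape CEF specifies.

```python
import re

# Constructed from the page's example CEF record ("\\=" in the literal is "\=" on the wire).
SAMPLE_CEF = (
    "Sep 18 05:48:53 10.30.26.80 CEF:0|Websense|Security|7.7.3|76|Transaction permitted|1| "
    "act=permitted app=http dvc=10.30.26.80 dst=206.190.60.138 dhost=l.yimg.com dpt=80 "
    "src=10.30.100.104 spt=0 suser=LDAP://adserver.ad.company OU\\=West Coast,OU\\=employees,"
    "DC\\=ad,DC\\=company/John Doe destinationTranslatedPort=0 rt=1379508533000 in=660 "
    "out=13281 requestMethod=GET requestClientApplication=- reason=- cs1Label=Policy "
    "cs1=role-8**Standard Access cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=- "
    "cn1Label=DispositionCode cn1=1026 cn2Label=ScanDuration cn2=0 "
    "request=http://l.yimg.com/rd/combine/en-US/1379417477/vendor/rapid.js"
)

HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity")
# An extension key is word characters followed by "=" at the start of the extension
# or after whitespace; "OU\=" never matches because "\" is not a word character.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def unescape(value):
    """Undo CEF escaping: '\\=' -> '=', '\\|' -> '|', '\\\\' -> '\\'."""
    return re.sub(r"\\([=|\\])", r"\1", value)


def parse_cef(line):
    """Split a syslog-prefixed CEF record into header fields and an extension map."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    # Header values may contain "\|", so split only on unescaped pipes.
    parts = re.split(r"(?<!\\)\|", line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = dict(zip(HEADER_FIELDS, (unescape(p) for p in parts[:7])))
    record["syslog_prefix"] = line[:start].rstrip()
    ext = parts[7].strip()
    keys = list(KEY_RE.finditer(ext))
    extension = {}
    for i, m in enumerate(keys):  # value runs from after "=" to the next key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[m.group(1)] = unescape(ext[m.end():end].strip())
    # Resolve custom fields (e.g. cs1Label=Policy cs1=...) to their labelled names.
    for n in range(1, 7):
        for kind in ("cs", "cn"):
            label = extension.get(f"{kind}{n}Label")
            if label and f"{kind}{n}" in extension:
                extension[label] = extension[f"{kind}{n}"]
    record["extension"] = extension
    return record
```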

Example LEEF Format

The following is an example of a parseable log in LEEF format:

Sep 18 08:01:17 10.20.26.80 LEEF:1.0|Websense|Security|7.7.3|transaction:permitted|sev=1<009>cat=29<009>usrName=LDAP://adserver.ad.company OU=Branches,OU=employees,DC=ad,DC=company/John Doe<009>src=10.20.100.193<009>srcPort=0<009>srcBytes=954<009>dstBytes=1150<009>dst=68.67.151.15<009>dstPort=80<009>proxyStatus-code=0<009>serverStatus-code=0<009>duration=0<009>method=GET<009>disposition=1026<009>contentType=-<009>reason=-<009>policy=role-8**Standard Access<009>role=8<009>userAgent=-<009>url=http://ib.adnxs.com/seg?add\\=826953&t\\=2

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Websense Web Security Gateway in the event sources search bar.
    • In the Product Type filter, select Web Proxy.
  3. Select the Websense Web Security Gateway event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Optionally choose to send unparsed logs.
  6. Choose the timezone that matches the location of your event source logs.
  7. Select a collection method and specify a port and a protocol.
    • If you choose TCP, you can optionally encrypt the event source by downloading the Rapid7 Certificate.
  8. Click Save.