Integrate a Websense On-Premises Device

Configure a Websense on-premises device to receive IOCs pushed from Threat Command.

To receive IOCs, you integrate the device with Threat Command, and then use Threat Command to configure an IOC group whose IOCs will be pushed to the device.  IOC groups for Websense devices can consist of the following types of IOCs: domains, URLs, and IP addresses.

Each push to Websense sends the complete IOC set of the group (up to the maximum), not only the IOCs added since the previous push.

Limitations

  • Websense v8.5 and later are supported.
  • Integration is with the Websense Linux Policy Enforcement server.
  • The AP-Web or web filters must be installed.

Prerequisites

  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • You have the credentials to access the Threat Command virtual appliance web interface.
  • You have the administrative credentials to access the device management console as a super admin user.

Integrate a Websense device

Use the Threat Command virtual appliance to integrate the device with Threat Command.

To integrate a Websense device:

  1. From an internet browser, navigate to https://<virtual appliance IP address>
  2. Log in to the Threat Command virtual appliance using the web access username and password.
  3. From the Devices page, click Devices (Push).
  4. Click Add new device.
  5. In the Devices (Push) screen, set up the new device:
    1. Type a user-defined, unique device name.
    2. Select the Websense AP-Web 8.3 device type. 
    3. Type values for User and Password.
      Use the same credentials that you use to access the Websense web management console.
    4. Type the URL or IP address of the Websense policy server.
    5. (Optional) Test the connection by clicking Test connection.
    6. Click Create.
    7. Review and approve messages.
  6. Verify that the new device is displayed in Threat Command:
    1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
    2. From the main menu, select Automation > Integrations.
      If this window is already open, refresh it by selecting Automation > Integrations from the menu.
      The new device is displayed in the On-Premises tab.

[Figure: a newly added device in the Threat Command Automation > Integrations window]

Configure an IOC group to push IOCs to the device

Once the Websense device has been added and is syncing with the Threat Command virtual appliance, it is ready to receive IOCs pushed from Threat Command. IOCs are pushed by creating an IOC group for this device in Threat Command.

Creating IOC groups is described in the Threat Command documentation on IOC groups.

When creating IOC groups, you can choose whether the matched IOCs should be monitored or blocked in the Websense device. This choice is transmitted to the device, together with the IOC identification.


Verify that IOCs are being pushed to the device

You can verify that IOCs are being pushed to the Websense device. This can take several minutes after initial integration.

To verify IOCs are pushed to the device:

  1. SSH to the Threat Command virtual appliance.
  2. From the virtual appliance, run the following curl command against the Websense Linux policy server (quote the URL so that the shell does not interpret the ? in the query string):
curl -k -u <websense-api-username>:<websense-api-password> "https://<websense-policy-server-ip>:15873/api/web/v1/categories/urls?catname=<device_name_lowercase>_<ioc_group_name_lowercase>"
      The category name is the device name and the IOC group name, both lowercased and joined with an underscore. The -k option disables TLS certificate verification; where the policy server certificate is issued by a CA you trust, use --cacert <ca-bundle> instead.
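The verification step above as a script, added here as an example; it is not code from the Threat Command or Websense documentation. It derives the category name Threat Command creates for a pushed IOC group (device name and IOC group name, lowercased and joined with an underscore), percent-encodes it so that spaces or punctuation in the names cannot break the query string, and queries the policy server. The WEBSENSE_API_USER, WEBSENSE_API_PASS and WEBSENSE_CA_BUNDLE variables are this example's own, and treating HTTP 200 as success is an assumption the page does not state.

```shell
#!/bin/sh
# Added example; not code from the Threat Command or Websense documentation.
# Derives the Websense category name that Threat Command creates for a pushed
# IOC group (device name and IOC group name, both lowercased, joined by "_"),
# percent-encodes it, and queries the policy server's category URL listing.
# Assumed (not stated on the page): the WEBSENSE_API_USER, WEBSENSE_API_PASS
# and WEBSENSE_CA_BUNDLE variables, and that HTTP 200 indicates success.

# Category name: "<device name>_<IOC group name>", lowercased.
websense_catname() {
    printf '%s_%s' "$1" "$2" | tr '[:upper:]' '[:lower:]'
}

# Percent-encode everything outside the URL unreserved set so that spaces
# or punctuation in a device or group name cannot break the query string.
urlencode() {
    s="$1"
    out=""
    while [ -n "$s" ]; do
        c="${s%"${s#?}"}"      # first character of $s
        s="${s#?}"             # drop it
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Full API URL for the category on a given policy server.
websense_category_url() {
    printf 'https://%s:15873/api/web/v1/categories/urls?catname=%s' \
        "$1" "$(urlencode "$(websense_catname "$2" "$3")")"
}

# Query the policy server and print the category body on HTTP 200.
verify_push() {
    host="$1"; device="$2"; group="$3"
    url="$(websense_category_url "$host" "$device" "$group")"
    body="$(mktemp)"
    : "${WEBSENSE_API_USER:?set WEBSENSE_API_USER}"
    : "${WEBSENSE_API_PASS:?set WEBSENSE_API_PASS}"
    set -- -sS -K - -o "$body" -w '%{http_code}' "$url"
    # Verify the server certificate when a CA bundle is available; -k (as on
    # the page) disables verification and is the fallback, not the default.
    if [ -n "${WEBSENSE_CA_BUNDLE:-}" ]; then
        set -- --cacert "$WEBSENSE_CA_BUNDLE" "$@"
    else
        set -- -k "$@"
    fi
    # Credentials are handed to curl as a config file on stdin (-K -) so that
    # they do not appear in the process list or in shell history.
    status="$(printf 'user = "%s:%s"\n' "$WEBSENSE_API_USER" "$WEBSENSE_API_PASS" \
        | curl "$@")" || { rm -f "$body"; return 1; }
    if [ "$status" != "200" ]; then
        printf 'HTTP %s from %s\n' "$status" "$url" >&2
        rm -f "$body"
        return 1
    fi
    cat "$body"
    rm -f "$body"
}

# Usage: ./verify_push.sh <policy-server-ip> <device name> <IOC group name>
if [ "$#" -eq 3 ]; then
    verify_push "$1" "$2" "$3"
fi
```

Run it from the Threat Command virtual appliance with the API credentials exported in the environment, for example `WEBSENSE_API_USER=... WEBSENSE_API_PASS=... ./verify_push.sh 10.0.0.5 "Websense-Prod" "Block List"`. Immediately after integration the category may not exist yet; the page notes that the first push can take several minutes, so retry before concluding that the integration is broken.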