AlienVault® USM Anywhere™

Websense Web Security Gateway

When you configure Websense Web Security Gateway to send log data to USM Anywhere, you can use the Websense plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

  Device Details
    Vendor:          Websense
    Device Type:     Application Firewall
    Connection Type: Syslog

Note: There is also a Triton plugin provided for integration with versions of the Web Security Gateway product released after Forcepoint acquired Websense.

Integrating Web Security Gateway

Each Websense Web Security policy server instance in your deployment must be configured to send log data to a USM Anywhere Sensor over the Syslog protocol.

To configure Websense Web Security to send log data to USM Anywhere

Note: Before using this page to enable USM Anywhere integration, make sure that an instance of Websense Multiplexer is installed for each policy server in your environment.

  1. Go to Settings > General > SIEM Integration.
  2. Select Enable SIEM integration for this Policy Server to enable SIEM integration.
  3. Provide the IP address or hostname of the USM Anywhere Sensor that will receive the data, as well as the communication port to use for sending it.
  4. Specify UDP as the Transport protocol to use when sending data to the SIEM product (USM Anywhere).
  5. Select the SIEM format to use. This determines the syntax of the string used to pass log data to the integration.
    • The available formats are syslog/CEF (ArcSight), syslog/key-value pairs (Splunk and others), syslog/LEEF (QRadar), and Custom. For USM Anywhere, choose syslog/key-value pairs (Splunk and others).

      If you select a non-custom option, a sample Format string showing fields and value keys is displayed.

  6. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

After you save your changes, Websense Multiplexer connects to the Filtering Service and takes over the job of distributing log data to both Log Server and the selected SIEM (USM Anywhere) integration.

Note: Although the same data is passed from the Websense Filtering Service to both Log Server and the SIEM product, Log Server may be configured to perform data reduction processing tasks, such as recording visits instead of hits or consolidating log records. Because the SIEM product does not perform these data reduction tasks, there may be more SIEM entries than records in the Log Database.

Plugin Enablement

For plugin enablement information, see Manual Integration Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • bytes_in
  • bytes_out
  • content_category
  • customfield_1
  • customfield_2
  • destination_address
  • destination_hostname
  • destination_port
  • destination_username
  • duration
  • event_action
  • event_description
  • event_name
  • event_severity
  • policy
  • rep_device_model
  • rep_device_vendor
  • rep_device_version
  • request_content_type
  • request_http_version
  • request_method
  • request_url
  • request_user_agent
  • response_code
  • source_address
  • source_hostname
  • source_port
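The following is an added example, not AlienVault or Websense code, showing what the plugin's normalization step amounts to for the syslog/key-value pairs format selected in step 5 above: raw `key=value` tokens are parsed out of each syslog line and renamed to the plugin fields listed on this page, and the normalized events are then checked with a simple correlation-style count. The raw key names (`src_host`, `http_response`, and so on), the sample log lines, and the raw-to-plugin-field mapping are assumptions constructed for this example and are not taken from the page or the vendor format specification.

```python
"""Normalize constructed Websense syslog/key-value lines into USM Anywhere plugin fields.

Added example; not AlienVault or Websense code. Raw key names and KEY_MAP are
assumptions modelled on a key-value syslog format, not values taken from this page.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# key=value where value is a double-quoted string (allowing \" escapes) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed raw key -> plugin field name. The right-hand names are the fields this page lists.
KEY_MAP: Dict[str, str] = {
    "vendor": "rep_device_vendor", "product": "rep_device_model",
    "product_version": "rep_device_version", "action": "event_action",
    "severity": "event_severity", "category": "content_category",
    "user": "destination_username", "src_host": "source_address",
    "src_port": "source_port", "dst_host": "destination_address",
    "dst_port": "destination_port", "bytes_in": "bytes_in", "bytes_out": "bytes_out",
    "http_response": "response_code", "http_method": "request_method",
    "http_content_type": "request_content_type", "http_user_agent": "request_user_agent",
    "policy": "policy", "duration": "duration", "url": "request_url",
}
INT_FIELDS = {"source_port", "destination_port", "bytes_in", "bytes_out",
              "response_code", "duration", "event_severity"}

# Constructed sample input: three key-value lines and one non key-value line.
SAMPLE_LINES: List[str] = [
    '<14>Jun 12 10:15:32 wsg-policy01 vendor=Websense product="Security" product_version=8.5.0 '
    'action=blocked severity=2 category=153 user="corp\\jdoe" src_host=10.1.2.3 src_port=51234 '
    'dst_host=198.51.100.7 dst_port=443 bytes_out=512 bytes_in=0 http_response=403 http_method=GET '
    'http_content_type="text/html" http_user_agent="Mozilla/5.0 (X11)" policy="Default" duration=0 '
    'url="https://example.invalid/download.exe"',
    '<14>Jun 12 10:15:35 wsg-policy01 vendor=Websense product="Security" product_version=8.5.0 '
    'action=permitted severity=1 category=76 user="corp\\asmith" src_host=10.1.2.9 src_port=50211 '
    'dst_host=203.0.113.5 dst_port=80 bytes_out=1024 bytes_in=20480 http_response=200 http_method=GET '
    'http_content_type="image/png" http_user_agent="Mozilla/5.0 (X11)" policy="Default" duration=120 '
    'url="http://example.invalid/logo.png"',
    '<14>Jun 12 10:15:41 wsg-policy01 vendor=Websense product="Security" product_version=8.5.0 '
    'action=blocked severity=2 category=153 user="corp\\jdoe" src_host=10.1.2.3 src_port=51240 '
    'dst_host=198.51.100.7 dst_port=443 bytes_out=498 bytes_in=0 http_response=403 http_method=GET '
    'http_content_type="text/html" http_user_agent="Mozilla/5.0 (X11)" policy="Default" duration=0 '
    'url="https://example.invalid/setup.exe"',
    '<14>Jun 12 10:15:44 wsg-policy01 Multiplexer: connection to Filtering Service restored',
]


def parse_kv_line(line: str) -> Optional[Dict[str, str]]:
    """Extract raw key=value pairs; return None when the line carries none."""
    pairs = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"') and len(value) >= 2:
            value = value[1:-1].replace('\\"', '"')  # strip quotes, unescape \"
        pairs[key] = value
    return pairs or None


def normalize(raw: Dict[str, str]) -> Dict[str, object]:
    """Rename raw keys to plugin field names; cast numeric fields, keep text on failure."""
    event: Dict[str, object] = {}
    for key, value in raw.items():
        field = KEY_MAP.get(key)
        if field is None:
            continue  # key not mapped to a plugin field; dropped here
        if field in INT_FIELDS:
            try:
                event[field] = int(value)
                continue
            except ValueError:
                pass  # leave the original text rather than discard the event
        event[field] = value
    return event


def process(lines: List[str]) -> Tuple[List[Dict[str, object]], int]:
    """Return (normalized events, count of lines skipped because they had no pairs)."""
    events, skipped = [], 0
    for line in lines:
        raw = parse_kv_line(line)
        if raw is None:
            skipped += 1
            continue
        events.append(normalize(raw))
    return events, skipped


def blocked_sources(events: List[Dict[str, object]], threshold: int) -> List[str]:
    """Source addresses with at least `threshold` blocked events, a simple correlation check."""
    counts = Counter(e["source_address"] for e in events
                     if e.get("event_action") == "blocked" and "source_address" in e)
    return sorted(addr for addr, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs, skipped = process(SAMPLE_LINES)
    print(f"{len(evs)} events normalized, {skipped} line(s) skipped")
    print("sources with repeated blocks:", blocked_sources(evs, 2))
```

Lines that carry no key-value pairs (the constructed Multiplexer status line) are counted rather than silently dropped, which is the number to compare against the SIEM entry count when the note above about data reduction leaves you wondering why the SIEM and Log Database totals differ.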

Additional Resources and Troubleshooting

For troubleshooting, see the vendor documentation.

For more detailed information about the data passed to the SIEM integrations, refer to the document "Integrating web protection solutions with third-party SIEM products". Subsections of this document provide mapping information for category numbers, disposition codes, reason strings, and other information included in the SIEM output.