Using Forcepoint NGFW advanced workbook to gain deep security analytics and insights
Published Jun 03 2022 05:54 AM


Organizations that use Forcepoint next-generation firewalls usually have the following challenges:

  • Gaining advanced security analytics coupled with threat intelligence feeds.
  • Comprehensively monitoring the administration activities on the Forcepoint management platform (SMC).
  • Monitoring the Forcepoint logger infrastructure for service health issues, to mitigate and avoid operational impact.

This workbook (dashboard) helps organizations that use Forcepoint next-generation firewalls by providing deep security insights and application protocol analytics, as well as monitoring of admin activities and logger server health.


Managed security service provider (MSSP) organizations managing Forcepoint next-generation firewalls for their customers can also leverage this solution to provide their customers with deep analytics and insights into their security posture and help them mitigate various kinds of threats.


Workbook sections:

  • Overview: Provides a high-level overview of the data ingestion amount, health, and statistics. This tab makes it easy to identify ingestion health issues or anomalies.
  • Events and Protocols: Provides deep visibility into the firewall events of several types (permit, discard, terminate). It also provides insights into application protocol statistics, with the ability to interactively filter and drill down to a single connection, URL, or IP address.
  • Security Insights: Provides insights that are correlated with Microsoft threat intelligence feeds on malicious connections to specific countries of interest, botnet connections, potential attacks using common ports, vulnerability-related connections, and connections including compromised file hashes and URLs.
  • Audit: Helps monitor the administrative activities in terms of sign-in and sign-out events as well as configuration changes.
  • Logger Health: Helps monitor the health of the Forcepoint logger servers, including average and maximum processor utilization, flagging any loggers that need immediate attention.


Forcepoint Logging Configuration Requirements:

Forcepoint SMC should be configured to activate the following logging containers:

  • IP traffic logs
  • URL logging
  • File artifacts logging (file name, file hash, …etc.)
  • Threat detection logs
  • Vulnerability information.

Workbook Template Location:

This workbook template is available on GitHub: Azure-Sentinel/ForcepointNGFWAdvanced.json at master · Azure/Azure-Sentinel





Enabling The Workbook from Microsoft Sentinel:

Navigate to "Workbooks" in the Microsoft Sentinel blade, select "Templates", then filter on “Forcepoint Next Generation Firewall (NGFW) Advanced Workbook”.



Ensure the three tables below have data ingested into them:

  1. CommonSecurityLog: this table becomes active as a result of forwarding CEF logs.
  2. ThreatIntelligenceIndicator: this table becomes active as a result of connecting the "Microsoft Threat Intelligence" data connector.
  3. Perf: this table becomes active as a result of ingesting performance logs from the Forcepoint logger. You may want to keep this table in a non-Microsoft Sentinel workspace in order to avoid the ingestion costs of performance logs. In this case, replace the “Perf” statement in the workbook KQL query with the cross-workspace statement workspace("Your-Perf-Logs-Workspace").Perf





Save the workbook to the active workbooks.

  • Ensure accuracy of the “DeviceVendor” parameter:

Different Forcepoint NGFW models and firmware versions produce slightly different values in the “DeviceVendor” field. If the value is anything other than “Forcepoint”, you will need to modify this line in the workbook queries:




| where DeviceVendor =~ 'Forcepoint'
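The two prerequisites above (data in all three tables, and a "DeviceVendor" value that matches the workbook filter) can be checked before saving the workbook. The queries below are an added example, not part of the workbook template; the 24-hour window and the output column names are assumptions.

```kql
// Added example (not from the workbook template). Run each query separately.

// Query 1: do the three tables the workbook reads have recent data?
// isfuzzy=true lets the query run even if one table does not exist yet;
// a table that is missing from the result has no rows in the window.
// If Perf lives in another workspace, replace Perf with
// workspace("Your-Perf-Logs-Workspace").Perf as described above.
union withsource=SourceTable isfuzzy=true
    CommonSecurityLog, ThreatIntelligenceIndicator, Perf
| where TimeGenerated > ago(24h)          // assumed lookback window
| summarize Rows = count(), LastRecord = max(TimeGenerated) by SourceTable

// Query 2: which DeviceVendor strings are the CEF sources actually sending?
// Rows where MatchesWorkbookFilter is false are not picked up by the
// workbook's "| where DeviceVendor =~ 'Forcepoint'" line.
CommonSecurityLog
| where TimeGenerated > ago(24h)          // assumed lookback window
| summarize Events = count(), LastRecord = max(TimeGenerated)
    by DeviceVendor, DeviceProduct
| extend MatchesWorkbookFilter = (DeviceVendor =~ 'Forcepoint')
| order by MatchesWorkbookFilter desc, Events desc
```

If the firewalls appear in Query 2 under a different vendor string, use that string in the workbook's DeviceVendor filter.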





Below are further details on each tab.


Overview Tab

The first part of the overview tab shows the top reporting firewall engines by ingestion size as well as the top events by facility type (alerts, audit events or firewall events). It also helps spot any sudden increase in activities of a specific type, which might indicate a threat or an unusual event such as a huge number of open connections or DNS queries.



The second part of the overview tab helps to spot an increase in events with a specific severity or associated with a source IP address, which can also indicate an anomaly that would warrant further analysis.



Events and Protocols Tab

The first visualization helps in drilling down to specific events, filtered by an action type, such as finding all the events with firewall “terminate” action within a specific timeframe.



The second group of visualizations drills down into the application protocol insights, where we can understand the application protocol usage in terms of number of connections and sent or received data size. The “Data flow” and “Aggregated connections” visualizations can also be filtered interactively to understand the flow details of a specific application between different source and destination IP addresses.



The third group of visualizations helps to understand the top reasons for discarded packets. Here you can interactively filter the “Top source IP addresses for discards” chart and the log table to capture specific events with all the artifacts. This helps identify internal source IP addresses that perform layer-4 attacks such as active port scanning, forged TCP packets and other attack types.




The last part of the tab identifies the top application downloads by firewall engines and source IP addresses, which impacts the network utilization within a firewall site.



Security Insights

The first visualization aggregates the communications and applies a geolocation mechanism to help show communications with suspicious countries of interest, and then correlates with Microsoft threat intelligence to identify the malicious actors within those communications, such as botnets or command and control centres.



The second part of the visualization helps identify all malicious connections as correlated with Microsoft threat intelligence feeds, as well as discovering potential attacks using risky ports, such as SSH and RDP brute force attempts. It provides a partial mechanism to detect DDoS attack artifacts using UDP, DNS, NTP reflection attacks and others.
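The correlation described above can be reproduced outside the workbook with a join between the firewall logs and the indicator table. This is an added example, not the workbook's own query; the lookback windows and output column names are assumptions, and it matches on destination IP only.

```kql
// Added example (not the workbook's own query): firewall connections whose
// destination IP matches an active threat intelligence indicator.
let ioc_lookback = 14d;   // assumption: how far back to read indicators
let log_lookback = 1d;    // assumption: firewall log window to check
let indicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(ioc_lookback)
    // keep only the latest version of each indicator
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | project TI_IP = NetworkIP, ThreatType, Description, ConfidenceScore;
CommonSecurityLog
| where TimeGenerated > ago(log_lookback)
| where DeviceVendor =~ 'Forcepoint'
| where isnotempty(DestinationIP)
| join kind=inner indicators on $left.DestinationIP == $right.TI_IP
| summarize Connections = count(),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated),
            Ports       = make_set(DestinationPort, 20),
            Actions     = make_set(DeviceAction, 10)
    by SourceIP, DestinationIP, ThreatType, Description
| order by Connections desc
```

The Actions column shows whether the firewall permitted or discarded the matched traffic, which is the first thing to triage for each internal SourceIP.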




The chart below shows which malware detections were made by the firewall and provides granular details on the selected part of the chart.



The last chart analyses the connections and surfaces vulnerability-related connections. This can help customers mitigate threats by remediating the identified vulnerabilities in their systems.




Audit tab

These sets of visualizations help to monitor and filter different admin activities taking place on the Forcepoint management platform (SMC). The time brush chart helps us visualize and filter on sudden admin event spikes which can indicate malicious admin access and possible changes to the configurations, such as adding allow rules, removing or manipulating IPS policies.



The below tables monitor the admin sign-in and sign-out events from the SMC platform.



Logger Health

This tab monitors the health and performance of the Forcepoint logging server infrastructure. In large environments with multiple logger servers, an increase in traffic, anomalous events, or server performance issues can result in an operational impact.

The first chart monitors the number of daily events per second (EPS). This helps to establish whether we need to add more Microsoft Sentinel CEF collector servers as a result of introducing new Forcepoint logger servers or an increase in the amount of traffic.

The second one monitors the number of daily reporting logger servers.




The charts below show the average processor utilization, as well as loggers which need immediate attention or resource upgrades due to reaching multiple 100% spikes. This helps avoid operational issues such as having one or more logger servers crashing.



The charts below help understand and diagnose patterns of high processor utilization due to a certain event, for example, an issue that is causing a group of loggers to spike their processor utilization.



Hope this workbook is helpful for you. For more resources on how to create and customize workbooks using KQL, check out the section below.


Additional Resources:

Let’s make the world safer with Microsoft Sentinel!

Last update: Jun 03 2022 02:47 AM