Organizations that use Forcepoint next-generation firewalls usually have the following challenges:
This workbook (dashboard) helps organizations that use Forcepoint next-generation firewalls by providing deep security insights and application protocol analytics, and by monitoring admin activity and the health of the logger server(s).
Managed security service provider (MSSP) organizations that manage Forcepoint next-generation firewalls for their customers can also use this solution to give their customers deep analytics on their security posture and help them mitigate various kinds of threats.
Workbook sections:
Forcepoint Logging Configuration Requirements:
Forcepoint SMC should be configured to activate the following logging containers:
Workbook Template Location:
This workbook template is available on this GitHub link: Azure-Sentinel/ForcepointNGFWAdvanced.json at master · Azure/Azure-Sentinel (github.com)
Enabling The Workbook from Microsoft Sentinel:
Navigate to "Workbooks" in the Microsoft Sentinel blade, select "Templates", then filter on "Forcepoint Next Generation Firewall (NGFW) Advanced Workbook".
Ensure the three tables below have data ingested into them:
Save the workbook to the active workbooks.
Different Forcepoint NGFW models and firmware versions produce slightly different values in the "DeviceVendor" field. If the value in your logs is anything other than "Forcepoint", you will need to modify this line in the workbook queries:
| where DeviceVendor =~ 'Forcepoint'
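As an added example (not part of the workbook template), the two queries below first check which vendor strings are actually present in CommonSecurityLog, and then show a filter that matches several spellings at once so the workbook does not have to be edited per engine. The value "Forcepoint-Placeholder" is an assumed stand-in to be replaced with whatever the first query returns.

```kql
// Added example, not from the workbook template.
// Query 1: list the DeviceVendor / DeviceProduct pairs seen in the last 7 days,
// so the workbook filter can be matched to what is really being ingested.
CommonSecurityLog
| where TimeGenerated > ago(7d)
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by DeviceVendor, DeviceProduct
| order by Events desc

// Query 2 (run separately): accept every vendor spelling in one case-insensitive
// filter. "Forcepoint-Placeholder" is an assumed value; replace it with a
// string returned by Query 1.
let ForcepointVendors = datatable(DeviceVendor: string)
[
    "Forcepoint",
    "Forcepoint-Placeholder"
];
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in~ (ForcepointVendors)
| summarize Events = count() by DeviceVendor, DeviceProduct, DeviceEventClassID
| order by Events desc
```

Because `in~` against the `datatable` is case-insensitive, it also covers differences such as "forcepoint" versus "Forcepoint" without a separate clause; the same `let` block can be pasted at the top of each workbook query in place of the single `=~` comparison.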
Below are further details on each tab.
Overview Tab
The first part of the overview tab shows the top reporting firewall engines by ingestion size, as well as the top events by facility type (alerts, audit events or firewall events). It also helps spot any sudden increase in activity of a specific type, which might indicate a threat or an unusual event such as a very large number of open connections or DNS queries.
The second part of the overview tab helps spot an increase in events with a specific severity or associated with a specific source IP address, which can also indicate an anomaly that warrants further analysis.
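The spikes the overview tab is meant to surface can also be found programmatically. The following query is an added example written for this article, not one of the workbook's own queries: it builds an hourly time series per event type and severity and lets Kusto's seasonal decomposition flag hours whose count is well above the learned baseline. The 14-day lookback, hourly bin and 1.5 threshold are tuning choices, not values from the workbook.

```kql
// Added example, not from the workbook template.
// Flag sudden increases in the hourly event count per CEF event type
// (DeviceEventClassID) and severity, using series_decompose_anomalies.
let lookback = 14d;      // history used to learn the baseline (assumed value)
let binSize  = 1h;       // time-series resolution (assumed value)
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor =~ 'Forcepoint'
| make-series EventCount = count() default = 0
    on TimeGenerated from ago(lookback) to now() step binSize
    by DeviceEventClassID, LogSeverity
// threshold 1.5 = default sensitivity, -1 = auto-detect seasonality,
// 'linefit' = model the trend as a line
| extend (Anomalies, Score, Baseline) =
    series_decompose_anomalies(EventCount, 1.5, -1, 'linefit')
| mv-expand TimeGenerated to typeof(datetime),
            EventCount    to typeof(long),
            Anomalies     to typeof(long),
            Score         to typeof(double),
            Baseline      to typeof(double)
| where Anomalies == 1      // 1 = spike above baseline, -1 = dip, 0 = normal
| project TimeGenerated, DeviceEventClassID, LogSeverity,
          EventCount, Baseline = round(Baseline, 1), Score = round(Score, 2)
| order by Score desc
```

Replacing the `by DeviceEventClassID, LogSeverity` clause with `by SourceIP` gives the per-source view described in the second part of the tab; in that case restrict the sources to a top-N list first, because `make-series` over every source address in a busy firewall produces far more series than a workbook chart can render.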
Events and Protocols Tab
The first visualization helps in drilling down to specific events filtered by action type, such as finding all events with the firewall "terminate" action within a specific timeframe.
The second group of visualizations drills down into application protocol insights, showing application protocol usage in terms of number of connections and sent or received data size. The "Data flow" and "Aggregated connections" visualizations can be filtered interactively to understand the flow details of a specific application between different source and destination IP addresses.
The third group of visualizations helps to understand the top reasons for discarded packets. Here you can interactively filter the "Top source IP addresses for discards" chart and the log table to capture specific events with all their artifacts. This helps identify internal source IP addresses performing layer-4 attacks such as active port scanning, forged TCP packets and other attack types.
The last part of the tab identifies the top application downloads by firewall engine and source IP address, which affect network utilization within a firewall site.
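To turn the discard visualizations into a concrete port-scan check, the query below is an added example (not the workbook's own query). It groups discarded packets by internal source address in five-minute windows and reports sources that touched many distinct destination ports, which is the signature of active scanning. The action string "Discard", the 5-minute window and the 50-port threshold are assumptions to be checked against your own data.

```kql
// Added example, not from the workbook template.
// Internal sources whose discarded packets hit many distinct destination ports
// in a short window: a simple port-scan indicator built on the discard events.
let DiscardAction = "Discard";   // assumption: verify against your DeviceAction values
let window        = 5m;          // assumed detection window
let minPorts      = 50;          // assumed threshold, tune to your environment
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor =~ 'Forcepoint'
| where DeviceAction =~ DiscardAction
| where ipv4_is_private(SourceIP)          // internal sources only
| summarize DistinctPorts = dcount(DestinationPort),
            DistinctHosts = dcount(DestinationIP),
            Discards      = count(),
            TopReasons    = make_set(Reason, 5),   // top discard reasons seen
            FirstSeen     = min(TimeGenerated),
            LastSeen      = max(TimeGenerated)
    by SourceIP, DeviceName, Window = bin(TimeGenerated, window)
| where DistinctPorts >= minPorts
| extend PortsPerHost = round(todouble(DistinctPorts) / DistinctHosts, 1)
| order by DistinctPorts desc
```

A high `DistinctPorts` with a low `DistinctHosts` points at a vertical scan of one or two targets, while many hosts with a handful of ports each suggests a horizontal sweep for a specific service; `TopReasons` shows whether the engine discarded the packets as policy denies or as malformed traffic, which separates scanning from forged-packet attacks.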
Security Insights
The first visualization aggregates the communications and applies geolocation to show communications with suspicious countries of interest, then correlates them with Microsoft threat intelligence to identify the malicious actors within those communications, such as botnets or command and control centres.
The second part of the visualization identifies all malicious connections as correlated with Microsoft threat intelligence feeds, and surfaces potential attacks on risky ports, such as SSH and RDP brute-force attempts. It also provides a partial mechanism for detecting DDoS artifacts such as UDP, DNS and NTP reflection attacks.
The chart below shows which malware detections were made by the firewall and provides granular details on the selected part of the chart.
The last chart analyses the connections and shows those related to known vulnerabilities. This can help customers mitigate threats by remediating the identified vulnerabilities in their systems.
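The geolocation and threat-intelligence correlation described above can be reproduced with the query below, an added example written for this article rather than the workbook's own query. It summarizes outbound connections per source/destination pair, enriches the destination with `geo_info_from_ip_address()`, and joins it against active, unexpired indicators in the `ThreatIntelligenceIndicator` table. The table and column names follow the legacy Sentinel TI schema; workspaces on the newer `ThreatIntelIndicators` table need the join side adjusted.

```kql
// Added example, not from the workbook template.
// Outbound firewall connections enriched with geolocation and matched
// against active threat-intelligence indicators.
let lookback = 1d;                 // assumed analysis window
let ti = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d)
    | where Active == true and ExpirationDateTime > now()
    // an indicator may carry the address in either column
    | extend IndicatorIP = iff(isnotempty(NetworkDestinationIP),
                               NetworkDestinationIP, NetworkIP)
    | where isnotempty(IndicatorIP)
    // keep the latest version of each indicator
    | summarize arg_max(TimeGenerated, ThreatType, Description, ConfidenceScore)
        by IndicatorIP;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor =~ 'Forcepoint'
| where ipv4_is_private(SourceIP) and not(ipv4_is_private(DestinationIP))
| summarize Connections = count(),
            Bytes       = sum(SentBytes) + sum(ReceivedBytes),
            LastSeen    = max(TimeGenerated)
    by SourceIP, DestinationIP, DestinationPort, ApplicationProtocol
| extend Geo = geo_info_from_ip_address(DestinationIP)
| extend Country = tostring(Geo.country), City = tostring(Geo.city)
| join kind=inner ti on $left.DestinationIP == $right.IndicatorIP
| project LastSeen, SourceIP, DestinationIP, DestinationPort, ApplicationProtocol,
          Country, City, Connections, Bytes, ThreatType, ConfidenceScore, Description
| order by ConfidenceScore desc, Connections desc
```

Summarizing before the join keeps the join input to one row per destination rather than one per packet, which matters on a firewall that logs millions of connections a day; the `Country` column produced by the same enrichment is what a "countries of interest" filter in a workbook parameter would be applied to.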
Audit tab
This set of visualizations helps to monitor and filter the different admin activities taking place on the Forcepoint management platform (SMC). The time brush chart helps visualize and filter on sudden spikes in admin events, which can indicate malicious admin access and possible configuration changes, such as adding allow rules or removing or manipulating IPS policies.
The tables below monitor admin sign-in and sign-out events on the SMC platform.
Logger Health
This tab monitors the health and performance of the Forcepoint logging server infrastructure. In large environments with multiple logger servers, an increase in traffic, anomalous events or server performance issues can have an operational impact.
The first chart monitors the daily number of events per second (EPS). This helps establish whether more Microsoft Sentinel CEF collector servers are needed as a result of introducing new Forcepoint logger servers or an increase in the amount of traffic.
The second one monitors the number of daily reporting logger servers.
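A daily EPS average alone understates what a collector must absorb, because syslog traffic arrives in bursts. The query below is an added example (not the workbook's own query) that reports, per sending host and per day, both the daily average EPS and the peak one-minute EPS, which is the number collector sizing should be based on. It assumes that the `Computer` column identifies the host the CEF collector received the events from; which column carries the Forcepoint log server name depends on the connector in use, so check it in your own data.

```kql
// Added example, not from the workbook template.
// Daily average EPS versus peak 1-minute EPS per sending host.
let lookback = 30d;                // assumed reporting window
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor =~ 'Forcepoint'
// first pass: events per minute per host
| summarize PerMinute = count() by Computer, Minute = bin(TimeGenerated, 1m)
// second pass: roll the minutes up into days, keeping the busiest minute
| summarize DailyEvents   = sum(PerMinute),
            PeakEPS       = round(max(PerMinute) / 60.0, 1),
            ActiveMinutes = count()
    by Computer, Day = bin(Minute, 1d)
| extend AvgEPS = DailyEvents / 86400.0
| extend PeakToAvg = iff(AvgEPS > 0, round(PeakEPS / AvgEPS, 1), real(null))
| project Day, Computer, DailyEvents, AvgEPS = round(AvgEPS, 1), PeakEPS,
          PeakToAvg, ActiveMinutes
| order by Day desc, PeakEPS desc
```

`ActiveMinutes` well below 1440 on a day shows that a host stopped sending for part of it, which is the same gap the "daily reporting logger servers" chart is meant to expose; a large `PeakToAvg` ratio is the sign that an additional collector is needed even when the daily average looks comfortable.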
The charts below show average processor utilization, as well as loggers that need immediate attention or resource upgrades because they repeatedly spike to 100%. This helps avoid operational issues such as one or more logger servers crashing.
The charts below help understand and diagnose patterns of high processor utilization caused by a certain event, for example an issue that is causing a group of loggers to spike their processor utilization.
Hope this workbook is helpful for you. For more resources on how to create and customize workbooks using KQL, check out the section below.
Additional Resources:
Let’s make the world safer with Microsoft Sentinel!