Websense
Websense DLP (now Forcepoint DLP Endpoint) is a comprehensive, secure, and easy-to-use endpoint data loss prevention solution. It monitors real-time traffic and applies customized security policies over application and storage interfaces, as well as for data discovery. This solution allows security administrators to either block or monitor and log files that present a policy breach, and to create policies that don't restrict device usage but allow full visibility of content traffic. Administrators can monitor user activity inside endpoint applications, endpoint web activities, Microsoft Outlook email, and when users are copying data to external drives and endpoint devices. In the Common Information Model, Websense DLP data is mapped to the Alerts data model.
Configuration
Guidance for onboarding data can be found in the Splunk Documentation:
- Getting Data In (Splunk Enterprise)
- Getting Data In (Splunk Cloud)
- Get data into Splunk Observability Cloud
Refer to the documentation, and note the following:
- Source type: websense:dlp:system:cef
- Add-on: Splunk Add-on for Websense DLP
Validation
Validate the input and confirm the data is being ingested by running the following search:
sourcetype=websense:dlp* | head
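The source type name indicates that the events arrive as CEF records. As an added illustration that is not part of the add-on or of the Splunk documentation, the following Python parser shows how such a record is split into its seven header fields and its key=value extension, including the CEF escapes (`\|` in the header, `\=` and `\\` in the extension) that a naive split on `|` or `=` would get wrong. The sample line, the vendor/product strings and the extension key names are constructed for this example and are not taken from the add-on.

```python
import re

# The seven pipe-delimited CEF header fields, in order.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # unescaped "key=" markers
_UNESCAPE = {"\\\\": "\\", "\\=": "=", "\\n": "\n", "\\r": "\r"}

def _unescape_ext(value: str) -> str:
    """Undo the CEF extension escapes (\\\\, \\=, \\n, \\r)."""
    return re.sub(r"\\[\\=nr]", lambda m: _UNESCAPE[m.group(0)], value)

def _split_header(line: str):
    """Return the 7 header fields and the raw extension; '\\|' and '\\\\' are escapes."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):       # escaped char: keep it literally
            cur.append(line[i + 1]); i += 2
        elif ch == "|":                            # unescaped pipe ends a field
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 pipe-delimited fields")
    return fields, line[i:]

def parse_cef(line: str) -> dict:
    """Parse one CEF line into a flat dict of header and extension fields."""
    fields, ext = _split_header(line.strip())
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields[0] = fields[0][len("CEF:"):]
    event = dict(zip(HEADER_FIELDS, fields))
    keys = list(_KEY_RE.finditer(ext))            # values may contain spaces, so
    for k, m in enumerate(keys):                   # each runs until the next key
        end = keys[k + 1].start() if k + 1 < len(keys) else len(ext)
        event[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return event

# Constructed sample record (not captured from a real Websense DLP deployment).
SAMPLE = (
    r"CEF:0|Websense|DLP Endpoint|8.5|CONSTRUCTED-1|Policy breach \| Removable media|7|"
    r"act=Blocked suser=jdoe fname=Q3 payroll\=final.xlsx dst=10.0.0.5 msg=Copy to removable media\\USB"
)

if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE).items():
        print(f"{key}={value!r}")
```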
Application
When your Splunk deployment is ingesting Websense DLP data, you can use the data to achieve the following: