Splunk Lantern

Websense


Websense DLP (now Forcepoint DLP Endpoint) is a comprehensive, secure, and easy-to-use endpoint data loss prevention solution. It monitors real-time traffic and applies customized security policies over application and storage interfaces, as well as for data discovery. This solution allows security administrators to either block, or monitor and log, files that present a policy breach, and to create policies that don't restrict device usage but allow full visibility of content traffic. Administrators can monitor user activity inside endpoint applications, endpoint web activities, Microsoft Outlook email, and when users are copying data to external drives and endpoint devices. In the Common Information Model, Websense DLP data is mapped to the Alerts data model.
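Because the data is CIM-mapped, the Alerts data model can be queried with tstats instead of searching raw events. The following search is an added example, not part of the original Lantern page or the Websense add-on; it assumes the standard CIM Alerts fields (Alerts.severity, Alerts.signature, Alerts.user, Alerts.src) and that the sourcetype filter from the validation search below matches your ingested data. It summarizes policy-breach alerts by severity, policy name, user, and source so that the noisiest policies and users can be reviewed, and summariesonly=false lets it return results even before data model acceleration has been enabled.

```spl
| tstats summariesonly=false count
    from datamodel=Alerts
    where sourcetype="websense:dlp*"
    by Alerts.severity Alerts.signature Alerts.user Alerts.src
| rename Alerts.* as *
| sort - count
```

Once acceleration is enabled for the Alerts data model, change summariesonly=false to summariesonly=true for much faster results; if the search returns nothing, first confirm that the validation search below returns events and that those events carry the CIM tags the Alerts model expects.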

Configuration

Guidance for onboarding data can be found in the Splunk Documentation: 

Refer to the documentation, and note the following:

Validation

Validate the input and confirm the data is being ingested by running the following search:

sourcetype=websense:dlp* | head

Application

When your Splunk deployment is ingesting Websense DLP data, you can use the data to achieve the following: