Triton AP-Websense SIEM Logstash Output Configuration

The following configuration will make it easier to parse Syslog messages sent from your Websense appliance to your ELK stack.

If you need assistance setting up SIEM integration with Websense, you may follow their official guide, which is fairly straightforward.

Additionally, here's the documentation for category IDs and classifications, which helped tremendously in identifying which event IDs correspond to which events:

TRITON AP-WEB and Web Filter & Security, v8.3.x

Finally: Here’s the Logstash configuration:

Note: you may uncomment the GeoIP section to get geolocation information for the outbound connections.

Here's a Kibana query to identify potential threats based on the outbound connection category:
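The author's configuration and query are not reproduced on this page. As an added illustration (not the author's own configuration), here is a minimal Logstash pipeline of the kind described above: a syslog input, key=value parsing of the Websense SIEM message body, a tag applied when the category ID matches a threat class (the Logstash-side equivalent of filtering on category in Kibana), and the GeoIP section left commented out. The listening port and the field names (category, dst_host) are assumptions, and the category IDs are placeholders to be filled in from the v8.3.x category documentation linked above.

```logstash
input {
  # Websense SIEM integration forwards events as syslog; a dedicated
  # port (assumed here) keeps these events on their own "type".
  syslog {
    port => 5514
    type => "websense"
  }
}

filter {
  if [type] == "websense" {
    # The SIEM message body is a series of key=value pairs. Field names
    # such as category and dst_host are assumptions about that format.
    kv {
      source      => "message"
      field_split => " "
      value_split => "="
      target      => "websense"
    }

    # Tag outbound connections whose numeric category ID belongs to a
    # threat class. The IDs below are PLACEHOLDERS; replace them with the
    # IDs from the category documentation for your version.
    if [websense][category] in ["PLACEHOLDER_CATEGORY_ID_1", "PLACEHOLDER_CATEGORY_ID_2"] {
      mutate { add_tag => ["potential_threat"] }
    }

    # Optional: uncomment to enrich the destination address with geolocation.
    # geoip {
    #   source => "[websense][dst_host]"
    #   target => "geoip"
    # }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "websense-%{+YYYY.MM.dd}"
  }
}
```

In Kibana the same check is a filter on the parsed category field (for example `websense.category` against the threat-class IDs), or simply on the `potential_threat` tag if the pipeline above is used.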

Here’s an example of a dashboard created based on the information collected.

Hope this helps!
