Forcepoint Stonesoft Management Center

The IBM QRadar DSM for Forcepoint Stonesoft Management Center collects events from a StoneGate device by using syslog.

The following table describes the specifications for the Stonesoft Management Center DSM:

Table 1. Stonesoft Management Center DSM specifications

  Specification                 Value
  Manufacturer                  FORCEPOINT
  DSM name                      Stonesoft Management Center
  RPM file name                 DSM-StonesoftManagementCenter-QRadar_version-build_number.noarch.rpm
  Supported versions            5.4 to 6.1
  Protocol                      Syslog
  Event format                  LEEF
  Recorded event types          Management Center, IPS, Firewall, and VPN events
  Automatically discovered?     Yes
  Includes identity?            No
  Includes custom properties?   No
  More information              FORCEPOINT website (https://www.forcepoint.com)

To integrate FORCEPOINT Stonesoft Management Center with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console:
    • DSMCommon RPM
    • Stonesoft Management Center DSM RPM
  2. Configure your StoneGate device to send syslog events to QRadar.
  3. If QRadar does not automatically detect the log source, add a Stonesoft Management Center log source on the QRadar Console. The following table describes the parameters that require specific values to collect events from Stonesoft Management Center:

    Table 2. Stonesoft Management Center log source parameters

      Parameter                 Value
      Log Source type           Stonesoft Management Center
      Protocol Configuration    Syslog
      Log Source Identifier     Type a unique name for the log source.

  4. Verify that QRadar is configured correctly.
    The following table shows a sample normalized event message from Stonesoft Management Center:

    Table 3. Stonesoft Management Center sample message

      Event name            Generic_UDP-Rugged-Director-Denial-Of-Service
      Low level category    Misc DoS
      Sample log message
        LEEF:1.0|FORCEPOINT|IPS|5.8.5|Generic_UDP-Rugged-Director-Denial-Of-Service|devTimeFormat=MMM dd yyyy HH:mm:ss    srcMAC=00:00:00:00:00:00    sev=2    dstMAC=00:00:00:00:00:00    devTime=Feb 23 2017 10:13:58    proto=17    dstPort=00000    srcPort=00000    dst=127.0.0.1    src=127.0.0.1    action=Permit    logicalInterface=NY2-1302-DMZ_IPS_ASA_Primary    sender="username" Sensor
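The following is an added example, not code from IBM or Forcepoint, showing how the LEEF 1.0 sample event in Table 3 breaks down into its header and attributes and how the devTime value is interpreted through the devTimeFormat attribute. It assumes the tab delimiter that LEEF 1.0 uses between attributes (rendered above as runs of spaces), and the permitted_ips_hits triage rule is an illustrative assumption rather than anything QRadar applies.

```python
from datetime import datetime

# Constructed sample: the Table 3 event from this page, with LEEF 1.0's default
# tab delimiter between attributes (the page renders the tabs as runs of spaces).
SAMPLE = (
    "LEEF:1.0|FORCEPOINT|IPS|5.8.5|Generic_UDP-Rugged-Director-Denial-Of-Service|"
    "devTimeFormat=MMM dd yyyy HH:mm:ss\tsrcMAC=00:00:00:00:00:00\tsev=2\t"
    "dstMAC=00:00:00:00:00:00\tdevTime=Feb 23 2017 10:13:58\tproto=17\t"
    "dstPort=00000\tsrcPort=00000\tdst=127.0.0.1\tsrc=127.0.0.1\taction=Permit\t"
    "logicalInterface=NY2-1302-DMZ_IPS_ASA_Primary\tsender=\"username\" Sensor"
)

# Java-style date tokens (as used in devTimeFormat) mapped to strptime directives.
_JAVA_TO_STRPTIME = [("MMM", "%b"), ("dd", "%d"), ("yyyy", "%Y"),
                     ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]

# Attributes that are numeric in this event format and are normalized to int.
_INT_FIELDS = ("sev", "proto", "srcPort", "dstPort")


def parse_leef(line):
    """Parse one LEEF 1.0 line into a dict; reject a malformed header outright."""
    parts = line.rstrip("\r\n").split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError("not a LEEF 1.0 event: %r" % line[:40])
    event = {"vendor": parts[1], "product": parts[2],
             "version": parts[3], "eventId": parts[4]}
    for attr in parts[5].split("\t"):          # LEEF 1.0 attribute delimiter is tab
        key, sep, value = attr.partition("=")
        if not sep:
            continue                            # skip fragments with no key=value
        event[key] = int(value) if key in _INT_FIELDS else value
    fmt = event.get("devTimeFormat")
    if fmt and "devTime" in event:
        # Convert the device's declared pattern, then parse devTime with it.
        for java_tok, py_tok in _JAVA_TO_STRPTIME:
            fmt = fmt.replace(java_tok, py_tok)
        event["devTime"] = datetime.strptime(event["devTime"], fmt)
    return event


def permitted_ips_hits(events):
    """Triage helper (assumed rule): IPS events whose signature fired but whose
    traffic was permitted, like the sample DoS event, so an analyst can review them."""
    return [e for e in events
            if e["product"] == "IPS" and e.get("action") == "Permit"]
```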