Outgoing feed - Forcepoint


This article describes the specific configuration options to set up the feed.

To configure the general options for the feed, see Configure outgoing feeds general options.


Specifications

Transport type

Forcepoint Web and Email Security

Content type

Forcepoint JSON

Ingested data

URL, IP addresses (ipv4 and ipv6), and domains.

Published data

The outgoing feeds send observables to categories within the Forcepoint appliance.

Description

Forcepoint Web and Email Security offers real-time protection against advanced threats and data theft with multiple deployment options and modules to help tailor your web protection package to your organization’s needs.

Configure the outgoing feed

  1. Create or edit an outgoing feed.

  2. From the Transport type drop-down menu, select the preferred Forcepoint outgoing feed.

  3. From the Content type drop-down menu, select Forcepoint JSON.

  4. From the Datasets drop-down menu, select one or more existing datasets to use as sources to populate the outgoing feed content.
    For the feed not to be empty, at least one selected dataset should contain entities and observables in the same format as the configured content type for the feed.

  5. From the Update strategy drop-down menu, select the preferred method to populate the outgoing feed with data before publishing it.
    Update strategies help define how content is aggregated and packaged for publication when an outgoing feed task runs:

    • Append: every time the outgoing feed task runs, it fetches only new, unpublished data to generate the content for publication.
      The published packages contain only new entities and observables ingested in the platform after the previous execution of the outgoing feed.

    • Replace: every time the outgoing feed task runs, it fetches new and existing data to generate the content for publication.
      The published packages contain new and existing entities and observables included also in the previous execution of the outgoing feed.

    • Diff : this option is available only for the EclecticIQ Entities CSV and EclecticIQ Observables CSV content types.
      Every time the outgoing feed task runs, new data is compared against existing data to identify any differences between the two datasets:

      • At entity level: any entities added to or removed from the set, if EclecticIQ Entities CSV is the designated content type for the feed.

      • At observable level: any observable added to or removed from the entities in the set, if EclecticIQ Observables CSV is the designated content type for the feed.

      Depending on the selected CSV content option, each row in the CSV output contains information about one entity being added or removed, or one observable being added or removed.
      An extra diff column is added to the output CSV to indicate if a row, and therefore either an entity or an observable, has been added to or removed from the set.
      This option enables identifying changes in a feed between two executions without downloading the whole feed every time.

      Update strategies help define how content is aggregated and packaged for publication when an outgoing feed task runs:

      Update strategies rely on the last_updated_at database field to identify entities whose timestamp value was updated since the previous execution of the outgoing feed.
      Entities with a more recent timestamp value compared to the previous execution of the outgoing feed are packaged and included in the published content of the outgoing feed.

      • Changes to the data section of an entity create a new version of the entity.
        They also add a new log entry to the entity history to record the changes.

      • Changes to the meta section of an entity do not create a new version of the entity.
        However, they do update the timestamp value of the last_update_at database field.

  6. The API URL field is automatically filled in with the default location on the Forcepoint Web Security server to upload the outgoing feed content to, so as to make it available for retrieval.

  7. In the Username field, enter your Forcepoint Web Security username.

  8. In the Password field, enter your Forcepoint Web Security password.

  9. To store your changes, click Save; to discard them, click Cancel.

View and retrieve outgoing feed content

  1. In the top navigation bar click Data configuration > Outgoing feeds.

  2. In the Outgoing feeds view, click anywhere in the row corresponding to the outgoing feed whose content you want to view or retrieve.

  3. In the selected outgoing feed detail pane, click the Created packages tab.

  4. In the Created packages tab, under the Download column header, click the name of a package to download it, and to save it to a target location.