This quick start guide will help Accenture MDR customers configure Imperva® Web Application Firewall (WAF) to send logs to the Log Collection Platform (LCP).
...
The document includes the following topics:

Supported Versions
Port Requirements
Configuring the Imperva WAF
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
---|---|---|---|
Imperva WAF | LCP | 514 (UDP) or 601 (TCP) | Default port |
...
Configuring the Imperva WAF
You must configure the SecureSphere WAF server to send syslog messages in the Common Event Format (CEF) standard when an alert or a system event occurs.
...
5. Edit the message field for each of the three events above and add the following.

```
#Log custom security event to System Log (syslog) using the CEF standard.
#Log network security event to System Log (syslog) using the CEF standard.
#Log security event to System Log (syslog) using the CEF standard.

CEF:0|Imperva Inc.|SecureSphere|${SecureSphereVersion}|#cefEscapeMessage(${Rule.parent.displayName})|#cefEscapeMessage(${Rule.parent.displayName})|${Alert.severity}|act=${Alert.immediateAction} dst=${Event.destInfo.serverIp} dpt=${Event.destInfo.serverPort} duser=#cefEscapeExtension(${Alert.username}) src=${Event.sourceInfo.sourceIp} spt=${Event.sourceInfo.sourcePort} proto=${Event.sourceInfo.ipProtocol} rt=#arcsightDate(${Event.createTime}) cat=Alert cs1=#cefEscapeExtension(${Rule.parent.displayName}) cs1Label=Policy cs2=#cefEscapeExtension(${Alert.serverGroupName}) cs2Label=ServerGroup cs3=#cefEscapeExtension(${Alert.serviceName}) cs3Label=ServiceName cs4=#cefEscapeExtension(${Alert.applicationName}) cs4Label=ApplicationName cs5=#cefEscapeExtension(${Alert.description}) cs5Label=Description cs8=#cefEscapeExtension(${Event.struct.httpRequest.url.method}) cs8Label=HTTPMethod cs9=#cefEscapeExtension(${Event.struct.httpRequest.url.fullPath}) cs9Label=HTTPFullpath cs10=#cefEscapeExtension(${Event.struct.httpRequest.url.queryString}) cs10Label=QueryString cs11=#cefEscapeExtension(${Event.struct.httpResponse.responseCode}) cs11Label=HTTPResponseCode cs12=#cefEscapeExtension(${Event.struct.networkDirection}) cs12Label=NetworkDirection
```
...
6. Select the System event by enabling the options shown below:
...
7. Edit the message field and add the following.

```
#Log custom System event to System Log (syslog) using the CEF standard
CEF:0|Imperva Inc.|SecureSphere|${SecureSphereVersion}|${Event.eventType}|#cefEscapeMessage(${Event.message})|${Event.severity.displayName}|suser=#cefEscapeExtension(${Event.username}) rt=#arcsightDate(${Event.createTime}) cat=SystemEvent
```
8. Click Save.
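To check what the LCP will actually receive from these templates, here is an added Python example (not Imperva's or Accenture's code) that parses CEF records laid out like the alert template in step 5 and the system-event template in step 7. It splits the pipe-delimited header while honouring the backslash escapes that #cefEscapeMessage produces, splits the key=value extension while honouring the escaped = that #cefEscapeExtension produces, resolves the csN/csNLabel pairs into named fields, and flags records whose vendor/product or cat values would not match what the SecureSphere signatures expect. The sample records, version number, IP addresses, user and policy names are constructed; the two escaping helpers assume the standard CEF escaping rules (backslash before | and \ in the header, before = and \ in extension values), which is what the Imperva macros are assumed to implement.

```python
"""Parse and sanity-check CEF records in the layout of the SecureSphere
syslog templates. Added example; not Imperva's or Accenture's own code.
Samples below are constructed (version, addresses and names are invented)."""
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# A key is word characters at the start of the extension or after whitespace,
# followed by '='. An escaped '\=' inside a value can never match this.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

# Constructed sample in the layout of the step 5 alert template.
SAMPLE_ALERT = (
    "CEF:0|Imperva Inc.|SecureSphere|14.7|SQL Injection \\| Login|"
    "SQL Injection \\| Login|High|act=Block dst=10.0.0.5 dpt=443 duser=jdoe "
    "src=198.51.100.7 spt=51234 proto=TCP rt=Mar 01 2024 10:15:00 cat=Alert "
    "cs1=SQL Injection | Login cs1Label=Policy cs2=WebServers cs2Label=ServerGroup "
    "cs3=ShopService cs3Label=ServiceName cs4=Shop cs4Label=ApplicationName "
    "cs5=Parameter id contains 1\\=1 cs5Label=Description cs8=GET cs8Label=HTTPMethod "
    "cs9=/login cs9Label=HTTPFullpath cs10=id\\=1 cs10Label=QueryString "
    "cs11=403 cs11Label=HTTPResponseCode cs12=Inbound cs12Label=NetworkDirection")
# Constructed sample in the layout of the step 7 system-event template.
SAMPLE_SYSTEM = ("CEF:0|Imperva Inc.|SecureSphere|14.7|Login|User admin logged in|"
                 "Informative|suser=admin rt=Mar 01 2024 10:16:00 cat=SystemEvent")


def cef_escape_header(text):
    """Assumed behaviour of #cefEscapeMessage: escape backslash and pipe."""
    return text.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(text):
    """Assumed behaviour of #cefEscapeExtension: escape backslash, '=', CR, LF."""
    return (text.replace("\\", "\\\\").replace("=", "\\=")
                .replace("\r", "\\r").replace("\n", "\\n"))


def _unescape(value):
    """Reverse CEF escaping; \\n and \\r become real line breaks."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(record):
    """Return the seven header fields and the remaining extension text."""
    fields, cur, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):      # escaped '|' or '\'
            cur.append(record[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 pipe-delimited fields")
    return fields, record[i:]


def _split_extension(ext):
    """Split 'k=v k2=v2' where values may contain spaces and escaped '='."""
    keys = list(KEY_RE.finditer(ext))
    result = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end])
    return result


def parse_cef(record):
    """Parse one CEF record into header fields plus an 'extension' dict."""
    header, ext = _split_header(record)
    parsed = dict(zip(HEADER_FIELDS, header))
    parsed["extension"] = _split_extension(ext.lstrip())
    return parsed


def labelled_fields(extension):
    """Resolve csN / csNLabel pairs into {label: value}, e.g. {'Policy': ...}."""
    named = {}
    for key, label in extension.items():
        if key.endswith("Label") and key[:-5] in extension:
            named[label] = extension[key[:-5]]
    return named


def check_record(record):
    """Problems an analyst would want flagged before onboarding the feed."""
    problems = []
    rec = parse_cef(record)
    if (rec["device_vendor"], rec["device_product"]) != ("Imperva Inc.", "SecureSphere"):
        problems.append("unexpected vendor/product %r/%r"
                        % (rec["device_vendor"], rec["device_product"]))
    ext = rec["extension"]
    if ext.get("cat") not in ("Alert", "SystemEvent"):
        problems.append("cat must be Alert or SystemEvent, got %r" % ext.get("cat"))
    for key in ext:
        if key.endswith("Label") and key[:-5] not in ext:
            problems.append("label %s has no matching value field" % key)
    return problems
```

Run `parse_cef(SAMPLE_ALERT)` to see the header fields and extension dict, then `labelled_fields(...)` on the extension to get the Policy, ServerGroup, HTTPFullpath and similar names the template assigns; `check_record` returns an empty list for both samples and flags, for example, a vendor string that does not read exactly "Imperva Inc.".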
To configure Imperva on the Main interface, follow the steps below.
...
Go to the Policies > Security page.
For every policy, select the name of the action set you created from the Followed Action list.
LCP Configuration Parameters
Table 1-2: The Imperva WAF event collector (Syslog-3689) properties to be configured by MDR are shown in the table.
Property | Default Value | Description |
---|---|---|
Protocol | UDP | The default protocol for syslog. The collector can also accept logs over TCP. Note: TCP offers guaranteed delivery of log packets, but it places a larger overhead on the LCP. To weigh TCP's reliability against UDP's speed and simplicity, contact the Accenture Security MSS MDR onboarding team. |
IP Address | Imperva WAF IP address | Logging device IP address as stated in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs from multiple interfaces, contact the Accenture Security MSS MDR onboarding team. |
Signatures | SecureSphere | MSS MDR recommended signatures processed by the Imperva WAF event collector. |
Port Number | 514 | The default port for UDP. For TCP, the default port is 601. Note: The LCP can be configured to listen on a non-standard port. Please advise the Accenture MDR onboarding team if this is a requirement. |
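To confirm that a syslog path carries a record intact before cutting the WAF over, here is an added Python example (not Imperva's or Accenture's code) that wraps a CEF record in a minimal RFC 3164 syslog header, sends it over UDP (one datagram per record, as on port 514) or TCP (newline-terminated records, as on port 601), and runs a local stand-in listener so the round trip can be checked offline. The hostname, timestamp, facility/severity choice and CEF record are constructed. This guide does not state whether the LCP expects newline-terminated or octet-counted TCP frames, so confirm that with the onboarding team, and replace the loopback listener with the LCP address and the port from Table 1-2 when testing the real path.

```python
"""Send one CEF record over syslog (UDP or TCP) and read it back from a local
stand-in listener. Added example; not Imperva's or Accenture's own code.
Framing is assumed: RFC 3164 header, one datagram per record over UDP,
newline-terminated records over TCP."""
import socket
import threading

FACILITY_LOCAL4 = 20      # constructed choice of facility
SEVERITY_NOTICE = 5       # constructed choice of severity
# Constructed record in the layout of the step 7 system-event template.
SAMPLE_RECORD = ("CEF:0|Imperva Inc.|SecureSphere|14.7|Login|User admin logged in|"
                 "Informative|suser=admin rt=Mar 01 2024 10:16:00 cat=SystemEvent")


def syslog_line(cef_record, hostname="waf-gw-01", timestamp="Mar  1 10:16:00"):
    """Minimal RFC 3164 framing: <PRI>TIMESTAMP HOSTNAME MSG (host/time constructed)."""
    pri = FACILITY_LOCAL4 * 8 + SEVERITY_NOTICE        # PRI = facility * 8 + severity
    return "<%d>%s %s %s" % (pri, timestamp, hostname, cef_record)


def send_syslog(host, port, line, proto="UDP"):
    """Send one framed line; returns the payload size in bytes (TCP newline excluded)."""
    data = line.encode("utf-8")
    if proto.upper() == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(data, (host, port))             # one datagram per record
    else:
        with socket.create_connection((host, port), timeout=5) as sock:
            sock.sendall(data + b"\n")                  # newline marks the record end
    return len(data)


def start_listener(proto="UDP"):
    """Local stand-in for the LCP on an ephemeral loopback port.

    Returns (port, holder, thread); holder[0] is set to the decoded line."""
    holder = [None]
    if proto.upper() == "UDP":
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(("127.0.0.1", 0))
        sock.settimeout(5)

        def run():
            with sock:
                data, _ = sock.recvfrom(65535)
            holder[0] = data.decode("utf-8")
    else:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind(("127.0.0.1", 0))
        sock.listen(1)
        sock.settimeout(5)

        def run():
            with sock:
                conn, _ = sock.accept()
                with conn, conn.makefile("rb") as stream:
                    data = stream.readline()            # TCP frame ends at the newline
            holder[0] = data.rstrip(b"\n").decode("utf-8")
    port = sock.getsockname()[1]
    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, holder, thread


def round_trip(proto):
    """True when the record read back by the listener equals what was sent."""
    port, holder, thread = start_listener(proto)
    line = syslog_line(SAMPLE_RECORD)
    send_syslog("127.0.0.1", port, line, proto)
    thread.join(5)
    return holder[0] == line


if __name__ == "__main__":
    for proto in ("UDP", "TCP"):
        print(proto, "round trip ok:", round_trip(proto))
```

`round_trip("UDP")` and `round_trip("TCP")` both return True against the loopback listener; the difference worth noticing is that the TCP side only knows where the record ends because of the trailing newline, which is the framing detail to agree with the LCP team when choosing TCP for reliability.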
...