This quick start guide will help Accenture MDR customers configure Imperva® Web Application Firewall (WAF) to send logs to the Log Collection Platform (LCP).

...

5. Edit the message field for all three events above and add the following.

Code Block
#Log custom security event to System Log (syslog) using the CEF standard.

...


#Log network security event to System Log (syslog) using the CEF standard.

...


#Log security event to System Log (syslog) using the CEF standard.

...


CEF:0|Imperva Inc.|SecureSphere|${SecureSphereVersion}|#cefEscapeMessage(${Rule.parent.displayName})|#cefEscapeMessage(${Rule.parent.displayName})|${Alert.severity}|act=${Alert.immediateAction} dst=${Event.destInfo.serverIp} dpt=${Event.destInfo.serverPort} duser=#cefEscapeExtension(${Alert.username}) src=${Event.sourceInfo.sourceIp} spt=${Event.sourceInfo.sourcePort} proto=${Event.sourceInfo.ipProtocol} rt=#arcsightDate(${Event.createTime}) cat=Alert cs1=#cefEscapeExtension(${Rule.parent.displayName}) cs1Label=Policy cs2=#cefEscapeExtension(${Alert.serverGroupName}) cs2Label=ServerGroup cs3=#cefEscapeExtension(${Alert.serviceName}) cs3Label=ServiceName cs4=#cefEscapeExtension(${Alert.applicationName}) cs4Label=ApplicationName cs5=#cefEscapeExtension(${Alert.description}) cs5Label=Description cs8=#cefEscapeExtension(${Event.struct.httpRequest.url.method}) cs8Label=HTTPMethod cs9=#cefEscapeExtension(${Event.struct.httpRequest.url.fullPath}) cs9Label=

...

HTTPFullpath cs10=#cefEscapeExtension(${Event.struct.httpRequest.url.queryString}) cs10Label=QueryString cs11=#cefEscapeExtension(${Event.struct.httpResponse.responseCode}) cs11Label=HTTPResponseCode cs12=#cefEscapeExtension(${Event.struct.networkDirection}) cs12Label=NetworkDirection

...

6. Select the System event by enabling the option below:

...

7. Edit the message field and add the following.

Code Block
#Log custom System event to System Log (syslog) using the CEF standard

...


CEF:0|ImpervaInc.|SecureSphere|${SecureSphereVersion}|${Event.eventType}|#cefEscapeMessage(${Event.message})|${Event.severity.displayName}|suser=#cefEscapeExtension(${Event.username}) rt=#arcsightDate(${Event.createTime}) cat=SystemEvent

8. Click Save.
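The two templates above emit one CEF record per event: seven pipe-delimited header fields (escaped with #cefEscapeMessage, so a literal `|` or `\` in a policy name arrives as `\|` or `\\`), followed by space-separated `key=value` extensions (escaped with #cefEscapeExtension, so `=` and `\` inside a value arrive as `\=` and `\\`). The custom strings are paired as `cs1=... cs1Label=Policy`. The parser below is an added example, not part of the original guide or an Imperva or Accenture tool; it shows how a collector-side consumer would undo both escaping layers and resolve the `csN`/`csNLabel` pairs. The sample record is constructed to match the security-event template, and its IP addresses, version string, policy name and timestamp are made up.

```python
import re

# Header: 7 pipe-delimited fields before the extension. Inside a header
# field, '|' and '\' arrive escaped as '\|' and '\\' (what the template's
# #cefEscapeMessage produces), so a naive str.split('|') is not safe.
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def split_header(line):
    """Return (header_fields, extension_text), honouring header escapes."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped char: take it literally
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":                        # unescaped pipe ends a field
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("CEF header needs 7 '|'-separated fields")
    return fields, line[i:]


# Extension: 'key=value' pairs separated by single spaces. Values may contain
# spaces, so a key is recognised as a name at the start or after a space that
# is immediately followed by an unescaped '='. '=' and '\' inside values arrive
# as '\=' and '\\' (the template's #cefEscapeExtension), which this regex skips.
# CEF is inherently ambiguous for a value containing a bare ' word=' sequence;
# the escaping in the template is what prevents that for query strings.
KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_]+)=")


def unescape_extension(value):
    """Undo extension escaping: '\=' -> '=', '\\' -> '\', '\n' and '\r' too."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext):
    """Map each extension key to its unescaped value."""
    keys = list(KEY_RE.finditer(ext))
    pairs = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        pairs[m.group(1)] = unescape_extension(ext[m.end():end].rstrip(" "))
    return pairs


def parse_cef(line):
    """Parse one SecureSphere CEF line into {'header': {...}, 'extension': {...}}."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    raw_fields, ext_text = split_header(line[len("CEF:"):])
    return {"header": dict(zip(HEADER_FIELDS, raw_fields)),
            "extension": parse_extension(ext_text)}


def labeled_custom_strings(extension):
    """Resolve csN/csNLabel pairs (cs1=... cs1Label=Policy) into {label: value}."""
    labeled = {}
    for key, value in extension.items():
        m = re.fullmatch(r"cs(\d+)", key)
        if m:
            labeled[extension.get(f"cs{m.group(1)}Label", key)] = value
    return labeled


# Constructed sample in the shape of the security-event template above.
# Addresses, version, policy name and timestamp are invented for illustration.
SAMPLE = (
    "CEF:0|Imperva Inc.|SecureSphere|13.0|Web Profile \\| Parameter Violation|"
    "Web Profile \\| Parameter Violation|High|"
    "act=Block dst=10.0.0.5 dpt=443 duser=alice src=198.51.100.7 spt=51234 "
    "proto=TCP rt=1704449700000 cat=Alert "
    "cs1=Web Profile | Parameter Violation cs1Label=Policy "
    "cs2=Web Farm cs2Label=ServerGroup cs3=shop-https cs3Label=ServiceName "
    "cs4=shop cs4Label=ApplicationName cs5=Parameter value too long "
    "cs5Label=Description cs8=GET cs8Label=HTTPMethod cs9=/account/profile "
    "cs9Label=HTTPFullpath cs10=id\\=42&lang\\=en cs10Label=QueryString "
    "cs11=200 cs11Label=HTTPResponseCode cs12=Inbound cs12Label=NetworkDirection"
)

if __name__ == "__main__":
    record = parse_cef(SAMPLE)
    print(record["header"])
    print(labeled_custom_strings(record["extension"]))
```

Running the parser over real collector output is a quick way to confirm that the message template was pasted intact: a record that yields fewer than seven header fields, or a `QueryString` label whose value still contains `\=`, points at a truncated or mis-escaped template rather than at the collector.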

To configure Imperva on the Main interface, follow the steps below.

...

Table 1-2: The Imperva WAF event collector (Syslog-3689) properties to be configured by MDR.

| Property | Default Value | Description |
|---|---|---|
| Protocol | UDP | The default protocol for syslog. The collector can also accept logs over TCP. Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To weigh TCP for reliability against UDP for speed and simplicity, contact the Accenture MDR onboarding team. |
| IP Address | Imperva WAF IP address | Logging device IP address given in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team. |
| Signatures | SecureSphere | MDR-recommended signatures processed by the Imperva WAF event collector. |
| Port Number | 514 | The default port for UDP. For TCP, the default port is 601. Note: The LCP can be configured to listen on a non-standard port. Advise the Accenture MDR onboarding team if this is a requirement. |
...