Configuring a System Event Action for Imperva SecureSphere
Configure your Imperva SecureSphere appliance to forward syslog system policy events to JSA.
Use the following list to define a message string in the Message field for each event type you want to forward:
The line breaks in the code examples might cause this configuration to fail. For each alert, copy the code blocks into a text editor, remove the line breaks, and paste as a single line in the Custom Format column.
System events (v9.5 and v10 to v13):
LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Event.eventType}|Event ID=${Event.dn}|devTimeFormat=[see note]|devTime=${Event.createTime}|Event Type=${Event.eventType}|Message=${Event.message}|Severity=${Event.severity.displayName}|usrName=${Event.username}|SecureSphere Version=${SecureSphereVersion}
Database audit records (v9.5 and v10 to v13):
LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Event.struct.eventType}|Server Group=${Event.serverGroup}|Service Name=${Event.serviceName}|Application Name=${Event.applicationName}|Source Type=${Event.sourceInfo.eventSourceType}|User Type=${Event.struct.user.userType}|usrName=${Event.struct.user.user}|User Group=${Event.struct.userGroup}|Authenticated=${Event.struct.user.authenticated}|App User=${Event.struct.applicationUser}|src=${Event.sourceInfo.sourceIp}|Application=${Event.struct.application.application}|OS User=${Event.struct.osUser.osUser}|Host=${Event.struct.host.host}|Service Type=${Event.struct.serviceType}|dst=${Event.destInfo.serverIp}|Event Type=${Event.struct.eventType}|Operation=${Event.struct.operations.name}|Operation type=${Event.struct.operations.operationType}|Object name=${Event.struct.operations.objects.name}|Object type=${Event.struct.operations.objectType}|Subject=${Event.struct.operations.subjects.name}|Database=${Event.struct.databases.databaseName}|Schema=${Event.struct.databases.schemaName}|Table Group=${Event.struct.tableGroups.displayName}|Sensitive=${Event.struct.tableGroups.sensitive}|Privileged=${Event.struct.operations.privileged}|Stored Proc=${Event.struct.operations.storedProcedure}|Completed Successfully=${Event.struct.complete.completeSuccessful}|Parsed Query=${Event.struct.query.parsedQuery}|Bind Vaiables=${Event.struct.rawData.bindVariables}|Error=${Event.struct.complete.errorValue}|Response Size=${Event.struct.complete.responseSize}|Response Time=${Event.struct.complete.responseTime}|Affected Rows=${Event.struct.query.affectedRows}|devTimeFormat=[see note]|devTime=${Event.createTime}
All alerts (v6.2 and v7.x to v13 Release Enterprise Edition):
DeviceType=ImpervaSecuresphere Event|et=$!{Event.eventType}|dc=Securesphere System Event|sp=$!{Event.sourceInfo.sourcePort}|s=$!{Event.sourceInfo.sourceIp}|d=$!{Event.destInfo.serverIp}|dp=$!{Event.destInfo.serverPort}|u=$!{Event.username}|t=$!{Event.createTime}|sev=$!{Event.severity}|m=$!{Event.message}
The devTimeFormat parameter is shown as [see note] rather than a value because the time format is configurable on the SecureSphere appliance. Check the time format that your SecureSphere appliance uses and replace the placeholder with that format.
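As an added example (not part of this documentation, and not Imperva or Juniper code), the following Python script sanity-checks a message string before it is pasted into SecureSphere and then dry-runs it against a constructed event: it flags line breaks and split placeholders of the kind that make the configuration fail, flags a devTimeFormat still set to [see note], expands the `${...}` and `$!{...}` placeholders, and splits the result the way a collector would. It assumes Velocity-style placeholder semantics (an unresolved `$!{...}` becomes empty, an unresolved `${...}` stays literal); the sample event, the `13.0` version string and the `yyyy-MM-dd HH:mm:ss` time format are constructed assumptions.

```python
"""Sanity-check and dry-run a SecureSphere -> JSA LEEF message string.

Added example, not part of the product documentation. Placeholder expansion
assumes Velocity-style semantics (an assumption): ${path} stays literal when
the path is missing, $!{path} (quiet reference) becomes an empty string.
"""
import re

# ${a.b.c} or $!{a.b.c}; group 1 is the optional "!" quiet marker
PLACEHOLDER = re.compile(r"\$(!?)\{([A-Za-z0-9_.]+)\}")


def check_template(template: str) -> list:
    """Return problems that would make the pasted string fail or mis-parse.
    An empty list means the string looks sane."""
    problems = []
    if "\n" in template or "\r" in template:
        problems.append("contains a line break; paste as a single line")
    # "$ {Event.x}" or "key= ${Event.x}" are leftovers of a removed line break
    if re.search(r"\$\s+\{|=\s+\$", template):
        problems.append("whitespace splits a ${...} placeholder")
    if template.count("{") != template.count("}"):
        problems.append("unbalanced braces in a placeholder")
    if template.startswith("LEEF:"):
        for key in ("devTime=", "devTimeFormat="):
            if key not in template:
                problems.append(f"missing {key}")
        if "devTimeFormat=[see note]" in template:
            problems.append("devTimeFormat still set to the [see note] placeholder")
    return problems


def _lookup(event: dict, path: str):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def render(template: str, event: dict) -> str:
    """Expand ${path} / $!{path} placeholders against a nested event dict."""
    def sub(match):
        quiet, path = match.group(1), match.group(2)
        value = _lookup(event, path)
        if value is None:
            return "" if quiet else match.group(0)
        return str(value)
    return PLACEHOLDER.sub(sub, template)


def parse_leef(line: str) -> dict:
    """Split a rendered line into the five LEEF header fields and key=value
    attributes. The templates on this page put '|' between attributes, so
    '|' is the attribute delimiter assumed here."""
    parts = line.split("|")
    if len(parts) < 5 or parts[0] != "LEEF:1.0":
        raise ValueError("not a LEEF:1.0 line")
    names = ("version", "vendor", "product", "product_version", "event_id")
    header = dict(zip(names, parts[:5]))
    attrs = {}
    for field in parts[5:]:
        if "=" in field:
            key, value = field.split("=", 1)
            attrs[key] = value
    return {"header": header, "attributes": attrs}


# System-events template from this page with an assumed time format filled in
SYSTEM_EVENT_TEMPLATE = (
    "LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Event.eventType}"
    "|Event ID=${Event.dn}|devTimeFormat=yyyy-MM-dd HH:mm:ss"
    "|devTime=${Event.createTime}|Event Type=${Event.eventType}"
    "|Message=${Event.message}|Severity=${Event.severity.displayName}"
    "|usrName=${Event.username}|SecureSphere Version=${SecureSphereVersion}"
)

SAMPLE_EVENT = {  # constructed sample, not a real SecureSphere record
    "SecureSphereVersion": "13.0",
    "Event": {
        "dn": "12345",
        "eventType": "Login",
        "createTime": "2024-01-15 10:23:45",
        "message": "User logged in",
        "severity": {"displayName": "Informational"},
        "username": "admin",
    },
}


def dry_run(template: str = SYSTEM_EVENT_TEMPLATE, event: dict = SAMPLE_EVENT) -> dict:
    """Validate the template, render it against the event, and parse it back."""
    problems = check_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    return parse_leef(render(template, event))


if __name__ == "__main__":
    print(dry_run())
```

This parser splits on every `|`, so a value that itself contains `|` (a free-text Message, for instance) shifts every field after it; keep that in mind when reading the dry-run output for events with unusual message text.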
- Log in to SecureSphere by using administrative privileges.
- Click the Policies tab.
- Click the Action Sets tab.
- Generate events for each alert that the SecureSphere device generates:
  - Click New to create a new action set for an alert.
  - Type a name for the new action set.
  - Move the action to the Selected Actions list.
  - Expand the System Log action group.
  - In the Action Name field, type a name for your alert action.
  - From the Apply to event type list, select Any event type.
  - Configure the following parameters:
    - In the Syslog host field, type the IP address of the JSA appliance to which you want to send events.
    - In the Syslog log level list, select INFO.
    - In the Message field, define a message string for your event type.
    - In the Facility field, type syslog.
    - Select the Run on Every Event check box.
  - Click Save.
- To trigger syslog events, associate each of your system event policies with an alert action:
  - From the navigation menu, click Policies > System Events.
  - Select or create the system event policy that you want to use for the alert action.
  - Click the Followed Action tab.
  - From the Followed Action list, select your new action and configure the parameters.
    Tip: Configure established connections as either blocked, inbound, or outbound. Always allow applicable service ports.
  - Click Save.