Configuring an Alert Action for Imperva SecureSphere
Configure your Imperva SecureSphere appliance to forward syslog events for firewall policy alerts to JSA.
Use the following list to define a message string in the Message field for each event type you want to forward:
Because the formats are shown wrapped over several lines, paste each message format into a text editor, remove any carriage return or line feed characters, and then paste the result as a single line into the Custom Format column.
Database alerts (v9.5 and v10 to v13)--
LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType}${Alert.immediateAction}|Alert ID=${Alert.dn}|devTimeFormat=[see note]|devTime=${Alert.createTime}|Alert type=${Alert.alertType}|src=${Alert.sourceIp}|usrName=${Event.struct.user.user}|Application name=${Alert.applicationName}|dst=${Event.destInfo.serverIp}|Alert Description=${Alert.description}|Severity=${Alert.severity}|Immediate Action=${Alert.immediateAction}|SecureSphere Version=${SecureSphereVersion}
File server alerts (v9.5 and v10 to v13)--
LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}|devTimeFormat=[see note]|devTime=${Alert.createTime}|Alert type=${Alert.alertType}|src=${Alert.sourceIp}|usrName=${Event.struct.user.username}|Domain=${Event.struct.user.domain}|Application name=${Alert.applicationName}|dst=${Event.destInfo.serverIp}|Alert Description=${Alert.description}|Severity=${Alert.severity}|Immediate Action=${Alert.immediateAction}|SecureSphere Version=${SecureSphereVersion}
Web application firewall alerts (v9.5 and v10 to v13)--
LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}|devTimeFormat=[see note]|devTime=${Alert.createTime}|Alert type=${Alert.alertType}|src=${Alert.sourceIp}|srcPort=$!{Event.sourceInfo.sourcePort}|usrName=${Alert.username}|Application name=${Alert.applicationName}|dst=${Event.destInfo.serverIp}|dstPort=$!{Event.destInfo.serverPort}|Service name=${Alert.serviceName}|Event Description=${Alert.description}|Severity=${Alert.severity}|Simulation Mode=${Alert.simulationMode}|Immediate Action=${Alert.immediateAction}
All alerts (v6.2 and v7 to v13 Release Enterprise Edition)--
DeviceType=ImpervaSecuresphere Alert|an=$!{Alert.alertMetadata.alertName}|at=SecuresphereAlert|sp=$!{Event.sourceInfo.sourcePort}|s=$!{Event.sourceInfo.sourceIp}|d=$!{Event.destInfo.serverIp}|dp=$!{Event.destInfo.serverPort}|u=$!{Alert.username}|g=$!{Alert.serverGroupName}|ad=$!{Alert.description}
The devTimeFormat parameter is left without a value because the time format is configurable on the SecureSphere appliance. Check the time format that your appliance uses and set devTimeFormat to match it; if the two disagree, JSA cannot parse devTime correctly and the events are timestamped incorrectly or fall back to the collector's receive time.
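The following is an added example, not part of this documentation or of Imperva's or JSA's own tooling: it performs the clean-up step described above (joining a wrapped template into one line) for the LEEF:1.0 templates and flags the defects that commonly survive a copy-and-paste, such as a reference that lost its leading "$", a space inside "$ {", or a devTimeFormat that was never set. The pasted sample and the defects in it are constructed for illustration; the v6.2 "All alerts" format is not LEEF and is outside this check.

```python
import re

# Velocity-style references as used in the SecureSphere templates: ${Alert.dn} or $!{Alert.dn}.
PLACEHOLDER = re.compile(r"\$!?\{([A-Za-z_][A-Za-z0-9_.]*)\}")
# A brace group with no "$" or "$!" in front of it, e.g. "{Alert.dn}", is a broken reference.
ORPHAN_BRACE = re.compile(r"(?<![$!])\{[A-Za-z_][A-Za-z0-9_.]*\}")

def normalize_template(text: str) -> str:
    """Join a template pasted over several lines into the single line the Custom
    Format column expects: drop CR/LF, the whitespace that wrapped around '|' and
    '=' delimiters, and the stray space in '$ {' / '$! {'."""
    line = text.replace("\r", "").replace("\n", "")
    line = re.sub(r"\s*\|\s*", "|", line)
    line = re.sub(r"=\s+", "=", line)
    line = re.sub(r"\$(!?)\s+\{", r"$\1{", line)
    return line.strip()

def check_leef_template(text: str) -> dict:
    """Normalize a LEEF:1.0 template and report defects that break parsing in JSA."""
    line = normalize_template(text)
    problems = []
    fields = line.split("|")
    if fields[0] != "LEEF:1.0":
        problems.append("header must start with LEEF:1.0")
    if len(fields) < 6:
        problems.append("LEEF:1.0 needs vendor|product|version|eventId before the attributes")
    for m in ORPHAN_BRACE.finditer(line):
        problems.append("reference missing '$': " + m.group())
    for attr in fields[5:]:
        if "=" not in attr:
            problems.append("attribute without '=': " + attr)
    if "devTimeFormat=[see note]" in line:
        problems.append("devTimeFormat still reads [see note]; set it to the appliance time format")
    return {"template": line, "references": PLACEHOLDER.findall(line), "problems": problems}

# Constructed sample: a shortened file server template as it might be pasted from
# the page, wrapped over lines and carrying a "{Alert.dn}" and a "$ {" defect.
PASTED = """LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|
${Alert.alertType} ${Alert.immediateAction}|Alert ID={Alert.dn}
|devTimeFormat=[see note] |devTime=${Alert.createTime}
|usrName= $ {Event.struct.user.username}|Domain=${Event.struct.user.domain}"""

if __name__ == "__main__":
    report = check_leef_template(PASTED)
    print(report["template"])
    for p in report["problems"]:
        print("PROBLEM:", p)
```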