Integrating Imperva SecureSphere
Publication Date: November 30, 2015
Integrate Imperva SecureSphere
Abstract
This guide provides instructions to configure Imperva SecureSphere to send syslog events to EventTracker.

Scope
The configurations detailed in this guide are consistent with EventTracker version 7.X and later, and Imperva SecureSphere 8 and later.

Audience
Imperva SecureSphere users who wish to forward syslog events to EventTracker manager.

The information contained in this document represents the current view of EventTracker on the
issues discussed as of the date of publication. Because EventTracker must respond to changing
market conditions, it should not be interpreted to be a commitment on the part of EventTracker,
and EventTracker cannot guarantee the accuracy of any information presented after the date of
publication.
This document is for informational purposes only. EventTracker MAKES NO WARRANTIES,
EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, this paper may be freely distributed without permission from
EventTracker, if its content is unaltered, nothing is added to the content and credit to
EventTracker is provided.
EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from EventTracker, the furnishing of this document does not give you
any license to these patents, trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, people and events depicted herein are fictitious.
No association with any real company, organization, product, person or event is intended or
should be inferred.
© 2017 EventTracker Security LLC. All rights reserved. The names of actual companies and
products mentioned herein may be the trademarks of their respective owners.

Table of Contents
Abstract
Pre-requisites
Configurations
    To create audit events action set
    To create security events action set
Configure audit policies to send the events to EventTracker
Configure security policies to send the events to EventTracker
Import Imperva Knowledge Pack into EventTracker
    To import Category
    To import Alerts
    To import Scheduled Reports
Verify Imperva Knowledge Pack in EventTracker
    Verify Imperva categories
    Verify Imperva alerts
    Verify Imperva Scheduled Reports

Pre-requisites
EventTracker should be installed.
Imperva SecureSphere 8 (or later) should be installed.
Each Imperva console needs one ‘Syslog Device’ license.

Configurations
SecureSphere can send security events and audit events to EventTracker. The following section describes how to configure SecureSphere to send syslog messages to EventTracker. The required configurations are:
Create Audit Events action set
Create Security Events action set
Configure audit policies
Configure security policies

To create audit events action set
1. Log on to IMPERVA SECURE SPHERE.
2. Click the Policy tab, and select Action Sets.
3. Click the Create new icon on the Action Set pane.
IMPERVA opens the Action Set dialog box.
Figure 1
4. Enter the Name of the action set.
For example: Forward audit events to EventTracker.
5. From the Apply to event type dropdown, select Audit as the event type, and then click the Create button.
The newly created action set appears in the Action Set pane.
Figure 2
6. Click the green arrow to expand Gateway Syslog > Log audit events to System Log (Gateway Syslog) action interface.
Figure 3
7. Expand Selected Actions, and type EventTracker in the Name field.
8. Configure the action parameters as given in the table below.
Parameter name      Value
Protocol            Select UDP\TCP option
Primary Host        IP address of EventTracker server.
Primary Port        By default, EventTracker will listen to port number 514.
Secondary Host      Optional
Secondary Port      Optional
Syslog Log Level    Select log level from the dropdown.
Message             In case of ‘Audit’ event, enter the placeholder as below:
                    Imperva Inc.|SecureSphere|${SecureSphereVersion}|Event Time=${Event.createTime};
                    Event Type=${Event.struct.eventType};
                    Server Group=${Event.serverGroup};
                    Service Name=${Event.serviceName};
                    Application Name=${Event.applicationName};
                    Database UserName=${Event.struct.user.user};
                    User Group=${Event.struct.userGroup};
                    User Authenticated=${Event.struct.user.authenticated};
                    Application UserName=${Event.struct.applicationUser};
                    Source IP=${Event.sourceInfo.sourceIp};
                    Source Port=${Event.sourceInfo.sourcePort};
                    Source Application=${Event.struct.application.application};
                    OS UserName=${Event.struct.osUser.osUser};
                    Source HostName=${Event.struct.host.host};
                    Service Type=${Event.struct.serviceType} ;
                    Destination IP=${Event.destInfo.serverIp};
                    Destination Port=${Event.destInfo.serverPort};
                    Operation=${Event.struct.operations.name};
                    Operation Type=${Event.struct.operations.operationType};
                    Object Name=${Event.struct.operations.objects.name};
                    Object Type=${Event.struct.operations.objectType};
                    Subject=${Event.struct.operations.subjects.name};
                    Database Name=${Event.struct.databases.databaseName};
                    Schema Name=${Event.struct.databases.schemaName};
                    Table Group=${Event.struct.tableGroups.displayName};
                    Sensitive Operation=${Event.struct.tableGroups.sensitive};
                    Privileged Operation=${Event.struct.operations.privileged};
                    Stored Procedure=${Event.struct.operations.storedProcedure};
                    Exception=${Event.struct.complete.completeSuccessful};
                    Response size=${Event.struct.complete.responseSize};
                    Response time=${Event.struct.complete.responseTime};
                    Effected rows=${Event.struct.query.affectedRows};
                    Exception Message=${Event.struct.complete.errorValue};
                    Parsed Query=${Event.struct.query.parsedQuery};
                    Raw Query=${Event.struct.rawData.rawData}
Facility            Select appropriate option from the dropdown.
9. Click the Save icon.
10. Click the Save icon.
The settings are saved and newly created action set will appear under Selected Actions.
Figure 4

To create security events action set
1. Log on to IMPERVA SECURE SPHERE.
2. Click the Policy tab, and select Action Sets.
3. Click the Create new icon on the Action Set pane.
IMPERVA opens the Action Set dialog box.
4. Enter the name of the action set.
For example: Forward security events to EventTracker.
5. From the Apply to event type dropdown, select Security as the event type, and then click the Create button.
The newly created action set appears in the Action Set pane.
Figure 5
6. Click the green arrow to expand Log to System Log (syslog) (System Log > EventTracker) action interface.
Figure 6
7. Expand Selected Actions, and type EventTracker in the Name field.
8. Configure the action parameters as given in the table below.
Parameter name        Value
Syslog Host           IP address of EventTracker server.
Syslog Log Level      Select log level from the dropdown.
Message               In case of ‘Security’ event, enter the placeholder as below:
                      Imperva Inc.|SecureSphere|${SecureSphereVersion}|AlertTime=${Alert.createTime} AlertType=${Alert.alertType};
                      Alert Name=${Alert.alertMetadata.alertName};
                      Alert Severity=${Alert.severity};
                      Alert Action=${Alert.immediateAction};
                      Destination IP=${Event.destInfo.serverIp};
                      Destination Port=${Event.destInfo.serverPort};
                      User=${Alert.username};
                      Source IP=${Event.sourceInfo.sourceIp};
                      Source Port=${Event.sourceInfo.sourcePort};
                      Protocol=${Event.sourceInfo.ipProtocol};
                      category=Alert;
                      Policy=${Rule.parent.displayName};
                      Server Group=${Alert.serverGroupName};
                      Service Name=${Alert.serviceName};
                      Application=${Alert.applicationName};
                      Description=${Alert.description}
Facility              Select appropriate option from the dropdown.
Run on Every Event    Click this checkbox, to get the notification on every security alert.
9. Click the Save icon.
10. Click the Save icon.
The settings are saved and newly created action set will appear under Selected Actions.
Figure 7
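
As a receiver-side check of the Message templates configured above, the following Python function (an added example, not part of the EventTracker or Imperva material) splits a received security-event line back into its fields in template order and reports values that contain delimiter text. The sample line, its values and the version string are constructed; the same function handles the audit template when its labels are passed as keys, with Raw Query as the final free-text field.

```python
import re

PREFIX = "Imperva Inc.|SecureSphere|"
# Labels in the order the security-event Message template on this page emits them.
SECURITY_KEYS = [
    "AlertTime", "AlertType", "Alert Name", "Alert Severity", "Alert Action",
    "Destination IP", "Destination Port", "User", "Source IP", "Source Port",
    "Protocol", "category", "Policy", "Server Group", "Service Name",
    "Application", "Description",
]

def parse_securesphere(message, keys=SECURITY_KEYS):
    """Return (fields, ambiguous) for one syslog line built from the template."""
    start = message.find(PREFIX)  # skip any syslog priority/timestamp/host
    if start < 0:
        raise ValueError("SecureSphere prefix not found")
    version, _, body = message[start + len(PREFIX):].partition("|")
    if not body.startswith(keys[0] + "="):
        raise ValueError("body does not start with " + keys[0])
    fields, pos = {"SecureSphereVersion": version}, len(keys[0]) + 1
    # Walk the labels in template order. The template has no ';' between
    # AlertTime and AlertType, so plain whitespace is accepted as a separator.
    for key, nxt in zip(keys, keys[1:]):
        m = re.compile(r"(?:;\s*|\s+)" + re.escape(nxt) + "=").search(body, pos)
        if m is None:
            raise ValueError("label missing or out of order: " + nxt)
        fields[key] = body[pos:m.start()].strip()
        pos = m.end()
    fields[keys[-1]] = body[pos:].strip()  # last field keeps any ';' or '=' verbatim
    # A non-final value that itself contains '; <label>=' cannot be split
    # unambiguously; report it so the event is reviewed rather than trusted.
    label = re.compile(r";\s*(?:" + "|".join(map(re.escape, keys)) + r")=")
    ambiguous = [k for k in keys[:-1] if label.search(fields[k])]
    return fields, ambiguous

# Constructed sample line (all values are made up for this example).
SAMPLE = (
    "<134>Nov 30 10:15:00 gw1 Imperva Inc.|SecureSphere|11.5|"
    "AlertTime=2015-11-30 10:15:00 AlertType=Signature; "
    "Alert Name=Custom; Policy=strict; Alert Severity=High; Alert Action=Block; "
    "Destination IP=192.0.2.10; Destination Port=443; User=n/a; "
    "Source IP=198.51.100.7; Source Port=51515; Protocol=TCP; category=Alert; "
    "Policy=Web Signatures; Server Group=DMZ; Service Name=HTTPS; "
    "Application=Default; Description=Matched pattern; see rule=12"
)

if __name__ == "__main__":
    parsed, flagged = parse_securesphere(SAMPLE)
    print(parsed["Alert Name"], "|", parsed["Policy"])
    print("ambiguous fields:", flagged)
```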

Configure audit policies to send the events to EventTracker
1. Click the Policy tab, and select Audit.
Figure 8
2. In the Audit Policies pane, select the Default Rule – All Events option.
3. Move to the right pane, and click the Apply to tab.
4. Select the systems/sites for which you wish to send the events.
5. Click the External logger tab.
Figure 9
6. Select the newly created audit event action set (for example, Forward audit events to EventTracker) from the dropdown.
7. Click the Save icon to save the settings.

Configure security policies to send the events to EventTracker
The syslog message can be sent as a followed action upon the occurrence of a security or an audit event. The action set defined for audit/security events will be used as the followed action.
1. Click the Policy tab, and select Security.
2. In the Policies pane, select the policy for which you wish to enable the followed action.
3. In the Policy Rules tab, select the appropriate policy rule.
4. Click the Enabled checkbox next to the policy rule.
5. Select the Severity level.
6. Select Action from the dropdown.
7. In the Followed Action dropdown, select the custom created action set for audit\security events.
Figure 10
8. Click the Save icon to save the settings.

Import Imperva Knowledge Pack into EventTracker
1. Launch EventTracker Control Panel.
2. Double click Import Export Utility icon, and then click the Import tab.
3. Import Category/Alert/Reports as given below.
To import Category
1. Click Category option, and then click the browse button.
Figure 11
2. Locate the All Imperva DAM group of categories.iscat file, and then click the Open button.
3. Click the Import button to import the categories.
EventTracker displays a success message.
Figure 11
4. Click the OK button and then click the Close button.
To import Alerts
1. Click Alert option, and then click the browse button.
Figure 13
2. Locate the All Imperva DAM group of alerts.isalt file, and then click the Open button.
3. Click the Import button to import the alerts.
EventTracker displays a success message.
Figure 14
4. Click the OK button and then click the Close button.
To import Scheduled Reports
1. Click Reports option, and then click the browse button.
Figure 15
2. Locate the All Imperva DAM defined analysis report.issch file, and then click the Open button.
3. Click the Import button to import the scheduled reports.
EventTracker displays a success message.
Figure 16
4. Click the OK button, and then click the Close button.

Verify Imperva Knowledge Pack in EventTracker
Verify Imperva categories
1. Log on to EventTracker Enterprise.
2. Click the Admin dropdown, and then click Categories.
3. In the Category Tree, expand Imperva group folder to see the imported categories.
Figure 17
Verify Imperva alerts
1. Log on to EventTracker Enterprise.
2. Click the Admin dropdown, and then click Alerts.
3. In the Search field, type ‘Imperva’, and then click the Go button.
The Alert Management page displays all the imported Imperva alerts.
Figure 18
4. To activate the imported alerts, select the respective checkbox in the Active column.
EventTracker displays a message box.
Figure 19
5. Click the OK button, and then click the Activate now button.
NOTE: You can select alert notifications such as Beep, Email, and Message. To do so, select the respective checkbox on the Alert Management page, and then click the Activate Now button.
Verify Imperva Scheduled Reports
1. Log on to EventTracker Enterprise.
2. Go to Reports.
3. Click the Defined option.
EventTracker displays the Defined reports.
Figure 20
Here you can find imported scheduled reports such as ‘Imperva DAM-Database native auditing change’
report.
4. Search for ‘Imperva’ in the search box.
5. EventTracker displays Flex reports of all Imperva reports.