AlienVault® USM Anywhere™

Imperva SecureSphere CEF

When you configure Imperva SecureSphere to send log data to USM Anywhere, you can use the Imperva SecureSphere CEF plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information
Device Details
Vendor Imperva
Device Type Appliance Firewall
Connection Type Syslog

Integrating Imperva SecureSphere

Before you configure the Imperva SecureSphere integration, you must have the IP Address of the USM Anywhere Sensor.

Imperva SecureSphere offers four different types of events that you can capture, each requiring a slightly different configuration:

  • Security Events
  • Custom Security Events
  • Firewall Security Events
  • System Events

Note: See the Imperva SecureSphere Configuration Guide for more information.

To configure Imperva SecureSphere to send log data to USM Anywhere

To configure Imperva SecureSphere to send syslog messages, based on the CEF standard, whenever a new event occurs:

  1. Define a new Action Set and configure the following parameters:
    • Name: The action set name, for example, "security_syslog".
    • Syslog Host: The IP address or host name of the Syslog server.
    • Syslog Log Level: The Syslog log level.
    • Message: The CEF message for a security event (alert).
    • Facility: The facility name that you want.

    Note: For the Syslog Host entry, the IP address or host name you specify is the IP address or host name of the USM Anywhere Sensor.

  2. Edit the security policies and modify the Followed Actions for those that you want to send to Syslog when a violation occurs. Use the action set defined for security events in step 1.

    When a security violation occurs, Imperva SecureSphere will generate an alert and send a Syslog message to USM Anywhere.

Plugin Enablement

The Imperva SecureSphere CEF plugin automatically processes all messages when the raw message contains |Imperva Inc.|SecureSphere|.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • destination_address
  • destination_port
  • destination_username
  • device_event_category
  • event_action
  • event_description
  • event_name
  • event_receipt_time
  • event_severity
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_address
  • source_port
  • transport_protocol

Additional Resources and Troubleshooting

For troubleshooting, refer to the vendor documentation: