When you configure Imperva SecureSphere to send log data to USM Anywhere, you can use the Imperva SecureSphere CEF plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:
| Device Type | Appliance Firewall |
Integrating Imperva SecureSphere
Before you configure the Imperva SecureSphere integration, you must have the IP address of the USM Anywhere Sensor.
Imperva SecureSphere offers four different types of events that you can capture, each requiring a slightly different configuration:
- Security Events
- Custom Security Events
- Firewall Security Events
- System Events
Note: See the Imperva SecureSphere Configuration Guide for more information.
To configure Imperva SecureSphere to send log data to USM Anywhere
To configure Imperva SecureSphere to send syslog messages, based on the CEF standard, whenever a new event occurs:
- Define a new Action Set and configure the following parameters:
  - Name: The action set name, for example, "security_syslog".
  - Syslog Host: The IP address or host name of the Syslog server.
  - Syslog Log Level: The Syslog log level.
  - Message: The CEF message for a security event (alert).
  - Facility: The facility name that you want.
Note: For the Syslog Host entry, the IP address or host name you specify is the IP address or host name of the
When a security violation occurs, Imperva SecureSphere will generate an alert and send a Syslog message to USM Anywhere.
The Imperva SecureSphere CEF plugin automatically processes all messages when the raw message contains |Imperva Inc.|SecureSphere|.
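To check a Message template before relying on it, the following Python is an added example (not the plugin's own code) that applies the substring match described above and parses the CEF header and extensions of a captured line. The function names and both sample lines are constructed for illustration.

```python
import re

# Token the page says the plugin keys on (vendor and product header fields).
PLUGIN_TOKEN = "|Imperva Inc.|SecureSphere|"
HEADER = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")  # extension keys: start or after space

def _split_header(body, n=len(HEADER)):
    """Split n pipe-terminated header fields, honouring \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < n:
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            i += 1  # skip the backslash, keep the escaped character
            cur.append(body[i])
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, body[i:]

def parse_cef(raw):
    """Return header fields plus an 'extensions' dict, or None if malformed."""
    start = raw.find("CEF:")
    if start < 0:
        return None
    fields, ext = _split_header(raw[start + 4:])
    if len(fields) < len(HEADER):
        return None  # truncated header, e.g. an incomplete Message template
    event = dict(zip(HEADER, fields))
    keys = list(_EXT_KEY.finditer(ext))
    event["extensions"] = {
        m.group(1): ext[m.end():(nxt.start() if nxt else len(ext))]
                    .strip().replace("\\=", "=")
        for m, nxt in zip(keys, keys[1:] + [None])
    }
    return event

def plugin_would_match(raw):
    """Substring test described on the page for selecting this plugin."""
    return PLUGIN_TOKEN in raw

# Constructed sample lines (not real SecureSphere output).
GOOD = ("<134>Jan 10 12:00:00 mx01 CEF:0|Imperva Inc.|SecureSphere|13.0|Custom|SQL \\| "
        "injection|High|src=192.0.2.10 dst=198.51.100.5 msg=Blocked request to /login act=Block")
BAD_VENDOR = GOOD.replace("|Imperva Inc.|", "|Imperva|")  # edited template
```

`parse_cef(BAD_VENDOR)` still succeeds while `plugin_would_match(BAD_VENDOR)` is false, so a well-formed CEF message whose vendor field was edited in the Message template no longer contains the string the plugin matches on.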
Available Plugin Fields
The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.
Additional Resources and Troubleshooting
For troubleshooting, refer to the vendor documentation: