When you configure your Imperva SecureSphere to send log data to USM Appliance, you can use the Imperva-securesphere plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin.
|Data Source Name
|Data Source ID
Integrating Imperva SecureSphere
Before you configure the Imperva SecureSphere integration, you must have the IP Address of the USM Appliance Sensor.
Imperva SecureSphere offers four different types of events that you can capture, each requiring a slightly different configuration:
- Security Events
- Custom Security Events
- Firewall Security Events
- System Events
Note: See the Imperva SecureSphere Configuration Guide for more information.
To configure Imperva SecureSphere to send log data to USM Appliance
To configure Imperva SecureSphere to send syslog messages, based on the CEF standard, whenever a new event occurs:
- Define a new Action Set and configure the following parameters:
- Name: The action set name, for example, "security_syslog".
- Syslog Host: The IP address or host name of the Syslog server.
- Syslog Log Level: The Syslog log level.
- Message: The CEF message for a security event (alert).
- Facility: The facility name that you want.
- Edit the security policies and modify the Followed Actions for those that you want to send to Syslog when a violation occurs. Use the action set defined for security events in step 1.
When a security violation occurs, Imperva SecureSphere will generate an alert and send a Syslog message to USM Appliance.
Note: For the Syslog Host entry, the IP address or host name you specify is the IP address or host name of the USM Appliance Sensor.
For plugin enablement information, see Enable Plugins.
Additional Resources and Troubleshooting
For troubleshooting, refer to the vendor documentation: