Imperva SecureSphere
About
Imperva SecureSphere management products deliver superior performance, scalability and unified management capabilities for any size deployment. Whether you’re running on-prem or in AWS, managing a small site or a large number of business units, SecureSphere management solutions give you the visibility and control to minimize administrative overhead and ensure a strong data security posture.
Product Details
Vendor URL: Imperva
Product Type: Data Security Management
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Imperva SecureSphere Management
Parser Details
Log Format: CEF
Expected Normalization Rate: 95-100%
Data Label: IMPERVA_SECURESPHERE
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
cs10 | metadata.product_log_id |
USER_RESOURCE_ACCESS | metadata.event_type |
IMPERVA | metadata.vendor_name |
SECURESPHERE | metadata.product_name |
custom filter | metadata.product_version |
smb_stage1 | additional.smb_stage1 |
smb_uid | additional.smb_uid |
smb_host | additional.smb_host |
src | principal.ip |
spt | principal.port |
src | principal.asset.ip |
duser | target.user.userid |
dst | target.ip |
dpt | target.port |
cs4 | target.application |
dst | target.asset.ip |
custom filter | observer.hostname |
custom filter | observer.asset.hostname |
cat | security_result.category_details |
cs7 | security_result.summary |
custom filter | security_result.severity |
custom filter | security_result.rule_id |
Product Event Types
Event | UDM Event Classification |
---|---|
All | USER_RESOURCE_ACCESS |
Log Sample
Apr 22 09:05:40 hostname1 CEF: 0|Imperva Inc.|SecureSphere|13.6.0|Custom|Custom Violation|Informative|act=None dst=10.10.0.2 dpt=80 duser=username1 src=10.10.0.1 spt=80 rt=Apr 22 2022 09:05:40 cat=Alert cs1=Multiple Query Errors cs1Label=Policy cs2=Custom Rule Violation:rule-name Multiple Query Errors,rule-id=-2222111113333 Custom Rule Violation:rule-name=Failed SQL,rule-id=-2222111113333 cs2Label=Metadata cs4=MSSQL cs4Label=ServiceName cs5=MSSQL Default cs5Label=ApplicationName cs6=microsoft jdbc driver for sql server cs6Label=SrcApp cs7=Distributed Multiple Query Errors, Distributed Failed SQL cs7Label=AlertDesc cs8=1686 cs8Label=AggregateInfo cs9=231082 cs9Label=AlertID cs10=1111222233333344444 cs10Label=EventID cs11=hostname2 cs11Label=DatabaseName cs12= cs12Label=OSUser cs13=9f1f4444-f41c-aaaa-2eef-0511 cs13Label=HostName cs14=svs5557cdc cs14Label=Gateway cs15=0 cs15Label=AffectedRows cs16=EXEC BACKUP_UPDATE_RETRY @P0,@P1 cs16Label=RawQuery cs17=2812 cs17Label=Error smb_host=aaa-0000 smb_stage1=111122223333 smb_uid=aaaaaabbbbbbccccccc11111 smb_timezone=EDT
Sample Parsing
metadata.product_log_id = "1111222233333344444"
metadata.event_timestamp = "2022-04-22T13:05:40Z"
metadata.event_type = "USER_RESOURCE_ACCESS"
metadata.vendor_name = "IMPERVA"
metadata.product_name = "SECURESPHERE"
metadata.product_version = "13.6.0"
additional.smb_host = "aaa-0000"
additional.smb_uid = "aaaaaabbbbbbccccccc11111"
additional.smb_stage1 = "111122223333"
principal.ip = "10.10.0.1"
principal.port = 80
principal.asset.ip = "10.10.0.1"
target.user.userid = "username1"
target.process.command_line = "EXEC BACKUP_UPDATE_RETRY"
target.ip = "10.10.0.2"
target.port = 80
target.application = "MSSQL"
target.asset.ip = "10.10.0.2"
observer.hostname = "hostname1"
observer.asset.hostname = "hostname1"
security_result.category_details = "Alert"
security_result.summary = "Distributed SCHW Multiple Query Errors, Distributed SCHW Failed SQL"
security_result.severity = "INFORMATIONAL"
security_result.rule_id = "Custom Violation"
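The mapping table, the log sample and the sample parsing above describe the same transformation from three angles. The script below is an added example (not the vendor's product or the SIEM's own parser) that carries it out end to end on the page's sample line: it strips the syslog prefix, splits the seven pipe-delimited CEF header fields, walks the key=value extension (including the empty cs12 value and the unescaped "=" characters inside the cs2 value), and emits the UDM fields as a flat dict of dotted keys matching the table. Two details the page does not spell out are marked as assumptions in the code: the event timestamp is built from rt plus the smb_timezone label (EDT is treated as UTC-4, which yields the 13:05:40Z shown in Sample Parsing), and only the Informative to INFORMATIONAL severity mapping is taken from the page, with other CEF severities passed through upper-cased.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the CEF line from this page's Log Sample section.
SAMPLE_LOG = (
    "Apr 22 09:05:40 hostname1 CEF: 0|Imperva Inc.|SecureSphere|13.6.0|Custom|"
    "Custom Violation|Informative|act=None dst=10.10.0.2 dpt=80 duser=username1 "
    "src=10.10.0.1 spt=80 rt=Apr 22 2022 09:05:40 cat=Alert "
    "cs1=Multiple Query Errors cs1Label=Policy "
    "cs2=Custom Rule Violation:rule-name Multiple Query Errors,rule-id=-2222111113333 "
    "Custom Rule Violation:rule-name=Failed SQL,rule-id=-2222111113333 cs2Label=Metadata "
    "cs4=MSSQL cs4Label=ServiceName cs5=MSSQL Default cs5Label=ApplicationName "
    "cs6=microsoft jdbc driver for sql server cs6Label=SrcApp "
    "cs7=Distributed Multiple Query Errors, Distributed Failed SQL cs7Label=AlertDesc "
    "cs8=1686 cs8Label=AggregateInfo cs9=231082 cs9Label=AlertID "
    "cs10=1111222233333344444 cs10Label=EventID cs11=hostname2 cs11Label=DatabaseName "
    "cs12= cs12Label=OSUser cs13=9f1f4444-f41c-aaaa-2eef-0511 cs13Label=HostName "
    "cs14=svs5557cdc cs14Label=Gateway cs15=0 cs15Label=AffectedRows "
    "cs16=EXEC BACKUP_UPDATE_RETRY @P0,@P1 cs16Label=RawQuery cs17=2812 cs17Label=Error "
    "smb_host=aaa-0000 smb_stage1=111122223333 smb_uid=aaaaaabbbbbbccccccc11111 "
    "smb_timezone=EDT"
)

# Syslog prefix: "<Mon DD HH:MM:SS> <host> CEF: <record>"
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+CEF:\s*(?P<cef>.*)$"
)
# An extension key is a run of [A-Za-z0-9_] at the start of the extension or right
# after whitespace, followed by "=". The lookbehind stops "rule-id=..." inside the
# cs2 value from being mistaken for a key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")
_HEADER_NAMES = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# Assumption: UTC offsets for the smb_timezone label; the page only shows EDT.
_TZ_OFFSET_HOURS = {"EDT": -4, "EST": -5, "UTC": 0}
# Assumption: the page only documents Informative -> INFORMATIONAL; other CEF
# severities are passed through upper-cased.
_SEVERITY = {"Informative": "INFORMATIONAL"}


def _unescape(value):
    """Undo the CEF escapes for pipe, equals and backslash."""
    return value.replace(r"\|", "|").replace(r"\=", "=").replace(r"\\", "\\")


def parse_cef(cef):
    """Split a CEF record into its 7 header fields and a dict of extension pairs."""
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(_HEADER_NAMES, (_unescape(p) for p in parts[:7])))
    ext = parts[7]
    matches = list(_KEY_RE.finditer(ext))
    extension = {}
    for i, m in enumerate(matches):
        # A value runs from just after "key=" up to the start of the next key.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end].strip())
    return header, extension


def to_utc_iso(rt, tz_label):
    """Interpret the CEF rt field in the given zone label and render it in UTC."""
    naive = datetime.strptime(rt, "%b %d %Y %H:%M:%S")
    tz = timezone(timedelta(hours=_TZ_OFFSET_HOURS.get(tz_label, 0)))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _port(value):
    return int(value) if value is not None and value.isdigit() else None


def parse_line(line):
    """Map one syslog-wrapped SecureSphere CEF line to flat dotted UDM keys."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog CEF line")
    header, ext = parse_cef(m.group("cef"))
    host = m.group("host")
    udm = {
        "metadata.product_log_id": ext.get("cs10"),
        "metadata.event_timestamp": (to_utc_iso(ext["rt"], ext.get("smb_timezone", "UTC"))
                                     if "rt" in ext else None),
        "metadata.event_type": "USER_RESOURCE_ACCESS",
        "metadata.vendor_name": "IMPERVA",
        "metadata.product_name": "SECURESPHERE",
        "metadata.product_version": header["device_version"],
        "principal.ip": ext.get("src"),
        "principal.port": _port(ext.get("spt")),
        "principal.asset.ip": ext.get("src"),
        "target.user.userid": ext.get("duser"),
        "target.ip": ext.get("dst"),
        "target.port": _port(ext.get("dpt")),
        "target.application": ext.get("cs4"),
        "target.asset.ip": ext.get("dst"),
        "observer.hostname": host,
        "observer.asset.hostname": host,
        "security_result.category_details": ext.get("cat"),
        "security_result.summary": ext.get("cs7"),
        "security_result.severity": _SEVERITY.get(header["severity"], header["severity"].upper()),
        "security_result.rule_id": header["name"],
    }
    for key in ("smb_stage1", "smb_uid", "smb_host"):
        if key in ext:
            udm["additional." + key] = ext[key]
    return {k: v for k, v in udm.items() if v is not None}


if __name__ == "__main__":
    for k, v in parse_line(SAMPLE_LOG).items():
        print(f"{k} = {v!r}")
```

Running the script prints one line per UDM field in the same shape as the Sample Parsing section. The key regex rather than a plain split on spaces is what makes the extension parse robust: CEF values such as rt, cs6 and cs16 contain spaces, and the cs2 value contains "=" characters that the device did not escape, so the only reliable boundary is the next whitespace-preceded key.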
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming Soon