Imperva SecureSphere

About

Imperva SecureSphere management products deliver superior performance, scalability and unified management capabilities for any size deployment. Whether you’re running on-prem or in AWS, managing a small site or a large number of business units, SecureSphere management solutions give you the visibility and control to minimize administrative overhead and ensure a strong data security posture.

Product Details

Vendor URL: Imperva

Product Type: Data Security Management

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Imperva SecureSphere Management

Parser Details

Log Format: CEF

Expected Normalization Rate: 95-100%

Data Label: IMPERVA_SECURESPHERE

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                                     UDM Field
cs10 (EventID)                                     metadata.product_log_id
rt (read in smb_timezone, emitted as UTC)          metadata.event_timestamp
USER_RESOURCE_ACCESS (constant)                    metadata.event_type
IMPERVA (constant)                                 metadata.vendor_name
SECURESPHERE (constant)                            metadata.product_name
custom filter (CEF header: device version)         metadata.product_version
smb_stage1                                         additional.smb_stage1
smb_uid                                            additional.smb_uid
smb_host                                           additional.smb_host
src                                                principal.ip
spt                                                principal.port
src                                                principal.asset.ip
duser                                              target.user.userid
cs16 (RawQuery)                                    target.process.command_line
dst                                                target.ip
dpt                                                target.port
cs4 (ServiceName)                                  target.application
dst                                                target.asset.ip
custom filter (syslog header hostname)             observer.hostname
custom filter (syslog header hostname)             observer.asset.hostname
cat                                                security_result.category_details
cs7 (AlertDesc)                                    security_result.summary
custom filter (CEF header: severity)               security_result.severity
custom filter (CEF header: name)                   security_result.rule_id

Product Event Types

Event UDM Event Classification
All USER_RESOURCE_ACCESS

Log Sample

Apr 22 09:05:40 hostname1 CEF: 0|Imperva Inc.|SecureSphere|13.6.0|Custom|Custom Violation|Informative|act=None dst=10.10.0.2 dpt=80 duser=username1 src=10.10.0.1 spt=80 rt=Apr 22 2022 09:05:40 cat=Alert cs1=Multiple Query Errors cs1Label=Policy cs2=Custom Rule Violation:rule-name Multiple Query Errors,rule-id=-2222111113333 Custom Rule Violation:rule-name=Failed SQL,rule-id=-2222111113333 cs2Label=Metadata cs4=MSSQL cs4Label=ServiceName cs5=MSSQL Default cs5Label=ApplicationName cs6=microsoft jdbc driver for sql server cs6Label=SrcApp cs7=Distributed Multiple Query Errors, Distributed Failed SQL cs7Label=AlertDesc cs8=1686 cs8Label=AggregateInfo cs9=231082 cs9Label=AlertID cs10=1111222233333344444 cs10Label=EventID cs11=hostname2 cs11Label=DatabaseName cs12= cs12Label=OSUser cs13=9f1f4444-f41c-aaaa-2eef-0511 cs13Label=HostName cs14=svs5557cdc cs14Label=Gateway cs15=0 cs15Label=AffectedRows cs16=EXEC BACKUP_UPDATE_RETRY @P0,@P1 cs16Label=RawQuery cs17=2812 cs17Label=Error smb_host=aaa-0000 smb_stage1=111122223333 smb_uid=aaaaaabbbbbbccccccc11111 smb_timezone=EDT

Sample Parsing

metadata.product_log_id = "1111222233333344444"
metadata.event_timestamp = "2022-04-22T13:05:40Z"
metadata.event_type = "USER_RESOURCE_ACCESS"
metadata.vendor_name = "IMPERVA"
metadata.product_name = "SECURESPHERE"
metadata.product_version = "13.6.0"
additional.smb_host = "aaa-0000"
additional.smb_uid = "aaaaaabbbbbbccccccc11111"
additional.smb_stage1 = "111122223333"
principal.ip = "10.10.0.1"
principal.port = 80
principal.asset.ip = "10.10.0.1"
target.user.userid = "username1"
target.process.command_line = "EXEC BACKUP_UPDATE_RETRY"
target.ip = "10.10.0.2"
target.port = 80
target.application = "MSSQL"
target.asset.ip = "10.10.0.2"
observer.hostname = "hostname1"
observer.asset.hostname = "hostname1"
security_result.category_details = "Alert"
security_result.summary = "Distributed Multiple Query Errors, Distributed Failed SQL"
security_result.severity = "INFORMATIONAL"
security_result.rule_id = "Custom Violation"
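The mapping above can be checked end to end with a small parser. The following is an added example, not Chronicle's or Imperva's parser code: it splits the syslog header and the seven pipe-separated CEF header fields, walks the extension so that the unescaped "=" signs inside cs2 ("rule-id=...") are not mistaken for new keys, pairs csN with csNLabel, converts rt from the smb_timezone zone to UTC, and emits the UDM fields from the table. The timezone offset table, the severity values other than "Informative", and UNKNOWN_SEVERITY as the fallback are assumptions made for the example; it also keeps the full RawQuery value in target.process.command_line, whereas the sample parse above shows only the statement name.

```python
"""Added example: syslog + CEF -> UDM for the SecureSphere sample above.
Illustrative code only, not the Chronicle or Imperva parser."""
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the page's (already redacted) log sample.
SAMPLE = (
    "Apr 22 09:05:40 hostname1 CEF: 0|Imperva Inc.|SecureSphere|13.6.0|Custom|"
    "Custom Violation|Informative|act=None dst=10.10.0.2 dpt=80 duser=username1 "
    "src=10.10.0.1 spt=80 rt=Apr 22 2022 09:05:40 cat=Alert cs1=Multiple Query "
    "Errors cs1Label=Policy cs2=Custom Rule Violation:rule-name Multiple Query "
    "Errors,rule-id=-2222111113333 Custom Rule Violation:rule-name=Failed SQL,"
    "rule-id=-2222111113333 cs2Label=Metadata cs4=MSSQL cs4Label=ServiceName "
    "cs5=MSSQL Default cs5Label=ApplicationName cs6=microsoft jdbc driver for "
    "sql server cs6Label=SrcApp cs7=Distributed Multiple Query Errors, "
    "Distributed Failed SQL cs7Label=AlertDesc cs8=1686 cs8Label=AggregateInfo "
    "cs9=231082 cs9Label=AlertID cs10=1111222233333344444 cs10Label=EventID "
    "cs11=hostname2 cs11Label=DatabaseName cs12= cs12Label=OSUser "
    "cs13=9f1f4444-f41c-aaaa-2eef-0511 cs13Label=HostName cs14=svs5557cdc "
    "cs14Label=Gateway cs15=0 cs15Label=AffectedRows "
    "cs16=EXEC BACKUP_UPDATE_RETRY @P0,@P1 cs16Label=RawQuery cs17=2812 "
    "cs17Label=Error smb_host=aaa-0000 smb_stage1=111122223333 "
    "smb_uid=aaaaaabbbbbbccccccc11111 smb_timezone=EDT"
)

# Syslog header, then "CEF:" with or without a space before the version (the
# sample writes "CEF: 0|", the CEF spec writes "CEF:0|").
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"CEF:\s*(?P<ver>\d+)\|(?P<rest>.*)$"
)
# An extension key must start at a whitespace boundary. This keeps the
# "rule-id=" / "rule-name=" fragments embedded in cs2 inside cs2's value.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

# Assumed offsets; EDT is the only zone that appears on the page.
TZ_OFFSETS_H = {"EDT": -4, "EST": -5, "UTC": 0}
# "Informative" -> INFORMATIONAL is from the sample parse; the rest is assumed.
SEVERITY = {"Informative": "INFORMATIONAL", "Low": "LOW",
            "Medium": "MEDIUM", "High": "HIGH"}


def parse_extension(ext):
    """Return {key: value}; a value runs up to the next key (may be empty)."""
    fields = {}
    matches = list(EXT_KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields


def resolve_labels(fields):
    """Pair csN with csNLabel: {"EventID": "1111...", "RawQuery": "EXEC ..."}."""
    return {v: fields[k[:-5]] for k, v in fields.items()
            if k.endswith("Label") and k[:-5] in fields}


def parse_cef(line):
    """Split syslog header, the 7 CEF header fields and the extension."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    parts = re.split(r"(?<!\\)\|", m.group("rest"), maxsplit=6)  # unescaped pipes
    if len(parts) != 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    vendor, product, version, sig_id, name, severity, ext = parts
    return {"syslog_ts": m.group("ts"), "syslog_host": m.group("host"),
            "cef_version": m.group("ver"), "vendor": vendor, "product": product,
            "version": version, "signature_id": sig_id, "name": name,
            "severity": severity, "ext": parse_extension(ext)}


def rt_to_utc(rt, tz_name):
    """rt is local time in the zone named by smb_timezone; emit RFC 3339 UTC."""
    naive = datetime.strptime(rt, "%b %d %Y %H:%M:%S")
    local = naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS_H[tz_name])))
    return local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def to_udm(line):
    """Map one line onto the UDM fields listed in the table above."""
    cef = parse_cef(line)
    e = cef["ext"]
    return {
        "metadata.product_log_id": e.get("cs10"),
        "metadata.event_timestamp": rt_to_utc(e["rt"], e.get("smb_timezone", "UTC")),
        "metadata.event_type": "USER_RESOURCE_ACCESS",
        "metadata.vendor_name": "IMPERVA",
        "metadata.product_name": "SECURESPHERE",
        "metadata.product_version": cef["version"],
        "additional.smb_stage1": e.get("smb_stage1"),
        "additional.smb_uid": e.get("smb_uid"),
        "additional.smb_host": e.get("smb_host"),
        "principal.ip": e.get("src"),
        "principal.port": int(e["spt"]) if e.get("spt") else None,
        "principal.asset.ip": e.get("src"),
        "target.user.userid": e.get("duser"),
        "target.process.command_line": e.get("cs16"),
        "target.ip": e.get("dst"),
        "target.port": int(e["dpt"]) if e.get("dpt") else None,
        "target.application": e.get("cs4"),
        "target.asset.ip": e.get("dst"),
        "observer.hostname": cef["syslog_host"],
        "observer.asset.hostname": cef["syslog_host"],
        "security_result.category_details": e.get("cat"),
        "security_result.summary": e.get("cs7"),
        "security_result.severity": SEVERITY.get(cef["severity"], "UNKNOWN_SEVERITY"),
        "security_result.rule_id": cef["name"],
    }


if __name__ == "__main__":
    for k, v in to_udm(SAMPLE).items():
        print(f"{k} = {v!r}")
```

Run it as a script to print the UDM view of the sample; the key-detection regex is the part worth reusing, since SecureSphere writes "=" inside cs2 without the backslash escaping CEF requires, and a naive `key=value` split on every "=" silently truncates that field.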

Parser Alerting

This product currently does not have any Parser-based Alerting