Imperva Incapsula
The IBM QRadar DSM for Imperva Incapsula collects logs from an Imperva Incapsula service.
The following table describes the specifications for the Imperva Incapsula DSM:
Specification | Value |
---|---|
Manufacturer | Imperva |
DSM name | Imperva Incapsula |
RPM file name | DSM-ImpervaIncapsula-QRadar_version-build_number.noarch.rpm |
Supported versions | N/A |
Protocol | Syslog |
Event format | LEEF |
Recorded event types | Access events and Security alerts |
Automatically discovered? | Yes |
Includes identity? | No |
Includes custom properties? | No |
More information | Imperva Incapsula website (https://www.incapsula.com/) |
To integrate Imperva Incapsula with QRadar, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the
following RPMs from the IBM® Support Website onto your QRadar
Console:
- DSMCommon RPM
- Imperva Incapsula DSM RPM
- Configure the Log download utility to collect logs and then forward the logs to QRadar.
- If QRadar does not
automatically detect the log source, add an Imperva Incapsula log source on the QRadar Console. The following
table describes the parameters that require specific values to collect event from Imperva
Incapsula:
Table 2. Imperva Incapsula log source parameters Parameter Value Log Source type Imperva Incapsula Protocol Configuration Syslog - Verify that QRadar is
configured correctly.Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.The following table shows a sample normalized event message from Imperva Incapsula:
Table 3. Imperva Incapsula sample message Event name Low level category Sample log message REQ_PASSED Information LEEF:1.0|Incapsula|SIEMintegration|1.0|Normal|fileId=fidsourceServiceName=ssnamesiteid=siteidsuid=suidrequestClientApplication=reqcliappcs2=truecs2Label=Javascript Supportcs3=truecs3Label=COSupportsrc=<Source_IP_address>cs1=NAcs1Label=CapSupportcs5Label=clappsigdproc=Browsercs6=InternetExplorercs6Label=clappcalCountryOrRegion=[XX]cs7=xx.xxcs7Label=latitudecs8=xx.xxcs8Label=longitudeCustomer=customerstart=startrequestMethod=GETcn1=200proto=HTTPcat=REQ_PASSED