Configuring Imperva SecureSphere V11.0 to V13 to send database audit records to QRadar

To send database audit records from Imperva SecureSphere V11.0 to V13 to IBM® QRadar®, create a custom action set, add an action interface to it, and then configure an audit policy that uses the action set as its external logger.


  1. Create a custom action set:
    1. Log in to your Imperva SecureSphere system.
    2. In the Main workspace, select Policies > Action Sets.
    3. In the Action Sets pane, click the green plus sign icon.
    4. In the Action Set text box, type a name for the action set. For example, QRadar SIEM.
    5. From the Apply to event type list, select Audit.
    6. Click Create.
  2. Add the action interface that you want to be part of the action set to the Selected Actions pane:
    1. Click the green up arrow icon, and then select Gateway System Log > log audit event to System Log (Gateway System Log).
    2. Configure the following action interface parameters:
      Name: Type the name that you created for the action set. For example, QRadar SIEM.
      Protocol: Select UDP. UDP syslog is sent in clear text and without delivery acknowledgement, so keep the path between the gateway and the QRadar appliance on a trusted network segment.
      Host: Type the IP address or host name of the QRadar appliance that you want to send events to.
      Port: 514
      Syslog Log Level: Info
      Facility: syslog
      Message: Paste the LEEF template that follows as a single line.
      Tip: Line breaks in the Message field cause this configuration to fail. Copy the template into a text editor, remove any line breaks, and paste it into the Message field as one line.
      LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}|devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=${Alert.createTime}|Alert type=${Alert.alertType}|src=${Alert.sourceIp}|usrName=${Event.struct.user.user}|Application name=${Alert.applicationName}|dst=${Event.destInfo.serverIp}|Alert Description=${Alert.description}|Severity=${Alert.severity}|Immediate Action=${Alert.immediateAction}|SecureSphere Version=${SecureSphereVersion}
    3. Select the Run on Every Event check box.
  3. Configure an audit policy for the events that you want to send to QRadar:
    1. In the Main workspace, click Policies > Audit.
    2. Click Create DB Service.
    3. Type a name for the policy.
    4. Select Use Existing, and then select a policy from the list.
    5. Click the Match Criteria tab, and then enter the criteria for the policy.
    6. Click the Apply To tab, and then select the server group.
    7. Click the External Logger tab.
    8. From the Syslog list, select the QRadar SIEM that you configured.
    9. Optional: If you chose a pre-defined policy in step 4, verify that its Apply To and External Logger settings match the preceding steps.
    10. Click Save.
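The following Python script is an added example, not code from IBM or Imperva. It takes the Message template from the action set above, checks it for the line-break problem the Tip describes, fills the ${...} placeholders with constructed values for one hypothetical audit event, frames the result as a syslog message with the PRI that facility syslog (5) and level Info (6) produce, and parses it back the way a collector would see it. The parser follows the layout of the template on this page (pipe-delimited header and pipe-delimited key=value attributes); the sample values, the loopback port and the helper names are assumptions for the demonstration.

```python
import re
import socket

# The Message template exactly as it appears in the action set above, on a single line.
TEMPLATE = (
    "LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|"
    "${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}|"
    "devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=${Alert.createTime}|"
    "Alert type=${Alert.alertType}|src=${Alert.sourceIp}|"
    "usrName=${Event.struct.user.user}|Application name=${Alert.applicationName}|"
    "dst=${Event.destInfo.serverIp}|Alert Description=${Alert.description}|"
    "Severity=${Alert.severity}|Immediate Action=${Alert.immediateAction}|"
    "SecureSphere Version=${SecureSphereVersion}"
)

# Constructed placeholder values for one hypothetical audit event (not real data).
SAMPLE_VALUES = {
    "SecureSphereVersion": "12.0.0.5",
    "Alert.alertType": "Database Firewall",
    "Alert.immediateAction": "Block",
    "Alert.dn": "1234",
    "Alert.createTime": "2019-03-14 09:26:53.0",
    "Alert.sourceIp": "10.0.0.25",
    "Event.struct.user.user": "appuser",
    "Alert.applicationName": "Default DB Application",
    "Event.destInfo.serverIp": "10.0.1.10",
    "Alert.description": "Failed login",
    "Alert.severity": "High",
}

HEADER_FIELDS = ("leef", "vendor", "product", "version", "event_id")


def check_template(template):
    """Return a list of problems with a Message template (empty list = OK).

    Catches the failure the Tip warns about (a line break pasted into the
    Message field), a LEEF header missing one of its five fields, and an
    attribute that lost its '='."""
    problems = []
    if "\n" in template or "\r" in template:
        problems.append("template contains a line break")
    parts = template.split("|")
    if len(parts) < 6 or parts[0] != "LEEF:1.0":
        problems.append("header must be LEEF:1.0|Vendor|Product|Version|EventID|...")
    for attr in parts[5:]:
        if "=" not in attr:
            problems.append("attribute without '=': %r" % attr)
    return problems


def render(template, values):
    """Substitute ${...} placeholders with event values.

    A value containing '|' or a newline would shift every following field,
    so it is rejected rather than emitted (the template offers no escaping)."""
    def sub(m):
        v = values[m.group(1)]
        if "|" in v or "\n" in v:
            raise ValueError("value for %s would break the field layout" % m.group(1))
        return v
    return re.sub(r"\$\{([^}]+)\}", sub, template)


def syslog_frame(message, facility=5, severity=6):
    """Prepend the syslog PRI: facility 'syslog' is 5, level Info is 6 -> <46>."""
    return "<%d>%s" % (facility * 8 + severity, message)


def parse_leef(frame):
    """Parse one received frame into PRI, LEEF header fields and attributes.

    Follows this page's template: five pipe-delimited header fields, then
    pipe-delimited key=value attributes (not LEEF's default tab delimiter)."""
    m = re.match(r"^<(\d+)>(.*)$", frame, re.S)
    if not m:
        raise ValueError("missing syslog PRI")
    pri, body = int(m.group(1)), m.group(2)
    parts = body.split("|")
    if len(parts) < 6 or parts[0] != "LEEF:1.0":
        raise ValueError("not a LEEF:1.0 record")
    record = dict(zip(HEADER_FIELDS, parts[:5]))
    record["facility"], record["severity"] = divmod(pri, 8)
    record["attrs"] = {}
    for attr in parts[5:]:
        key, sep, value = attr.partition("=")
        if not sep:
            raise ValueError("attribute without '=': %r" % attr)
        record["attrs"][key] = value
    return record


def loopback_round_trip(frame):
    """Send the frame over UDP to a local receiver and return what arrived,
    mimicking gateway -> QRadar:514 (an ephemeral port is used so no root is needed)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        tx.sendto(frame.encode("utf-8"), rx.getsockname())
        data, _ = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return data.decode("utf-8")


if __name__ == "__main__":
    assert check_template(TEMPLATE) == []
    received = loopback_round_trip(syslog_frame(render(TEMPLATE, SAMPLE_VALUES)))
    print(parse_leef(received))
```

Run it once before you save the action set: feed the exact text you intend to paste into the Message field to check_template, and the returned list tells you whether a line break or a dropped header field survived the copy. The render check matters for the free-text placeholders (Alert Description, Application name): a value carrying a pipe character shifts every later attribute, so a record that parses in this script but arrives misaligned in QRadar usually points at such a value.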

What to do next

You must define an audit policy or configure a pre-defined policy for each type of audit event that you want to send to QRadar.