To send database audit records from Imperva SecureSphere V11.0 to V13 to IBM QRadar, create a custom action set, add an action interface, and then configure an audit policy.
Procedure
- Create a custom action set:
  - Log in to your Imperva SecureSphere system.
  - In the Main workspace, select .
  - In the Action Sets pane, click the green plus sign icon.
  - In the Action Set text box, type a name for the action set. For example, QRadar SIEM.
  - From the Apply to event type list, select Audit.
  - Click Create.
- Add the action interface that you want to be part of the action set to the Selected Actions pane:
  - Click the green up arrow icon, and then select .
  - Configure the following action interface parameters:
    - Name: Type the name that you created for the action set. For example, QRadar SIEM.
    - Protocol: Select UDP.
    - Host: Type the IP address or the host name of the QRadar appliance to which you want to send events.
    - Port: 514
    - Syslog Log Level: Info
    - Facility: syslog
    - Message: Tip: The line breaks in the code example might cause this configuration to fail. For each alert, copy the code block below into a text editor, remove the line breaks, and paste it as a single line in the Message field.
      LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}|devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=${Alert.createTime}|Alert type=${Alert.alertType}|src=${Alert.sourceIp}|usrName=${Event.struct.user.user}|Application name=${Alert.applicationName}|dst=${Event.destInfo.serverIp}|Alert Description=${Alert.description}|Severity=${Alert.severity}|Immediate Action=${Alert.immediateAction}|SecureSphere Version=${SecureSphereVersion}
  - Select the Run on Every Event check box.
- Configure an audit policy for the events that you want to send to QRadar:
  - In the Main workspace, click .
  - Click Create DB Service.
  - Type a name for the policy.
  - Select Use Existing, and then select a policy from the list.
  - Click the Match Criteria tab, and then enter the criteria for the policy.
  - Click the Apply To tab, and then select the server group.
  - Click the External Logger tab.
  - From the Syslog list, select the QRadar SIEM that you configured.
  - Optional: If you select a pre-defined policy from the Syslog list, configure the Apply to and External Logger fields.
  - Click Save.
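The following Python script is an added example, not part of the IBM or Imperva documentation, that shows what the Message template above produces once SecureSphere fills in the ${...} placeholders, and why the line breaks the tip warns about matter. It collapses a template that was pasted with line breaks into one line, renders it with constructed sample values (all of the values, the IP addresses and the version string are made up for the example), and then parses the resulting event back into the LEEF header fields and the pipe-delimited attributes that QRadar receives, so you can check that each field arrives intact before pointing the action set at a live collector.

```python
import re

# Constructed sample: the template as it might look after a copy from a browser,
# with line breaks inserted. A real Message field must contain none of these.
TEMPLATE_WITH_BREAKS = (
    "LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|"
    "${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}|"
    "devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=${Alert.createTime}|\n"
    "Alert type=${Alert.alertType}|src=${Alert.sourceIp}|"
    "usrName=${Event.struct.user.user}|Application name=${Alert.applicationName}|\n"
    "dst=${Event.destInfo.serverIp}|Alert Description=${Alert.description}|"
    "Severity=${Alert.severity}|Immediate Action=${Alert.immediateAction}|"
    "SecureSphere Version=${SecureSphereVersion}"
)

# Constructed placeholder values standing in for what SecureSphere would supply.
SAMPLE_VALUES = {
    "SecureSphereVersion": "13.0",
    "Alert.alertType": "Audit",
    "Alert.immediateAction": "None",
    "Alert.dn": "12345",
    "Alert.createTime": "2024-01-15 10:22:33.0",
    "Alert.sourceIp": "10.0.0.5",
    "Event.struct.user.user": "dbadmin",
    "Alert.applicationName": "Billing DB",
    "Event.destInfo.serverIp": "10.0.1.20",
    "Alert.description": "SELECT on customers table",
    "Alert.severity": "Low",
}

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def normalize_template(text: str) -> str:
    """Remove CR/LF characters only, keeping every other byte (including the
    space between the two event-ID placeholders) exactly as written."""
    return text.replace("\r", "").replace("\n", "")


def render_template(template: str, values: dict) -> str:
    """Substitute ${name} placeholders; an unknown name raises KeyError so a
    typo in the template is caught instead of being sent as literal text."""
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def parse_leef(line: str) -> dict:
    """Split a pipe-delimited LEEF 1.0 event into header fields and attributes.

    The header is the first five '|'-separated fields; everything after it is
    key=value pairs, also '|'-separated as this template writes them. Note that
    a value which itself contains '|' (for example a free-text description)
    would be split incorrectly by this simple parser."""
    parts = line.split("|")
    if len(parts) < 5 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF event: %r" % line[:40])
    attributes = {}
    for field in parts[5:]:
        if not field:          # tolerate a trailing '|'
            continue
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError("attribute without '=': %r" % field)
        attributes[key] = value
    return {
        "version": parts[0],
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
        "attributes": attributes,
    }


def build_sample_event() -> dict:
    """Normalize, render and parse the constructed template end to end."""
    single_line = normalize_template(TEMPLATE_WITH_BREAKS)
    return parse_leef(render_template(single_line, SAMPLE_VALUES))


if __name__ == "__main__":
    event = build_sample_event()
    print("event id:", event["event_id"])
    for key, value in event["attributes"].items():
        print("  %-22s %s" % (key, value))
```

Running the script prints the rendered header and the twelve attributes; if a placeholder name in the template does not match a field SecureSphere exposes, render_template fails loudly rather than producing an event with a literal "${...}" in it, which is the same symptom you would otherwise see only after the events reach QRadar.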
What to do next
You must define an audit policy or configure a pre-defined policy for each type of audit event that you want to send to QRadar.