Configuring an alert action for Imperva SecureSphere
Configure your Imperva SecureSphere appliance to forward syslog events for firewall policy alerts to QRadar.
About this task
Use the following list to define a message string in the Message field for each event type that you want to forward:
Tip: Because of formatting issues, paste the message format into a text editor and remove any carriage return or line feed characters, then paste it as a single line in the Custom Format column.
- Database alerts (V9.5 and V10 to V13)
  LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}|devTimeFormat=[see note]|devTime=${Alert.createTime}|Alert type=${Alert.alertType}|src=${Alert.sourceIp}|usrName=${Event.struct.user.user}|Application name=${Alert.applicationName}|dst=${Event.destInfo.serverIp}|Alert Description=${Alert.description}|Severity=${Alert.severity}|Immediate Action=${Alert.immediateAction}|SecureSphere Version=${SecureSphereVersion}
- File server alerts (V9.5 and V10 to V13)
  LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}|devTimeFormat=[see note]|devTime=${Alert.createTime}|Alert type=${Alert.alertType}|src=${Alert.sourceIp}|usrName=${Event.struct.user.username}|Domain=${Event.struct.user.domain}|Application name=${Alert.applicationName}|dst=${Event.destInfo.serverIp}|Alert Description=${Alert.description}|Severity=${Alert.severity}|Immediate Action=${Alert.immediateAction}|SecureSphere Version=${SecureSphereVersion}
- Web application firewall alerts (V9.5 and V10 to V13)
  LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}|devTimeFormat=[see note]|devTime=${Alert.createTime}|Alert type=${Alert.alertType}|src=${Alert.sourceIp}|srcPort=$!{Event.sourceInfo.sourcePort}|usrName=${Alert.username}|Application name=${Alert.applicationName}|dst=${Event.destInfo.serverIp}|dstPort=$!{Event.destInfo.serverPort}|Service name=${Alert.serviceName}|Event Description=${Alert.description}|Severity=${Alert.severity}|Simulation Mode=${Alert.simulationMode}|Immediate Action=${Alert.immediateAction}
- All alerts (V6.2 and V7 to V13 Release Enterprise Edition)
  DeviceType=ImpervaSecuresphere Alert|an=$!{Alert.alertMetadata.alertName}|at=SecuresphereAlert|sp=$!{Event.sourceInfo.sourcePort}|s=$!{Event.sourceInfo.sourceIp}|d=$!{Event.destInfo.serverIp}|dp=$!{Event.destInfo.serverPort}|u=$!{Alert.username}|g=$!{Alert.serverGroupName}|ad=$!{Alert.description}
Tip: The devTimeFormat parameter is shown as [see note] rather than with a value because the time format is configured on the SecureSphere appliance. Check the time format that your SecureSphere appliance uses and specify that format as the devTimeFormat value.
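Before pointing the alert action at QRadar, it is worth checking that the rendered syslog line is a single line, that every template variable was expanded, and that the devTimeFormat placeholder was replaced. The following checker is an added example, not code from IBM or Imperva; it assumes that the alert action renders the templates above with '|' between fields (as the page shows) and that an unexpanded variable would appear literally as ${...}, $!{...} or a bare {...}. Both sample lines are constructed for illustration.

```python
"""Sanity-check a rendered SecureSphere LEEF line before it reaches QRadar."""
import re
from typing import Dict, List, Tuple

# Constructed sample of a correctly rendered database-alert line (values made up).
SAMPLE_LINE = (
    "LEEF:1.0|Imperva|SecureSphere|13.0|Protocol Violation Block|"
    "Alert ID=1234|devTimeFormat=MMM dd yyyy HH:mm:ss|devTime=Jan 05 2021 10:15:32|"
    "Alert type=Protocol Violation|src=10.0.0.5|usrName=dbuser|"
    "Application name=ERP|dst=10.0.1.20|Alert Description=Suspicious query|"
    "Severity=High|Immediate Action=Block|SecureSphere Version=13.0"
)

# Constructed sample with two defects: the devTimeFormat placeholder was never
# replaced, and a template variable lost its leading '$' so it was not expanded.
BROKEN_LINE = (
    "LEEF:1.0|Imperva|SecureSphere|13.0|Login Failed None|"
    "Alert ID={Alert.dn}|devTimeFormat=[see note]|devTime=Jan 05 2021 10:15:32|"
    "src=10.0.0.5|usrName=fsuser|Severity=Low"
)

# Matches ${Var}, $!{Var} and a bare {Var.name} that is not preceded by '$'.
UNRESOLVED = re.compile(r"\$!?\{[^}]*\}|(?<!\$)\{[A-Za-z][\w.]*\}")


def parse_leef(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a LEEF line into its 5 header fields and its key=value attributes.

    The page's templates use '|' as the attribute delimiter (assumption), so
    everything after the header is split on '|' and then on the first '='.
    """
    parts = line.rstrip("\r\n").split("|")
    if len(parts) < 5 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF line")
    header = parts[:5]
    attrs: Dict[str, str] = {}
    for field in parts[5:]:
        if "=" not in field:
            raise ValueError(f"attribute without '=': {field!r}")
        key, value = field.split("=", 1)
        attrs[key.strip()] = value.strip()
    return header, attrs


def check_line(line: str) -> List[str]:
    """Return the problems found in a rendered line; an empty list means clean."""
    problems: List[str] = []
    # The template must have been pasted as one line: no embedded CR/LF.
    if "\r" in line or "\n" in line.rstrip("\r\n"):
        problems.append("embedded CR/LF: template was not pasted as a single line")
    try:
        header, attrs = parse_leef(line)
    except ValueError as exc:
        return problems + [str(exc)]
    if header[1:3] != ["Imperva", "SecureSphere"]:
        problems.append(f"unexpected vendor/product header: {header[1:3]}")
    for key, value in attrs.items():
        if UNRESOLVED.search(value):
            problems.append(f"unresolved template variable in {key!r}: {value}")
    fmt = attrs.get("devTimeFormat", "")
    if not fmt or fmt.startswith("["):
        problems.append("devTimeFormat still holds the placeholder; set the appliance's time format")
    if "devTime" not in attrs:
        problems.append("devTime attribute missing")
    return problems


if __name__ == "__main__":
    for name, line in (("sample", SAMPLE_LINE), ("broken", BROKEN_LINE)):
        found = check_line(line)
        print(f"{name}: {'OK' if not found else found}")
```

Run it against a few lines captured from the appliance's syslog output (for example, from a test listener on the QRadar side) before enabling the alert action for all policies; a template with a stray line break or a mistyped variable shows up here rather than as unparsed events in QRadar.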