Imperva

This integration is for Imperva device logs. It includes the datasets for receiving logs over syslog or read from a file:

• securesphere dataset: supports Imperva SecureSphere logs.

The Imperva integration collects one type of data: securesphere.

Securesphere consists of alerts, violations, and system events. See more details about alerts, violations, and events

Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions.

The minimum kibana.version required is 8.10.1.

1. The gateway and management server (MX) should have the relevant connectivity for sending logs using the Syslog server.

2. To send all security violations from the gateway to Elastic:

• Create a custom action set:

  • From a 'security violation–all', type and add the gateway security system log > gateway log security event to system log (syslog) using the CEF standard.
  • Configure the relevant name and parameters for the action set.

• Assign a followed action to a security - > policy rule.

3. To send all security alerts (aggregated violations) from the gateway to Elastic:

• Create a custom action set:

  • From an 'any event type', type and add the server system log > log security event to system log (syslog) using the CEF standard.
  • Configure the relevant name and parameters for the action set.

• Assign a followed action to a security - > policy rule.

4. To send all system events from the gateway to Elastic:

• Create a custom action set:

  • From an 'any event type', type and add the server system log > log system event to system log (syslog) using the CEF standard.
  • Configure the relevant name and parameters for the action set.

• Create system events policy.

• Assign a followed action to a system event policy.

For more information on working with action sets and followed actions, check the Imperva documentation.

1. In Kibana navigate to Management > Integrations.
2. In the search bar, type Imperva.
3. Select the Imperva integration and add it.
4. Enable the data collection mode from the following: Filestream, TCP, or UDP.
5. Add all the required configuration parameters, such as paths for the filestream or listen address and listen port for the TCP and UDP.
6. Save the integration.

This is the Securesphere dataset.

{
    "@timestamp": "2023-10-05T18:33:02.000Z",
    "agent": {
        "ephemeral_id": "94608df6-6778-4ec4-99dc-d0cd37d583d8",
        "id": "0412638f-dd94-4c0e-b349-e99a0886d9f0",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.10.1"
    },
    "data_stream": {
        "dataset": "imperva.securesphere",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.17.0"
    },
    "elastic_agent": {
        "id": "0412638f-dd94-4c0e-b349-e99a0886d9f0",
        "snapshot": false,
        "version": "8.10.1"
    },
    "event": {
        "agent_id_status": "verified",
        "code": "User logged in",
        "dataset": "imperva.securesphere",
        "ingested": "2023-12-01T09:10:18Z",
        "kind": "event",
        "original": "<14>CEF:0|Imperva Inc.|SecureSphere|15.1.0|User logged in|User admin logged in from 81.2.69.142.|High|suser=admin rt=Oct 05 2023 18:33:02 cat=SystemEvent",
        "severity": 7
    },
    "imperva": {
        "securesphere": {
            "device": {
                "event": {
                    "category": "SystemEvent",
                    "class_id": "User logged in"
                },
                "product": "SecureSphere",
                "receipt_time": "2023-10-05T18:33:02.000Z",
                "vendor": "Imperva Inc.",
                "version": "15.1.0"
            },
            "name": "User admin logged in from 81.2.69.142.",
            "severity": "High",
            "source": {
                "user_name": "admin"
            },
            "version": "0"
        }
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "source": {
            "address": "192.168.249.7:48857"
        }
    },
    "message": "User admin logged in from 81.2.69.142.",
    "observer": {
        "product": "SecureSphere",
        "vendor": "Imperva Inc.",
        "version": "15.1.0"
    },
    "related": {
        "user": [
            "admin"
        ]
    },
    "source": {
        "user": {
            "name": "admin"
        }
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "imperva.securesphere"
    ]
}

This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.

×