Imperva WAF Integration Guide


Imperva should be configured to send logs to the Taegis™ XDR Collector via syslog by following the logging instructions below.

Connectivity Requirements

Source        Destination                Port/Protocol
Imperva WAF   XDR Collector (mgmt IP)    UDP/514

Data Provided from Integrations

  Auth DNS HTTP Management Netflow NIDS Process Thirdparty
Imperva WAF     D          

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configuration Instructions

To configure Imperva to send logs to Secureworks® Taegis™ XDR via syslog, follow these instructions.

Security Events

Create a Custom Action Set

Create a custom action set for security events by following the instructions provided by Imperva. Consider the following requirements when completing the configuration steps:

    SecSphWeb--OriginGW=${Event.originGWDn};AlertInformation=${Alert.alertMetadata.alertName};displayName=${Rule.parent.displayName};AlertType=${Alert.alertType};Severity=${Alert.severity};AlertNumber=${Alert.dn};EventNumber=${Event.dn};AlertCreateTime=${Alert.createTime};EventCreateTime=${Event.createTime};ServerGroup=${Alert.serverGroupName};AttackedApp=${Alert.applicationName};AttackedService=${Alert.serviceName};AlertDescription=${Alert.description};AlertAction=${Alert.immediateAction};SimulationMode=${Alert.simulationMode};Alert.username=${Alert.username};Alert.aggregationInfo.occurrences=${Alert.aggregationInfo.occurrences};SourceIP=${Event.sourceInfo.sourceIp};SourcePort=${Event.sourceInfo.sourcePort};DestinationIP=${Event.destInfo.serverIp};DestinationPort=${Event.destInfo.serverPort};httpRequest.url.method=${Event.struct.httpRequest.url.method};httpRequest.url.path=${Event.struct.httpRequest.url.path};httpRequest.url.host=${Event.struct.httpRequest.url.host};httpRequest.url.queryString=${Event.struct.httpRequest.url.queryString};httpRequest.url.fullPath=${Event.struct.httpRequest.url.fullPath};httpResponse.responseCode=${Event.struct.httpResponse.responseCode};httpResponse.responseSize=${Event.struct.responseSize};httpResponse.responseTime=${Event.struct.responseTime};Event.struct.user.available=${Event.struct.user.available};Event.rawData=${Event.struct.rawData};HTTPRequestHeaders=#list(${Event.struct.httpRequest.headers} "${item.name} ${item.value}");
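As an added check (example code written for this guide, not Imperva's or Secureworks' own), the following Python parses a rendered security-event message using the field names of the template above, so a line captured on the collector can be verified before the action set is rolled out to every policy. The syslog sample, host names and addresses are constructed; a value that itself contains ";<FieldName>=" is the one case the splitter cannot disambiguate.

```python
import re
from typing import Dict, List

# Field names, in order, from the TDR-SecurityEvents message format in this guide.
FIELD_NAMES: List[str] = """
OriginGW AlertInformation displayName AlertType Severity AlertNumber EventNumber
AlertCreateTime EventCreateTime ServerGroup AttackedApp AttackedService AlertDescription
AlertAction SimulationMode Alert.username Alert.aggregationInfo.occurrences SourceIP
SourcePort DestinationIP DestinationPort httpRequest.url.method httpRequest.url.path
httpRequest.url.host httpRequest.url.queryString httpRequest.url.fullPath
httpResponse.responseCode httpResponse.responseSize httpResponse.responseTime
Event.struct.user.available Event.rawData HTTPRequestHeaders
""".split()

PREFIX = "SecSphWeb--"
# Split only on a ';' that introduces a known field, so a query string or header value
# containing ';' or '=' stays inside its own field. (A value that literally contains
# ";<KnownField>=" is the one case this cannot disambiguate.)
_FIELD_BOUNDARY = re.compile(r";(?=(?:%s)=)" % "|".join(map(re.escape, FIELD_NAMES)))

def parse_security_event(line: str) -> Dict[str, str]:
    """Parse one syslog line carrying a SecSphWeb-- message into {field: value}."""
    _head, sep, body = line.partition(PREFIX)
    if not sep:
        raise ValueError("line does not carry a SecSphWeb-- security event")
    fields: Dict[str, str] = {}
    for chunk in _FIELD_BOUNDARY.split(body.rstrip(";")):
        name, eq, value = chunk.partition("=")
        if not eq or name not in FIELD_NAMES:
            raise ValueError("unexpected field %r" % name)
        fields[name] = value
    return fields

def missing_fields(fields: Dict[str, str]) -> List[str]:
    """Template fields absent from a parsed message: a quick check that the whole
    action-set text was pasted and that every field is reaching the collector."""
    return [name for name in FIELD_NAMES if name not in fields]

# Constructed sample line (hypothetical values, not captured from a real appliance).
SAMPLE = (
    "<134>Jan 10 12:00:00 waf-gw01 SecSphWeb--OriginGW=gw01;AlertInformation=SQL Injection;"
    "AlertType=Signature;Severity=High;AlertNumber=101;EventNumber=202;SourceIP=203.0.113.5;"
    "SourcePort=51234;DestinationIP=10.0.0.8;DestinationPort=443;httpRequest.url.method=GET;"
    "httpRequest.url.path=/login;httpRequest.url.queryString=id=1;view=full;"
    "httpResponse.responseCode=403;HTTPRequestHeaders=Host shop.example User-Agent curl/8.5;"
)

if __name__ == "__main__":
    parsed = parse_security_event(SAMPLE)
    print(parsed["httpRequest.url.queryString"], missing_fields(parsed))
```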

Set Followed Action for Web Policies

Apply the TDR-SecurityEvents action set created in the preceding section as the Followed Action to all Web policies by following the instructions provided by Imperva.

Ensure that you filter the Security Policies window to display only Web policies prior to selecting the policies and setting the Followed Action.

Note

You can only set the Followed Action for enabled Policy Rules.

System Events

Create a Custom Action Set

Create a custom action set for system events by following the instructions provided by Imperva. Consider the following requirements when completing the configuration steps:

    SecureSphere category=SystemEvent${Event.createTime}${Event.eventType}${Event.message}${Event.severity.displayName}${Event.username}

Create System Events Policies and Set Followed Action

Following the instructions provided by Imperva, create a separate System Events policy for each system event type.

For each policy, select the Followed Action tab, choose the TDR-SystemEvents action set created in the preceding section, and select Save.

Network Policies

Apply the TDR-SecurityEvents action set created in the first section as the Followed Action to all Network policies by following the instructions provided by Imperva.

Ensure that you filter the Security Policies window to display only Network policies prior to selecting the policies and setting the Followed Action.

Note

You can only set the Followed Action for enabled Policy Rules.
