Imperva WAF Integration Guide
Imperva should be configured to send logs to the Taegis™ XDR Collector via syslog by following the logging instructions below.
Connectivity Requirements
Source | Destination | Port/Protocol
---|---|---
Imperva WAF | XDR Collector (mgmt IP) | UDP/514
Data Provided from Integrations
Auth | CloudAudit | DNS | HTTP | Management | Netflow | NIDS | Process | Thirdparty | |
---|---|---|---|---|---|---|---|---|---|
Imperva WAF | D |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configuration Instructions
To configure Imperva to send logs to Secureworks® Taegis™ XDR via syslog, follow these instructions.
Security Events
Create a Custom Action Set
Create a custom action set for security events by following the instructions provided by Imperva. Consider the following requirements when completing the configuration steps:
- Name — Supply a descriptive name such as TDR-SecurityEvents.
- Apply to Event Type — Select Any Event Type.
- Action Interface — Select the green up arrow next to System Log > Log to System Log (syslog) to add this action interface to the Selected Actions pane. Configure this action interface with the following parameters (more information from Imperva):
  - Name — TDR-Customer-Name-SecurityEvents
  - Syslog Host — The IP address of the XDR Collector
  - Syslog Log Level — INFO
  - Facility — LOCAL6
  - Run on Every Event — Check
  - Message — Copy and paste the following:

    ```
    SecSphWeb--OriginGW=${Event.originGWDn};AlertInformation=${Alert.alertMetadata.alertName};displayName=${Rule.parent.displayName};AlertType=${Alert.alertType};Severity=${Alert.severity};AlertNumber=${Alert.dn};EventNumber=${Event.dn};AlertCreateTime=${Alert.createTime};EventCreateTime=${Event.createTime};ServerGroup=${Alert.serverGroupName};AttackedApp=${Alert.applicationName};AttackedService=${Alert.serviceName};AlertDescription=${Alert.description};AlertAction=${Alert.immediateAction};SimulationMode=${Alert.simulationMode};Alert.username=${Alert.username};Alert.aggregationInfo.occurrences=${Alert.aggregationInfo.occurrences};SourceIP=${Event.sourceInfo.sourceIp};SourcePort=${Event.sourceInfo.sourcePort};DestinationIP=${Event.destInfo.serverIp};DestinationPort=${Event.destInfo.serverPort};httpRequest.url.method=${Event.struct.httpRequest.url.method};httpRequest.url.path=${Event.struct.httpRequest.url.path};httpRequest.url.host=${Event.struct.httpRequest.url.host};httpRequest.url.queryString=${Event.struct.httpRequest.url.queryString};httpRequest.url.fullPath=${Event.struct.httpRequest.url.fullPath};httpResponse.responseCode=${Event.struct.httpResponse.responseCode};httpResponse.responseSize=${Event.struct.responseSize};httpResponse.responseTime=${Event.struct.responseTime};Event.struct.user.available=${Event.struct.user.available};Event.rawData=${Event.struct.rawData};HTTPRequestHeaders=#list(${Event.struct.httpRequest.headers} "${item.name} ${item.value}");
    ```
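The template above renders each security event as one semicolon-delimited key=value message carried in a syslog packet with facility LOCAL6 and level INFO. The Python below is an added example for checking what the Collector should receive; it is not part of the Imperva or Taegis documentation. It computes the syslog PRI value that the LOCAL6/INFO configuration produces and parses a constructed sample message into fields, splitting only at the template's known key names so that request-derived values containing `;` or `=` (query strings, the raw request) stay intact. The sample syslog line, the `imperva-gw` hostname, the timestamp placed between the PRI and the message, and the rendering of `#list(...)` as space-separated `name value` pairs are all assumptions made for the example.

```python
import re
from typing import Dict, Tuple

# Keys in the order they appear in the TDR-SecurityEvents message template.
TEMPLATE_KEYS = [
    "OriginGW", "AlertInformation", "displayName", "AlertType", "Severity",
    "AlertNumber", "EventNumber", "AlertCreateTime", "EventCreateTime",
    "ServerGroup", "AttackedApp", "AttackedService", "AlertDescription",
    "AlertAction", "SimulationMode", "Alert.username",
    "Alert.aggregationInfo.occurrences", "SourceIP", "SourcePort",
    "DestinationIP", "DestinationPort", "httpRequest.url.method",
    "httpRequest.url.path", "httpRequest.url.host",
    "httpRequest.url.queryString", "httpRequest.url.fullPath",
    "httpResponse.responseCode", "httpResponse.responseSize",
    "httpResponse.responseTime", "Event.struct.user.available",
    "Event.rawData", "HTTPRequestHeaders",
]
PREFIX = "SecSphWeb--"

# Syslog facility/severity codes (RFC 3164 / RFC 5424) for the values the
# action interface is configured with: Facility LOCAL6, Log Level INFO.
SYSLOG_FACILITIES = {"LOCAL6": 22}
SYSLOG_SEVERITIES = {"INFO": 6}


def syslog_pri(facility: str, severity: str) -> int:
    """PRI value carried in the '<PRI>' header: facility * 8 + severity."""
    return SYSLOG_FACILITIES[facility] * 8 + SYSLOG_SEVERITIES[severity]


# Split only on a ';' that is immediately followed by one of the template's
# keys and '='. A naive message.split(';') would break values copied from the
# HTTP request (query strings, raw request data) that themselves contain ';'.
_KEY_BOUNDARY = re.compile(
    r";(?=(?:" + "|".join(re.escape(k) for k in TEMPLATE_KEYS) + r")=)"
)


def parse_security_event(message: str) -> Dict[str, str]:
    """Parse a TDR-SecurityEvents message body into a key -> value dict."""
    if not message.startswith(PREFIX):
        raise ValueError("not a SecSphWeb security event message")
    body = message[len(PREFIX):].rstrip(";")
    fields: Dict[str, str] = {}
    for chunk in _KEY_BOUNDARY.split(body):
        key, sep, value = chunk.partition("=")
        if not sep or key not in TEMPLATE_KEYS:
            raise ValueError(f"unexpected field: {chunk!r}")
        fields[key] = value
    return fields


def parse_syslog_line(line: str) -> Tuple[int, Dict[str, str]]:
    """Strip the '<PRI>' header and anything the gateway is assumed to prepend
    before the template (timestamp, hostname); return (pri, parsed fields)."""
    m = re.match(r"<(\d{1,3})>(.*)\Z", line, re.DOTALL)
    if not m:
        raise ValueError("missing syslog PRI header")
    pri = int(m.group(1))
    start = m.group(2).find(PREFIX)
    if start < 0:
        raise ValueError("message does not carry the SecSphWeb template")
    return pri, parse_security_event(m.group(2)[start:])


# Constructed sample, not a captured log. The query string and raw request
# deliberately contain ';' and '=' to exercise the key-boundary split.
SAMPLE_SYSLOG = (
    "<182>Jan 15 10:00:00 imperva-gw "
    "SecSphWeb--OriginGW=gw-01;AlertInformation=Constructed Test Alert;"
    "displayName=Web Profile Policy;AlertType=Signature;Severity=High;"
    "AlertNumber=12345;EventNumber=67890;AlertCreateTime=2024-01-15 10:00:00;"
    "EventCreateTime=2024-01-15 10:00:00;ServerGroup=sg-web;AttackedApp=shop;"
    "AttackedService=https;AlertDescription=Constructed sample;AlertAction=Block;"
    "SimulationMode=false;Alert.username=;Alert.aggregationInfo.occurrences=1;"
    "SourceIP=198.51.100.23;SourcePort=51234;DestinationIP=203.0.113.10;"
    "DestinationPort=443;httpRequest.url.method=GET;httpRequest.url.path=/search;"
    "httpRequest.url.host=shop.example.com;"
    "httpRequest.url.queryString=q=a;b=1&x=y;"
    "httpRequest.url.fullPath=/search?q=a;b=1&x=y;"
    "httpResponse.responseCode=403;httpResponse.responseSize=512;"
    "httpResponse.responseTime=12;Event.struct.user.available=false;"
    "Event.rawData=GET /search?q=a;b=1&x=y HTTP/1.1;"
    "HTTPRequestHeaders=Host shop.example.com User-Agent curl/8.0;"
)


if __name__ == "__main__":
    pri, fields = parse_syslog_line(SAMPLE_SYSLOG)
    assert pri == syslog_pri("LOCAL6", "INFO")
    for key in ("SourceIP", "httpRequest.url.queryString", "Event.rawData"):
        print(f"{key} = {fields[key]}")
```

Splitting at known key boundaries is the robust choice because several template fields are copied from client-controlled parts of the request; a parser that splits on every `;` would attribute fragments of a query string to the wrong field. The remaining ambiguity (a value that literally contains `;<template key>=`) cannot be resolved from this template alone, so the parser also rejects any chunk whose key is not in the template rather than silently accepting it.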
Set Followed Action for Web Policies
Apply the TDR-SecurityEvents action set created in the preceding section as the Followed Action to all Web policies by following the instructions provided by Imperva.
Ensure that you filter the Security Policies window to display only Web policies prior to selecting the policies and setting the Followed Action.
Note
You can only set the Followed Action for enabled Policy Rules.
System Events
Create a Custom Action Set
Create a custom action set for system events by following the instructions provided by Imperva. Consider the following requirements when completing the configuration steps:
- Name — Supply a descriptive name such as TDR-SystemEvents.
- Apply to Event Type — Select System Events.
- Action Interface — Select the green up arrow next to System Log > Log to System Log (syslog) to add this action interface to the Selected Actions pane. Configure this action interface with the following parameters (more information from Imperva):
  - Name — TDR-Customer-Name-SystemEvents
  - Syslog Host — The IP address of the XDR Collector
  - Syslog Log Level — INFO
  - Facility — LOCAL6
  - Run on Every Event — Check
  - Message — Copy and paste the following:

    ```
    SecureSphere category=SystemEvent${Event.createTime}${Event.eventType}${Event.message}${Event.severity.displayName}${Event.username}
    ```
Create System Events Policies and Set Followed Action
Create a System Events policy for each system event type by following the instructions provided by Imperva; every system event type needs its own policy.
For each policy, select the Followed Action tab, choose the TDR-SystemEvents action set created in the preceding section, and select Save.
Network Policies
Apply the TDR-SecurityEvents action set created in the first section as the Followed Action to all Network policies by following the instructions provided by Imperva.
Ensure that you filter the Security Policies window to display only Network policies prior to selecting the policies and setting the Followed Action.
Note
You can only set the Followed Action for enabled Policy Rules.