Update Imperva document for Product - On-Premises WAF (SecureSphere WAF)

CSVD · May 21, 2020 · 660943b · 660943b
1 parent cb2ddcd
commit 660943b
Showing 1 changed file with 52 additions and 2 deletions.
diff --git a/docs/sources/Imperva/index.md b/docs/sources/Imperva/index.md
@@ -40,7 +40,7 @@ Note listed for reference processing utilizes the Microsoft ArcSight log path as
 | SC4S_LISTEN_CEF_TCP_PORT      | empty string      | Enable a TCP port for this specific vendor product using the number defined |
 | SC4S_LISTEN_CEF_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using the number defined |
 | SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
-| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
+| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
 
 * NOTE:  Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
 many ports are in use by this CEF source (or any others).  See the "Common Event Format" source
@@ -50,8 +50,58 @@ documentation for more information.
 
 An active site will generate frequent events use the following search to check for new events
 
-Verify timestamp, and host values match as expected    
+Verify timestamp, and host values match as expected
 
 ```
 index=<asconfigured> (sourcetype=cef source="Imperva:Incapsula")
 ```
+
+---
+
+## Product - On-Premises WAF (SecureSphere WAF)
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on  | https://splunkbase.splunk.com/app/2874/                                                                 |
+| Product Manual | https://community.microfocus.com/dcvta86296/attachments/dcvta86296/partner-documentation-h-o/22/2/Imperva_SecureSphere_11_5_CEF_Config_Guide_2018.pdf |
+
+### Sourcetypes
+
+| sourcetype               | notes |
+|--------------------------|-------|
+| imperva:waf              | none  |
+| imperva:waf:firewall:cef | none  |
+| imperva:waf:security:cef | none  |
+
+### Index Configuration
+
+| key                        | index    | notes          |
+|----------------------------|----------|----------------|
+| Imperva Inc._SecureSphere  | netwaf   | none           |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+| Variable       | default        | description    |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CEF_TCP_PORT      | empty string      | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_CEF_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+* NOTE:  Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
+many ports are in use by this CEF source (or any others).  See the "Common Event Format" source
+documentation for more information.
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index=<asconfigured> (sourcetype=imperva:waf*)
+```