diff --git a/docs/sources/Imperva/index.md b/docs/sources/Imperva/index.md index 1ba0667..083fe1c 100644 --- a/docs/sources/Imperva/index.md +++ b/docs/sources/Imperva/index.md @@ -40,7 +40,7 @@ Note listed for reference processing utilizes the Microsoft ArcSight log path as | SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | | SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | | SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | * NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how many ports are in use by this CEF source (or any others). See the "Common Event Format" source @@ -50,8 +50,58 @@ documentation for more information. An active site will generate frequent events use the following search to check for new events -Verify timestamp, and host values match as expected +Verify timestamp, and host values match as expected ``` index= (sourcetype=cef source="Imperva:Incapsula") ``` + +--- + +## Product - On-Premises WAF (SecureSphere WAF) + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/2874/ | +| Product Manual | https://community.microfocus.com/dcvta86296/attachments/dcvta86296/partner-documentation-h-o/22/2/Imperva_SecureSphere_11_5_CEF_Config_Guide_2018.pdf | + +### Sourcetypes + +| sourcetype | notes | +|--------------------------|-------| +| imperva:waf | none | +| imperva:waf:firewall:cef | none | +| imperva:waf:security:cef | none | + +### Index Configuration + +| key | index | notes | +|----------------------------|----------|----------------| +| Imperva Inc._SecureSphere | netwaf | none | + +### Filter type + +MSG Parse: This filter parses message content + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | +| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how +many ports are in use by this CEF source (or any others). See the "Common Event Format" source +documentation for more information. + +### Verification + +An active site will generate frequent events use the following search to check for new events + +Verify timestamp, and host values match as expected + +``` +index= (sourcetype=imperva:waf*) +```