From 660943b623bf68059f895fdc331bfb872a9fe23a Mon Sep 17 00:00:00 2001 From: "Mahir Chavda (C)" Date: Thu, 21 May 2020 12:48:15 +0530 Subject: [PATCH] Update Imperva document for Product - On-Premises WAF (SecureSphere WAF) --- docs/sources/Imperva/index.md | 54 +++++++++++++++++++++++++++++++++-- 1 file changed, 52 insertions(+), 2 deletions(-) diff --git a/docs/sources/Imperva/index.md b/docs/sources/Imperva/index.md index 1ba0667..083fe1c 100644 --- a/docs/sources/Imperva/index.md +++ b/docs/sources/Imperva/index.md @@ -40,7 +40,7 @@ Note listed for reference processing utilizes the Microsoft ArcSight log path as | SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | | SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | | SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | -| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | * NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how many ports are in use by this CEF source (or any others). See the "Common Event Format" source @@ -50,8 +50,58 @@ documentation for more information. An active site will generate frequent events use the following search to check for new events -Verify timestamp, and host values match as expected +Verify timestamp, and host values match as expected ``` index= (sourcetype=cef source="Imperva:Incapsula") ``` + +--- + +## Product - On-Premises WAF (SecureSphere WAF) + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on | https://splunkbase.splunk.com/app/2874/ | +| Product Manual | https://community.microfocus.com/dcvta86296/attachments/dcvta86296/partner-documentation-h-o/22/2/Imperva_SecureSphere_11_5_CEF_Config_Guide_2018.pdf | + +### Sourcetypes + +| sourcetype | notes | +|--------------------------|-------| +| imperva:waf | none | +| imperva:waf:firewall:cef | none | +| imperva:waf:security:cef | none | + +### Index Configuration + +| key | index | notes | +|----------------------------|----------|----------------| +| Imperva Inc._SecureSphere | netwaf | none | + +### Filter type + +MSG Parse: This filter parses message content + +### Options + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | +| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | +| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how +many ports are in use by this CEF source (or any others). See the "Common Event Format" source +documentation for more information. + +### Verification + +An active site will generate frequent events use the following search to check for new events + +Verify timestamp, and host values match as expected + +``` +index= (sourcetype=imperva:waf*) +```