AlienVault® USM Anywhere™

Imperva SecureSphere Web Gateway

When you configure the Imperva SecureSphere Web Gateway integration to send log data to USM Anywhere, you can use the Imperva SecureSphere Web Gateway plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor: Imperva
Device type: WAF
Connection type: syslog
Vendor link: https://www.imperva.com/Products/WebApplicationFirewall-WAF

Integrating SecureSphere

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor.

The integration of SecureSphere consists of the following tasks:

  • Defining a New Action Set
  • Configuring a Custom Policy Security Event
  • Configuring a Firewall Security Event
  • Configuring a System Event

Defining a New Action Set

To configure SecureSphere to send log data to USM Anywhere

  1. Define a new Action Set and configure the parameters as follows:

    1. Name — The action set name, for example, security_syslog.
    2. Syslog Host — The IP address or hostname of your USM Anywhere Sensor.
    3. Syslog Log Level — Syslog log level.
    4. Facility — Any facility.
  2. On the Policies page under Policy Rules, select the appropriate items in the Followed Action column.

    Note: Use the action set defined for security events in step 1.

    This is the action that you want to send to syslog when a violation occurs. When a security violation occurs, an alert is generated and a syslog message is sent.

Configuring a Custom Policy Security Event

To configure SecureSphere to send syslog messages when a custom policy event occurs

  1. Define a new Action Set and configure the parameters as follows:

    1. Name — The action set name, for example, security_syslog.
    2. Syslog Host — The IP address or hostname of your USM Anywhere Sensor.
    3. Syslog Log Level — Syslog log level.
    4. Facility — Any facility.
  2. On the Policies page under Policy Rules, select the appropriate items in the Followed Action column.

    Note: Use the action set defined for security events in step 1.

    These are the custom security policies that you want to send to syslog when a violation occurs.

Configuring a Firewall Security Event

To configure SecureSphere to send syslog messages when a firewall security event occurs

  1. Define a new Action Set and configure the parameters as follows:

    1. Name — The action set name, for example, firewall_security_syslog.
    2. Syslog Host — The IP address or hostname of your USM Anywhere Sensor.
    3. Syslog Log Level — Syslog log level.
    4. Facility — Any facility.
  2. On the Policies page under Policy Rules, select the firewall policies you want in the Followed Action column.

    Note: Use the action set defined for security events in step 1.

    These are the firewall security policies that you want to send to syslog when a violation occurs.

Configuring a System Event

To configure SecureSphere to send syslog messages when a system event occurs

  1. Define a new Action Set and configure the parameters as follows:

    1. Name — The action set name, for example, system_syslog.
    2. Syslog Host — The IP address or hostname of your USM Anywhere Sensor.
    3. Syslog Log Level — Syslog log level.
    4. Facility — Any facility.
  2. On the Policies page under Policy Rules, create the system event policy you want in the Followed Action column.

    Note: Use the action set defined for security events in step 1.

    These are the system event policies that you want to send to syslog when a violation occurs.

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customfield_2
  • customfield_3
  • customfield_4
  • customheader_0
  • customheader_1
  • customheader_2
  • customheader_3
  • customheader_4
  • destination_address
  • destination_hostname
  • destination_port
  • device_direction
  • event_action
  • event_category
  • event_description
  • event_name
  • event_severity
  • http_hostname
  • policy
  • request_method
  • request_url
  • response_code
  • security_group_name
  • session
  • source_address
  • source_hostname
  • source_port
  • source_username
  • timestamp_occured
  • timestamp_received
  • transport_protocol
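Before relying on the plugin, it is worth checking what an action set actually emits. The following is an added example, not part of this documentation or of the USM Anywhere plugin: it parses one syslog line into the field names listed above, assuming the action set is configured to emit CEF-formatted messages. The sample line is constructed, the CEF-key-to-field mapping is an assumption for illustration, and the plugin's own parsing is not shown.

```python
import re

# Constructed sample (not a real SecureSphere capture): a CEF-style message
# behind an RFC 3164 syslog header; extension keys follow the CEF standard.
SAMPLE_LINE = ("<134>Jun 20 12:34:56 waf-gw1 CEF:0|Imperva Inc.|SecureSphere|13.0|"
               "Alert|SQL Injection|High|src=203.0.113.7 spt=51822 dst=10.0.0.5 dpt=443 "
               "requestMethod=GET request=/login?user\\=admin' suser=alice act=Block "
               "proto=TCP dhost=shop.example.com cs1Label=Policy cs1=Web Profile Policy")
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (CEF:.*)$")
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # start of each key=value pair
# Assumed mapping from CEF extension keys to the plugin field names on this page.
CEF_TO_PLUGIN = {"src": "source_address", "spt": "source_port", "dst": "destination_address",
                 "dpt": "destination_port", "requestMethod": "request_method",
                 "request": "request_url", "suser": "source_username", "act": "event_action",
                 "proto": "transport_protocol", "dhost": "http_hostname"}

def parse_extension(ext):
    # Values may contain spaces: slice between successive key positions, then unescape "\=" and "\\".
    keys = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_line(line):
    """Normalize one syslog/CEF line into plugin-style field names."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a syslog line carrying a CEF message")
    pri, stamp, host, cef = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    header = re.split(r"(?<!\\)\|", cef, maxsplit=7)  # 7 header fields + extension
    if len(header) != 8:
        raise ValueError("malformed CEF header")
    ext = parse_extension(header[7])
    fields = {"syslog_facility": str(pri >> 3), "syslog_severity": str(pri & 7),
              "timestamp_occured": stamp, "reporting_host": host,
              "event_category": header[4], "event_name": header[5], "event_severity": header[6]}
    for cef_key, plugin_key in CEF_TO_PLUGIN.items():
        if cef_key in ext:
            fields[plugin_key] = ext[cef_key]
    if ext.get("cs1Label") == "Policy":  # labelled custom string carries the policy name
        fields["policy"] = ext["cs1"]
    return fields

def missing_fields(fields, required=("source_address", "destination_address", "event_name", "policy")):
    """Plugin fields an analyst expects in a WAF violation event but the message lacks."""
    return [f for f in required if f not in fields]
```

Run `parse_line` over a few lines captured on the Sensor's syslog port; a non-empty `missing_fields` result usually means the action set's message template drops attributes the correlation rules depend on.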

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://expertsecure.wordpress.com/2012/06/20/guide-to-imperva-securesphere-network-installation/