Cloud Application Security

Installing a SIEM Package

Install a predefined SIEM package and configure your SIEM to consume Imperva logs. For full details on log integration, see Log Integration.

Download the SIEM Package

To work with Imperva Log Integration, download and install a SIEM package on the machine on which your SIEM application is installed.

You can download a predefined package for one of the following SIEM applications. These packages include predefined rules, custom dashboards, and reports for viewing the incoming data. For download instructions, see Log Integration.

  • Micro Focus ArcSight (Express/ESM)
  • Splunk
  • McAfee Enterprise Security Manager
  • Graylog
  • Sumo Logic: Imperva App for Sumo Logic. Setup instructions are available in the Sumo Logic documentation: Imperva-Incapsula Web Application Firewall.
  • LogRhythm

Several additional platforms provide SIEM integrations with Imperva:

Install the ArcSight Package

Note: Imperva supports ArcSight ESM version 5 or higher and ArcSight Express version 3 or higher.

  1. Log in to your ArcSight console.
  2. Select the Packages tab on the navigator.
  3. Select Import.

  4. Browse to the Incapsula.arb file and click Open. This is the file you downloaded from Imperva.
  5. After the package is imported, click Install.
  6. When the installation completes, click OK. The ArcSight package is now installed and its content is visible as various resources under the Navigator area: filters, rules, active channels and so on.

Install the Splunk Package

Note: Imperva supports Splunk version 6 or higher.

You can install the Splunk application package using one of the following methods:

Install the Splunk Package Using the Splunk UI

  1. Save the Incapsula.spl file in a folder accessible by Splunk. Incapsula.spl is located in the package that you downloaded via the Imperva Cloud Security Console.
  2. Log in to Splunk. The following displays:

  3. Click Apps at the top of the left pane, as shown below:

    The following window displays:

  4. Select the Install app from file option, as shown below:

    The following window displays:

  5. Click the Choose File button and browse to select the Incapsula.spl file.
  6. Click the Upload button. The following window displays:

  7. Click the Restart Splunk button.

    The Splunk application now contains the Incapsula Splunk connector. Log in to it.

Install the Splunk Package Using the CLI

  1. Log in to Splunk Management using Root credentials.
  2. Copy the application to the Splunk machine.
  3. Run the following command:

    tar -xvf SplunkPack.spl -C "$SPLUNK_HOME/etc/apps/"
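
An added example (not Imperva's or Splunk's code) that performs the same CLI install step as the command above but checks every archive entry before unpacking into $SPLUNK_HOME/etc/apps, so a tampered package cannot write outside the apps directory. The function name and the expectation that SPLUNK_HOME is exported are assumptions; the .spl file name is whatever you downloaded.

```python
import tarfile
from pathlib import Path


def install_spl(spl_path: str, splunk_home: str) -> list[str]:
    """Unpack a Splunk .spl package (a gzipped tar) into $SPLUNK_HOME/etc/apps.
    Every member is validated before anything is written: link entries are
    refused, and so is any path that would resolve outside the apps directory.
    Returns the names of the top-level app directories the package contains."""
    apps_dir = (Path(splunk_home) / "etc" / "apps").resolve()
    apps_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(spl_path, "r:*") as tar:  # "r:*" auto-detects gzip or plain tar
        members = tar.getmembers()
        for member in members:
            if member.issym() or member.islnk():
                raise ValueError(f"refusing link entry in package: {member.name}")
            target = (apps_dir / member.name).resolve()
            if target != apps_dir and apps_dir not in target.parents:
                raise ValueError(f"refusing entry outside etc/apps: {member.name}")
        tar.extractall(apps_dir, members=members)
    # Each Splunk app is one top-level directory inside etc/apps (e.g. Incapsula/)
    return sorted({Path(m.name).parts[0] for m in members if Path(m.name).parts})


if __name__ == "__main__":
    import os
    import sys
    # Usage: python install_spl.py Incapsula.spl   (SPLUNK_HOME must be set)
    print(install_spl(sys.argv[1], os.environ["SPLUNK_HOME"]))
```

Restart Splunk afterwards, as in the UI procedure, so the new app is loaded.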

Install the McAfee Package

Note: Imperva supports McAfee Enterprise Security Manager versions 9.4.x, 9.5.x, and 9.6.x.

The McAfee package contains the following three files:

  • Parser
  • Dashboards
  • Rules

Each of these files should be installed separately in McAfee.

To install the predefined McAfee package, save the package that you downloaded locally in a folder that is accessible to McAfee. Then, follow the instructions below.

Create a New McAfee Receiver

  1. In McAfee Enterprise Security Manager, open the Add Data Source window to add a new data source.

  2. Fill in the following fields:
    • Data Source Vendor: Set the value to ArcSight.
    • Data Source Model: Set the value to Common Event Format (ASP).
    • Name: Assign any name. For example, Imperva.
    • IP Address: Enter the IP address of the server on which the Incapsula API script is running. That server should be located at the customer perimeter.
    • Port: The port number defined for the API server. The Syslog data stream flows through this port.
  3. Click the OK button.
  4. Open the Rollout window to roll out the Incapsula policy.

  5. Click the OK button.

Install the Parser and Create the Custom Fields

You must create the custom fields for first-time installation.

To create custom fields:

  1. In McAfee Enterprise Security Manager, click the button.

    The System Properties window displays:

  2. In the left pane, select Custom Types and then add the following types:
    • Incap_Captcha_Support:
      • Data Type: Random String
      • Event Field: Custom Field 1
    • Incap_UID:
      • Data Type: Random String
      • Event Field: Custom Field 2
    • Incap_JS_Support:
      • Data Type: Random String
      • Event Field: Custom Field 3

To install the McAfee Parser:

  1. In McAfee Enterprise Security Manager, click the button to open the Receiver Policy Editor and then click the receiver you created.

  2. Disable the ArcSight CEF Parser, as shown below:

  3. Select File > Import > Policy to import the Parser that you downloaded from Imperva.

  4. Verify that the Parser you imported is enabled, as shown below:

Install the Graylog Package

Imperva provides a predefined Graylog package. The package is a JSON content pack with a predefined dashboard included.

The package includes the following:

  • Syslog listener - UDP listener on port 514
  • Extractor - Format data from the received text messages to Graylog message fields
  • Dashboard - Visual view of Imperva logs data
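
Both the Graylog extractor and the McAfee parser start from the same job: splitting each received CEF record into its header fields and its key=value extensions. The following is an added example (not Imperva's, Graylog's or McAfee's code) of a minimal parser that honours the CEF escape rules; the sample record, its vendor/product strings and its extension keys are constructed for illustration, not copied from an Imperva log.

```python
import re

# Constructed sample in CEF layout; vendor/product strings and extension keys are
# illustrative and not taken from an actual Imperva log record.
SAMPLE_CEF = (
    "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3|"
    "src=198.51.100.7 requestMethod=GET cs1=Unknown cs1Label=Captcha Support "
    "request=/login?id\\=1 act=REQ_CHALLENGE_CAPTCHA"
)

_HEADER_KEYS = ("cef_version", "device_vendor", "device_product",
                "device_version", "signature_id", "name", "severity")


def _unescape(value: str) -> str:
    # CEF escapes '|' (header), '=' (extension values) and '\' with a backslash
    return re.sub(r"\\([|=\\])", r"\1", value)


def parse_cef(line: str) -> dict:
    """Split one CEF record into its seven header fields and its extension pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Header fields are '|'-separated; a literal '|' inside a field is written '\|'
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven '|'-separated fields")
    event = dict(zip(_HEADER_KEYS, (_unescape(p) for p in parts[:7])))
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    event["severity"] = int(event["severity"])
    # Extension: key=value pairs separated by spaces. Values may contain spaces;
    # the spec requires a literal '=' inside a value to be written '\=', which is
    # what lets the lookahead find the start of the next key.
    extension = {}
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        extension[key] = _unescape(value)
    event["extension"] = extension
    return event
```

The extension dictionary is what you would map onto SIEM fields, for instance the three McAfee custom fields created in the parser section.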

To consume logs using Graylog:

  1. Download the Graylog package from the Cloud Security Console Log Setup page. For details, see Log Integration.

  2. In Graylog, go to System/Inputs (top left menu), and choose Content Packs.

    Note: Graylog administrator access required.

  3. Choose Import content pack > Choose file, and navigate to the content pack file that you downloaded to your computer.

  4. Click Upload.
  5. In the content packs page, click the Incapsula content pack you have just added, and then click Apply content.

  6. The Graylog server now contains the Incapsula Graylog Extractor and Dashboard, and it is ready for use.

Install the Imperva App for Sumo Logic

You can install the Imperva App for Sumo Logic to use the preconfigured searches and dashboards.

Process overview:

  1. Configure logging for your account in the Imperva Cloud Security Console.
  2. Configure Sumo Logic:
    1. Add a Sumo Logic Hosted Collector.
    2. Configure an AWS S3 Source.
  3. Install the Imperva App for Sumo Logic.

Setup instructions are located in the Sumo Logic documentation: Imperva-Incapsula Web Application Firewall.

Consuming Logs

This section describes how to consume logs using one of the following packages: ArcSight, Splunk, McAfee.

Consuming the Imperva Logs in ArcSight

Note: The instructions in this section should be used only as a guideline; there may be minor differences if the ArcSight application changes or when a different operating system is used.

Consume Logs via Syslog

Logs can be pushed through Syslog using a script, such as the sample Python script for Imperva log integration. For details, see the Connector section in Log Integration.

To consume the logs via Syslog, the IP address of a Syslog server and its port must be defined. This is done in the configuration file downloaded together with the Python script.

The required fields are:

  • SYSLOG_ENABLE
  • SYSLOG_ADDRESS
  • SYSLOG_PORT

Consume logs from files

To consume logs from files using an ArcSight file-based reader:

  1. Start the ArcSight SmartConnector.

  2. Click Next. The following window displays:

  3. Select the folder in which to install the reader and click Next. For example, c:\arcsight\incapsula. The following window displays:

  4. Select the Typical radio button and click Next. The following window displays:

  5. Select the Don’t create icons radio button and click Next.

  6. Click Install. The installation process begins.

  7. In the following window, select the Add a connector radio button and click Next.

    The following window displays:

  8. In the Type field, select ArcSight FlexConnector Multiple Folder File and click Next. The following window displays:

  9. Enter the following values and click Next:

    • Folder: Enter the Processed folder, as defined in your configuration file.
    • Processing Mode: realtime
    • Configuration File: cef_file
    • Configuration Type: cef

    The following window displays:

  10. Register the connector to the manager by selecting the ArcSight Manager (encrypted) radio button and click Next.

    The following window displays:

  11. Enter the required information and then click Next.

    The following window displays:

  12. Enter any name for the connector. For example, Incapsula Folder Follower and click Next. The following window displays:

  13. Select the Import the certificate to connector from destination radio button and click Next. The following window displays:

  14. In the following window select the Install as a service radio button and click Next.

  15. The following window displays:

  16. Enter the following values and click Next.

    • Service Internal Name: sdkmultifolderreader_incap
    • Service Display Name: ArcSight FlexConnector Multiple Folder File – Incapsula

    The following window displays:

  17. Click Next. The following window displays:

  18. Select the Exit radio button and then click Next.
  19. Start the Service:
    • For Linux: Run the command /etc/init.d/arcsight_servicename start, substituting the name of the service you registered.

Consuming the Imperva Logs in Splunk

Consume Logs via Syslog

Logs can be pushed through Syslog using a script, such as the sample Python script for Imperva log integration. For details, see the Connector section in Log Integration.

To consume the logs via Syslog, the IP address and port of the Syslog server must be defined.

Set Splunk to listen on the port defined in the Python script configuration file. By default, this port should be 443.

  1. Log in to Splunk using Root credentials.
  2. Go to the Settings menu and click the Add Data button.
  3. Select Monitor.
  4. Click the TCP/UDP option in the left pane.
  5. Select UDP and provide the port.
  6. Click Next and continue by selecting the Sourcetype, as described in step 7 below.

Consume Logs Via the Splunk Forwarder

  1. Download the latest version of the Splunk Forwarder.
  2. Double-click the downloaded Splunk Forwarder file. The following window displays:

  3. Click Next. The following window displays:

  4. Click Next. The following window displays:

  5. If you have your own CA, change the fields in the window according to your Splunk certificate and click Next. The following window displays:

  6. Select the Local System radio button and click Next. The following window displays:

  7. In the Path to monitor field, specify the path where Imperva downloads the log files.
  8. Click Next. The following window displays:

  9. Click Next. The following window displays:

  10. Click Next. The following window displays:

  11. In the Hostname or IP field, specify the address of your deployment server and click Next. The following window displays:

  12. In the Hostname or IP field, specify the address of your Receiving Indexer and click Next. The following window displays:

  13. Click the Install button. The following window displays:

  14. Wait until the following window displays:

  15. Click the Finish button.

Consume Logs from Files When the Connector Is Installed on the Splunk Management Machine

Follow the instructions below to consume the security log files using a Splunk Forwarder that points to the folder in which the processed log files reside.

  1. Log in to Splunk using administrative credentials.
  2. Go to the Settings menu and click the Add Data button.
  3. Select Monitor.
  4. Select the Files & Directories option in the left pane.
  5. Click Browse and select the directory where the script processes its downloaded log files.
  6. Click Next.
  7. Click the Select button for the Sourcetype and select Uncategorized > Incapsula.
  8. Select an existing index or create a new index by following the instructions below:

    1. In the Index field, click the Create a new index link. This opens a new browser tab.
    2. Provide an index name. For example, Imperva.
    3. Click Save.
    4. Return to the Add Data browser tab and click the refresh link (located below the Create a new index link).
    5. Select the index created earlier.
  9. Click Review.
  10. Review the settings and click Submit.

Consuming the Imperva Logs in McAfee – Importing the Dashboard and Rules

To import the Dashboard:

  1. In McAfee Enterprise Security Manager, click the Manage Views button and then click the Import button, as shown below:

  2. Select the Dashboard file that you downloaded from Imperva.

To import the Rules:

  1. In McAfee Enterprise Security Manager, click the Policy Editor button to open the Policy Editor.
  2. Select File > Import > Rules and then select the file you downloaded from Imperva, as shown below:

    The McAfee application displays the Incapsula Package and its content.

Log File Rotation and Maintenance

By default, the Incapsula SIEM connector does not maintain or purge any files exported by the API. All files exported from the API should be maintained and purged by the applicable platform (Splunk, ArcSight, Graylog or Intel McAfee ESM).
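
Since the connector leaves purging to you, a scheduled retention job over the Processed folder is the usual answer. The following is an added example (not Imperva's connector code) of such a job: it removes only plain files older than a chosen age, defaults to a dry run so the result can be reviewed before anything is deleted, and never follows symbolic links. The folder path, the `*.log` name pattern and the function name are assumptions; choose an age comfortably longer than your SIEM's ingestion lag so files are never removed before they have been read.

```python
import time
from pathlib import Path


def purge_processed_logs(processed_dir: str, max_age_days: float,
                         pattern: str = "*.log", dry_run: bool = True) -> list[str]:
    """Remove files in the connector's Processed folder whose modification time
    is older than max_age_days. With dry_run=True (the default) nothing is
    deleted; the function only reports what it would remove. Returns the names
    of the files removed (or, in a dry run, reported)."""
    root = Path(processed_dir)
    if not root.is_dir():
        raise FileNotFoundError(f"Processed folder not found: {root}")
    cutoff = time.time() - max_age_days * 86400
    affected = []
    for path in sorted(root.glob(pattern)):
        # Only plain files directly in the folder: never follow symlinks or recurse
        if path.is_symlink() or not path.is_file():
            continue
        if path.stat().st_mtime < cutoff:
            if not dry_run:
                path.unlink()
            affected.append(path.name)
    return affected


if __name__ == "__main__":
    import sys
    # Usage: python purge_processed_logs.py /path/to/Processed 7 [--apply]
    folder, days = sys.argv[1], float(sys.argv[2])
    apply = "--apply" in sys.argv[3:]
    for name in purge_processed_logs(folder, days, dry_run=not apply):
        print(("removed " if apply else "would remove ") + name)
```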
