
Database Activity Monitoring User Guide


      Configuring Imperva DAM to Export DB Audit Data to Imperva Sonar


      Exporting DB Audit and DB Security Events to Imperva Sonar enables you to leverage the powerful analysis tools available in Imperva Sonar. Indeed, it is recommended that you export all your audit data to Imperva Sonar for the purposes of archiving, reporting and forensics.

      Warning:

      • If you are using SOM, you should configure the audit policy in the SOM and the Sonar Archiver > Send to Sonar action set in each MX. You should not configure the Sonar Archiver > Send to Sonar action set in the SOM.

      In order to configure Imperva DAM to send DB audit data to Sonar, do one of the following:

      • Configure the Default Archive Action Set with the new Sonar Archiver action, in which case all policies configured with this action set will export their DB audit data to Sonar.
      • Create a new Archiving Action Set and configure it with the new Sonar Archiver action, and then configure individual policies to use it.

      After the DB audit data is exported to Imperva Sonar, it appears in SonarK, where you can run reports, create dashboards, and perform forensics on all of the data according to the retention period you have purchased.

      Notes:

      • You may wish to perform Archive now before changing the Default Archive Action set, to prevent possible data loss.
      • Once you have configured an Archiving Action Set to archive to Sonar, security violations are no longer sent to the MX. To archive your security violations, configure Imperva DAM to export DB security violations to Sonar. For more information, see Configuring Imperva DAM to Export DB Security Violations to Imperva Sonar.
      • This feature is supported by Sonar version 4.5 and later.
      • If you are using a version of DRA that is earlier than v4.1 or you are using a version of Sonar that is earlier than v4.6, do not configure Counterbreach/DRA policies for export to Imperva Sonar. These policies should continue having an archiving action set which SCPs the data to DRA. For more information, see the Data Risk Analytics User Guide. If your version of DRA is v4.1 or later and your version of Sonar is v4.6 or later, you can configure Counterbreach/DRA policies for export to Imperva Sonar.
      • You cannot export FAM audit data to Sonar.
      • If the policy is set to collect aggregated data, the aggregation period for the data sent to Sonar will always be 30 minutes even if a different aggregation period is set on the policy (the aggregation period set on the policy will be relevant for the data sent and displayed in the MX).
      • Note the following limitations:
        • The maximum parsed query size for export to Sonar is 59kb.
        • The maximum raw query size for export to Sonar is 4kb.

      To configure an action set to export audit data to Imperva Sonar:

      1. In the Main workspace, select Policies > Action Sets. The Action Sets window appears.
      2. Either:

        Configure the Default Archive Action Set so that all policies using this action set export DB audit data to Sonar:

        1. Select the Default Archive Action Set.
        2. Remove any existing actions from the action set by clicking on the blue arrow.
        3. For the Sonar Archiver > Send to Sonar action, click the green arrow. The action appears at the top of the list.
        4. Click the expand button for the action to view its parameters.
        5. Type a Name for the new action, and then give values to its parameters as follows:
          • Host: The IP or hostname of the Sonar machine to which the audit is exported
          • Port: The connection port of the Sonar machine to which the audit is exported. The default value is 8443.
          • API token: The authentication token that provides access to the Sonar machine. It is a prebuilt token included in DSF Hub to facilitate authentication when exporting database audit data to DSF Hub. You can find information about this token in the Tokens Management window (see the token for which Token used by Archiver endpoints security is stated in the Reason column). For more information, see the Managing Authorization Tokens topic in the Sonar Administration Guide for your version.
          • Validate Server Side Certificate Against a CA: Check this box if you want to validate the Sonar machine's certificate against a Certificate Authority.
          • Internal CA Certificate: The certificate string for your internal CA if you have one.
          • Enrichment Document: This field should be empty unless you are instructed otherwise.
        6. Click Save.

        or:

        Configure a new Action Set so that selected policies export audit data to Sonar:

        1. In the Action Sets pane, click New. The Action Set dialog box appears.
        2. Type a Name for the action set.
        3. Select the Archiving option as the Action Set type.
        4. Find the Sonar Archiver action and click on the green arrow for it. The action set appears at the top of the list.
        5. Click the expand button for the action set to view its parameters.
        6. Type a Name for the new action, and then give values to its parameters as follows:
          • Host: The IP or hostname of the Sonar machine to which the audit is exported
          • Port: The connection port of the Sonar machine to which the audit is exported. The default value is 8443.
          • API token: The authentication token that allows the DAM Gateway to authenticate audit data files and then update them to the DSF Hub machine. It is a prebuilt token included in DSF Hub to facilitate authentication when exporting DB Audit Data to DSF Hub. You can find information about this token in the Tokens Management window (see the token for which Token used by Archiver endpoints security is stated in the Reason column). For more information, see the Managing Authorization Tokens topic in the Sonar Administration Guide for your version.
          • Validate Server Side Certificate Against a CA: Check this box if you want to validate the Sonar machine's certificate against a Certificate Authority.
          • Internal CA Certificate: The certificate string for your internal CA if you have one.
          • Enrichment Document: This field should be empty unless you are instructed otherwise.
        7. Click Save.

          Notes:

          • You can add only one Sonar Archiver > Send to Sonar action to your action set.
          • An action set that has the Sonar Archiver > Send to Sonar action can have no other actions.
          • Only a single action set in the system can have a Sonar Archiver action in it.
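
A pre-check for the Host, Port, and Internal CA Certificate values above, as an added example that is not part of the Imperva documentation: run from a workstation, it confirms that the Sonar machine's certificate validates against the CA text you plan to paste, and reports the names and remaining lifetime on that certificate. The function names are hypothetical, and the host-name match it performs is a property of this check, not a statement about how the DAM Gateway validates.

```python
import socket
import ssl
import time


def summarize_cert(cert, now=None):
    """Reduce the dict returned by SSLSocket.getpeercert() to what matters here."""
    now = time.time() if now is None else now
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "common_name": subject.get("commonName"),
        "san": [value for _kind, value in cert.get("subjectAltName", ())],
        "days_left": int((expires - now) // 86400),
    }


def check_sonar_tls(host, port=8443, ca_pem=None, timeout=5.0):
    """Return (ok, detail). ca_pem is the PEM text intended for the
    'Internal CA Certificate' field; None uses the system trust store."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    if ca_pem is not None:
        # Trust only the supplied CA, so a pass means that CA really issued the chain.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.load_verify_locations(cadata=ca_pem)
        except (ssl.SSLError, ValueError, TypeError) as exc:
            return False, f"CA certificate text is not usable PEM: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, summarize_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # Wrong CA, expired certificate, or Host value not present in the SAN list.
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"cannot complete TLS handshake: {exc}"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Arguments: the Host value, then an optional file holding the CA PEM text.
        ca = open(sys.argv[2]).read() if len(sys.argv) > 2 else None
        print(check_sonar_tls(sys.argv[1], ca_pem=ca))
    else:
        print("usage: HOST [CA_PEM_FILE]")
```

A `certificate rejected` result with the intended CA text means the validation option would be checked against a chain that CA did not issue, or against a Host value the certificate does not list.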

      To configure a policy to use the action set to send audit data to Sonar:

      1. In the Main workspace, select Policies > Audit.
      2. Select the audit policy whose audit data you want to export.
      3. Click the Archiving tab.
      4. From the Archiving Action Set drop down list, verify that the selected action set is either the action set which includes the Sonar Archiver action that you configured in the previous step, or the new action set you created to send audit data to Sonar. Note the following:
        • Archive Settings is unavailable.
        • Selecting Include audit response data in archiving process is unavailable, since audit responses cannot be sent to Sonar.
        • Scheduling is unavailable. Audit data is exported to Sonar continually.
        • Defining the Purge records older than value has no meaning in the context of policies that are configured to export data to Sonar since data is purged from the Gateway continually. On Sonar, everything is preserved according to the retention period defined in Sonar.
      5. Click Save.