
Imperva SecureSphere Certified CEF Configuration Guide

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 6 min read

Summary:

The document provides a configuration guide for integrating Imperva SecureSphere appliances with ArcSight using the Common Event Format (CEF). It explains how to configure SecureSphere to send syslog messages based on CEF standards when specific security or system events occur. Four types of events are covered: Security, Custom Security, Firewall Security, and System Events. The guide includes configuration steps for defining an Action Set with parameters like name, Syslog host, log level, and the CEF message template. It also provides examples for building syslog messages to be reported to ArcSight using the CEF format.

Details:

The guide explains how to configure Imperva SecureSphere appliances to send syslog messages in the Common Event Format (CEF) to ArcSight when specific security or system events occur. It covers four event types, each with its own configuration: Security Events, Custom Security Events, Firewall Security Events, and System Events. Key points:

1. **Integration with ArcSight**: The integration works by sending syslog messages formatted according to the CEF standard, with placeholders that carry the details of each event.
2. **Syslog integration**: Syslog is the most common interface among SIM/SIEM products because of its broad compatibility. It supports integration of both alerts and system events from many different systems, for better threat identification and centralized logging.
3. **CEF standard usage**: Starting with version 6.0.6, SecureSphere can emit syslog messages in CEF. Administrators define the message format with placeholders that capture event details such as type, severity, affected user, IP addresses, ports and protocol.
4. **Configuration steps**: An Action Set is defined with a name, the Syslog host, a log level and the CEF message template; policies are then set up to trigger the Action Set, and hence the syslog message, when the events occur.
5. **Event type configuration**: Each of the four event types has its own configuration steps, and the guide gives example messages for reporting each of them to ArcSight.

**Message syntax.** CEF standardizes log data so that different systems can exchange security event information. A message consists of a header followed by an extension, and the syntax is the same for firewall and system events:

1. **Device Vendor**: the company providing the device (Imperva Inc.).
2. **Device Product**: the product name, SecureSphere.
3. **Device Version**: the version of the device software (e.g., 6.0; the guide covers versions 6.0 to 6.0.6+).
4. **Device Event Class ID**: a unique identifier, string or integer, for each type of event the device reports: `${Alert.alertType}` for security alerts not covered by custom policies, `${Rule.parent.displayName}` for custom-policy alerts, and `${Event.eventType}` for system events.
5. **Name**: for security alerts other than custom policies, placeholders such as `${Rule.parent.displayName}` and `${Alert.alertMetadata.alertName}` define the alert name; for custom-policy alerts `${Rule.parent.displayName}` is used; for system events `${Event.message}` or `${Event.severity.displayName}` can be used, depending on the event's severity.
6. **Severity**: `${Alert.severity}` for firewall and other security alerts, giving the level as text (Low, Medium or High), and `${Event.severity.displayName}` for system events, on a scale from Low to High. Severity is critical in CEF mapping and must not be set to 'Informative'; use 'Low' as its equivalent.
7. **Standard and extension fields**: the standard fields are device vendor, product, version and type; extension fields are key-value pairs, customizable to specific needs, that add detail such as action (`act`), destination IP/port (`dst`, `dpt`), source IP/port (`src`, `spt`), protocol (`proto`), user (`suser` or `duser`), category (`cat`) and descriptions.

**Placeholder mapping.** The guide's table maps SecureSphere placeholders to CEF keys and describes what each carries, for example `${Alert.immediateAction}` (the action taken on a security event), `${Event.destInfo.serverIp}` (destination IP) and `${Event.sourceInfo.sourcePort}` (source port). This mapping is what lets different security tools interoperate on the same event. The fields covered for firewall security events, non-firewall security events and system events are:

1. **Protocol**: whether TCP or UDP was used (CEF key `proto`).
2. **Alert Time**: when the alert was created, formatted MMM dd yyyy HH:mm:ss (CEF key `rt`).
3. **Violated Policy's Name**: the policy violated by the event (CEF key `cs1`); the other custom string fields (`cs2`, `cs3`, etc.) hold details that do not fit standard CEF keys.
4. **Server Group Name**: taken from the alert, useful for categorization (CEF key `cs2`).
5. **Service/Application Name**: the service or application involved; the key depends on the event type (`cs3` for firewall events, `cs4` for non-firewall events).
6. **Alert Description**: a detailed description of what occurred, used for both firewall and non-firewall alerts (CEF key `cs1` for firewall, `cs4` for non-firewall).
7. **System User**: the user associated with the event at system level, either an individual or a system account (CEF key `suser`).
8. **Event Category**: the category the device assigns under its own categorization scheme (CEF key `cat`).
9. **Event Time**: when the activity related to the event started, formatted MMM dd yyyy HH:mm:ss (CEF key `rt`).
10. **Label fields**: each custom string field has a matching label field describing what it holds (CEF keys `cs1Label`, `cs2Label`, etc.).

This standardization lets ArcSight and other management software parse and process event data consistently across vendor platforms. The document is part of ArcSight's technical notes on event interoperability and is marked confidential. A companion document, "Imperva SecureSphere Connector Field Mappings", explains how event definitions from vendors are sent to the ArcSight SmartConnector and mapped to ArcSight fields, so that the information in each vendor's events is interpreted and displayed correctly within ArcSight.
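As an added illustration (not code from the Imperva guide or from ArcSight), the following Python renders a CEF Action Set template built from the placeholders named above and parses the resulting syslog line the way a collector would, exercising the CEF escaping rules for `|` in header fields and `=` in extension values. The alert values, the `Policy` label and the helper names are constructed for the example.

```python
# Added example (not Imperva or ArcSight code): render a SecureSphere CEF Action Set template
# built from the guide's ${...} placeholders, then parse the line as a collector would.
import re
from typing import Dict, Tuple

# Template for a security alert not covered by a custom policy.
SECURITY_TEMPLATE = (
    "CEF:0|Imperva Inc.|SecureSphere|6.0|${Alert.alertType}|"
    "${Alert.alertMetadata.alertName}|${Alert.severity}|"
    "act=${Alert.immediateAction} dst=${Event.destInfo.serverIp} "
    "spt=${Event.sourceInfo.sourcePort} cs1=${Rule.parent.displayName} cs1Label=Policy"
)
HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "event_class_id", "name", "severity")
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
HEADER_RE = re.compile(r"((?:\\.|[^\\|])*)\|" * 7 + r"(.*)$", re.S)  # 7 header fields, escape-aware
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")      # key=value; values may hold spaces
# Constructed alert (values are made up); the name carries '|' and the policy name '=' to exercise escaping.
SAMPLE_ALERT = {
    "Alert": {"alertType": "SQL Injection", "severity": "High", "immediateAction": "Block",
              "alertMetadata": {"alertName": "Union query|tautology"}},
    "Event": {"destInfo": {"serverIp": "10.0.0.5"}, "sourceInfo": {"sourcePort": "51234"}},
    "Rule": {"parent": {"displayName": "Web Service Policy=Default"}},
}

def _lookup(ctx: Dict, path: str) -> str:
    for part in path.split("."):          # "Alert.severity" -> ctx["Alert"]["severity"]
        ctx = ctx[part]
    return str(ctx)

def render(template: str, ctx: Dict) -> str:
    """Fill placeholders; header values escape '|' and '\\', extension values escape '=' and '\\'."""
    *header, extension = template.split("|", 7)
    esc_hdr = lambda v: v.replace("\\", "\\\\").replace("|", "\\|")
    esc_ext = lambda v: v.replace("\\", "\\\\").replace("=", "\\=")
    head = [PLACEHOLDER.sub(lambda m: esc_hdr(_lookup(ctx, m.group(1))), h) for h in header]
    return "|".join(head) + "|" + PLACEHOLDER.sub(lambda m: esc_ext(_lookup(ctx, m.group(1))), extension)

def parse(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split the header on unescaped '|' and the extension into key=value pairs, unescaping both."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a CEF line")
    unescape = lambda v: re.sub(r"\\(.)", r"\1", v)
    header = dict(zip(HEADER_NAMES, (unescape(f) for f in m.groups()[:7])))
    return header, {k: unescape(v) for k, v in EXT_RE.findall(m.group(8))}

def labelled_custom_strings(ext: Dict[str, str]) -> Dict[str, str]:
    """Pair csN with csNLabel so an analyst sees {'Policy': ...} rather than {'cs1': ...}."""
    return {ext[f"cs{n}Label"]: ext[f"cs{n}"] for n in range(1, 7) if f"cs{n}" in ext and f"cs{n}Label" in ext}
```

Running `parse(render(SECURITY_TEMPLATE, SAMPLE_ALERT))` round-trips the escaped name and policy fields intact, which is the check to apply to any Action Set template before pointing it at a collector.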

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
