Skip to content

Vendor - Imperva

Product - Incapsula

Ref Link
Splunk Add-on CEF https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/
Splunk Add-on Source Specific https://bitbucket.org/SPLServices/ta-cef-imperva-incapsula/downloads/
Product Manual https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm

Sourcetypes

sourcetype notes
cef Common sourcetype

Source

sourcetype notes
Imperva:Incapsula Common sourcetype

Index Configuration

key source index notes
Incapsula_SIEMintegration Imperva:Incapsula netwaf none

Filter type

MSG Parse: This filter parses message content

Options

Note listed for reference processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF

Variable default description
SC4S_LISTEN_CEF_TCP_PORT empty string Enable a TCP port for this specific vendor product using a comma-separated list of port numbers
SC4S_LISTEN_CEF_UDP_PORT empty string Enable a UDP port for this specific vendor product using a comma-separated list of port numbers
SC4S_ARCHIVE_CEF no Enable archive to disk for this specific source
SC4S_DEST_CEF_HEC no When Splunk HEC is disabled globally set to yes to enable this specific source
  • NOTE: Set only one set of CEF variables for the entire SC4S deployment, regardless of how many ports are in use by this CEF source (or any others). See the “Common Event Format” source documentation for more information.

Verification

An active site will generate frequent events use the following search to check for new events

Verify timestamp, and host values match as expected

index=<asconfigured> (sourcetype=cef source="Imperva:Incapsula")

Product - On-Premises WAF (SecureSphere WAF)

Ref Link
Splunk Add-on https://splunkbase.splunk.com/app/2874/
Product Manual https://community.microfocus.com/dcvta86296/attachments/dcvta86296/partner-documentation-h-o/22/2/Imperva_SecureSphere_11_5_CEF_Config_Guide_2018.pdf

Sourcetypes

sourcetype notes
imperva:waf none
imperva:waf:firewall:cef none
imperva:waf:security:cef none

Index Configuration

key index notes
Imperva Inc._SecureSphere netwaf none

Filter type

MSG Parse: This filter parses message content

Options

Variable default description
SC4S_LISTEN_CEF_TCP_PORT empty string Enable a TCP port for this specific vendor product using a comma-separated list of port numbers
SC4S_LISTEN_CEF_UDP_PORT empty string Enable a UDP port for this specific vendor product using a comma-separated list of port numbers
SC4S_ARCHIVE_CEF no Enable archive to disk for this specific source
SC4S_DEST_CEF_HEC no When Splunk HEC is disabled globally set to yes to enable this specific source
  • NOTE: Set only one set of CEF variables for the entire SC4S deployment, regardless of how many ports are in use by this CEF source (or any others). See the “Common Event Format” source documentation for more information.

Verification

An active site will generate frequent events use the following search to check for new events

Verify timestamp, and host values match as expected

index=<asconfigured> (sourcetype=imperva:waf*)