# Vendor - Imperva

## Product - Incapsula

| Ref | Link |
|-----|------|
| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
| Splunk Add-on Source Specific | https://bitbucket.org/SPLServices/ta-cef-imperva-incapsula/downloads/ |
| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |

### Sourcetypes

| sourcetype | notes |
|------------|-------|
| cef | Common sourcetype |

### Source

| sourcetype | notes |
|------------|-------|
| Imperva:Incapsula | Common sourcetype |

### Index Configuration

| key | source | index | notes |
|-----|--------|-------|-------|
| Incapsula_SIEMintegration | Imperva:Incapsula | netwaf | none |
### Filter type

MSG Parse: This filter parses message content

### Options

Note: the variables below are listed for reference. Processing uses the Micro Focus ArcSight log path, as this format is a subtype of CEF.

| Variable | default | description |
|----------|---------|-------------|
| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally, set to yes to enable this specific source |

- NOTE: Set only one set of CEF variables for the entire SC4S deployment, regardless of how many ports are in use by this CEF source (or any others). See the “Common Event Format” source documentation for more information.
### Verification

An active site will generate frequent events; use the following search to check for new events. Verify that the timestamp and host values match as expected.

```
index=<asconfigured> (sourcetype=cef source="Imperva:Incapsula")
```
## Product - On-Premises WAF (SecureSphere WAF)

| Ref | Link |
|-----|------|
| Splunk Add-on | https://splunkbase.splunk.com/app/2874/ |
| Product Manual | https://community.microfocus.com/dcvta86296/attachments/dcvta86296/partner-documentation-h-o/22/2/Imperva_SecureSphere_11_5_CEF_Config_Guide_2018.pdf |

### Sourcetypes

| sourcetype | notes |
|------------|-------|
| imperva:waf | none |
| imperva:waf:firewall:cef | none |
| imperva:waf:security:cef | none |

### Index Configuration

| key | index | notes |
|-----|-------|-------|
| Imperva Inc._SecureSphere | netwaf | none |
### Filter type

MSG Parse: This filter parses message content

### Options

| Variable | default | description |
|----------|---------|-------------|
| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally, set to yes to enable this specific source |

- NOTE: Set only one set of CEF variables for the entire SC4S deployment, regardless of how many ports are in use by this CEF source (or any others). See the “Common Event Format” source documentation for more information.
### Verification

An active site will generate frequent events; use the following search to check for new events. Verify that the timestamp and host values match as expected.

```
index=<asconfigured> (sourcetype=imperva:waf*)
```
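As an added illustration of how the Index Configuration tables for both Imperva products on this page are applied (example code written for this page, not SC4S's own implementation), the following Python parses a CEF record, builds the `<vendor>_<product>` key in the form the tables show, and looks it up in a routing table rebuilt from the page. The CEF header layout and the backslash escaping of `|`, `=` and `\` follow the CEF specification; the sample events, host names, IP addresses and extension values are constructed for the example and are not taken from a real Imperva feed. For SecureSphere the page lists three `imperva:waf*` sourcetypes without a selection rule, so only the index is recorded for that key.

```python
import re
from typing import Dict, Optional

# Routing table rebuilt from this page's "Index Configuration" sections.
# The key form "<deviceVendor>_<deviceProduct>" is the one the tables show.
ROUTING: Dict[str, Dict[str, str]] = {
    "Incapsula_SIEMintegration": {
        "source": "Imperva:Incapsula", "sourcetype": "cef", "index": "netwaf"},
    # Page lists imperva:waf, imperva:waf:firewall:cef and imperva:waf:security:cef
    # for SecureSphere but no selection rule, so only the index is recorded here.
    "Imperva Inc._SecureSphere": {"index": "netwaf"},
}

# Pipes that are not escaped with a backslash delimit the seven CEF header fields.
_PIPE = re.compile(r"(?<!\\)\|")
# One extension key=value pair; the value runs until the next " key=" or end of
# line and may contain escaped characters such as "\=" or "\\".
_EXT = re.compile(
    r"(?P<key>[A-Za-z0-9_.]+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")


def _unescape(s: str) -> str:
    """Remove CEF backslash escapes for '|', '=' and '\\'."""
    return re.sub(r"\\([|=\\])", r"\1", s)


def parse_cef(line: str) -> Optional[dict]:
    """Parse one CEF record (optionally preceded by a syslog header).

    Returns None when the line carries no "CEF:" marker or the header does
    not have the seven pipe-delimited fields the format requires.
    """
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = _PIPE.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        return None
    version, vendor, product, dev_version, sig_id, name, severity = (
        _unescape(p) for p in parts[:7])
    ext = {m.group("key"): _unescape(m.group("val"))
           for m in _EXT.finditer(parts[7].strip())}
    return {
        "version": version[len("CEF:"):], "vendor": vendor, "product": product,
        "device_version": dev_version, "signature_id": sig_id, "name": name,
        "severity": severity, "ext": ext,
    }


def sc4s_key(rec: dict) -> str:
    """Build the "<vendor>_<product>" key used in the Index Configuration tables."""
    return f"{rec['vendor']}_{rec['product']}"


def route(line: str) -> Optional[dict]:
    """Parse a line and report where this page's tables would send it."""
    rec = parse_cef(line)
    if rec is None:
        return None
    key = sc4s_key(rec)
    dest = ROUTING.get(key)
    if dest is None:
        # No vendor-specific entry on this page for this vendor/product pair.
        return {"key": key, "routed": False}
    return {"key": key, "routed": True, **dest,
            "event_name": rec["name"], "ext": rec["ext"]}


# Constructed sample events (not real Imperva output). The Incapsula name field
# carries an escaped pipe and the msg value an escaped "=" to exercise unescaping.
SAMPLE_INCAPSULA = (
    "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access \\| Bot|3|"
    "src=203.0.113.10 requestMethod=GET act=block msg=path\\=/login rt=1700000000000")
SAMPLE_SECURESPHERE = (
    "<134>Nov 14 22:13:20 waf-gw01 CEF:0|Imperva Inc.|SecureSphere|11.5.0|Alert|"
    "Firewall policy violation|High|act=Block src=198.51.100.7 dst=10.0.0.5 dpt=443")

if __name__ == "__main__":
    for sample in (SAMPLE_INCAPSULA, SAMPLE_SECURESPHERE, "Nov 14 plain syslog line"):
        print(route(sample))
```

Running the script prints, for each sample, the key and the source, sourcetype and index values that the Verification searches above filter on, which makes it a quick offline check of a captured event before querying Splunk.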