Configuring a System Event Action for Imperva SecureSphere
Configure your Imperva SecureSphere appliance to forward syslog system policy events to JSA.
Use the following list to define a message string in the Message field for each event type you want to forward:
Line breaks in code examples can cause configurations to fail. For each alert, copy the code blocks into a text editor, remove any line breaks, and paste as a single line in the Custom Format column.
System events (v9.5 and v10 to v13)--
LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Event.eventType}|Event ID=${Event.dn}|devTimeFormat=[see note]|devTime=${Event.createTime}|Event Type=${Event.eventType}|Message=${Event.message}|Severity=${Event.severity.displayName}|usrName=${Event.username}|SecureSphere Version=${SecureSphereVersion}
Database audit records (v9.5 and v10 to v13)--
LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Event.struct.eventType}|Server Group=${Event.serverGroup}|Service Name=${Event.serviceName}|Application Name=${Event.applicationName}|Source Type=${Event.sourceInfo.eventSourceType}|User Type=${Event.struct.user.userType}|usrName=${Event.struct.user.user}|User Group=${Event.struct.userGroup}|Authenticated=${Event.struct.user.authenticated}|App User=${Event.struct.applicationUser}|src=${Event.sourceInfo.sourceIp}|Application=${Event.struct.application.application}|OS User=${Event.struct.osUser.osUser}|Host=${Event.struct.host.host}|Service Type=${Event.struct.serviceType}|dst=${Event.destInfo.serverIp}|Event Type=${Event.struct.eventType}|Operation=${Event.struct.operations.name}|Operation type=${Event.struct.operations.operationType}|Object name=${Event.struct.operations.objects.name}|Object type=${Event.struct.operations.objectType}|Subject=${Event.struct.operations.subjects.name}|Database=${Event.struct.databases.databaseName}|Schema=${Event.struct.databases.schemaName}|Table Group=${Event.struct.tableGroups.displayName}|Sensitive=${Event.struct.tableGroups.sensitive}|Privileged=${Event.struct.operations.privileged}|Stored Proc=${Event.struct.operations.storedProcedure}|Completed Successfully=${Event.struct.complete.completeSuccessful}|Parsed Query=${Event.struct.query.parsedQuery}|Bind Vaiables=${Event.struct.rawData.bindVariables}|Error=${Event.struct.complete.errorValue}|Response Size=${Event.struct.complete.responseSize}|Response Time=${Event.struct.complete.responseTime}|Affected Rows=${Event.struct.query.affectedRows}|devTimeFormat=[see note]|devTime=${Event.createTime}
All alerts (v6.2 and v7.x to v13 Release Enterprise Edition)--
DeviceType=ImpervaSecuresphere Event|et=$!{Event.eventType}|dc=Securesphere System Event|sp=$!{Event.sourceInfo.sourcePort}|s=$!{Event.sourceInfo.sourceIp}|d=$!{Event.destInfo.serverIp}|dp=$!{Event.destInfo.serverPort}|u=$!{Event.username}|t=$!{Event.createTime}|sev=$!{Event.severity}|m=$!{Event.message}
The devTimeFormat parameter is left as [see note] in the templates above because the time format is configurable on the SecureSphere appliance. Check the time format your appliance uses for ${Event.createTime} and enter the matching pattern as the devTimeFormat value, otherwise JSA cannot parse the devTime field.
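The templates above are expanded by the appliance and then split field by field by the collector, which is why a stray line break or a space between `$` and `{` silently produces an unparsed field rather than an obvious error. The following is an added example, not part of the Imperva or JSA documentation, that checks a template for exactly those paste defects, renders it with constructed sample values, and parses the resulting LEEF message the way a collector would. It assumes Velocity-style substitution for `${...}` and `$!{...}` (an unresolved `${x}` stays literal, an unresolved `$!{x}` becomes empty), substitutes an assumed devTimeFormat pattern for the `[see note]` placeholder, and uses invented event values.

```python
"""Check, render and parse the LEEF templates used for Imperva SecureSphere.

Added example; the render() and check_template() behaviour and all sample
values are this example's own assumptions, not JSA or Imperva code.
"""
import re
from dataclasses import dataclass, field

# The "System events" template from the page as the single line it must be
# pasted as. "[see note]" is replaced with an assumed Java-style date pattern.
SYSTEM_EVENT_TEMPLATE = (
    "LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Event.eventType}"
    "|Event ID=${Event.dn}|devTimeFormat=MMM dd yyyy HH:mm:ss|devTime=${Event.createTime}"
    "|Event Type=${Event.eventType}|Message=${Event.message}"
    "|Severity=${Event.severity.displayName}|usrName=${Event.username}"
    "|SecureSphere Version=${SecureSphereVersion}"
)

# Constructed values standing in for what the appliance would substitute.
SAMPLE_VALUES = {
    "SecureSphereVersion": "13.0",
    "Event.eventType": "Login Failed",
    "Event.dn": "system-event-0001",
    "Event.createTime": "Mar 04 2024 10:15:22",
    "Event.message": "Failed login from 10.1.2.3",
    "Event.severity.displayName": "High",
    "Event.username": "admin",
}

# ${name} or $!{name}; group 1 is the optional "!" (quiet reference), group 2 the name.
PLACEHOLDER = re.compile(r"\$(!?)\{([A-Za-z0-9_.]+)\}")


def check_template(template: str) -> list:
    """Return a list of paste defects that would break the rendered message."""
    problems = []
    if re.search(r"[\r\n]", template):
        problems.append("contains a line break")
    # Every '$' must start a complete placeholder; "$ {x}" is the typical
    # result of a PDF line break landing between '$' and '{'.
    for m in re.finditer(r"\$", template):
        if not PLACEHOLDER.match(template, m.start()):
            snippet = template[m.start():m.start() + 12]
            problems.append(f"broken placeholder at offset {m.start()}: {snippet!r}")
    if template.count("{") != template.count("}"):
        problems.append("unbalanced braces")
    # Whitespace touching a '|' separator is another line-break symptom.
    if re.search(r"\s\||\|\s", template):
        problems.append("whitespace next to a '|' separator")
    return problems


def render(template: str, values: dict) -> str:
    """Expand placeholders with Velocity-like semantics (assumed)."""
    def substitute(m):
        quiet, name = m.group(1), m.group(2)
        if name in values:
            return str(values[name])
        return "" if quiet else m.group(0)  # $!{x} -> "", ${x} -> left literal
    return PLACEHOLDER.sub(substitute, template)


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: dict = field(default_factory=dict)


class LeefError(ValueError):
    pass


def parse_leef(line: str) -> LeefEvent:
    """Split a LEEF message into its five header fields and '|'-separated attributes.

    The templates on this page separate attributes with '|', so a value that
    itself contains '|' (e.g. a free-text Message) would be split into extra
    fields; this parser reports that as an attribute without '='.
    """
    if "\n" in line or "\r" in line:
        raise LeefError("message contains a line break; the collector sees a truncated event")
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise LeefError("malformed LEEF header")
    version = parts[0][len("LEEF:"):]
    vendor, product, product_version, event_id, attr_blob = parts[1:]
    attributes = {}
    for pair in attr_blob.split("|"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise LeefError(f"attribute without '=': {pair!r}")
        attributes[key.strip()] = value
    return LeefEvent(version, vendor, product, product_version, event_id, attributes)


def is_valid_message(line: str) -> bool:
    """True if the rendered line parses as LEEF."""
    try:
        parse_leef(line)
        return True
    except LeefError:
        return False


if __name__ == "__main__":
    print("template problems:", check_template(SYSTEM_EVENT_TEMPLATE))
    print(parse_leef(render(SYSTEM_EVENT_TEMPLATE, SAMPLE_VALUES)))
```

Run `check_template()` on each message string before pasting it into the Custom Format column; an empty list means no line-break residue was carried over. The `render()` step also shows why the defect matters: a template containing `usrName=$ {Event.username}` renders the literal text `$ {Event.username}` into the usrName field instead of the user name, and the collector accepts the event without complaint.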