EventTracker: Integrating Imperva SecureSphere



Similar documents
Integrating Trend Micro OfficeScan 10 EventTracker v7.x

Integrating Symantec Endpoint Protection

Integrate Cisco IronPort Security Appliance (ESA)

Integrate Websense Web Security Gateway (WSG)

Integrating Juniper Netscreen (ScreenOS)

Integrate Cisco IronPort Web Security Appliance (WSA)

Integrating Barracuda Web Application Firewall

Integrate Astaro Security Gateway

Integrate Microsoft Windows Hyper V

EventTracker Knowledge Update

Integrate Check Point Firewall

EventTracker: Support to Non English Systems

EventTracker: Configuring DLA Extension for AWStats Report AWStats Reports

LepideAuditor Suite for File Server. Installation and Configuration Guide

Secure IIS Web Server with SSL

owncloud Configuration and Usage Guide

Non-ThinManager Components

NSi Mobile Installation Guide. Version 6.2

EventTracker: Configuring DLA Extension for AWStats report AWStats Reports

Delegated Administration Quick Start

How do I Configure, Enable, and Schedule Reports?

Monitor Mobile Devices via ActiveSync Using EventTracker

Knowledge Base Articles

Installing GFI Network Server Monitor

Secrets of Event Viewer for Active Directory Security Auditing Lepide Software

Releasing blocked in Data Security

Trend ScanMail. for Microsoft Exchange. Quick Start Guide

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

SonicWALL CDP 5.0 Microsoft Exchange InfoStore Backup and Restore

ENABLE LOGON/LOGOFF AUDITING

Setting Up Alarms in a HOBO ZW Wireless Network

BusinessObjects Enterprise XI Release 2

Setting up Hyper-V for 2X VirtualDesktopServer Manual

EXPRESSCLUSTER X for Windows Quick Start Guide for Microsoft SQL Server Version 1

Setting up VMware ESXi for 2X VirtualDesktopServer Manual

Client for Macintosh

StarWind iscsi SAN Software: Tape Drives Using StarWind and Symantec Backup Exec

HELP DOCUMENTATION E-SSOM BACKUP AND RESTORE GUIDE

APNS Certificate generating and installation

Tenrox and Microsoft Dynamics CRM Integration Guide

Installing and Configuring Login PI

Windows Service Monitoring

Exchange Granular Restore Instructional User Guide

Microsoft SQL Server Staging

IIS Web Server Configuration Guide

NETWRIX EVENT LOG MANAGER

BioWin Network Installation

ProjectWise Explorer V8i User Manual for Subconsultants & Team Members

Remedy ITSM Service Request Management Quick Start Guide

Managing Identities and Admin Access

How to Connect to Berkeley College Virtual Lab Using Windows

MICROSOFT OUTLOOK 2011 READ, SEARCH AND PRINT S

Novell ZENworks Asset Management 7.5

Instructions for Configuring a SAS Metadata Server for Use with JMP Clinical

Monitoring SharePoint 2007/2010/2013 Server Using Event Tracker

Integrating with IBM Tivoli TSOM

Cloud Services MDM. Reports & Alerts Admin Guide

Appendix B Lab Setup Guide

EventTracker Windows syslog User Guide

NETWRIX EVENT LOG MANAGER

Configuring MassTransit Server to listen on ports less than 1024 using WaterRoof on Macintosh Workstations

System Administration Training Guide. S100 Installation and Site Management

Hardening Guide for EventTracker Server

IIS, FTP Server and Windows

How to - Install EventTracker and Change Audit Agent

Advanced Outlook Tutorials

Setting up Hyper-V for 2X VirtualDesktopServer Manual

How to backup with R1soft

File Auditor for NAS, Net App Edition

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

Deploying Windows Streaming Media Servers NLB Cluster and metasan

BDR for ShadowProtect Solution Guide and Best Practices

Secure File Transfer Training Guide. Secure File Transfer Training Guide. Author: Glow Team Page 1 of 15 Ref: GC265_v1.1

TSM Studio Server User Guide

Installing Windows Server Update Services (WSUS) on Windows Server 2012 R2 Essentials

EventTracker Enterprise v7.3 Installation Guide

Getting Started. A Getting Started Guide for Locum RealTime Monitor. Manual Version 2.1 LOCUM SOFTWARE SERVICES LIMITED

4cast Client Specification and Installation

Operation Error Management

CONFIGURING TARGET ACTIVE DIRECTORY DOMAIN FOR AUDIT BY NETWRIX AUDITOR

Net Report Configuration Guide for WMI on Windows 2000 & XP

Upgrading from MSDE to SQL Server 2005 Express Edition with Advanced Services SP2

NAS 272 Using Your NAS as a Syslog Server

Installation Guide. Novell Storage Manager for Active Directory. Novell Storage Manager for Active Directory Installation Guide

Note: With v3.2, the DocuSign Fetch application was renamed DocuSign Retrieve.

ProSystem fx Document

Create, Link, or Edit a GPO with Active Directory Users and Computers

How to integrate Verax NMS & APM with Verax Service Desk

Virtual Office Remote Installation Guide

Scheduling Data Import from Avaya Communication Manager into Avaya Softconsole MasterDirectory

Exchange Granular Restore. User Guide

PC Agent Quick Start. Open the Agent. Autonomy Connected Backup. Version 8.8. Revision 0

Administering Cisco ISE

Scan to Quick Setup Guide

WhatsUp Event Alarm v10.x Listener Console User Guide

SWP-0003 tconsult Server Active Directory Integration. Revision: 3. Effective Date: 7/28/2010

Setup and configuration for Intelicode. SQL Server Express

USING STUFFIT DELUXE THE STUFFIT START PAGE CREATING ARCHIVES (COMPRESSED FILES)

523 Non-ThinManager Components

LogLogic Trend Micro OfficeScan Log Configuration Guide

Transcription:

EventTracker: Integrating Imperva SecureSphere Publication Date: June 14, 2012 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com

About This Guide Abstract This guide provides instructions to configure Imperva SecureSphere to send the syslog events to EventTracker Enterprise. Audience Imperva SecureSphere users, who wish to forward syslog events to EventTracker manager. Scope The configurations detailed in this guide are consistent with EventTracker Enterprise version 7.X and later, and Imperva SecureSphere 8 and later. 1

Table of Contents Pre-requisite... 3 Configurations... 3 To create audit events action set... 3 To create security events action set... 6 Configure audit policies to send the events to EventTracker... 9 Configure security policies to send the events to EventTracker... 10 Import Imperva Knowledge Pack into EventTracker... 11 To import Category... 11 To import Alerts... 11 To import Scheduled Reports... 12 Verify Imperva Knowledge Pack in EventTracker... 13 Verify Imperva categories... 13 Verify Imperva alerts... 13 Verify Imperva Scheduled Reports... 15 2

Pre-requisite EventTracker should be installed Imperva SecureSphere 8 (or later) should be installed Per Imperva console needs one Syslog Device license. Configurations SecureSphere can send security events and audit events to EventTracker. The following section describes how to configure SecureSphere to send syslog messages to EventTracker. For this, the required configurations are as below, Create Audit Events action set Create Security Events action set Configure Audit polices Configure security policies To create audit events action set 1. Log on to IMPERVA SECURE SPHERE. 2. Click the Policy tab, and select Action Sets. 3. Click Create new icon on the Action Set pane. IMPERVA opens Action set dialog box. 3

Figure 1 4. Enter the Name of the action set. For example: Forward audit events to EventTracker. 5. From the Apply to event type dropdown, select an event type as Audit, and then click the Create button. The newly created action set appears in the Action Set pane. Figure 2 6. Click the green arrow to expand Gateway Syslog > Log audit events to System Log (Gateway Syslog) action interface. 4

Figure 3 7. Expand Selected Actions, and type EventTracker in the Name field. 8. Configure the action parameters as given in below table. Parameter name Protocol Primary Host Value Select UDP\TCP option IP address of EventTracker server. Primary Port By default, EventTracker will listen to port number 514. Secondary Host Secondary Port Syslog Log Level Message Optional Optional Select log level from the dropdown. In case of Audit event, enter the placeholder as below: Imperva Inc. SecureSphere ${SecureSphereVersion} Event Time=${Event.createTime}; Event Type=${Event.struct.eventType}; Server Group=${Event.serverGroup}; Service Name=${Event.serviceName}; Application Name=${Event.applicationName}; Database UserName=${Event.struct.user.user}; User Group=${Event.struct.userGroup}; User Authenticated=${Event.struct.user.authenticated}; Application UserName=${Event.struct.applicationUser}; Source IP=${Event.sourceInfo.sourceIp}; Source Port=${Event.sourceInfo.sourcePort}; Source Application=${Event.struct.application.application}; OS UserName=${Event.struct.osUser.osUser}; Source HostName=${Event.struct.host.host}; Service Type=${Event.struct.serviceType} ; Destination IP=${Event.destInfo.serverIp}; Destination Port=${Event.destInfo.serverPort}; Operation=${Event.struct.operations.name}; Operation 5

Type=${Event.struct.operations.operationType}; Object Name=${Event.struct.operations.objects.name}; Object Type=${Event.struct.operations.objectType}; Subject=${Event.struct.operations.subjects.name}; Database Name=${Event.struct.databases.databaseName}; Schema Name=${Event.struct.databases.schemaName}; Table Group=${Event.struct.tableGroups.displayName}; Sensitive Operation=${Event.struct.tableGroups.sensitive}; Privileged Operation=${Event.struct.operations.privileged}; Stored Procedure=${Event.struct.operations.storedProcedure}; Exception=${Event.struct.complete.completeSuccessful}; Response size=${event.struct.complete.responsesize}; Response time=${event.struct.complete.responsetime}; Effected rows=${event.struct.query.affectedrows}; Exception Message=${Event.struct.complete.errorValue}; Parsed Query=${Event.struct.query.parsedQuery}; Raw Query=${Event.struct.rawData.rawData} Facility Select appropriate option from the dropdown. 9. Click the Save icon. 10. Click the Save icon. The settings are saved and newly created action set will appear under Select Actions. Figure 4 To create security events action set 1. Log on to IMPERVA SECURE SPHERE. 2. Click the Policy tab, and select Action Sets. 3. Click Create new icon on the Action Set pane. 6

IMPERVA opens Action set dialog box. 4. Enter the name of the action set. For example: Forward security events to EventTracker. 5. From the Apply to event type dropdown, select an event type as Security, and then click the Create button. The newly created action set appears in the Action Set pane. Figure 5 6. Click the green arrow to expand Log to System Log (syslog) (System Log > EventTracker) action interface. Figure 6 7. Expand Selected Actions, and type EventTracker in the Name field. 8. Configure the action parameters as given in below table. Parameter name Syslog Host Syslog Log Level Value IP address of EventTracker server. Select log level from the dropdown. 7

Message Facility Run on Every Event In case of Security event, enter the placeholder as below: Imperva Inc. SecureSphere ${SecureSphereVersion} AlertTime=${Alert.cr eatetime} AlertType=${Alert.alertType}; Alert Name=${Alert.alertMetadata.alertName}; Alert Severity=${Alert.severity}; Alert Action=${Alert.immediateAction}; Destination IP=${Event.destInfo.serverIp}; Destination Port=${Event.destInfo.serverPort}; User=${Alert.username}; Source IP=${Event.sourceInfo.sourceIp}; Source Port=${Event.sourceInfo.sourcePort}; Protocol=${Event.sourceInfo.ipProtocol}; category=alert; Policy=${Rule.parent.displayName}; Server Group=${Alert.serverGroupName}; Service Name=${Alert.serviceName}; Application=${Alert.applicationName}; Description=${Alert.description} Select appropriate option from the dropdown. Click this checkbox, to get the notification on every security alert. 9. Click the Save icon. 10. Click the Save icon. The settings are saved and newly created action set will appear under Select Actions. Figure 7 8

Configure audit policies to send the events to EventTracker 1. Click the Policy tab, and select Audit. Figure 8 2. In the Audit Polices pane, select Default Rule All Events option. 3. Move to right pane, and click Apply to tab. 4. Select the systems/sites, for which you wish to send the events. 5. Click External logger tab. Figure 9 6. Select the newly created audit event action set (Ex. Forward audit events to EventTracker) in the dropdown. 7. Click Save icon to save the settings. 9

Configure security policies to send the events to EventTracker The Syslog message can be sent with the following action upon the occurrence of a security or an audit event. The action set defined for audit/security events, will be used as following action. 1. Click the Policy tab, and select Security. 2. In the Policies pane, select the policy for which you wish to enable following action. 3. In the Policy Rules tab, select the appropriate policy rule. 4. Click the Enabled checkbox next to the policy rule. 5. Select the Severity level. 6. Select Action from the dropdown. 7. In the Followed Action dropdown, select the custom created action set for audit\security events. Figure 10 8. Click Save icon to save the settings. 10

Import Imperva Knowledge Pack into EventTracker 1. Launch EventTracker Control Panel. 2. Double click Import Export Utility icon, and then click the Import tab. 3. Import Category/ Alert/ Scheduled reports as given below. To import Category 1. Click Category option, and then click the browse button. 2. Locate the All Imperva DAM group of categories.iscat file, and then click the Open button. 3. Click the Import button to import the categories. EventTracker displays success message. Figure 11 4. Click the OK button and then click the Close button. To import Alerts 1. Click Alert option, and then click the browse button. 2. Locate the All Imperva DAM group of alerts.isalt file, and then click the Open button. 3. Click the Import button to import the alerts. EventTracker displays success message. 11

Figure 12 4. Click the OK button and then click the Close button. To import Scheduled Reports 1. Click Scheduled Report option, and then click the browse button. 2. Locate the All Imperva DAM defined analysis report.issch file, and then click the Open button. 3. Click the Import button to import the scheduled reports. EventTracker displays success message. Figure 13 5. Click the OK button, and then click the Close button. 12

Verify Imperva Knowledge Pack in EventTracker Verify Imperva categories 1. Logon to EventTracker Enterprise. 2. Click the Admin dropdown, and then click Categories. 3. In the Category Tree, expand Imperva group folder to see the imported categories. Figure 14 Verify Imperva alerts 1. Logon to EventTracker Enterprise. 2. Click the Admin dropdown, and then click Alerts. 3. In the Search field, type Imperva, and then click the Go button. Alert Management page will display all the imported Imperva alerts. 13

Figure 15 4. To activate the imported alerts, select the respective checkbox in the Active column. EventTracker displays message box. Figure 16 5. Click the OK button, and then click the Activate now button. NOTE: You can select alert notification such as Beep, Email, and Message etc. For this, select the respective checkbox in the Alert management page, and then click the Activate Now button. 14

Verify Imperva Scheduled Reports 1. Logon to EventTracker Enterprise. 2. Click the Analysis. 3. In the Actions pane, click Defined. EventTracker displays Defined Analysis page. Figure 17 Here you can find imported scheduled reports such as Imperva DAM-Database native auditing change report. 4. Select the imported analysis, and then click the Schedule button. 5. Select the Groups/Systems/ All Systems for analysis, and then click the Next button. 6. Select the Schedule and Format options, and then click the Next button. 7. Select or add column(s) to display, and then click the Next button. 8. Enter Refine and Filter criteria, and then click the Next button. 9. Enter Title and description for the analysis, and then click the Next button. 10. Crosscheck Disk cost analysis details. 15

11. Configure the Publishing options as required, and then click the Next button. 12. Click the Schedule button. EventTracker displays message box. Figure 18 13. Click the OK button. 16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information