External Systems Configuration Guide

Imperva Securesphere DB Security Gateway

What is Discovered and Monitored

The ImpervaParser parser collects syslog events in CEF format.

Configuration

Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      Setting            Value
      Name               <set name>
      Device Type        Imperva Securesphere DB Security Gateway
      Access Protocol    See Access Credentials
      Port               See Access Credentials
      Password config    See Password Configuration
      User Name          A user who has access credentials for the device
      Password           The password for the user
      Super Password     Password for Super
  3. In Step 2: Enter IP Range to Credential Associations:
    1. Select the name of your credential from the Credentials drop-down list.
    2. Enter a host name, an IP, or an IP range in the IP/Host Name field.
    3. Click Save.
  4. Click Test to test the connection to Imperva Securesphere DB Security Gateway.
  5. To see the jobs associated with Imperva, select ADMIN > Pull Events.
  6. To see the received events, select ANALYTICS, then enter Imperva in the search box.

Sample Events

<14>CEF:0|Imperva Inc.|SecureSphere|11.5.0.20_0|Audit|Audit|Informative|dst=10.2.6.194 dpt=3306 duser=wf_settlement src=10.2.6.48 spt=59876 proto=TCP rt=11 April 2016 14:07:09 cat=Audit Default Rule - All cs2Label=ServerGroup cs3=ProcessMakerDBFX cs3Label=ServiceName cs4=Default MySql Application cs4Label=ApplicationName cs5=642697783064 cs5Label=EventId cs6=Query cs6Label=EventType cs7=Default MySql group cs7Label=UserGroup cs8=True cs8Label=UserAuthenticated cs9= cs9Label=ApplicationUser cs10= cs10Label=SourceApplication cs11= cs11Label=OSUser cs12= cs12Label=HostName cs13=wf_settlement cs13Label=Database cs14= cs14Label=Schema cs15=SELECT COUNT(APP_CACHE_VIEW.APP_UID) FROM APP_CACHE_VIEW LEFT JOIN USERS CU ON (APP_CACHE_VIEW.USR_UID=CU.USR_UID) LEFT JOIN USERS PU ON (APP_CACHE_VIEW.PREVIOUS_USR_UID=PU.USR_UID) LEFT JOIN APP_CACHE_VIEW APPCVCR ON (APP_CACHE_VIEW.APP_UID=APPCVCR.APP_UID AND APPCVCR.DEL_LAST_INDEX=1) LEFT JOIN USERS USRCR ON (APPCVCR.USR_UID=USRCR.USR_UID) WHERE APP_CACHE_VIEW.APP_STATUS='TO_DO' AND APP_CACHE_VIEW.USR_UID='2800810224bbdfe1cc8bb02024369548' AND APP_CACHE_VIEW.DEL_FINISH_DATE IS NULL  AND APP_CACHE_VIEW.APP_THREAD_STATUS='OPEN' AND APP_CACHE_VIEW.DEL_THREAD_STATUS='OPEN' cs15Label=RawQuery cs16=select count(app_cache_view.app_uid) from app_cache_view left join users cu on (app_cache_view.usr_uid=cu.usr_uid) left join users pu on (app_cache_view.previous_usr_uid=pu.usr_uid) left join app_cache_view appcvcr on (app_cache_view.app_uid=appcvcr.app_uid and appcvcr.del_last_index=?) left join users usrcr on (appcvcr.usr_uid=usrcr.usr_uid) where app_cache_view.app_status=? and app_cache_view.usr_uid=? and app_cache_view.del_finish_date is ? and app_cache_view.app_thread_status=? and app_cache_view.del_thread_status=? cs16Label=ParsedQuery cs17= cs17Label=BindVariables cs18= cs18Label=SQLError cs19=1 cs19Label=ResponseSize cs20=0 cs20Label=ResponseTime cs21=0 cs21Label=AffectedRows
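As an added example (not from this guide and not Fortinet's own ImpervaParser), the Python below splits a SecureSphere CEF audit event like the one above into its header and extension fields and resolves the csN/csNLabel pairs into named fields; the SAMPLE_EVENT is constructed from the page's event with the SQL shortened and some pairs dropped.

```python
import re

# Constructed from the page's sample event (SQL shortened, some csN pairs dropped);
# it keeps what the parser must cope with: values containing spaces and unescaped '=',
# empty values ("cs11= ") and a label with no value (cs2Label, but no cs2).
SAMPLE_EVENT = (
    "<14>CEF:0|Imperva Inc.|SecureSphere|11.5.0.20_0|Audit|Audit|Informative|"
    "dst=10.2.6.194 dpt=3306 duser=wf_settlement src=10.2.6.48 spt=59876 proto=TCP "
    "rt=11 April 2016 14:07:09 cat=Audit Default Rule - All cs2Label=ServerGroup "
    "cs3=ProcessMakerDBFX cs3Label=ServiceName cs6=Query cs6Label=EventType "
    "cs8=True cs8Label=UserAuthenticated cs11= cs11Label=OSUser cs13=wf_settlement "
    "cs13Label=Database cs15=SELECT COUNT(V.APP_UID) FROM APP_CACHE_VIEW V WHERE "
    "V.APP_STATUS='TO_DO' cs15Label=RawQuery cs16=select count(v.app_uid) from "
    "app_cache_view v where v.app_status=? cs16Label=ParsedQuery cs18= cs18Label=SQLError"
)

HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# CEF requires '=' inside a value to be escaped as '\='; the Imperva sample leaves the
# '=' in the SQL unescaped, so a key is only a bare identifier directly after whitespace.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def split_cef(line):
    """Split a syslog-framed CEF line into its 7 header fields and raw extension pairs."""
    pri = re.match(r"<(\d{1,3})>", line)                 # syslog PRI, <14> in the sample
    body = line[pri.end():] if pri else line
    if not body.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", body[4:], maxsplit=7)  # escaped '\|' is not a separator
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    ext, keys, extension = parts[7], list(KEY_RE.finditer(parts[7])), {}
    for i, k in enumerate(keys):                          # a value runs up to the next key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[k.group(1)] = ext[k.end():end].strip()  # "cs11= " -> ""
    return {"pri": int(pri.group(1)) if pri else None,
            "header": dict(zip(HEADER, parts[:7])), "extension": extension}

def parse_imperva_audit(line):
    """Resolve Imperva's csN/csNLabel pairs into label-named fields (Database, RawQuery...)."""
    rec = split_cef(line)
    ext, fields = rec["extension"], {}
    for key, value in ext.items():
        m = re.fullmatch(r"(cs\d+)Label", key)
        if m:
            fields[value] = ext.get(m.group(1), "")       # cs2Label with no cs2 -> ""
        elif not re.fullmatch(r"cs\d+", key):
            fields[key] = value                           # dst, duser, rt, cat, ...
    rec["fields"] = fields
    return rec
```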