
7 Key Use Cases for Data Risk Analytics (DRA) Integration with Syslog and API

By Doron Tzur posted 05-12-2021 09:23


As the cybersecurity industry matures and modernizes, security products are required to integrate with a wider range of products in the customer ecosystem. This is also true for the Imperva Data Risk Analytics (DRA) product: we see more and more customers who want to use external products to manage DRA incidents, and in some cases they do not give their users direct access to the DRA GUI at all.

Based on these requirements, Imperva invested further in functionality so that DRA can be integrated into different processes using modern DevOps and automation methods, mainly Syslog and APIs. This first blog describes 7 key use cases from our customer base. Later blogs in this series will provide more technical details on how each of them is actually done.

Use Case 1: Incident management and investigation by the SOC team

In this use case DRA sends incidents to the SOC SIEM system, and the SOC engineer is solely responsible for handling and investigating them.


Figure 1 describes the flow:

  1. DRA sends incidents into the SOC SIEM system using the Syslog protocol
  2. The SOC engineer gets an alert from the SIEM with the relevant information and performs the investigation
  3. Based on the investigation, the SOC engineer manages the incident within DRA using the DRA API


Use Case 2: Division of responsibilities: Incident management by SOC, investigation by others.

In this use case DRA sends incidents to the SOC SIEM system. The SOC engineer dispatches the incidents to the relevant parties within the customer organization for further investigation and handling.


Figure 2 describes the following flow:

  1. DRA sends incidents into the SOC SIEM system using the Syslog protocol
  2. The SOC engineer gets an alert from the SIEM with the relevant information and performs an initial triage
  3. The SOC engineer assigns the incident to an investigator for further investigation
  4. Based on the investigation, the investigator manages the incident within DRA using the DRA API

Use Case 3: Division of responsibilities using SOAR

In this use case the customer uses a Security Orchestration, Automation and Response (SOAR) system to manage the different use cases and playbooks for incident response.

Figure 3 describes the following flow:

  1. DRA sends incidents into the SOAR system using the Syslog protocol
  2. The SOC engineer gets an alert from the SOAR with the relevant information
  3. The SOC engineer, using the SOAR, assigns the incident to the relevant party
  4. Based on the investigation, the investigator manages the incident within DRA using the DRA API
  5. The investigator sets the investigation status to complete

Use Case 4: DRA User management

In this use case the customer's user admin adds or deletes DRA users in the organization's Active Directory, and the relevant permissions (e.g. assigned IP addresses) are set for those users automatically.


Figure 4 describes the following flow:

  1. An IT engineer creates or deletes a DRA user in the organization's Active Directory
  2. Using the DRA API, IP addresses are assigned to (or removed from) that DRA user

Use Case 5: Reports generated using logged information

In this use case the customer wants to generate reports that can be used by management or other groups in the organization. Here the customer uses the incident information that was stored in the SIEM and generates the reports with off-the-shelf tools (such as Grafana).


Figure 5 describes the following flow:

  1. DRA sends incidents into the SOC SIEM system using the Syslog protocol 
  2. Reports are generated and dispatched

Use Case 6: Reports generated using information stored in DRA

In this use case the customer wants to generate reports that can be used by management or other groups in the organization. Here the customer uses the information that is stored within DRA and retrieves it with the DRA API.
An example of such a tool is the open source Imperva dra-reporter tool.


Figure 6 describes the following flow:

  1. Incident information is retrieved from DRA using the API and a report is generated

Use Case 7: Reports generated using Imperva Sonar - New

This is a brand new use case that is relevant to the newly released DRA version 4.1.
Messages are sent to the Imperva Sonar platform. Users can then utilize Sonar's advanced dashboard and reporting capabilities to build and customize dashboards and reports based on DRA incident information.
Note - these messages are plain JSON documents with no Syslog "wrapper" (no PRI or syslog header), so the receiving side must accept that framing rather than a syslog line.


Figure 7 describes the following flow:

  1. DRA sends incidents into the Imperva Sonar system in JSON format
  2. Reports are generated and dispatched
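The two framings described on this page, syslog-wrapped messages (use cases 1 to 5) and bare JSON without a syslog wrapper (use case 7), need different handling on the receiving side. The following receiver accepts both and normalizes them into one record shape. It is an added example, not code from the original post or from Imperva: it assumes the RFC 5424 syslog layout for the wrapped messages, and the sample lines, the app name "dra", the structured-data element "meta" and the JSON fields (incident_id, severity, db_user) are constructed for illustration and are not DRA's actual schema.

```python
"""Receive incident lines in either framing: RFC 5424 syslog or bare JSON.

Added example, not Imperva code. Sample lines, app name, structured-data
element and JSON field names below are constructed; DRA's real message
schema is not shown on the page this accompanies.
"""
import json
import re

# RFC 5424 header:
#   <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# STRUCTURED-DATA is "-" or one or more '[id key="value" ...]' elements.
SYSLOG_5424 = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2})\s+'
    r'(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+'
    r'(?P<sd>-|(?:\[[^\]]*\])+)'   # an escaped "]" inside an SD value is not handled here
    r'(?:\s+(?P<msg>.*))?$'
)
SD_ELEMENT = re.compile(r'\[(?P<id>[^\s\]=]+)(?P<params>(?:\s+[^=\s\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'(?P<k>[^=\s\]]+)="(?P<v>(?:[^"\\]|\\.)*)"')


def parse_structured_data(sd: str) -> dict:
    """Turn '[meta seq="1"][x a="b"]' into {"meta": {"seq": "1"}, "x": {"a": "b"}}."""
    if sd == "-":
        return {}
    return {
        el.group("id"): {p.group("k"): p.group("v") for p in SD_PARAM.finditer(el.group("params"))}
        for el in SD_ELEMENT.finditer(sd)
    }


def parse_event(line: str) -> dict:
    """Normalize one incoming line into a record, whatever framing it used.

    Raises ValueError (json.JSONDecodeError is a subclass) for lines that are
    neither valid syslog nor valid JSON, so the caller decides what to do with them.
    """
    line = line.strip()
    if line.startswith("{"):
        # Bare JSON framing (the use case 7 style): no PRI, no header, the line is the event.
        return {
            "transport": "json", "timestamp": None, "host": None, "app": None,
            "facility": None, "severity": None, "structured_data": {},
            "payload": json.loads(line), "text": None,
        }
    m = SYSLOG_5424.match(line)
    if not m:
        raise ValueError("line is neither RFC 5424 syslog nor JSON")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23 x severity 0..7
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    msg = m.group("msg") or ""
    payload, text = None, (msg or None)
    if msg.startswith("{"):
        # Syslog-wrapped JSON: the event body rides in MSG after the header.
        try:
            payload, text = json.loads(msg), None
        except json.JSONDecodeError:
            pass  # keep the body as opaque text rather than dropping the event
    return {
        "transport": "syslog", "timestamp": m.group("ts"),
        "host": m.group("host"), "app": m.group("app"),
        "facility": facility, "severity": severity,
        "structured_data": parse_structured_data(m.group("sd")),
        "payload": payload, "text": text,
    }


def ingest(lines):
    """Parse every line; malformed lines are quarantined, never crash the collector."""
    records, rejected = [], []
    for line in lines:
        try:
            records.append(parse_event(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return records, rejected


# Constructed sample input (hypothetical field names, not DRA's real schema).
SAMPLE_LINES = [
    '<134>1 2021-05-12T09:23:00Z dra-host dra - incident [meta seq="1"] '
    '{"incident_id": "c0ffee", "severity": "high", "db_user": "app_svc"}',
    '<13>1 2021-05-12T09:24:00Z dra-host dra - incident - Suspicious access by app_svc',
    '{"incident_id": "abc123", "severity": "medium", "db_user": "reporting"}',
    'not a syslog line and not json',
]

if __name__ == "__main__":
    ok, bad = ingest(SAMPLE_LINES)
    for r in ok:
        print(r["transport"], r["severity"], r["payload"] or r["text"])
    for line, why in bad:
        print("REJECTED:", why, "->", line)
```

The first sample line carries JSON inside the syslog MSG field, the second a plain-text body, the third is the wrapper-less JSON framing, and the fourth is deliberately malformed; the collector returns the three good records plus the quarantined line instead of aborting on the bad one. The actual field layout of DRA's syslog messages is the subject of the Syslog deep-dive post linked at the end of this page.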

The described use-cases show the capabilities of DRA integration and how customers can use them in order to enhance their security management. 

There are other use cases that were not described and if you wish you can share with everyone in the community how your organization is integrating DRA. Feel free to post below or start your own thread here.

If you have further questions please also post them in the community.

The next blog posts in this series:

Integrating DRA with Syslog - The Deep Dive!
Data Risk Analytics (DRA) Integration with API - The Final Deep Dive!

A recorded webinar on DRA integration with API and Syslog is also available.



#DataRiskAnalytics(formerlyCounterBreach)
#AllImperva


Comments

07-21-2021 13:08

You may also like to check out Doron's webinar on DRA and integration.

Check it out here:

Webinar: DRA Integration with API and Syslog (imperva.com)