In the previous blog I described several Data Risk Analytics (DRA) integration use cases. In this blog I will dive deeper into integrating DRA with Syslog. DRA can send Syslog messages to any product that consumes Syslog, for example a SIEM, a SOAR platform, an ELK stack and others.
Several options can be configured according to your operational and business requirements: the target server, the message format, and which events you actually want to send.
Syslog server target
You need to configure the target to which messages will be sent: the IP address, port, protocol (UDP or TCP) and Syslog facility. Keep in mind that UDP gives no delivery guarantee, and that neither UDP nor plain TCP Syslog encrypts the message, so incident details travel in cleartext unless the network path is otherwise protected; prefer TCP where message loss matters. Once the Syslog server settings are saved, test the connection by pressing the 'Send Test Syslog Message' button, as seen in figure 1.
Events to be sent
After configuring the Syslog server, decide which event classes to send by choosing 'Breach Detection' and/or 'Risk Reduction' (these classes can be configured manually via the 'Security Events settings' page, as described here). The default is both.
Then decide which notification types to send to Syslog. These include incident open, close and reopen actions together with a severity threshold: a Syslog message is sent only for incidents whose severity is equal to or higher than the one selected.
Per notification type, you can select the message format that should be sent. DRA currently supports the following “standard” formats:
- Raw - suitable for SIEM vendors such as Splunk.
- CEF (Common Event Format) - suitable for SIEM vendors such as HP ArcSight.
- LEEF (Log Event Extended Format) - suitable for IBM QRadar.
Each message format has a template. Definitions of the placeholders can be found here.
For more details on Syslog server configuration see SIEM Integration documentation.
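On the receiving side, the SIEM has to parse whichever format you selected and, if you filter again there, apply the same severity rule DRA applies when sending. The following is an added example, not DRA's own code or templates: a small Python consumer that strips the syslog prefix, parses both CEF and LEEF payloads, normalises severity to the 0-10 scale and keeps only events at or above a threshold. The sample lines, vendor/product strings, signature IDs and field names are constructed for illustration and are not DRA's placeholders; the escaping rules (a backslash before `|` in the CEF header and before `=` or `\` in extension values, tab or a declared delimiter between LEEF attributes) are the public format rules, not anything DRA-specific.

```python
"""Consume CEF and LEEF syslog lines and apply a severity floor.

Added example, not DRA's own code. All sample messages, IDs and field
names below are constructed for illustration and are not DRA's template.
"""
import re

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|extension
CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                     "signature_id", "name", "severity")
# LEEF header: LEEF:Version|Vendor|Product|Version|EventID|[delimiter|]attributes
LEEF_HEADER_FIELDS = ("leef_version", "vendor", "product", "version", "event_id")

# CEF extension values may contain spaces, so a value ends only where the next
# "<whitespace>key=" begins. Keys are word characters, which keeps an escaped
# "\=" inside a value from being mistaken for the start of a new key.
_CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# CEF severity words map onto the 0-10 scale (lower bound of each band).
_CEF_SEVERITY_WORDS = {"low": 0, "medium": 4, "high": 7, "very-high": 9}


def _unescape(value):
    """Undo CEF escaping: \\| \\= \\\\ give the literal char, \\n and \\r give newlines."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(body, count):
    """Take `count` pipe-delimited header fields, honouring backslash escapes.
    Returns (fields, text after the last consumed pipe)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < count:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped char: keep it literally
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < count:
        raise ValueError("truncated header: expected %d pipe-delimited fields" % count)
    return fields, body[i:]


def parse_cef(payload):
    fields, ext = _split_header(payload, 7)
    event = dict(zip(CEF_HEADER_FIELDS, fields))
    event["cef_version"] = event["cef_version"].split(":", 1)[1]
    event["extension"] = {m.group(1): _unescape(m.group(2))
                          for m in _CEF_EXT_RE.finditer(ext.strip())}
    event["format"] = "CEF"
    return event


def parse_leef(payload):
    fields, rest = _split_header(payload, 5)
    event = dict(zip(LEEF_HEADER_FIELDS, fields))
    event["leef_version"] = event["leef_version"].split(":", 1)[1]
    delim = "\t"                                # LEEF 1.0: attributes are tab-separated
    if event["leef_version"].startswith("2"):
        # LEEF 2.0 may declare its own delimiter: one character, or hex such as x09.
        m = re.match(r"(0?x[0-9A-Fa-f]{2}|.)\|", rest)
        if m:
            spec = m.group(1)
            delim = chr(int(spec[-2:], 16)) if len(spec) > 1 else spec
            rest = rest[m.end():]
    attrs = {}
    for item in rest.split(delim):
        key, sep, value = item.partition("=")
        if sep:
            attrs[key.strip()] = value
    event["attributes"] = attrs
    event["format"] = "LEEF"
    return event


def parse_line(line):
    """Drop the syslog PRI/timestamp/host prefix and parse whichever format follows."""
    m = re.search(r"\b(CEF|LEEF):", line)
    if not m:
        raise ValueError("no CEF/LEEF payload in line")
    payload = line[m.start():]
    return parse_cef(payload) if m.group(1) == "CEF" else parse_leef(payload)


def severity_of(event):
    """Normalise to 0-10. LEEF carries severity in its predefined 'sev' attribute."""
    raw = event["severity"] if event["format"] == "CEF" else event["attributes"].get("sev", "0")
    raw = raw.strip().lower()
    if raw in _CEF_SEVERITY_WORDS:
        return _CEF_SEVERITY_WORDS[raw]
    return int(raw) if raw.isdigit() else 0


def filter_by_severity(lines, minimum):
    """Keep events with severity >= minimum, the same rule DRA applies when sending."""
    return [e for e in map(parse_line, lines) if severity_of(e) >= minimum]


# Constructed sample lines (not real DRA output); "\t" below is a literal tab.
SAMPLE_LINES = [
    "<14>Jun 10 12:00:01 dra-host CEF:0|Imperva|DRA|4.1|1001|Incident opened|8|"
    "suser=alice dst=10.0.0.5 msg=Query count\\=9000 on prod\\|db act=open",
    "<14>Jun 10 12:00:02 dra-host CEF:0|Imperva|DRA|4.1|1002|Incident closed|Low|"
    "suser=bob act=close",
    "<14>Jun 10 12:00:03 dra-host LEEF:2.0|Imperva|DRA|4.1|1001|^|"
    "usrName=carol^sev=9^cat=Breach Detection^act=reopen",
    "<14>Jun 10 12:00:04 dra-host LEEF:1.0|Imperva|DRA|4.1|1002|"
    "usrName=dave\tsev=3\tact=close",
]
```

Running `filter_by_severity(SAMPLE_LINES, 7)` keeps the first and third sample events. The header splitter scans character by character rather than splitting on `|`, because a product name or event name containing an escaped pipe would otherwise shift every later field, and a shifted severity field silently defeats the threshold.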
* New * DRA version 4.1 adds the ability to send events to the Imperva Sonar platform, where you can build and customize dashboards and reports based on DRA incident information.
Sonar (Reporting) server configuration is similar to Syslog configuration, except that the server configuration is only an IP address and the message format is always JSON.
For more details on Reporting server configuration see Reporting Server documentation.
DRA “Issues” Notifications – special case
I recommend not sending Issues notifications to your SIEM system.
Issues are great when using the DRA GUI, as they provide a common narrative to investigate and manage.
Because of their dynamic nature they change over time, as new incidents are opened and existing incidents are closed.
When an Issue is created, a notification is sent to your SIEM if you choose, but no notification is sent when the Issue later changes. Over time, therefore, the Issues in DRA will no longer match those in your SIEM. For that reason do not use 'Issues' notifications in Syslog; send only Incident notifications.
DRA can be integrated with your SIEM and, as of version 4.1, with Imperva Sonar. You can configure the options according to your operational and business needs.
If you think any information is missing, please let us know by opening a feature request on the Imperva uservoice platform. Our product managers will take requests into account when building the future DRA roadmap.
Other blogs in this series:
7 Key Use Cases for Data Risk Analytics (DRA) Integration with Syslog and API
Data Risk Analytics (DRA) Integration with API - The Final Deep Dive!