Imperva Cyber Community


Transitioning to Imperva's HEC Integration for Splunk: A Seamless Approach

By Ziv Rika posted 04-08-2024 06:48


As organizations continue to enhance their security posture, efficient and reliable log management becomes increasingly critical. Imperva now offers an HTTP Event Collector (HEC) integration for Splunk, a streamlined approach to log delivery and management.

Splunk's HTTP Event Collector (HEC) offers a secure and simple integration method for all Imperva log types, including ABP (Advanced Bot Protection), ATO (Account Takeover) and any log types added in the future. Logs are delivered in near real time (NRT), with an SLA of under 5 minutes, so security events can be analyzed and acted on promptly.

For customers already using other delivery methods, switching to HEC can seem risky. With the right approach, however, the transition can be smooth and hassle-free. This article provides guidance on making a seamless transition to HEC with minimal disruption to your existing log management processes.

Managing Interim Periods

One key consideration when transitioning to HEC is managing the interim period during which logs need to reach both the old destination and HEC. Because Imperva allows a given log type to be sent to only one destination per account level, careful planning is required.

During this interim period you may need to duplicate logs, or route them through a log aggregation tool that forwards to both destinations, so that no logs are lost during the transition.

Understanding the Transition Process

The first step in transitioning to HEC is to understand the log delivery methods currently in use across your Imperva accounts: identify which log types are generated, the destinations they are currently sent to, and the Imperva account level (parent or sub-account) at which the SIEM integration is configured. This information will be needed when planning the transition.

Setting Up HEC Integration

Create a New Connector: First, create a new connector. This establishes the connectivity layer between Imperva and your Splunk instance. Verify connectivity by pressing the "Test Connection" button.

Test with a Different Log Type: Send a log type that is not currently in use, such as "Audit Logs", to confirm that Splunk ingests the logs and saves them to your Splunk index.

Configure Sub Accounts: If you manage your Imperva account in a multiple sub-account environment, Imperva can send logs from both the parent account level and the sub-account level, which means the same logs for the same site can be sent to different SIEM destinations at the same time. To use this approach, first identify which account level is configured to send your logs: the sub-account or the parent account. Then configure the other account level to send logs to HEC. After a transition period, disable the old delivery method.
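To exercise the connector and test-log steps above from the Splunk side as well, here is an added example (my own code, not Imperva's or Splunk's) that calls the two HEC endpoints a check needs: the unauthenticated health endpoint and the event endpoint with one constructed test record. The endpoint URL, token, index name and sourcetype are placeholders you replace with your own; the response-code table is the one Splunk documents for HEC, and only the codes a transition typically hits are listed.

```python
"""Added example (not Imperva's or Splunk's code): a minimal Splunk HEC smoke test.

Assumptions (not from the article): HEC_URL, HEC_TOKEN, the index name
"imperva" and the sourcetype "imperva:audit" are placeholders.
"""
import json
import time
import urllib.error
import urllib.request

# Constructed placeholders; replace with your HEC endpoint and token.
HEC_URL = "https://splunk.example.com:8088"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"

# Subset of the HEC response codes from Splunk's HEC documentation.
HEC_CODES = {
    0: "Success",
    1: "Token disabled",
    2: "Token is required",
    3: "Invalid authorization",
    4: "Invalid token",
    5: "No data",
    6: "Invalid data format",
    7: "Incorrect index",
    8: "Internal server error",
    9: "Server is busy",
    12: "Event field is required",
    13: "Event field cannot be blank",
    17: "HEC is healthy",
}


def build_hec_event(event, sourcetype, index, source="imperva-hec-test", epoch=None):
    """Wrap a log record in the JSON envelope /services/collector/event expects."""
    envelope = {
        "time": epoch if epoch is not None else time.time(),
        "host": "imperva-cloud",          # assumed host label
        "source": source,
        "sourcetype": sourcetype,
        "index": index,
        "event": event,
    }
    return json.dumps(envelope)


def interpret_hec_response(status, body):
    """Turn an HTTP status plus HEC JSON body into (ok, human-readable reason)."""
    try:
        parsed = json.loads(body)
        code, text = parsed.get("code"), parsed.get("text", "")
    except (ValueError, AttributeError):
        return False, f"HTTP {status}: non-JSON body {body!r}"
    if status == 0:                        # no HTTP response at all (see hec_request)
        return False, f"no HTTP response: {text}"
    reason = HEC_CODES.get(code, f"unknown HEC code {code}")
    return status == 200 and code in (0, 17), f"HTTP {status}: {reason}"


def hec_request(path, token, data=None):
    """Send a request to HEC and return (status, body). TLS is verified by default.

    Connection failures are folded into a status-0 pseudo-response so the caller
    sees one shape. This is a network call and is not exercised offline.
    """
    req = urllib.request.Request(HEC_URL + path, data=data, method="POST" if data else "GET")
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:      # HEC answers 4xx/5xx with a JSON body
        return e.code, e.read().decode()
    except urllib.error.URLError as e:       # DNS, TCP or TLS failure
        return 0, json.dumps({"text": str(e.reason), "code": None})


def smoke_test(token, index, sourcetype="imperva:audit"):
    """Step 1: health check. Step 2: one constructed test event into the target index."""
    results = {"health": interpret_hec_response(*hec_request("/services/collector/health", token))}
    payload = build_hec_event({"test": "imperva-hec-transition", "note": "constructed event"},
                              sourcetype, index)
    results["event"] = interpret_hec_response(
        *hec_request("/services/collector/event", token, payload.encode()))
    return results


if __name__ == "__main__":
    for step, (ok, msg) in smoke_test(HEC_TOKEN, "imperva").items():
        print(f"{step:7s} {'OK  ' if ok else 'FAIL'} {msg}")
```

A failing "event" step with code 7 (Incorrect index) or 4 (Invalid token) is the quickest way to tell a connector problem from an index permission problem before you touch the production log type; once the test event is visible in the index, the "Test Connection" button and this script agree.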

Monitoring and Troubleshooting

Throughout the transition, monitor log delivery to confirm that everything is functioning as expected. Splunk provides monitoring and troubleshooting capabilities that let you quickly identify and resolve any issues that arise; see the Splunk Monitoring Console:
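As an added example (not part of the original article) of the kind of check to run while both destinations are live: given event arrival times from the old destination and from the HEC index, it flags any silence on the HEC side longer than the 5-minute NRT SLA and lists the 5-minute buckets in which HEC received fewer events than the old destination. The arrival times are constructed sample data; the SLA and bucket width come from the article.

```python
"""Added example (not Imperva's or Splunk's code): interim-period delivery checks.

All timestamps are constructed sample data.
"""
from collections import Counter
from datetime import datetime, timedelta

SLA = timedelta(minutes=5)      # near-real-time SLA stated in the article
BUCKET = timedelta(minutes=5)   # comparison granularity, chosen to match the SLA


def delivery_gaps(times, sla=SLA):
    """Return (start, end) pairs where consecutive arrivals are further apart than sla."""
    ordered = sorted(times)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > sla]


def bucket_counts(times, bucket=BUCKET):
    """Count events per fixed-width time bucket, keyed by the bucket's start time."""
    epoch = datetime(1970, 1, 1)
    return Counter(epoch + bucket * ((t - epoch) // bucket) for t in times)


def shortfall(old_times, hec_times, bucket=BUCKET):
    """Buckets where HEC received fewer events than the old destination: {start: (old, hec)}."""
    old, new = bucket_counts(old_times, bucket), bucket_counts(hec_times, bucket)
    return {b: (old[b], new.get(b, 0)) for b in sorted(old) if new.get(b, 0) < old[b]}


def sample_data():
    """Constructed arrivals: the old destination receives one event every 2 minutes from
    10:00 to 10:28; the HEC index is missing everything from 10:10 up to 10:25."""
    t0 = datetime(2024, 4, 8, 10, 0)
    old = [t0 + timedelta(minutes=2 * i) for i in range(15)]
    hec = [t for t in old if not (timedelta(minutes=10) <= t - t0 < timedelta(minutes=25))]
    return old, hec


if __name__ == "__main__":
    old, hec = sample_data()
    for start, end in delivery_gaps(hec):
        print(f"HEC silent for {end - start} between {start:%H:%M} and {end:%H:%M}")
    for start, (n_old, n_hec) in shortfall(old, hec).items():
        print(f"{start:%H:%M}: old destination {n_old}, HEC {n_hec}")
```

In Splunk itself the same comparison is a `timechart span=5m count by index` over the old and new indexes; the script above is the offline version of that search, useful when the old destination is not a Splunk index and you only have exported arrival times to compare.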