Imperva Cyber Community

  • 1.  What to set as log forwarding or backup in DAM

    Posted 08-25-2021 06:15
    Hi All,

    I have a query around configuring archive/backup in DAM. In my understanding we just need to back up alerts and warnings in DAM, and I am configuring log forwarding to capture these alerts and warnings in our SIEM, where this data will be available for 6 months or more. I wanted to understand if my approach is correct, or do we need to have a separate archiving method dedicated to DAM?

    Thanks in advance!
    #DatabaseActivityMonitoring

    ------------------------------
    [Karl] [barg]
    ------------------------------


  • 2.  RE: What to set as log forwarding or backup in DAM

    Posted 08-25-2021 06:48
    Hi,

    The best practice is to send all necessary security logs to the SIEM. Still, all audit logs from the audit policies should be archived every day by the native Imperva backup mechanism.
    It is the best way because you do not lose your SIEM license for audit logs.

    Have you thought about changing the license to a subscription model? There is jSonar, which I think is the best DAM tool on the market.
    jSonar is implemented with Kibana and MongoDB. It is more modern and faster than Imperva DAM. It is possible to send all DB audit logs from the MX to jSonar as syslog.

    ------------------------------
    Karol Gruszczynski
    IT SECURITY EXPERT
    Warsaw
    ------------------------------



  • 3.  RE: What to set as log forwarding or backup in DAM

    Posted 08-27-2021 05:55
    Thanks Karol,

    May I ask whether these audit logs are specific to the Imperva management server and gateways, or whether they include logs for the audit policies configured for database servers?

    Regards

    ------------------------------
    [Karl] [barg]
    ------------------------------



  • 4.  RE: What to set as log forwarding or backup in DAM

    Posted 08-27-2021 06:24
    Every audit policy that was configured for the database server is archived separately to a file.
    You can copy the backup file via scp/cifs/nfs/ftp manually or automatically after the backup is done.
    So, when you create a new audit policy (menu Policies -> Audit), on the Archiving tab you can attach an archiving action set.

    System logs from the Imperva management server and gateways can be archived too, but that is done a different way.

    ------------------------------
    Karol Gruszczynski
    IT SECURITY EXPERT
    Warsaw
    ------------------------------
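    The reply above describes the flow: each audit policy archives to its own file, and an archiving action set copies that file off-box (scp/cifs/nfs/ftp). What the thread does not show is what the receiving side should do with those files so that they remain trustworthy for the 6-month retention the original poster wants. The script below is an added example, not Imperva's own tooling or documentation: it takes a staging directory where the archive files land, copies only new files into a retention store, keeps a SHA-256 manifest so later tampering or corruption is detectable, and prunes files past a retention period. The directory layout, file names, and the 180-day retention figure are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not Imperva code): receive-side handling of DAM audit archive files.
# Assumptions: archive files arrive in a staging directory (e.g. via the scp action set),
# file names are unique per policy and date, and 180 days is the retention period.
set -eu

# Copy every file in SRC that is not yet in DST, appending its SHA-256 to DST/manifest.sha256.
# Prints the number of files copied; re-running on the same input copies nothing.
archive_sync() {
    src=$1; dst=$2
    mkdir -p "$dst"
    copied=0
    for f in "$src"/*; do
        [ -f "$f" ] || continue            # skip when the glob matches nothing
        name=$(basename "$f")
        if [ ! -f "$dst/$name" ]; then
            cp -p "$f" "$dst/$name"        # -p keeps the original mtime for retention checks
            (cd "$dst" && sha256sum "$name" >> manifest.sha256)
            copied=$((copied + 1))
        fi
    done
    echo "$copied"
}

# Re-hash every manifest entry. Returns 0 only if all files are present and unchanged;
# a missing, truncated or edited archive makes this return non-zero.
verify_manifest() {
    dst=$1
    [ -f "$dst/manifest.sha256" ] || return 1
    (cd "$dst" && sha256sum -c manifest.sha256) >/dev/null 2>&1
}

# Delete archives older than DAYS days and drop their manifest lines so verification
# still passes for what remains.
prune_old() {
    dst=$1; days=$2
    find "$dst" -type f ! -name manifest.sha256 -mtime +"$days" -exec rm -f {} +
    if [ -f "$dst/manifest.sha256" ]; then
        tmp="$dst/manifest.tmp"
        : > "$tmp"
        while read -r sum name; do
            if [ -f "$dst/$name" ]; then
                printf '%s  %s\n' "$sum" "$name" >> "$tmp"
            fi
        done < "$dst/manifest.sha256"
        mv "$tmp" "$dst/manifest.sha256"
    fi
}

# Usage: ./dam_archive_retention.sh run <staging_dir> <store_dir> [retention_days]
if [ "${1:-}" = "run" ]; then
    n=$(archive_sync "$2" "$3")
    echo "copied $n new archive file(s)"
    verify_manifest "$3" || { echo "manifest verification FAILED" >&2; exit 2; }
    prune_old "$3" "${4:-180}"
fi
```

    Run it from cron after the archiving action set has delivered the day's files; a non-zero exit from the manifest check is the signal worth alerting on, since a silently altered archive is exactly what a retention store is supposed to rule out.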



  • 5.  RE: What to set as log forwarding or backup in DAM

    Posted 03-14-2025 10:50

    Hi Karol Gruszczynski 

    Do you know how many Alerts and Violations can be saved on MX or how much is reserved for them before they start deleting?

    • How many Alerts and Violations can Imperva MX store at maximum (in terms of storage capacity or the number of Alerts/Violations)?
      → We have researched and found a KB article mentioning that it only stores 2 x 250,000 alerts/events. However, we are unsure if the term "Alerts/Events" here refers to the number of Alerts displayed on the UI and whether the maximum is 500,000. Is that correct?
      KB: https://docs.imperva.com/bundle/z-kb-articles-knowledgebase-support/page/290197384.html

    • Where is the storage partition for Alerts and Violations located on MX? How can we check the current number of Alerts, and at what threshold will they be deleted?

    Thanks

    Nampp

    ------------------------------
    Pham Phuong Nam
    engineer
    M-Security Technology Indochina Pte. Ltd
    Ho Chi Minh
    ------------------------------