Friday, August 1, 2014

QRadar - Extracting fields from Imperva's SecureSphere events

As mentioned in my previous post, no matter which tool you use for SIEM, there will be times when the information you need is not readily parsed out of the events. Just as this was the case for the FireEye device in the last post, it is the same for Imperva's SecureSphere. Do remember also that ensuring you have access to the raw events received by your SIEM is extremely important.

Sample Event:
<6>LEEF:1.0|Imperva|SecureSphere|10.0.0|Firewall None|Alert ID=912905|devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=2014-07-22 06:59:58.0|Alert type=Firewall|src=10.0.0.1|usrName=n/a|Application name=${Alert.applicationName}|Service name=${Alert.serviceName}|Alert Description=TCP - TCP Unexpected SYN|Severity=High|Simulation Mode=false|Immediate Action=None|Event ID=4238139139125767123|dst=10.0.0.2|dp=443|Server Group=securitynik_servers|Affected Application=|Affected Application (violation)=$item.alert.applicationName|HTTP Method=|HTTP Host=|Query=

Let's try to extract the following fields.
Alert Description
Alert ID
Severity


Similarly to the previous post, we will "Extract Property" from the events

Property Type: Regex based
Property Name: Alert Description
Field Type: AlphaNumeric
Description: Alert Description as extracted from the raw Imperva Log
Log Source Type: Imperva SecureSphere
Log Source: All
Category: High Level: Any
Low Level Category: Any
Regex: Alert Description=(.*?)\| - Capture Group 1
Enabled

Property Name: Alert ID
Field Type: AlphaNumeric
Description: Alert ID Field
Log Source Type: Imperva SecureSphere
Log Source: All
Category: High Level: Any
Low Level Category: Any
Regex: Alert\sID=([0-9]*) - Capture Group 1
Enabled


Property Name: Severity
Optimized parsing for rules, reports and searches
Field Type: AlphaNumeric
Description: Severity
Log Source Type: Imperva SecureSphere
Log Source: All
Category: High Level: Any
Low Level Category: Any
Regex: (Severity\=)([a-zA-Z]*) - Capture Group 2
Enabled

Voila!!! Just like that, we've extracted data from Imperva's SecureSphere which was not readily parsed by QRadar.
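As an added example (not part of the original post), the Python below applies the three regexes above to a shortened copy of the sample event, using the same capture-group numbers QRadar would, and cross-checks them against a plain split of the pipe-delimited LEEF fields. The Alert Description pattern here places the `\|` outside the capture group so the extracted value carries no trailing pipe; the event string and function names are my own.

```python
import re

# Constructed, shortened copy of the sample SecureSphere LEEF event from this post
# (addresses are the post's own placeholder values, not real hosts).
SAMPLE_EVENT = (
    "<6>LEEF:1.0|Imperva|SecureSphere|10.0.0|Firewall None|Alert ID=912905|"
    "devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=2014-07-22 06:59:58.0|"
    "Alert type=Firewall|src=10.0.0.1|usrName=n/a|"
    "Alert Description=TCP - TCP Unexpected SYN|Severity=High|"
    "Simulation Mode=false|Immediate Action=None|Event ID=4238139139125767123|"
    "dst=10.0.0.2|dp=443|Server Group=securitynik_servers|Affected Application=|Query="
)

# The three custom properties from the post: (name, regex, capture group).
# The Alert Description pattern keeps the '|' delimiter outside the group so the
# extracted value does not end with a stray pipe.
PROPERTIES = [
    ("Alert Description", r"Alert Description=(.*?)\|", 1),
    ("Alert ID", r"Alert\sID=([0-9]*)", 1),
    ("Severity", r"(Severity\=)([a-zA-Z]*)", 2),
]


def extract_properties(event, properties=PROPERTIES):
    """Apply each regex the way QRadar does: first match, chosen capture group.
    A field that does not match maps to None instead of raising."""
    result = {}
    for name, pattern, group in properties:
        match = re.search(pattern, event)
        result[name] = match.group(group) if match else None
    return result


def parse_leef(event):
    """Split a LEEF line into its header fields and a dict of key=value attributes.
    This Imperva template separates attributes with '|' (the LEEF spec's default is
    a tab), so the split character is an assumption taken from the sample event."""
    parts = event.split("|")
    header_names = ["version", "vendor", "product", "product_version", "event_id"]
    header = dict(zip(header_names, parts[:5]))
    attrs = {}
    for item in parts[5:]:
        key, _, value = item.partition("=")
        attrs[key] = value
    return header, attrs
```

Comparing `extract_properties()` with `parse_leef()` on the same event is a quick way to confirm a regex returns exactly the attribute value and nothing more before enabling the property.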

Regex References:
http://www.autohotkey.com/docs/misc/RegEx-QuickRef.htm
https://www.tcl.tk/man/tcl8.5/tutorial/Tcl20.html
http://www.adobe.com/devnet/dreamweaver/articles/regular_expressions_pt1.html
http://www.rexegg.com/
