Skip to content

Commit

Permalink
[Imperva] Add additional 21 custom strings for SecureSphere (#12618)
Browse files Browse the repository at this point in the history
  • Loading branch information
@gogochan
gogochan authored Feb 5, 2025
1 parent c7708ad commit f6c275f
Show file tree
Hide file tree
Showing 7 changed files with 1,040 additions and 2 deletions.
5 changes: 5 additions & 0 deletions packages/imperva/changelog.yml
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.4.0"
changes:
- description: Add support for additional custom string fields.
type: enhancement
link: https://github.com/elastic/integrations/pull/12618
- version: "1.3.0"
changes:
- description: ECS version updated to 8.17.0.
Expand Down
341 changes: 340 additions & 1 deletion packages/imperva/data_stream/securesphere/_dev/test/pipeline/test-securesphere.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,345 @@
"name": "admin"
}
}
}
},
{
"@timestamp": "2024-12-16T07:58:43.000Z",
"observer": {
"product": "SecureSphere",
"version": "14.16.1.10_0",
"vendor": "Imperva Inc."
},
"message": "Audit.DAM",
"network": {
"transport": "tcp"
},
"event": {
"code": "Audit",
"original": "<14>CEF:0|Imperva Inc.|SecureSphere|14.16.1.10_0|Audit|Audit.DAM|Informative|dst=10.1.1.1 dpt=49561 duser=testuser src=10.2.2.2 spt=64361 proto=TCP rt=Dec 16 2024 07:58:43 cat=Audit DML Operations cs1Label=Policy cs2=Old-app cs2Label=ServerGroup cs3=Old_Application cs3Label=ServiceName cs4=MsSql Application cs4Label=ApplicationName cs5=7420436200618644437 cs5Label=EventId cs6=Query cs6Label=EventType cs7= cs7Label=UserGroup cs8=True cs8Label=UserAuthenticated cs9= cs9Label=ApplicationUser cs10=.net sqlclient data provider cs10Label=SourceApplication cs11= cs11Label=OSUser cs12=Asset01 cs12Label=HostName cs13=app01 cs13Label=Database cs14= cs14Label=Schema cs15=UPDATE [appSession] SET [TimeStamp] \\= '2024/12/16 10:58:43', [SessionInfo] \\= 'eyJDcmVhdGVkIjoiMjAyNC0wOC0xNVQxNTozOTo0Mi45NDk2NDk1KzAzOjAwIn0\\=' WHERE ([SessionID] \\= '395b63e9-f7a5-48a8-92c1-97d30c8f9a65') cs15Label=RawQuery cs16=update [appSession] set [timestamp] \\= ?, [sessioninfo] \\= ? where ([sessionid] \\= ?) cs16Label=ParsedQuery cs17= cs17Label=BindVariables cs18= cs18Label=SQLError cs19=0 cs19Label=ResponseSize cs20=0 cs20Label=ResponseTime cs21=1 cs21Label=AffectedRows"
},
"input": {
"type": "filestream"
},
"agent": {
"name": "juda",
"type": "filebeat",
"version": "8.17.1",
"ephemeral_id": "ae2a3be2-3c6b-49c4-848a-41a776d6d3f7",
"id": "a51aae49-f57b-4cfc-80d0-af51e77f1db0"
},
"host": {
"name": "juda"
},
"cef": {
"version": "0",
"device": {
"vendor": "Imperva Inc.",
"product": "SecureSphere",
"version": "14.16.1.10_0",
"event_class_id": "Audit"
},
"name": "Audit.DAM",
"severity": "Informative",
"extensions": {
"cs12Label": "HostName",
"cs14": "",
"cs13Label": "Database",
"cs17Label": "BindVariables",
"deviceCustomString2": "Old-app",
"cs11Label": "OSUser",
"cs17": "",
"cs14Label": "Schema",
"deviceCustomString5Label": "EventId",
"cs16": "update [appSession] set [timestamp] = ?, [sessioninfo] = ? where ([sessionid] = ?)",
"deviceCustomString3Label": "ServiceName",
"cs9": "",
"deviceReceiptTime": "2024-12-16T07:58:43.000Z",
"cs12": "Asset01",
"cs20": "0",
"destinationPort": 49561,
"cs11": "",
"cs10Label": "SourceApplication",
"cs18Label": "SQLError",
"transportProtocol": "TCP",
"cs7": "",
"cs21Label": "AffectedRows",
"cs19": "0",
"cs9Label": "ApplicationUser",
"deviceCustomString4Label": "ApplicationName",
"sourcePort": 64361,
"deviceCustomString2Label": "ServerGroup",
"destinationAddress": "10.1.1.1",
"cs20Label": "ResponseTime",
"deviceCustomString1Label": "Policy",
"destinationUserName": "testuser",
"cs16Label": "ParsedQuery",
"cs19Label": "ResponseSize",
"cs10": ".net sqlclient data provider",
"cs13": "app01",
"deviceEventCategory": "Audit DML Operations",
"deviceCustomString5": "7420436200618644437",
"deviceCustomString3": "Old_Application",
"sourceAddress": "10.2.2.2",
"cs15Label": "RawQuery",
"cs15": "UPDATE [appSession] SET [TimeStamp] = '2024/12/16 10:58:43', [SessionInfo] = 'eyJDcmVhdGVkIjoiMjAyNC0wOC0xNVQxNTozOTo0Mi45NDk2NDk1KzAzOjAwIn0=' WHERE ([SessionID] = '395b63e9-f7a5-48a8-92c1-97d30c8f9a65')",
"cs7Label": "UserGroup",
"cs8": "True",
"deviceCustomString6": "Query",
"deviceCustomString4": "MsSql Application",
"cs8Label": "UserAuthenticated",
"cs18": "",
"cs21": "1",
"deviceCustomString6Label": "EventType"
}
},
"log": {
"file": {
"device_id": "65025",
"inode": "4614302",
"path": "impervia.log"
},
"offset": 0
},
"ecs": {
"version": "8.0.0"
},
"source": {
"port": 64361,
"ip": "10.2.2.2"
},
"destination": {
"port": 49561,
"user": {
"name": "testuser"
},
"ip": "10.1.1.1"
}
},
{
"@timestamp": "2024-12-16T07:58:43.000Z",
"source": {
"ip": "10.2.2.2",
"port": 64361
},
"log": {
"offset": 1153,
"file": {
"path": "impervia.log",
"device_id": "65025",
"inode": "4614302"
}
},
"host": {
"name": "juda"
},
"agent": {
"id": "a51aae49-f57b-4cfc-80d0-af51e77f1db0",
"name": "juda",
"type": "filebeat",
"version": "8.17.1",
"ephemeral_id": "ae2a3be2-3c6b-49c4-848a-41a776d6d3f7"
},
"cef": {
"version": "0",
"device": {
"vendor": "Imperva Inc.",
"product": "SecureSphere",
"version": "14.16.1.10_0",
"event_class_id": "Audit"
},
"name": "Audit.DAM",
"severity": "Informative",
"extensions": {
"cs14": "",
"deviceCustomString6": "Query",
"cs12Label": "HostName",
"cs16Label": "ParsedQuery",
"deviceCustomString2": "Old-app",
"cs17Label": "BindVariables",
"deviceEventCategory": "Audit DML Operations",
"destinationPort": 49561,
"cs9": "",
"cs21": "1",
"destinationUserName": "testuser",
"deviceCustomString1Label": "Policy",
"cs13": "app01",
"cs18": "",
"cs10Label": "SourceApplication",
"deviceReceiptTime": "2024-12-16T07:58:43.000Z",
"cs21Label": "AffectedRows",
"deviceCustomString4Label": "ApplicationName",
"cs15Label": "RawQuery",
"destinationAddress": "10.1.1.1",
"cs7": "",
"cs15": "UPDATE [appSession] SET [TimeStamp] = '2024/12/16 10:58:43', [SessionInfo] = 'eyJDcmVhdGVkIjoiMjAyNC0wOC0xNVQxNTozOTo0Mi45NDk2NDk1KzAzOjAwIn0=' WHERE ([SessionID] = '395b63e9-f7a5-48a8-92c1-97d30c8f9a65')",
"cs8Label": "UserAuthenticated",
"cs12": "Asset01",
"deviceCustomString5": "7420436200618644437",
"deviceCustomString4": "MsSql Application",
"deviceCustomString3Label": "ServiceName",
"cs17": "",
"cs13Label": "Database",
"deviceCustomString2Label": "ServerGroup",
"sourceAddress": "10.2.2.2",
"cs19Label": "ResponseSize",
"sourcePort": 64361,
"cs20Label": "ResponseTime",
"cs18Label": "SQLError",
"cs19": "0",
"deviceCustomString3": "Old_Application",
"deviceCustomString5Label": "EventId",
"cs9Label": "ApplicationUser",
"cs11Label": "OSUser",
"cs16": "update [appSession] set [timestamp] = ?, [sessioninfo] = ? where ([sessionid] = ?)",
"cs11": "",
"deviceCustomString6Label": "EventType",
"cs8": "True",
"transportProtocol": "TCP",
"cs7Label": "UserGroup",
"cs14Label": "Schema",
"cs20": "0",
"cs10": ".net sqlclient data provider"
}
},
"observer": {
"vendor": "Imperva Inc.",
"product": "SecureSphere",
"version": "14.16.1.10_0"
},
"network": {
"transport": "tcp"
},
"event": {
"original": "<14>CEF:0|Imperva Inc.|SecureSphere|14.16.1.10_0|Audit|Audit.DAM|Informative|dst=10.1.1.1 dpt=49561 duser=testuser src=10.2.2.2 spt=64361 proto=TCP rt=Dec 16 2024 07:58:43 cat=Audit DML Operations cs1Label=Policy cs2=Old-app cs2Label=ServerGroup cs3=Old_Application cs3Label=ServiceName cs4=MsSql Application cs4Label=ApplicationName cs5=7420436200618644437 cs5Label=EventId cs6=Query cs6Label=EventType cs7= cs7Label=UserGroup cs8=True cs8Label=UserAuthenticated cs9= cs9Label=ApplicationUser cs10=.net sqlclient data provider cs10Label=SourceApplication cs11= cs11Label=OSUser cs12=Asset01 cs12Label=HostName cs13=app01 cs13Label=Database cs14= cs14Label=Schema cs15=UPDATE [appSession] SET [TimeStamp] \\= '2024/12/16 10:58:43', [SessionInfo] \\= 'eyJDcmVhdGVkIjoiMjAyNC0wOC0xNVQxNTozOTo0Mi45NDk2NDk1KzAzOjAwIn0\\=' WHERE ([SessionID] \\= '395b63e9-f7a5-48a8-92c1-97d30c8f9a65') cs15Label=RawQuery cs16=update [appSession] set [timestamp] \\= ?, [sessioninfo] \\= ? where ([sessionid] \\= ?) cs16Label=ParsedQuery cs17= cs17Label=BindVariables cs18= cs18Label=SQLError cs19=0 cs19Label=ResponseSize cs20=0 cs20Label=ResponseTime cs21=1 cs21Label=AffectedRows",
"code": "Audit"
},
"input": {
"type": "filestream"
},
"ecs": {
"version": "8.0.0"
},
"message": "Audit.DAM",
"destination": {
"ip": "10.1.1.1",
"port": 49561,
"user": {
"name": "testuser"
}
}
},
{
"@timestamp": "2024-12-16T07:58:43.000Z",
"event": {
"original": "<14>CEF:0|Imperva Inc.|SecureSphere|14.16.1.10_0|Audit|Audit.DAM|Informative|dst=10.1.1.1 dpt=49561 duser=testuser src=10.2.2.2 spt=64361 proto=TCP rt=Dec 16 2024 07:58:43 cat=Audit DML Operations cs1Label=Policy cs2=Old-app cs2Label=ServerGroup cs3=Old_Application cs3Label=ServiceName cs4=MsSql Application cs4Label=ApplicationName cs5=7420436200618644922 cs5Label=EventId cs6=Query cs6Label=EventType cs7= cs7Label=UserGroup cs8=True cs8Label=UserAuthenticated cs9= cs9Label=ApplicationUser cs10=.net sqlclient data provider cs10Label=SourceApplication cs11= cs11Label=OSUser cs12=Asset01 cs12Label=HostName cs13=app01 cs13Label=Database cs14= cs14Label=Schema cs15=UPDATE [appSession] SET [TimeStamp] \\= '2024/12/16 10:58:43', [SessionInfo] \\= 'eyJDcmVhdGVkIjoiMjAyNC0xMi0xNlQxMDo1Mzo0NS44NDM1NDErMDM6MDAifQ\\=\\=' WHERE ([SessionID] \\= '34053637-5c62-4cb4-9eac-2ebc9c948c59') cs15Label=RawQuery cs16=update [appSession] set [timestamp] \\= ?, [sessioninfo] \\= ? where ([sessionid] \\= ?) cs16Label=ParsedQuery cs17= cs17Label=BindVariables cs18= cs18Label=SQLError cs19=0 cs19Label=ResponseSize cs20=0 cs20Label=ResponseTime cs21=1 cs21Label=AffectedRows",
"code": "Audit"
},
"input": {
"type": "filestream"
},
"cef": {
"device": {
"version": "14.16.1.10_0",
"event_class_id": "Audit",
"vendor": "Imperva Inc.",
"product": "SecureSphere"
},
"name": "Audit.DAM",
"severity": "Informative",
"extensions": {
"cs15": "UPDATE [appSession] SET [TimeStamp] = '2024/12/16 10:58:43', [SessionInfo] = 'eyJDcmVhdGVkIjoiMjAyNC0xMi0xNlQxMDo1Mzo0NS44NDM1NDErMDM6MDAifQ==' WHERE ([SessionID] = '34053637-5c62-4cb4-9eac-2ebc9c948c59')",
"cs16": "update [appSession] set [timestamp] = ?, [sessioninfo] = ? where ([sessionid] = ?)",
"cs20Label": "ResponseTime",
"deviceCustomString2": "Old-app",
"cs12": "Asset01",
"sourcePort": 64361,
"cs17": "",
"cs14": "",
"destinationAddress": "10.1.1.1",
"sourceAddress": "10.2.2.2",
"deviceCustomString1Label": "Policy",
"deviceCustomString4Label": "ApplicationName",
"cs15Label": "RawQuery",
"cs19": "0",
"deviceCustomString5Label": "EventId",
"cs8": "True",
"cs21Label": "AffectedRows",
"deviceEventCategory": "Audit DML Operations",
"cs11": "",
"deviceCustomString4": "MsSql Application",
"cs7": "",
"cs7Label": "UserGroup",
"transportProtocol": "TCP",
"destinationUserName": "testuser",
"cs10Label": "SourceApplication",
"deviceReceiptTime": "2024-12-16T07:58:43.000Z",
"cs13": "app01",
"cs14Label": "Schema",
"cs12Label": "HostName",
"cs18": "",
"cs19Label": "ResponseSize",
"cs18Label": "SQLError",
"deviceCustomString2Label": "ServerGroup",
"cs9Label": "ApplicationUser",
"cs16Label": "ParsedQuery",
"deviceCustomString3": "Old_Application",
"cs9": "",
"cs10": ".net sqlclient data provider",
"deviceCustomString6": "Query",
"cs13Label": "Database",
"cs11Label": "OSUser",
"deviceCustomString5": "7420436200618644922",
"cs20": "0",
"deviceCustomString3Label": "ServiceName",
"cs8Label": "UserAuthenticated",
"destinationPort": 49561,
"cs17Label": "BindVariables",
"cs21": "1",
"deviceCustomString6Label": "EventType"
},
"version": "0"
},
"message": "Audit.DAM",
"destination": {
"user": {
"name": "testuser"
},
"ip": "10.1.1.1",
"port": 49561
},
"source": {
"port": 64361,
"ip": "10.2.2.2"
},
"log": {
"file": {
"path": "impervia.log",
"device_id": "65025",
"inode": "4614302"
},
"offset": 2306
},
"host": {
"name": "juda"
},
"agent": {
"id": "a51aae49-f57b-4cfc-80d0-af51e77f1db0",
"name": "juda",
"type": "filebeat",
"version": "8.17.1",
"ephemeral_id": "ae2a3be2-3c6b-49c4-848a-41a776d6d3f7"
},
"ecs": {
"version": "8.0.0"
},
"observer": {
"vendor": "Imperva Inc.",
"product": "SecureSphere",
"version": "14.16.1.10_0"
},
"network": {
"transport": "tcp"
}
}
]
}
Loading

0 comments on commit f6c275f

Please sign in to comment.