Basic parser for Imperva Incapsula and Attack Analytics
- In your inputs.conf, set the following in your monitor:// stanza:
  sourcetype=incapsula
- Install this App on the Index/HF tier (timestamp, event breaks, and sub-sourcetyping) as well as on the SH where CIM compliance is required.
- Incapsula WAF data should get detected as incapsula:cef. This data has been normalized to the IDS, Network_Traffic, and Web data models.
- Attack Analytics data should get detected as imperva:aa:cef. This data has been normalized to the Alerts data model.
1. All events receiving sourcetype=incapsula (not being sub-sourcetyped).
   a. Ensure you installed the TA on the Indexer or HF that processes the events.
   b. Validate that the source data is supported. This add-on supports the "Incapsula SIEMintegration" and "Imperva Inc Attack Analytics" sourcetypes in the CEF format.
2. Events with a missing action=value. If you have any events matching the search "sourcetype=incapsula:cef act=* NOT action=*", the values from act=* will need to be added to lookups/imperva_vendor_act.csv. If this happens to you, please send me the act= values so I can update the lookup for everyone!
3. Data being truncated. Many of the WAF events are quite long, and you will likely need to increase the default truncation limit from 10000 to a size large enough to support your data. If you do have larger events, add a local/props.conf with the following:
   [incapsula:cef]
   # set this a little higher than your largest event and periodically monitor whether it is still sufficient
   TRUNCATE = 10000
   This search can help you identify sourcetypes that are being truncated because their truncation limit is too low:
   index=_internal sourcetype=splunkd component=LineBreakingProcessor | extract | rex "because\slimit\sof\s(?<limit>\S+).*>=\s(?<actual>\S+)" | stats count avg(actual) max(actual) dc(data_source) dc(data_host) BY data_sourcetype, limit | eval avg(actual)=round('avg(actual)') | sort - count
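The three troubleshooting points above can be checked against a raw export file before the data ever reaches Splunk. The following script is an added example, not code from this TA or from Imperva: it parses each line as CEF (the same header that sub-sourcetyping keys off), reports header-only "blank" events, lists act= values that are missing from the lookup, and flags lines longer than the TRUNCATE limit. It assumes the lookup file has the columns act,action (the page names the file but not its layout), and all sample lines and CSV rows below are constructed.

```python
"""Offline sanity checks for Imperva Incapsula / Attack Analytics CEF exports.

Added example, not part of the TA. Assumption: imperva_vendor_act.csv has the
columns act,action. Reports: lines that are not CEF, header-only (blank) events,
act= values absent from the lookup, and lines over TRUNCATE (measured in bytes).
"""
import csv
import io
import re

# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF_PREFIX_RE = re.compile(r"^CEF:(?P<version>\d+)\|(?P<rest>.*)$")
# An extension key is [A-Za-z0-9_.]+ preceded by start-of-string or whitespace and
# followed by '='; values may contain spaces, so each value runs up to the next key.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_cef(line):
    """Return header fields plus the raw extension of one CEF line, or None if not CEF.
    Pipes inside header fields are escaped as '\\|', so the header is walked by hand."""
    m = CEF_PREFIX_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields, buf, i = [], [], 0
    while i < len(rest) and len(fields) < 6:
        c = rest[i]
        if c == "\\" and i + 1 < len(rest):      # escaped char: keep the next char literally
            buf.append(rest[i + 1])
            i += 2
        elif c == "|":                            # unescaped pipe ends a header field
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) < 6:
        return None                               # header is incomplete
    names = ["vendor", "product", "device_version", "signature_id", "name", "severity"]
    out = dict(zip(names, fields))
    out["version"] = m.group("version")
    out["extension"] = rest[i:]                   # everything after the 7th pipe
    return out


def parse_extension(ext):
    """Parse 'k=v k2=v with spaces' into a dict; '\\=' inside a value is unescaped."""
    keys = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for idx, km in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[km.group(1)] = ext[km.end():end].strip().replace("\\=", "=")
    return out


def load_act_lookup(csv_text):
    """act -> action mapping in the assumed imperva_vendor_act.csv layout (columns act,action)."""
    return {row["act"]: row["action"] for row in csv.DictReader(io.StringIO(csv_text))}


def check_events(lines, act_lookup, truncate=10000):
    """Classify raw lines: not_cef, blank (header only), unmapped_act, oversize (> TRUNCATE bytes)."""
    report = {"not_cef": [], "blank": [], "unmapped_act": [], "oversize": [], "parsed": 0}
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        hdr = split_cef(line)
        if hdr is None:
            report["not_cef"].append(n)           # would stay sourcetype=incapsula in Splunk
            continue
        report["parsed"] += 1
        if not hdr["extension"].strip():
            report["blank"].append(n)             # header with no message data
            continue
        act = parse_extension(hdr["extension"]).get("act")
        if act is not None and act not in act_lookup:
            report["unmapped_act"].append((n, act))
        size = len(line.encode("utf-8"))          # Splunk applies TRUNCATE in bytes
        if size > truncate:
            report["oversize"].append((n, size))
    return report


# Constructed sample data (not real customer events); act values and CSV rows are illustrative.
SAMPLE_LOOKUP_CSV = "act,action\nREQ_PASSED,allowed\nREQ_BLOCKED_SECURITY,blocked\n"
SAMPLE_LINES = [
    "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3|fileId=101 act=REQ_CHALLENGE_CAPTCHA src=203.0.113.7 request=/index.html",
    "CEF:0|Incapsula|SIEMintegration|1|1|Normal|0|",
    "CEF:0|Incapsula|SIEMintegration|1|1|Normal|0|fileId=102 act=REQ_PASSED src=198.51.100.9 requestClientApplication=Mozilla/5.0 (constructed)",
    "CEF:0|Imperva Inc.|Attack Analytics|1|1|Bad Bot|5|act=REQ_BLOCKED_SECURITY src=198.51.100.9 msg=" + "x" * 12000,
    "not a cef line",
]

if __name__ == "__main__":
    r = check_events(SAMPLE_LINES, load_act_lookup(SAMPLE_LOOKUP_CSV))
    print("parsed CEF lines:", r["parsed"])
    print("not CEF:", r["not_cef"])
    print("blank header-only events:", r["blank"])
    print("act= values missing from lookup:", r["unmapped_act"])
    print("lines over TRUNCATE (line, bytes):", r["oversize"])
```

Point it at an actual export by replacing SAMPLE_LINES with the lines of the file and SAMPLE_LOOKUP_CSV with the contents of lookups/imperva_vendor_act.csv; anything in unmapped_act is what item 2 asks you to report, and the largest value in oversize tells you how high TRUNCATE in local/props.conf needs to go.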
Fixing file permissions to pass App Inspect
Make sure your events aren't being truncated!
You may need to increase "TRUNCATE = 10000" (the default) to a higher value. This search can help you identify data that is being truncated:
index=_internal sourcetype=splunkd component=LineBreakingProcessor | extract | rex "because\slimit\sof\s(?<limit>\S+).*>=\s(?<actual>\S+)" | stats count avg(actual) max(actual) dc(data_source) dc(data_host) BY data_sourcetype, limit | eval avg(actual)=round('avg(actual)') | sort - count
Fixed compatibility with the Network Traffic DM (updated tags.conf from "traffic = true" to "communicate = true").
Added additional action evals. If you find any other events matching "act=* AND NOT action=*", please let me know. The values from "act=" will need to be added to the lookup "imperva_vendor_act.csv".
Added an additional transform to route "blank" events (where the event contains only the CEF header with no message data) to the null queue.
Fixed REPORT regex for Rule_name extraction. Updated signature evals to cover more events.