SIEM Integration (Enterprise only)


Retrieve your Incapsula access and event logs from the Incapsula cloud repository and archive or push these events into your SIEM solution.

Note: The log integration is an add-on to the Enterprise plan, and only available if purchased.


Incapsula creates the following comprehensive and detailed logs:

  • Security logs provide a detailed alert for each suspicious event detected by the Incapsula proxy while it protects your site across Incapsula's globally distributed network. All logs include the account ID and site ID, which lets you drill down into each individual customer/site.
  • Access logs record every request and response exchanged between your customers and the Incapsula proxy. This is all the traffic that would otherwise have flowed between end users and your origin server, including requests that Incapsula served from its cache.

Incapsula supports the CEF, LEEF, and W3C log formats and provides near-real-time reporting of in-depth event information, such as attacker geo-location and client application signature.


Log integration modes

Incapsula provides several modes of log integration:

  • Retrieve (Pull mode): Log integration API. Your logs are saved in a dedicated repository created for you in the Incapsula cloud. Through the API you can upload a public key used to encrypt your log files, activate Incapsula log collection, change the logging level, and download log files from the Incapsula storage repository to your network.

    Log storage: Logs are aggregated in the Incapsula log repository and kept for up to 48 hours. Storage is cyclic: when space is needed for a new log file, the oldest file (the first one written) is the first to be deleted.

    Log index file: Incapsula provides a Log Index file that lists the log files generated for you and available to download. The index is not modified based on which log files you have already downloaded; at any given moment it contains the full list of available log files, so your collector must keep its own record of what it has already fetched.

  • Receive (Push mode): Automatic log integration via SFTP or Amazon S3. Your logs are pushed to your pre-defined repository, an AWS S3 bucket or an SFTP folder, as soon as they are created. Logs are transferred automatically from the Incapsula cloud repository to your repository, and no log data is stored in Incapsula at any time.
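Because the index always lists every file still inside the 48-hour window, a pull-mode collector has to track what it has already fetched and forget files that have rolled off. The following is an added example of that bookkeeping, not Incapsula's own connector script; it assumes an index format of one log file name per line and a JSON state file, both of which are assumptions for this example.

```python
# Added example (not Incapsula's connector): bookkeeping for a pull-mode collector.
# Assumptions: the index lists one log file name per line; state is kept as a
# JSON list of file names that were downloaded successfully.
import json
from pathlib import Path
from typing import Callable


def parse_index(index_text: str) -> list[str]:
    """Return file names from the index in listing order, skipping blanks and '#' comments."""
    names = []
    for line in index_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.append(line)
    return names


def plan_downloads(index_names: list[str], downloaded: set[str]) -> tuple[list[str], set[str]]:
    """Split the index into (files still to fetch, fetched files still listed).

    The index is never trimmed by what you already pulled, so the collector filters
    it itself. Files fetched earlier that are no longer listed have been rotated out
    of the 48h window and are dropped from the returned state so it does not grow.
    """
    to_fetch = [name for name in index_names if name not in downloaded]
    still_listed = downloaded & set(index_names)
    return to_fetch, still_listed


def load_state(path: Path) -> set[str]:
    return set(json.loads(path.read_text())) if path.exists() else set()


def save_state(path: Path, downloaded: set[str]) -> None:
    path.write_text(json.dumps(sorted(downloaded)))


def run_cycle(index_text: str, state_path: Path, fetch: Callable[[str], bool]) -> list[str]:
    """One polling cycle. `fetch(name)` is the caller's download-and-decrypt step and
    returns True on success; a file that fails is left out of the state and retried
    on the next cycle. Returns the names this cycle attempted."""
    downloaded = load_state(state_path)
    to_fetch, downloaded = plan_downloads(parse_index(index_text), downloaded)
    for name in to_fetch:
        if fetch(name):
            downloaded.add(name)
    save_state(state_path, downloaded)
    return to_fetch


# Constructed sample indexes from two consecutive polls; 1_100.log rolled off in between.
SAMPLE_INDEX_T1 = "# constructed\n1_100.log\n2_101.log\n3_102.log\n"
SAMPLE_INDEX_T2 = "2_101.log\n3_102.log\n4_103.log\n"
```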

Encryption

You can choose to enable log encryption for Incapsula logs. Logs are encrypted with the public key of a key pair that you generate and upload, to help safeguard the privacy of your data while it is stored in the Incapsula cloud repository. Encryption happens automatically in the Incapsula cloud repository; you decrypt the log files with your private key after downloading them.

If you use the receive (push) option for log integration, the best-practice recommendation is not to use encryption: because the logs are never written to the Incapsula cloud repository, the risk of log exposure there is minimal.

Pre-defined Incapsula SIEM packages

Incapsula provides predefined SIEM application packages that automate loading events from the Incapsula cloud into your SIEM. These packages come ready-made to parse and display each Incapsula log event in your SIEM dashboard, supporting reporting automation, prioritized mitigation, and general event handling.

Packages are available for:

  • HPE ArcSight (Express/ESM)
  • Splunk
  • McAfee Enterprise Security Manager
  • GrayLog
  • Sumo Logic

Several additional platforms provide SIEM integrations with Incapsula:

  • IBM QRadar
  • AlienVault USM Anywhere

Connector

If you choose retrieve mode to access the logs, a sample Python script and configuration file are available for download to assist you with the process. Incapsula does not maintain this script; it is hosted on GitHub and managed by the open source community.


For additional information please refer to Link


Comments

  • Fredy Antonio

    Is it possible, or have you had a case where Incapsula is integrated with SIEM platforms developed in-house?
