Security

Log example for Imperva SecureSphere CEF/LEEF

changux
Builder

Hi all.
I want to do a test between Imperva's SecureSphere logs and Splunk but i haven't for now a sample of the log data. Anyone have an example file (with altered information of course)? I only see standard templates like:

LEEF:1.0|Imperva|SecureSphere|10.0.0|Firewall None|Alert ID=912905|devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=2014-07-22 06:59:58.0|Alert type=Firewall|src=10.0.0.1|usrName=n/a|Application name=${Alert.applicationName}|Service name=${Alert.serviceName}|Alert Description=TCP - TCP Unexpected SYN|Severity=High|Simulation Mode=false|Immediate Action=None|Event ID=4238139139125767123|dst=10.0.0.2|dp=443|Server Group=securitynik_servers|Affected Application=|Affected Application (violation)=$item.alert.applicationName|HTTP Method=|HTTP Host=|Query=

I want to see detailed examples to try regular expressions and more.

Thank you!

Regards.

0 Karma

Rob_van_Hoboken
New Member

Normally, I would expect KVPs in LEEF records to be separated by TABs. There is more discussion and a sample in

https://answers.splunk.com/answers/507704/does-splunk-recognize-leef-formatted.html

0 Karma

changux
Builder
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...