{"type":"doc","content":[{"type":"paragraph"},{"type":"heading","attrs":{"level":4},"content":[{"text":"Topics Discussed","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"maxLevel":{"value":"3"},"minLevel":{"value":"3"},"_parentId":{"value":"3519580074"}},"macroMetadata":{"macroId":{"value":"a61636fd-1bd5-402d-a65e-89f975ad4f98"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"c6dff005-2b01-46ed-9d6a-4bec4fe0c520"}},{"type":"paragraph"},{"type":"paragraph","content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"excerpt-include","parameters":{"macroParams":{"":{"value":"Obtain Log Relay for Remote Log Collection"},"_parentId":{"value":"3519580074"},"name":{"value":"Remote Log Collection Permissions"},"_referencedContentId":{"value":"3519581253"},"nopanel":{"value":"true"}},"macroMetadata":{"macroId":{"value":"3ae8f0bd-f7a4-45f6-b93b-a73dc1cf4f37"},"schemaVersion":{"value":"1"},"title":"Insert excerpt"}},"localId":"20ce6db3-56c1-44ba-97d0-de7883f23ca2"}}]},{"type":"paragraph","content":[{"text":"You can use this document to add a remote log collector to a SecureSphere remote device (log source). ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#333333"}}]}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pre-Deployment Considerations","type":"text"}]},{"type":"rule"},{"type":"paragraph","content":[{"text":"Before you begin, review the following requirements:","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Log Relay","type":"text"}]},{"type":"paragraph","content":[{"text":"For remote log collection, you must have a Log Relay server on your account.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"To learn how to add Log Relay to your account, see ","type":"text"},{"text":"Obtain Log Relay for Remote Log Collection","type":"text","marks":[{"type":"link","attrs":{"__confluenceMetadata":{"isRenamedTitle":true,"linkType":"page","contentTitle":"Obtain Log Relay for Remote Log Collection","versionAtSave":"10"},"href":"https://armor-defense.atlassian.net/wiki/spaces/KB/pages/3519581253"}}]},{"text":".","type":"text"}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Assumptions","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The SecureSphere device is running at version v9.5 to v13 for Syslog in LEEF format","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Your device is already configured and running the policies that are needed","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"You already have a log relay box set up and configured correctly","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The security policies for any AWS security groups or firewalls allow traffic on port 10154 to reach the log relay","type":"text"}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Update your Imperva SecureSphere Device","type":"text"}]},{"type":"rule"},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Log into your Imperva SecureSphere management console.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Navigate to Policies -> Action Sets","type":"text"},{"type":"hardBreak"}]},{"type":"mediaSingle","attrs":{"layout":"align-start","width":703,"widthType":"pixel"},"content":[{"type":"media","attrs":{"__fileSize":38092,"__fileMimeType":"image/png","width":624,"id":"af0682df-470b-4075-9651-e4e1e3d6d231","collection":"contentId-3519580074","type":"file","__fileName":"image2020-5-4_9-15-31.png","height":103}}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click the ","type":"text"},{"text":"Create New","type":"text","marks":[{"type":"strong"}]},{"text":" button to define a new action set","type":"text"},{"type":"hardBreak"}]},{"type":"mediaSingle","attrs":{"layout":"align-start","width":392,"widthType":"pixel"},"content":[{"type":"media","attrs":{"__fileSize":17660,"__fileMimeType":"image/png","width":211,"id":"5fd2f60d-bf5f-4dce-bb17-7028d419ca4d","collection":"contentId-3519580074","type":"file","__fileName":"image2020-5-4_9-15-42.png","height":62}}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the ","type":"text"},{"text":"Action Name","type":"text","marks":[{"type":"strong"}]},{"text":" field, type a name for your alert action (ex: Log Firewall Alerts to Armor)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Select the appropriate event type from the ","type":"text"},{"text":"Apply to Event Type","type":"text","marks":[{"type":"strong"}]},{"text":" dropdown menu - Options include Security Violations - All, Security Violations - Web Application Level, Security Violations - File Application Level, and System Events.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click ","type":"text"},{"text":"Create","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"},{"type":"hardBreak"}]},{"type":"mediaSingle","attrs":{"layout":"align-start","width":396,"widthType":"pixel"},"content":[{"type":"media","attrs":{"__fileSize":8528,"__fileMimeType":"image/png","width":161,"id":"057270b6-8c52-4dc4-acb7-a0052b0d6786","collection":"contentId-3519580074","type":"file","__fileName":"image2020-5-4_9-16-4.png","height":65}}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configure the forwarding action","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click into your newly created action set","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Under ","type":"text"},{"text":"Available Action Interfaces","type":"text","marks":[{"type":"strong"}]},{"text":", use the upward-pointing green arrow next to ","type":"text"},{"text":"Server System Log > Log to System Log (syslog)","type":"text","marks":[{"type":"strong"}]},{"text":" to add the action interface to the ","type":"text"},{"text":"Selected Interfaces","type":"text","marks":[{"type":"strong"}]},{"text":" section","type":"text"},{"type":"hardBreak"}]},{"type":"mediaSingle","attrs":{"layout":"align-start","width":633,"widthType":"pixel"},"content":[{"type":"media","attrs":{"__fileSize":80813,"__fileMimeType":"image/png","width":248,"id":"d753ed41-8157-4fbf-a7d8-fcc4689891d9","collection":"contentId-3519580074","type":"file","__fileName":"image2020-5-4_9-16-22.png","height":227}}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Expand the Action Interface just added to ","type":"text"},{"text":"Selected Actions","type":"text","marks":[{"type":"strong"}]},{"text":". In the ","type":"text"},{"text":"Syslog Host","type":"text","marks":[{"type":"strong"}]},{"text":" field, enter the ","type":"text"},{"text":"IP address","type":"text","marks":[{"type":"strong"}]},{"text":" of your Log Relay server and specify ","type":"text"},{"text":"port 10154","type":"text","marks":[{"type":"strong"}]},{"text":" using standard IP:PORT format (ex. 1.1.1.1:10154)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the ","type":"text"},{"text":"Syslog log level","type":"text","marks":[{"type":"strong"}]},{"text":" list, select ","type":"text"},{"text":"INFO","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the ","type":"text"},{"text":"Message","type":"text","marks":[{"type":"strong"}]},{"text":" field, paste the following, depending on the event type you are forwarding, and placing the appropriate date and time format your SecureSphere is configured for in ","type":"text"},{"text":"devTimeFormat","type":"text","marks":[{"type":"strong"}]},{"text":" where listed :","type":"text"}]},{"type":"extension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"__confluenceADFMigrationUnsupportedContentInternalExtension__","text":"","parameters":{"cxhtml":"

For Security Violations - Web Application Level (v9.5 and v10 to v13):	LEEF:1.0\|Imperva\|SecureSphere\|${SecureSphereVersion}\|${Alert.alertType} ${Alert.immediateAction}\|Alert ID=${Alert.dn}\|devTimeFormat=\|devTime=${Alert.createTime}\|Alert type=${Alert.alertType}\|src=${Alert.sourceIp}\|srcPort=$!{Event.sourceInfo.sourcePort}\|usrName=${Alert.username}\|Application name=${Alert.applicationName}\|dst=${Event.destInfo.serverIp}\|dstPort=$!{Event.destInfo.serverPort}\|Service name=${Alert.serviceName}\|Event Description=${Alert.description}\|Severity=${Alert.severity}\|Simulation Mode=${Alert.simulationMode}\|Immediate Action=${Alert.immediateAction}
For Security Violations - File Application Level (v9.5 and v10 to v13):	LEEF:1.0\|Imperva\|SecureSphere\|${SecureSphereVersion}\|${Alert.alertType} ${Alert.immediateAction}\|Alert ID={Alert.dn}\|devTimeFormat=\|devTime=${Alert.createTime}\|Alert type=${Alert.alertType}\|src=${Alert.sourceIp}\|usrName=${Event.struct.user.username}\|Domain=${Event.struct.user.domain}\|Application name=${Alert.applicationName}\|dst=${Event.destInfo.serverIp}\|Alert Description=${Alert.description}\|Severity=${Alert.severity}\|Immediate Action=${Alert.immediateAction}\|SecureSphere Version=${SecureSphereVersion}
For Security Violations - Database Level(v9.5 and v10 to v13):	LEEF:1.0\|Imperva\|SecureSphere\|${SecureSphereVersion}\|${Alert.alertType} ${Alert.immediateAction}\|Alert ID=${Alert.dn}\|devTimeFormat=\|devTime=${Alert.createTime}\|Alert type=${Alert.alertType}\|src=${Alert.sourceIp}\|usrName=$ {Event.struct.user.user}\|Application name=${Alert.applicationName}\|dst=${Event.destInfo.serverIp}\|Alert Description=${Alert.description}\|Severity=${Alert.severity}\|Immediate Action=${Alert.immediateAction}\|SecureSphere Version=${SecureSphereVersion}
For System Events (v9.5 and v10 to v13):	LEEF:1.0\|Imperva\|SecureSphere\|${SecureSphereVersion}\|${Event.eventType}\|Event ID=${Event.dn}\|devTimeFormat=\|devTime=${Event.createTime}\|Event Type=${Event.eventType}\|Message=${Event.message}\|Severity=${Event.severity.displayName}\|usrName=${Event.username}\|SecureSphere Version=${SecureSphereVersion}
For All System Events (v6.2 and v7.x to v13 Release Enterprise Edition):	DeviceType=ImpervaSecuresphere Event\|et=$!{Event.eventType}\|dc=Securesphere System Event\|sp=$!{Event.sourceInfo.sourcePort}\|s=$!{Event.sourceInfo.sourceIp}\|d=$!{Event.destInfo.serverIp}\|dp=$!{Event.destInfo.serverPort}\|u=$!{Event.username}\|t=$!{Event.createTime}\|sev=$!{Event.severity}\|m=$!{Event.message}
For Database audit records (v9.5 and v10 to v13):	LEEF:1.0\|Imperva\|SecureSphere\|${SecureSphereVersion}\|${Event.struct.eventType}\|Server Group=${Event.serverGroup}\|Service Name=${Event.serviceName}\|Application Name=${Event.applicationName}\|Source Type=${Event.sourceInfo.eventSourceType}\|User Type=${Event.struct.user.userType}\|usrName=${Event.struct.user.user}\|User Group=${Event.struct.userGroup}\|Authenticated=${Event.struct.user.authenticated}\|App User=${Event.struct.applicationUser}\|src=${Event.sourceInfo.sourceIp}\|Application=${Event.struct.application.application}\|OS User=${Event.struct.osUser.osUser}\|Host=${Event.struct.host.host}\|Service Type=${Event.struct.serviceType}\|dst=${Event.destInfo.serverIp}\|Event Type=${Event.struct.eventType}\|Operation=${Event.struct.operations.name}\|Operation type=${Event.struct.operations.operationType}\|Object name=${Event.struct.operations.objects.name}\|Object type=${Event.struct.operations.objectType}\|Subject=${Event.struct.operations.subjects.name}\|Database=${Event.struct.databases.databaseName}\|Schema=${Event.struct.databases.schemaName}\|Table Group=$ {Event.struct.tableGroups.displayName}\|Sensitive=${Event.struct.tableGroups.sensitive}\|Privileged=${Event.struct.operations.privileged}\|Stored Proc=${Event.struct.operations.storedProcedure}\|Completed Successfully=${Event.struct.complete.completeSuccessful}\|Parsed Query=${Event.struct.query.parsedQuery}\|Bind Variables=${Event.struct.rawData.bindVariables}\|Error=${Event.struct.complete.errorValue}\|Response Size=${Event.struct.complete.responseSize}\|Response Time=${Event.struct.complete.responseTime}\|Affected Rows=${Event.struct.query.affectedRows}\|devTimeFormat=\|devTime=${Event.createTime}

","nestedContent":{"type":"doc","content":[{"type":"table","attrs":{"layout":"full-width"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.38]},"content":[{"type":"paragraph","content":[{"text":"For Security Violations - Web Application Level (v9.5 and v10 to v13):","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1191.86]},"content":[{"type":"paragraph","content":[{"text":"LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}|devTimeFormat=|devTime=${Alert.createTime}|Alert type=${Alert.alertType}|src=${Alert.sourceIp}|srcPort=$!{Event.sourceInfo.sourcePort}|usrName=${Alert.username}|Application name=${Alert.applicationName}|dst=${Event.destInfo.serverIp}|dstPort=$!{Event.destInfo.serverPort}|Service name=${Alert.serviceName}|Event Description=${Alert.description}|Severity=${Alert.severity}|Simulation Mode=${Alert.simulationMode}|Immediate Action=${Alert.immediateAction}","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.38]},"content":[{"type":"paragraph","content":[{"text":"For Security Violations - File Application Level (v9.5 and v10 to v13):","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1191.86]},"content":[{"type":"paragraph","content":[{"text":"LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID={Alert.dn}|","type":"text"},{"text":"devTimeFormat=","type":"text","marks":[{"type":"strong"}]},{"text":"|devTime=${Alert.createTime}|Alert type=${Alert.alertType}|src=${Alert.sourceIp}|usrName=${Event.struct.user.username}|Domain=${Event.struct.user.domain}|Application name=${Alert.applicationName}|dst=${Event.destInfo.serverIp}|Alert Description=${Alert.description}|Severity=${Alert.severity}|Immediate Action=${Alert.immediateAction}|SecureSphere Version=${SecureSphereVersion}","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.38]},"content":[{"type":"paragraph","content":[{"text":"For Security Violations - Database Level(v9.5 and v10 to v13):","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1191.86]},"content":[{"type":"paragraph","content":[{"text":"LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}|","type":"text"},{"text":"devTimeFormat=","type":"text","marks":[{"type":"strong"}]},{"text":"|devTime=${Alert.createTime}|Alert type=${Alert.alertType}|src=${Alert.sourceIp}|usrName=$ {Event.struct.user.user}|Application name=${Alert.applicationName}|dst=${Event.destInfo.serverIp}|Alert Description=${Alert.description}|Severity=${Alert.severity}|Immediate Action=${Alert.immediateAction}|SecureSphere Version=${SecureSphereVersion}","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.38]},"content":[{"type":"paragraph","content":[{"text":"For System Events (v9.5 and v10 to v13):","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1191.86]},"content":[{"type":"paragraph","content":[{"text":"LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Event.eventType}|Event ID=${Event.dn}|","type":"text"},{"text":"devTimeFormat=","type":"text","marks":[{"type":"strong"}]},{"text":"|devTime=${Event.createTime}|Event Type=${Event.eventType}|Message=${Event.message}|Severity=${Event.severity.displayName}|usrName=${Event.username}|SecureSphere Version=${SecureSphereVersion}","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.38]},"content":[{"type":"paragraph","content":[{"text":"For All System Events (v6.2 and v7.x to v13 Release Enterprise Edition):","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1191.86]},"content":[{"type":"paragraph","content":[{"text":"DeviceType=ImpervaSecuresphere Event|et=$!{Event.eventType}|dc=Securesphere System Event|sp=$!{Event.sourceInfo.sourcePort}|s=$!{Event.sourceInfo.sourceIp}|d=$!{Event.destInfo.serverIp}|dp=$!{Event.destInfo.serverPort}|u=$!{Event.username}|t=$!{Event.createTime}|sev=$!{Event.severity}|m=$!{Event.message}","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.38]},"content":[{"type":"paragraph","content":[{"text":"For Database audit records (v9.5 and v10 to v13):","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1191.86]},"content":[{"type":"paragraph","content":[{"text":"LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Event.struct.eventType}|Server Group=${Event.serverGroup}|Service Name=${Event.serviceName}|Application Name=${Event.applicationName}|Source Type=${Event.sourceInfo.eventSourceType}|User Type=${Event.struct.user.userType}|usrName=${Event.struct.user.user}|User Group=${Event.struct.userGroup}|Authenticated=${Event.struct.user.authenticated}|App User=${Event.struct.applicationUser}|src=${Event.sourceInfo.sourceIp}|Application=${Event.struct.application.application}|OS User=${Event.struct.osUser.osUser}|Host=${Event.struct.host.host}|Service Type=${Event.struct.serviceType}|dst=${Event.destInfo.serverIp}|Event Type=${Event.struct.eventType}|Operation=${","type":"text"},{"text":"Event.struct.operations.name","type":"text","marks":[{"type":"link","attrs":{"href":"http://Event.struct.operations.name"}}]},{"text":"}|Operation type=${Event.struct.operations.operationType}|Object name=${","type":"text"},{"text":"Event.struct.operations.objects.name","type":"text","marks":[{"type":"link","attrs":{"href":"http://Event.struct.operations.objects.name"}}]},{"text":"}|Object type=${Event.struct.operations.objectType}|Subject=${","type":"text"},{"text":"Event.struct.operations.subjects.name","type":"text","marks":[{"type":"link","attrs":{"href":"http://Event.struct.operations.subjects.name"}}]},{"text":"}|Database=${Event.struct.databases.databaseName}|Schema=${Event.struct.databases.schemaName}|Table Group=$ {Event.struct.tableGroups.displayName}|Sensitive=${Event.struct.tableGroups.sensitive}|Privileged=${Event.struct.operations.privileged}|Stored Proc=${Event.struct.operations.storedProcedure}|Completed Successfully=${Event.struct.complete.completeSuccessful}|Parsed Query=${Event.struct.query.parsedQuery}|Bind Variables=${Event.struct.rawData.bindVariables}|Error=${Event.struct.complete.errorValue}|Response Size=${Event.struct.complete.responseSize}|Response Time=${Event.struct.complete.responseTime}|Affected Rows=${Event.struct.query.affectedRows}|","type":"text"},{"text":"devTimeFormat=","type":"text","marks":[{"type":"strong"}]},{"text":"|devTime=${Event.createTime}","type":"text"}]}]}]}]}],"version":1},"reason":"A table in list item can't be created or edited in the new editor."}}}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the ","type":"text"},{"text":"Facility","type":"text","marks":[{"type":"strong"}]},{"text":" field, type ","type":"text"},{"text":"syslog","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Select the ","type":"text"},{"text":"Run on Every Event","type":"text","marks":[{"type":"strong"}]},{"text":" check box","type":"text"},{"type":"hardBreak"}]},{"type":"mediaSingle","attrs":{"layout":"align-start","width":1195,"widthType":"pixel"},"content":[{"type":"media","attrs":{"__fileSize":59455,"__fileMimeType":"image/png","width":624,"id":"944133a5-f819-4406-bd0a-dcf07e135e3e","collection":"contentId-3519580074","type":"file","__fileName":"image2020-5-4_9-18-14.png","height":221}}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click ","type":"text"},{"text":"Save","type":"text","marks":[{"type":"strong"}]},{"type":"hardBreak"},{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"inline-media-image","parameters":{"width":"","id":"ec49157b-84b9-47e4-bf87-80e38724e707","collection":"contentId-3519580074","height":"89"}}}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Associate your policies to the new alert action:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"From the navigation menu, click ","type":"text"},{"text":"Policies","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"-> Security","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Select the policy that you want to use for the alert action","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click the ","type":"text"},{"text":"Policy","type":"text","marks":[{"type":"strong"}]},{"text":" tab.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"From the ","type":"text"},{"text":"Followed Action","type":"text","marks":[{"type":"strong"}]},{"text":" list, select your new action (ex: Send Firewall Logs to Armor) and configure the parameters.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Ensure that your policy is configured as enabled and is applied to the appropriate server groups.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click ","type":"text"},{"text":"save","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]}]}]}]},{"type":"paragraph"},{"type":"paragraph"},{"type":"heading","attrs":{"level":3},"content":[{"text":"Verify Connection in AMP","type":"text"}]},{"type":"rule"},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the Armor Management Portal (AMP), in the left-side navigation, click ","type":"text"},{"text":"Security","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click ","type":"text"},{"text":"Log & Data Management","type":"text","marks":[{"type":"strong"}]},{"text":", and then select ","type":"text"},{"text":"Search","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the ","type":"text"},{"text":"Source","type":"text","marks":[{"type":"strong"}]},{"text":" column, review the source name to locate the newly created SecureSphere remote log source.","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the search field, you can also enter \"securesphere\" to locate SecureSphere messages.","type":"text"}]}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]}],"version":1}

Browser not supported