Following Imperva's DIY syslog format posting by bmestep, I decided to write in more detail about SecureSphere's "content out" integration with different systems, starting with the generic interfaces first. This is the first post in the series.
SecureSphere provides a rich set of out-of-the-box policies for data protection, yet one might need to add a 3rd party integration or perform a task that is unique to their organization. SecureSphere security administrators can use the built-in interfaces for syslog, email, SNMP, ticketing and OS command integration to perform such tasks.
Let's start with the basics: SecureSphere provides a method to perform external activities and integrate with 3rd party applications using Action Sets: predefined action templates that are executed in response to the occurrence of a security or system event and provide a variety of detection, monitoring and management options. Action Sets are assigned to SecureSphere policies using the Followed Action parameter. Each Action Set is applied to an event according to the event type, which is also matched to the policy type. The individual actions for each type are defined using Action Interfaces.
The following screenshot illustrates the relationship between Action Sets and Action Interfaces:
Action Sets (listed on the left) serve as the policy repository for the different actions that will take place when an event occurs. The diagram below shows 6 action interface options, including send email, OS command, send syslog, create SecureSphere task and review SecureSphere task.
Action Sets and Action Interfaces
A single Action Set might have multiple interfaces. The Action Set is invoked by a SecureSphere policy through its Followed Action. One can add as many Action Sets and Action Interfaces as needed.
The picture below shows how multiple rules of the SQL Profile Policy can have different actions and different Followed Actions. Each Followed Action can invoke an Action Set.
Action Sets Used In Policies
As you can see, within a policy, different rules can have different Followed Actions, providing a high level of flexibility for integration with external systems as well as for different business owners.
Next, I'll discuss the OS command interface.
