Imperva WAF

Imperva

About

Web application attacks prevent important transactions and steal sensitive data. Imperva Web Application Firewall (WAF) stops these attacks with near-zero false positives and a global SOC to ensure your organization is protected from the latest attacks minutes after they are discovered in the wild.

Product Details

Vendor URL: Imperva WAF

Product Type: Web Application Firewall

Product Tier: Tier II

Integration Method: Syslog

Parser Details

Log Format: Syslog, JSON, CEF

Expected Normalization Rate: ~85%

Data Label: IMPERVA_WAF

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File                                        UDM Field
----------------------------------------------  ----------------------------------------------
dvc                                             about.ip
ip_range.ip_range                               additional.fields
connection.id                                   additional.fields
connection.name                                 additional.fields
connection.type                                 additional.fields
ddos_stop.peak_BW                               additional.fields
ddos_stop.peak_PPS                              additional.fields
cs9                                             extensions.vulns.vulnerabilities.name
xff                                             intermediary.ip
popName                                         intermediary.location.country_or_region
Custom filter of CEF header                     metadata.description
event.action                                    metadata.description
message                                         metadata.description
Custom filter of CEF header                     metadata.product_event_type
type_key                                        metadata.product_event_type
Web Application Firewall                        metadata.product_name
Imperva                                         metadata.vendor_name
app                                             network.application_protocol
proto                                           network.application_protocol
deviceExternalId                                network.community_id
requestMethod                                   network.http.method
ref                                             network.http.referral_url
flexString1                                     network.http.response_code
cn1                                             network.http.response_code
payload (custom filter)                         network.http.user_agent
requestClientApplication                        network.http.user_agent
proto                                           network.ip_protocol
in                                              network.received_bytes
fileId                                          network.session_id
tls_cipher                                      network.tls.cipher
tls_version                                     network.tls.version
observer.geo.name                               observer.user.userid
cs6                                             principal.application
src                                             principal.ip
cicode                                          principal.location.city
calCountryOrRegion                              principal.location.country_or_region
cs7 (if cs7Label = latitude)                    principal.location.region_latitude
cs8 (if cs8Label = longitude)                   principal.location.region_longitude
spt                                             principal.port
srcPort                                         principal.port
user_details                                    principal.user.email_addresses
user.email                                      principal.user.email_addresses
event.provider                                  principal.user.user_display_name
user_id                                         principal.user.userid
act                                             security_result.action_details
imperva.audit_trail.event_action                security_result.action_details
dproc                                           security_result.category_details
cs1/cs1Label                                    security_result.detection_fields
cs2/cs2Label                                    security_result.detection_fields
cs3/cs3Label                                    security_result.detection_fields
cs4/cs4Label                                    security_result.detection_fields
cs5/cs5Label                                    security_result.detection_fields
cn1/cn1Label                                    security_result.detection_fields
cn2/cn2Label                                    security_result.detection_fields
fileType                                        security_result.detection_fields
filePermission                                  security_result.detection_fields
siteid                                          security_result.detection_fields
start                                           security_result.detection_fields
end                                             security_result.detection_fields
postbody                                        security_result.detection_fields
policy.id                                       security_result.rule_id
policy.name                                     security_result.rule_name
imperva.audit_trail.event_action_description    security_result.summary
dhost                                           target.hostname
sourceServiceName                               target.hostname
dst                                             target.ip
sip                                             target.ip
dpt                                             target.port
resource_id                                     target.resource.id
context_key                                     target.resource.name
imperva.audit_trail.resource_name               target.resource.name
resource_type_key                               target.resource.type
request                                         target.url
url                                             target.url
imperva.audit_trail.resource_name               target.user.email_addresses
Customer                                        target.user.user_display_name
imperva.ids.account_name                        target.user.user_display_name
duser                                           target.user.userid
suid                                            target.user.userid
imperva.ids.account_id                          target.user.userid
account_id                                      target.user.userid

Product Event Types

Event                                                               UDM Event Classification
------------------------------------------------------------------  ------------------------
CEF header contains: Attack Analytics                               SCAN_UNCATEGORIZED
src = Distributed                                                   USER_UNCATEGORIZED
Used if raw JSON log does not have the requirements for USER_LOGIN  USER_STATS
imperva.audit_trail.event_action = SUCCESSFUL_USER_SIGN_IN          USER_LOGIN
All others                                                          NETWORK_HTTP

Log Sample

CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=1151111530000002911 sourceServiceName=hostname.com siteid=id_123 suid=john.doe requestClientApplication=application_name/1.1 deviceFacility=iad cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=a3c54a3f-539d-4bc6-bb3b-d11752e63fa1lz cs4Label=VID cs5=internal_only cs5Label=clappsig dproc=Developer Tool cs6=application_name cs6Label=clapp ccode=US cicode=Kansas City cs7=39.106 cs7Label=latitude cs8=-94.676 cs8Label=longitude Customer=Company_name start=1710439017374 request=hostname.com/api requestMethod=GET cn1=200 app=HTTPS act=REQ_PASSED deviceExternalId=24427398944728653 sip=10.0.0.3 spt=5000 in=9897 xff=10.0.0.1, 10.0.0.2 cpt=2943 src=10.0.0.2 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 end=1710439020570

Sample Parsing

intermediary.ip = "10.0.0.1"
intermediary.ip = "10.0.0.2"
metadata.description = "Normal"
metadata.event_timestamp.seconds = 1710439017
metadata.event_type = "NETWORK_HTTP"
metadata.log_type = "IMPERVA_WAF"
metadata.product_event_type = "1"
metadata.product_name = "Web Application Firewall"
metadata.vendor_name = "Imperva"
network.application_protocol = "HTTPS"
network.http.method = "GET"
principal.ip = "10.0.0.2"
principal.location.region_latitude = 39.106
principal.location.region_longitude = -94.676
principal.port = 5000
security_result.action_details = "REQ_PASSED: the request was routed to the site's web server"
security_result.action = "ALLOW"
security_result.detection_fields.key = "Javascript Support"
security_result.detection_fields.value = "false"
security_result.detection_fields.key = "CO Support"
security_result.detection_fields.value = "false"
security_result.detection_fields.key = "VID"
security_result.detection_fields.value = "a3c54a3f-539d-4bc6-bb3b-d11752e63fa1lz"
security_result.detection_fields.key = "clappsig"
security_result.detection_fields.value = "internal_only"
target.hostname = "hostname.com"
target.ip = "10.0.0.3"
target.url = "hostname.com/api"
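The Python below is an added example, not Imperva's code and not the SIEM's own parser. It parses the CEF log sample above into header and extension fields, applies the UDM mapping table and the Product Event Types rules, and reproduces the values shown under Sample Parsing, including the two-address xff chain that becomes a repeated intermediary.ip and the label-gated cs7/cs8 coordinates. The UDM paths come from the table; splitting `ver` into TLS version and cipher, mapping only REQ_PASSED to an ALLOW verdict, treating a custom-field value of NA as absent, and reading the USER_STATS row as "any audit-trail record that is not a sign-in" are my assumptions drawn from the sample, and are marked as such in the code.

```python
# Added example (not Imperva's code and not the SIEM's parser): parse the page's
# CEF sample and map it to the UDM paths in the table above. Assumptions are marked.
import re

# Copied from the page's Log Sample (a single line, wrapped here).
SAMPLE_CEF = (
    "CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=1151111530000002911 "
    "sourceServiceName=hostname.com siteid=id_123 suid=john.doe "
    "requestClientApplication=application_name/1.1 deviceFacility=iad cs2=false "
    "cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support "
    "cs4=a3c54a3f-539d-4bc6-bb3b-d11752e63fa1lz cs4Label=VID cs5=internal_only "
    "cs5Label=clappsig dproc=Developer Tool cs6=application_name cs6Label=clapp ccode=US "
    "cicode=Kansas City cs7=39.106 cs7Label=latitude cs8=-94.676 cs8Label=longitude "
    "Customer=Company_name start=1710439017374 request=hostname.com/api requestMethod=GET "
    "cn1=200 app=HTTPS act=REQ_PASSED deviceExternalId=24427398944728653 sip=10.0.0.3 "
    "spt=5000 in=9897 xff=10.0.0.1, 10.0.0.2 cpt=2943 src=10.0.0.2 "
    "ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 end=1710439020570"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# A key starts the string or follows whitespace and is followed by '='; a value runs to
# the next key, which keeps spaces and commas in xff, ver and the cs*Label names intact.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def parse_cef(line):
    """Return (header, extension) dicts for one CEF record."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # split on unescaped pipes only
    if len(parts) < 7:
        raise ValueError("CEF header is incomplete")
    header = dict(zip(HEADER_FIELDS, (p.replace(r"\|", "|") for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    extension = parts[7] if len(parts) > 7 else ""
    keys = list(_EXT_KEY.finditer(extension))
    ext = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        raw = extension[m.end():end].strip()  # CEF escapes '\', '=' and newline with '\'
        ext[m.group(1)] = re.sub(r"\\(.)", lambda s: "\n" if s.group(1) == "n" else s.group(1), raw)
    return header, ext


def classify(header, fields):
    """UDM event type, following the Product Event Types table."""
    if any("Attack Analytics" in v for v in header.values()):
        return "SCAN_UNCATEGORIZED"
    if fields.get("src") == "Distributed":
        return "USER_UNCATEGORIZED"
    action = fields.get("imperva.audit_trail.event_action")  # key used by the JSON format
    if action == "SUCCESSFUL_USER_SIGN_IN":
        return "USER_LOGIN"
    if action is not None:  # audit-trail record that is not a sign-in (my reading of USER_STATS)
        return "USER_STATS"
    return "NETWORK_HTTP"


# Extension keys copied verbatim to a UDM path (a subset of the table above).
_DIRECT = {"app": "network.application_protocol", "requestMethod": "network.http.method",
           "src": "principal.ip", "sip": "target.ip", "sourceServiceName": "target.hostname",
           "request": "target.url", "suid": "target.user.userid", "cs6": "principal.application",
           "dproc": "security_result.category_details", "cicode": "principal.location.city"}
_NUMERIC = {"spt": "principal.port", "cn1": "network.http.response_code", "in": "network.received_bytes"}


def to_udm(header, ext):
    """Map parsed fields to a flat dict keyed by UDM path."""
    udm = {"metadata.vendor_name": "Imperva", "metadata.product_name": "Web Application Firewall",
           "metadata.log_type": "IMPERVA_WAF", "metadata.product_event_type": header["signature_id"],
           "metadata.description": header["name"], "metadata.event_type": classify(header, ext)}
    if ext.get("start", "").isdigit():  # epoch milliseconds -> seconds
        udm["metadata.event_timestamp.seconds"] = int(ext["start"]) // 1000
    udm.update((path, ext[key]) for key, path in _DIRECT.items() if key in ext)
    udm.update((path, int(ext[key])) for key, path in _NUMERIC.items() if ext.get(key, "").isdigit())
    if "xff" in ext:  # the X-Forwarded-For chain becomes a repeated intermediary.ip
        udm["intermediary.ip"] = [ip.strip() for ip in ext["xff"].split(",") if ip.strip()]
    for n, label in (("cs7", "latitude"), ("cs8", "longitude")):  # only when the label says so
        if ext.get(n + "Label") == label and n in ext:
            udm["principal.location.region_" + label] = float(ext[n])
    if " " in ext.get("ver", ""):  # assumption: "ver" carries "<TLS version> <cipher>"
        udm["network.tls.version"], udm["network.tls.cipher"] = ext["ver"].split(" ", 1)
    # Labelled custom fields become detection_fields. The page's sample output omits
    # cs1 (value NA), so NA is treated as absent here (an inference from the sample).
    det = [(ext[n + "Label"], ext[n]) for n in ("cs1", "cs2", "cs3", "cs4", "cs5", "cn2")
           if ext.get(n) not in (None, "", "NA") and ext.get(n + "Label")]
    if det:
        udm["security_result.detection_fields"] = det
    act = ext.get("act")
    if act == "REQ_PASSED":  # wording and the ALLOW verdict come from the page's Sample Parsing
        udm["security_result.action_details"] = "REQ_PASSED: the request was routed to the site's web server"
        udm["security_result.action"] = "ALLOW"
    elif act:  # other act codes are not expanded on the page, so keep the raw code
        udm["security_result.action_details"] = act
    return udm


def udm_from_line(line):
    """Convenience wrapper: one CEF line in, flat UDM dict out."""
    return to_udm(*parse_cef(line))
```

Running `udm_from_line(SAMPLE_CEF)` yields the same principal, target, intermediary, timestamp and detection_fields values the Sample Parsing section lists. Two details matter for a detection engineer writing rules on this feed: the extension value boundary is "whitespace followed by key=", so any value that itself contains such a token (free text in postbody, for example) will be cut short by any CEF parser, and cs7/cs8 are only coordinates when their labels say so, which is why the mapping table gates them on cs7Label and cs8Label.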