# Imperva WAF

## About
Web application attacks prevent important transactions and steal sensitive data. Imperva Web Application Firewall (WAF) stops these attacks with near-zero false positives and a global SOC to ensure your organization is protected from the latest attacks minutes after they are discovered in the wild.
## Product Details
Vendor URL: Imperva WAF
Product Type: Web Application Firewall
Product Tier: Tier II
Integration Method: Syslog
## Parser Details
Log Format: Syslog, JSON, CEF
Expected Normalization Rate: ~85%
Data Label: IMPERVA_WAF
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log Field | UDM Field |
|---|---|
| dvc | about.ip |
| ip_range.ip_range | additional.fields |
| connection.id | additional.fields |
| connection.name | additional.fields |
| connection.type | additional.fields |
| ddos_stop.peak_BW | additional.fields |
| ddos_stop.peak_PPS | additional.fields |
| cs9 | extensions.vulns.vulnerabilities.name |
| xff | intermediary.ip |
| popName | intermediary.location.country_or_region |
| Custom filter of CEF header | metadata.description |
| event.action | metadata.description |
| message | metadata.description |
| Custom filter of CEF header | metadata.product_event_type |
| type_key | metadata.product_event_type |
| Web Application Firewall | metadata.product_name |
| Imperva | metadata.vendor_name |
| app | network.application_protocol |
| proto | network.application_protocol |
| deviceExternalId | network.community_id |
| requestMethod | network.http.method |
| ref | network.http.referral_url |
| flexString1 | network.http.response_code |
| cn1 | network.http.response_code |
| payload (custom filter) | network.http.user_agent |
| requestClientApplication | network.http.user_agent |
| proto | network.ip_protocol |
| in | network.received_bytes |
| fileId | network.session_id |
| tls_cipher | network.tls.cipher |
| tls_version | network.tls.version |
| observer.geo.name | observer.user.userid |
| cs6 | principal.application |
| src | principal.ip |
| cicode | principal.location.city |
| calCountryOrRegion | principal.location.country_or_region |
| cs7 (if cs7Label = latitude) | principal.location.region_latitude |
| cs8 (if cs8Label = longitude) | principal.location.region_longitude |
| spt | principal.port |
| srcPort | principal.port |
| user_details | principal.user.email_addresses |
| user.email | principal.user.email_addresses |
| event.provider | principal.user.user_display_name |
| user_id | principal.user.userid |
| act | security_result.action_details |
| imperva.audit_trail.event_action | security_result.action_details |
| dproc | security_result.category_details |
| cs1/cs1Label | security_result.detection_fields |
| cs2/cs2Label | security_result.detection_fields |
| cs3/cs3Label | security_result.detection_fields |
| cs4/cs4Label | security_result.detection_fields |
| cs5/cs5Label | security_result.detection_fields |
| cn1/cn1Label | security_result.detection_fields |
| cn2/cn2Label | security_result.detection_fields |
| fileType | security_result.detection_fields |
| filePermission | security_result.detection_fields |
| siteid | security_result.detection_fields |
| start | security_result.detection_fields |
| end | security_result.detection_fields |
| postbody | security_result.detection_fields |
| policy.id | security_result.rule_id |
| policy.name | security_result.rule_name |
| imperva.audit_trail.event_action_description | security_result.summary |
| dhost | target.hostname |
| sourceServiceName | target.hostname |
| dst | target.ip |
| sip | target.ip |
| dpt | target.port |
| resource_id | target.resource.id |
| context_key | target.resource.name |
| imperva.audit_trail.resource_name | target.resource.name |
| resource_type_key | target.resource.type |
| request | target.url |
| url | target.url |
| imperva.audit_trail.resource_name | target.user.email_addresses |
| Customer | target.user.user_display_name |
| imperva.ids.account_name | target.user.user_display_name |
| duser | target.user.userid |
| suid | target.user.userid |
| imperva.ids.account_id | target.user.userid |
| account_id | target.user.userid |
## Product Event Types

| Event | UDM Event Classification |
|---|---|
| CEF header contains: Attack Analytics | SCAN_UNCATEGORIZED |
| src = Distributed | USER_UNCATEGORIZED |
| Used if the raw JSON log does not meet the requirements for USER_LOGIN | USER_STATS |
| imperva.audit_trail.event_action = SUCCESSFUL_USER_SIGN_IN | USER_LOGIN |
| All others | NETWORK_HTTP |
## Log Sample

```text
CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=1151111530000002911 sourceServiceName=hostname.com siteid=id_123 suid=john.doe requestClientApplication=application_name/1.1 deviceFacility=iad cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=a3c54a3f-539d-4bc6-bb3b-d11752e63fa1lz cs4Label=VID cs5=internal_only cs5Label=clappsig dproc=Developer Tool cs6=application_name cs6Label=clapp ccode=US cicode=Kansas City cs7=39.106 cs7Label=latitude cs8=-94.676 cs8Label=longitude Customer=Company_name start=1710439017374 request=hostname.com/api requestMethod=GET cn1=200 app=HTTPS act=REQ_PASSED deviceExternalId=24427398944728653 sip=10.0.0.3 spt=5000 in=9897 xff=10.0.0.1, 10.0.0.2 cpt=2943 src=10.0.0.2 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 end=1710439020570
```
## Sample Parsing

```text
intermediary.ip = "10.0.0.1"
intermediary.ip = "10.0.0.2"
metadata.description = "Normal"
metadata.event_timestamp.seconds = 1710439017
metadata.event_type = "NETWORK_HTTP"
metadata.log_type = "IMPERVA_WAF"
metadata.product_event_type = "1"
metadata.product_name = "Web Application Firewall"
metadata.vendor_name = "Imperva"
network.application_protocol = "HTTPS"
network.http.method = "GET"
principal.ip = "10.0.0.2"
principal.location.region_latitude = 39.106
principal.location.region_longitude = -94.676
principal.port = 5000
security_result.action_details = "REQ_PASSED: the request was routed to the site's web server"
security_result.action = "ALLOW"
security_result.detection_fields.key = "Javascript Support"
security_result.detection_fields.value = "false"
security_result.detection_fields.key = "CO Support"
security_result.detection_fields.value = "false"
security_result.detection_fields.key = "VID"
security_result.detection_fields.value = "a3c54a3f-539d-4bc6-bb3b-d11752e63fa1lz"
security_result.detection_fields.key = "clappsig"
security_result.detection_fields.value = "internal_only"
target.hostname = "hostname.com"
target.ip = "10.0.0.3"
target.url = "hostname.com/api"
```
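To check the field mapping and event classification above against the Sample Parsing output, here is an added Python example (not Imperva's or the parser's own code) that parses the page's CEF sample, handling extension values that contain spaces, and applies the documented rules. The act lookup (only REQ_PASSED is documented), the skipping of csN values equal to NA, and reading the product event type from the CEF signature ID are assumptions.

```python
import re

# Constructed input: the CEF line from the page's Log Sample, with a few unused keys dropped.
SAMPLE = ("CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=1151111530000002911 "
          "sourceServiceName=hostname.com cs2=false cs2Label=Javascript Support cs3=false "
          "cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=a3c54a3f-539d-4bc6-bb3b-d11752e63fa1lz "
          "cs4Label=VID cs5=internal_only cs5Label=clappsig cs7=39.106 cs7Label=latitude "
          "cs8=-94.676 cs8Label=longitude start=1710439017374 request=hostname.com/api "
          "requestMethod=GET cn1=200 app=HTTPS act=REQ_PASSED sip=10.0.0.3 spt=5000 "
          "xff=10.0.0.1, 10.0.0.2 src=10.0.0.2 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256")

# Only REQ_PASSED is documented on the page; other act codes stay unmapped (assumption).
ACTIONS = {"REQ_PASSED": ("ALLOW", "the request was routed to the site's web server")}

def parse_cef(line):
    """Return the 7 CEF header fields and a dict of the extension's key=value pairs."""
    hdr = line.split("|", 7)
    # Values may contain spaces ("cs2Label=Javascript Support"): split only before the next key=.
    pairs = (item.split("=", 1) for item in re.split(r"\s+(?=\w+=)", hdr[7].strip()))
    return hdr[:7], dict(pairs)

def classify(hdr, ext):  # event type per the page's Product Event Types table (CEF rules only)
    if "Attack Analytics" in "|".join(hdr):
        return "SCAN_UNCATEGORIZED"
    return "USER_UNCATEGORIZED" if ext.get("src") == "Distributed" else "NETWORK_HTTP"

def normalize(line):
    """Apply the page's field mapping to one CEF event; keys are dotted UDM paths."""
    hdr, ext = parse_cef(line)
    action, why = ACTIONS.get(ext.get("act"), ("UNKNOWN_ACTION", None))
    udm = {"metadata.vendor_name": "Imperva", "metadata.product_name": "Web Application Firewall",
           "metadata.log_type": "IMPERVA_WAF", "metadata.description": hdr[5],
           "metadata.product_event_type": hdr[4],  # assumed: the CEF signature ID is the "1" shown
           "metadata.event_type": classify(hdr, ext),
           "metadata.event_timestamp.seconds": int(ext["start"]) // 1000,  # start is epoch ms
           "intermediary.ip": [ip.strip() for ip in ext.get("xff", "").split(",") if ip.strip()],
           "principal.ip": ext.get("src"), "principal.port": int(ext["spt"]),
           "network.application_protocol": ext.get("app"), "network.http.method": ext.get("requestMethod"),
           "target.hostname": ext.get("dhost") or ext.get("sourceServiceName"),
           "target.ip": ext.get("sip"), "target.url": ext.get("request") or ext.get("url"),
           "security_result.action": action,
           "security_result.action_details": f"{ext.get('act')}: {why}" if why else ext.get("act")}
    # cs7/cs8 become coordinates only when their labels say so.
    for key, name in (("cs7", "latitude"), ("cs8", "longitude")):
        if ext.get(key + "Label") == name:
            udm[f"principal.location.region_{name}"] = float(ext[key])
    # csN/csNLabel pairs feed detection_fields; "NA" is skipped because the page's sample output omits cs1=NA (assumption).
    udm["security_result.detection_fields"] = [(ext[f"cs{n}Label"], ext[f"cs{n}"]) for n in range(1, 6)
                                               if f"cs{n}" in ext and f"cs{n}Label" in ext and ext[f"cs{n}"] != "NA"]
    return udm
```

Running `normalize(SAMPLE)` reproduces every value listed under Sample Parsing, which makes it a convenient fixture for regression-testing a custom parser extension.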