# Imperva WAF

## About
Web application attacks prevent important transactions and steal sensitive data. Imperva Web Application Firewall (WAF) stops these attacks with near-zero false positives and a global SOC to ensure your organization is protected from the latest attacks minutes after they are discovered in the wild.
## Product Details
Vendor URL: Imperva WAF
Product Type: Web Application Firewall
Product Tier: Tier II
Integration Method: Syslog
## Parser Details
Log Format: Syslog, JSON, CEF
Expected Normalization Rate: ~85%
Data Label: IMPERVA_WAF
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log Field | UDM Field |
|---|---|
| dvc | about.ip |
| ip_range.ip_range | additional.fields |
| connection.id | additional.fields |
| connection.name | additional.fields |
| connection.type | additional.fields |
| ddos_stop.peak_BW | additional.fields |
| ddos_stop.peak_PPS | additional.fields |
| cs9 | extensions.vulns.vulnerabilities.name |
| xff | intermediary.ip |
| popName | intermediary.location.country_or_region |
| Custom filter of CEF header | metadata.description |
| event.action | metadata.description |
| message | metadata.description |
| Custom filter of CEF header | metadata.product_event_type |
| type_key | metadata.product_event_type |
| Web Application Firewall | metadata.product_name |
| Imperva | metadata.vendor_name |
| app | network.application_protocol |
| proto | network.application_protocol |
| deviceExternalId | network.community_id |
| requestMethod | network.http.method |
| ref | network.http.referral_url |
| flexString1 | network.http.response_code |
| cn1 | network.http.response_code |
| payload (custom filter) | network.http.user_agent |
| requestClientApplication | network.http.user_agent |
| proto | network.ip_protocol |
| in | network.received_bytes |
| fileId | network.session_id |
| tls_cipher | network.tls.cipher |
| tls_version | network.tls.version |
| observer.geo.name | observer.user.userid |
| cs6 | principal.application |
| src | principal.ip |
| cicode | principal.location.city |
| calCountryOrRegion | principal.location.country_or_region |
| cs7 (if cs7Label = latitude) | principal.location.region_latitude |
| cs8 (if cs8Label = longitude) | principal.location.region_longitude |
| spt | principal.port |
| srcPort | principal.port |
| user_details | principal.user.email_addresses |
| user.email | principal.user.email_addresses |
| event.provider | principal.user.user_display_name |
| user_id | principal.user.userid |
| act | security_result.action_details |
| imperva.audit_trail.event_action | security_result.action_details |
| dproc | security_result.category_details |
| cs1/cs1Label | security_result.detection_fields |
| cs2/cs2Label | security_result.detection_fields |
| cs3/cs3Label | security_result.detection_fields |
| cs4/cs4Label | security_result.detection_fields |
| cs5/cs5Label | security_result.detection_fields |
| cn1/cn1Label | security_result.detection_fields |
| cn2/cn2Label | security_result.detection_fields |
| fileType | security_result.detection_fields |
| filePermission | security_result.detection_fields |
| siteid | security_result.detection_fields |
| start | security_result.detection_fields |
| end | security_result.detection_fields |
| postbody | security_result.detection_fields |
| policy.id | security_result.rule_id |
| policy.name | security_result.rule_name |
| imperva.audit_trail.event_action_description | security_result.summary |
| dhost | target.hostname |
| sourceServiceName | target.hostname |
| dst | target.ip |
| sip | target.ip |
| dpt | target.port |
| resource_id | target.resource.id |
| context_key | target.resource.name |
| imperva.audit_trail.resource_name | target.resource.name |
| resource_type_key | target.resource.type |
| request | target.url |
| url | target.url |
| imperva.audit_trail.resource_name | target.user.email_addresses |
| Customer | target.user.user_display_name |
| imperva.ids.account_name | target.user.user_display_name |
| duser | target.user.userid |
| suid | target.user.userid |
| imperva.ids.account_id | target.user.userid |
| account_id | target.user.userid |
## Product Event Types
| Event | UDM Event Classification |
|---|---|
| CEF header contains: Attack Analytics | SCAN_UNCATEGORIZED |
| src = Distributed | USER_UNCATEGORIZED |
| Raw JSON log that does not meet the requirements for USER_LOGIN | USER_STATS |
| imperva.audit_trail.event_action = SUCCESSFUL_USER_SIGN_IN | USER_LOGIN |
| All others | NETWORK_HTTP |
## Log Sample

```text
CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=1151111530000002911 sourceServiceName=hostname.com siteid=id_123 suid=john.doe requestClientApplication=application_name/1.1 deviceFacility=iad cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=a3c54a3f-539d-4bc6-bb3b-d11752e63fa1lz cs4Label=VID cs5=internal_only cs5Label=clappsig dproc=Developer Tool cs6=application_name cs6Label=clapp ccode=US cicode=Kansas City cs7=39.106 cs7Label=latitude cs8=-94.676 cs8Label=longitude Customer=Company_name start=1710439017374 request=hostname.com/api requestMethod=GET cn1=200 app=HTTPS act=REQ_PASSED deviceExternalId=24427398944728653 sip=10.0.0.3 spt=5000 in=9897 xff=10.0.0.1, 10.0.0.2 cpt=2943 src=10.0.0.2 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 end=1710439020570
```
## Sample Parsing

```text
intermediary.ip = "10.0.0.1"
intermediary.ip = "10.0.0.2"
metadata.description = "Normal"
metadata.event_timestamp.seconds = 1710439017
metadata.event_type = "NETWORK_HTTP"
metadata.log_type = "IMPERVA_WAF"
metadata.product_event_type = "1"
metadata.product_name = "Web Application Firewall"
metadata.vendor_name = "Imperva"
network.application_protocol = "HTTPS"
network.http.method = "GET"
principal.ip = "10.0.0.2"
principal.location.region_latitude = 39.106
principal.location.region_longitude = -94.676
principal.port = 5000
security_result.action_details = "REQ_PASSED: the request was routed to the site's web server"
security_result.action = "ALLOW"
security_result.detection_fields.key = "Javascript Support"
security_result.detection_fields.value = "false"
security_result.detection_fields.key = "CO Support"
security_result.detection_fields.value = "false"
security_result.detection_fields.key = "VID"
security_result.detection_fields.value = "a3c54a3f-539d-4bc6-bb3b-d11752e63fa1lz"
security_result.detection_fields.key = "clappsig"
security_result.detection_fields.value = "internal_only"
target.hostname = "hostname.com"
target.ip = "10.0.0.3"
target.url = "hostname.com/api"
```
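As an added illustration (not part of this page and not the vendor's or the SecOps parser's own code), the Python below splits the CEF record from the Log Sample section into header and extension fields and then applies the mapping rules from the tables above, so you can see how values such as `xff`, `start`, `cs7`/`cs7Label` and `act` end up in the UDM fields listed under Sample Parsing. The field choices, the event classification rules and the `REQ_PASSED` description text come from this page; the helper names, the dotted-key output format, the assumption that `product_event_type` is taken from the CEF signature id, and the precedence of the classification checks are assumptions of the example. Values that the page does not document (other `act` verdicts, for instance) are deliberately left unmapped.

```python
import re

# Constructed input: the CEF record from the page's Log Sample section, verbatim.
SAMPLE = (
    "CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=1151111530000002911 sourceServiceName=hostname.com "
    "siteid=id_123 suid=john.doe requestClientApplication=application_name/1.1 deviceFacility=iad "
    "cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support "
    "cs4=a3c54a3f-539d-4bc6-bb3b-d11752e63fa1lz cs4Label=VID cs5=internal_only cs5Label=clappsig "
    "dproc=Developer Tool cs6=application_name cs6Label=clapp ccode=US cicode=Kansas City cs7=39.106 "
    "cs7Label=latitude cs8=-94.676 cs8Label=longitude Customer=Company_name start=1710439017374 "
    "request=hostname.com/api requestMethod=GET cn1=200 app=HTTPS act=REQ_PASSED "
    "deviceExternalId=24427398944728653 sip=10.0.0.3 spt=5000 in=9897 xff=10.0.0.1, 10.0.0.2 cpt=2943 "
    "src=10.0.0.2 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 end=1710439020570"
)

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
# Header fields are '|'-separated; a literal '|' inside one is escaped as '\|'.
_HDR_SPLIT = re.compile(r"(?<!\\)\|")
# Extension values may contain spaces ("cs2Label=Javascript Support"), so split
# only on whitespace that is immediately followed by the next "key=" token.
_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_]+=)")


def parse_cef(line: str) -> dict:
    """Split one CEF line into its seven header fields plus an extension dict."""
    parts = _HDR_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    ext = {}
    for token in _EXT_SPLIT.split(parts[7].strip()):
        key, _, value = token.partition("=")
        if not key:
            continue
        ext[key] = value.replace("\\=", "=").replace("\\\\", "\\")  # undo CEF escapes
    return {"header": header, "ext": ext}


# Straight copies, extension key -> UDM field (a subset of the table above).
_DIRECT = {
    "src": "principal.ip", "cicode": "principal.location.city", "cs6": "principal.application",
    "sip": "target.ip", "sourceServiceName": "target.hostname", "request": "target.url",
    "suid": "target.user.userid", "app": "network.application_protocol",
    "requestMethod": "network.http.method", "requestClientApplication": "network.http.user_agent",
    "ref": "network.http.referral_url", "fileId": "network.session_id",
    "dproc": "security_result.category_details",
}
_INTS = {"spt": "principal.port", "dpt": "target.port",
         "cn1": "network.http.response_code", "in": "network.received_bytes"}
# Only the act value documented on the page is mapped to a verdict (assumed table).
_ACTIONS = {"REQ_PASSED": ("ALLOW", "the request was routed to the site's web server")}


def to_udm(parsed: dict) -> dict:
    """Apply the page's mapping rules; dotted keys mirror the Sample Parsing section."""
    h, e = parsed["header"], parsed["ext"]
    udm = {
        "metadata.log_type": "IMPERVA_WAF",
        "metadata.vendor_name": "Imperva",
        "metadata.product_name": "Web Application Firewall",
        "metadata.product_event_type": h["signature_id"],  # assumed: the "custom filter of CEF header"
        "metadata.description": h["name"],
    }
    # Classification follows the Product Event Types table; the check order is assumed.
    if "Attack Analytics" in " ".join(h.values()):
        udm["metadata.event_type"] = "SCAN_UNCATEGORIZED"
    elif e.get("src") == "Distributed":
        udm["metadata.event_type"] = "USER_UNCATEGORIZED"
    else:
        udm["metadata.event_type"] = "NETWORK_HTTP"
    for key, field in _DIRECT.items():
        if key in e:
            udm[field] = e[key]
    for key, field in _INTS.items():
        if e.get(key, "").isdigit():
            udm[field] = int(e[key])
    if e.get("start", "").isdigit():  # epoch milliseconds -> UDM seconds
        udm["metadata.event_timestamp.seconds"] = int(e["start"]) // 1000
    if "xff" in e:  # comma-separated X-Forwarded-For chain -> one intermediary per hop
        udm["intermediary.ip"] = [ip.strip() for ip in e["xff"].split(",") if ip.strip()]
    # cs7/cs8 carry coordinates only when their label fields say so.
    if e.get("cs7Label") == "latitude":
        udm["principal.location.region_latitude"] = float(e["cs7"])
    if e.get("cs8Label") == "longitude":
        udm["principal.location.region_longitude"] = float(e["cs8"])
    if "act" in e:
        verdict = _ACTIONS.get(e["act"])
        udm["security_result.action_details"] = f"{e['act']}: {verdict[1]}" if verdict else e["act"]
        if verdict:
            udm["security_result.action"] = verdict[0]
    # Labelled custom fields (csN/csNLabel, cn2/cn2Label) become key/value detection_fields.
    udm["security_result.detection_fields"] = [
        {"key": e[n + "Label"], "value": e[n]}
        for n in ("cs1", "cs2", "cs3", "cs4", "cs5", "cn2") if n in e and n + "Label" in e
    ]
    return udm


if __name__ == "__main__":
    for field, value in sorted(to_udm(parse_cef(SAMPLE)).items()):
        print(f"{field} = {value!r}")
```

Running the script prints the mapped fields for the sample record, which can be compared line by line against the Sample Parsing section. The two regular expressions are the part worth keeping: splitting the header on unescaped `|` and the extension on whitespace that precedes a `key=` token is what keeps multi-word values such as `Javascript Support`, the comma-separated `xff` list and the `ver` cipher string intact, which a naive `split(" ")` would break apart.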