Imperva Web Application Firewall
Overview
Imperva Web Application Firewall (Cloud WAF, formerly Incapsula) helps you protect your web applications and APIs.
This setup guide describes how to forward security events collected on the Imperva WAF platform to SEKOIA.IO.
Event Categories
The following table lists the data sources offered by this integration.
Data Source | Description |
---|---|
Web proxy |
Imperva WAF access logs describe the connected client (source IP, geolocation, user agent), the requested resource and the action the WAF took on the request (passed, blocked, challenged, error) |
Web logs |
Imperva WAF access logs describe the connected client (source IP, geolocation, user agent), the requested resource and the action the WAF took on the request (passed, blocked, challenged, error) |
In detail, the following table lists the types of events produced by this integration.
Name | Values |
---|---|
Kind | event |
Category | network |
Type | ["connection", "access"] , ["connection", "allowed"] , ["connection", "denied"] , ["connection", "error"] |
Event Samples
Find below a few samples of events and how they are normalized by SEKOIA.IO.
{
"imperva": {
"request": {
"headers": [
{
"Accept": "*/*"
},
{
"x-v": "1"
},
{
"x-fapi-interaction-id": "10.10.10.10"
}
],
"x_forwarded_for": "44.44.44.44"
},
"response": {
"headers": [
{
"Content-Type": "text/html; charset\\=UTF-8"
}
]
},
"pop": "mia"
},
"user_agent": {
"original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
},
"client": {
"geo": {
"country_iso_code": "IL",
"city_name": "Rehovot",
"location": {
"lon": 34.8186,
"lat": 31.8969
}
}
},
"url": {
"full": "site123.abcd.info/main.css",
"original": "site123.abcd.info/main.css"
},
"http": {
"request": {
"referrer": "www.incapsula.com/lama",
"method": "GET",
"bytes": 54,
"id": "33411452762204224"
},
"response": {
"status_code": 200
}
},
"network": {
"protocol": "http"
},
"source": {
"port": 443,
"ip": "12.12.12.12"
},
"tls": {
"version": "1.2",
"version_protocol": "tls",
"cipher": "ECDHE-RSA-AES128-GCM-SHA256"
},
"event": {
"start": "1970-01-02T10:17:36.789000Z",
"end": "1970-01-03T14:04:16.789000Z",
"duration": 100000000.0,
"kind": "event",
"category": "network",
"type": [
"connection",
"access"
]
},
"@timestamp": "1970-01-02T10:17:36.789000Z"
}
{
"imperva": {
"pop": "cdg",
"session": {
"id": 393000630126853202
},
"client": {
"js_support": true,
"cookie_support": true,
"captcha_support": "NA"
},
"visitor": {
"id": "a99e6166-5092-4cce-8fb6-afae61ef7493"
},
"user_agent": {
"type": "Browser"
}
},
"user_agent": {
"original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0",
"name": "Webkit Browser"
},
"client": {
"geo": {
"country_iso_code": "FR",
"city_name": "Strasbourg",
"location": {
"lat": 48.34,
"lon": 7.4508
}
}
},
"http": {
"request": {
"method": "GET",
"id": "195557299895996363"
}
},
"url": {
"full": "www.test.com/",
"original": "www.test.com/"
},
"network": {
"protocol": "http"
},
"source": {
"port": 45208,
"ip": "1.2.3.4"
},
"event": {
"action": "REQ_BAD_PARSE_ERROR",
"start": "2022-04-12T14:09:58.763000Z",
"end": "2022-04-12T14:09:58.765000Z",
"duration": 2.0,
"kind": "event",
"category": "network",
"type": [
"connection",
"error"
],
"reason": "The HTTP request was malformated"
},
"@timestamp": "2022-04-12T14:09:58.763000Z"
}
{
"imperva": {
"pop": "cdg",
"session": {
"id": 393000630126853202
},
"client": {
"js_support": true,
"cookie_support": true,
"captcha_support": "NA"
},
"visitor": {
"id": "a99e6166-5092-4cce-8fb6-afae61ef7493"
},
"user_agent": {
"type": "Browser"
}
},
"user_agent": {
"original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0",
"name": "Webkit Browser"
},
"client": {
"geo": {
"country_iso_code": "FR",
"city_name": "Strasbourg",
"location": {
"lat": 48.34,
"lon": 7.4508
}
}
},
"http": {
"request": {
"method": "GET",
"id": "195557299895996363"
}
},
"url": {
"full": "www.test.com/",
"original": "www.test.com/"
},
"network": {
"protocol": "http"
},
"source": {
"port": 45208,
"ip": "1.2.3.4"
},
"event": {
"action": "REQ_DOMAIN_BLACKLISTED",
"start": "2022-04-12T14:09:58.763000Z",
"end": "2022-04-12T14:09:58.765000Z",
"duration": 2.0,
"kind": "event",
"category": "network",
"type": [
"connection",
"denied"
],
"reason": "The destination was blacklisted"
},
"@timestamp": "2022-04-12T14:09:58.763000Z"
}
{
"imperva": {
"pop": "cdg",
"session": {
"id": 393000630126853202
},
"client": {
"js_support": true,
"cookie_support": true,
"captcha_support": "NA"
},
"visitor": {
"id": "a99e6166-5092-4cce-8fb6-afae61ef7493"
},
"user_agent": {
"type": "Browser"
}
},
"user_agent": {
"original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0",
"name": "Webkit Browser"
},
"client": {
"geo": {
"country_iso_code": "FR",
"city_name": "Strasbourg",
"location": {
"lat": 48.34,
"lon": 7.4508
}
}
},
"http": {
"request": {
"method": "GET",
"id": "195557299895996363"
}
},
"url": {
"full": "www.test.com/",
"original": "www.test.com/"
},
"network": {
"protocol": "http"
},
"source": {
"port": 45208,
"ip": "1.2.3.4"
},
"event": {
"action": "REQ_BLOCKED_VISITOR",
"start": "2022-04-12T14:09:58.763000Z",
"end": "2022-04-12T14:09:58.765000Z",
"duration": 2.0,
"kind": "event",
"category": "network",
"type": [
"connection",
"denied"
],
"reason": "The request was blocked based on WAF settings"
},
"@timestamp": "2022-04-12T14:09:58.763000Z"
}
{
"imperva": {
"pop": "cdg",
"session": {
"id": 393000630126853202
},
"client": {
"js_support": true,
"cookie_support": true,
"captcha_support": "NA"
},
"visitor": {
"id": "a99e6166-5092-4cce-8fb6-afae61ef7493"
},
"user_agent": {
"type": "Browser"
}
},
"user_agent": {
"original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0",
"name": "Webkit Browser"
},
"client": {
"geo": {
"country_iso_code": "FR",
"city_name": "Strasbourg",
"location": {
"lat": 48.34,
"lon": 7.4508
}
}
},
"http": {
"request": {
"method": "GET",
"id": "195557299895996363"
}
},
"url": {
"full": "www.test.com/",
"original": "www.test.com/"
},
"network": {
"protocol": "http"
},
"source": {
"port": 45208,
"ip": "1.2.3.4"
},
"event": {
"action": "REQ_CACHED_WEBSITE",
"start": "2022-04-12T14:09:58.763000Z",
"end": "2022-04-12T14:09:58.765000Z",
"duration": 2.0,
"kind": "event",
"category": "network",
"type": [
"connection",
"allowed"
],
"reason": ""
},
"@timestamp": "2022-04-12T14:09:58.763000Z"
}
{
"imperva": {
"pop": "mia",
"request": {
"x_forwarded_for": "44.44.44.44",
"headers": [
{
"Accept": "*/*"
},
{
"x-v": "1"
},
{
"x-fapi-interaction-id": "10.10.10.10"
}
]
},
"response": {
"headers": [
{
"Content-Type": "text/html; charset\\=UTF-8"
}
]
},
"session": {
"id": 3412341160002518171
},
"client": {
"js_support": true,
"cookie_support": true,
"captcha_support": "NOT_SUPPORTED"
},
"visitor": {
"id": "c2e72124-0e8a-4dd8-b13b-3da246af3ab2"
},
"user_agent": {
"type": "Browser"
},
"attack": {
"type": "30037,1001,",
"id": "2,1,"
},
"rule": {
"names": [
"Block Malicious User",
"High Risk Resources"
],
"additional_info": ",,[{\"api_specification_violation_type\":\"INVALID_PARAM_NAME\",\"parameter_name\":\"somename\"}]"
}
},
"user_agent": {
"original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
"name": "Firefox"
},
"client": {
"geo": {
"country_iso_code": "IL",
"city_name": "Rehovot",
"location": {
"lat": 31.8969,
"lon": 34.8186
}
}
},
"http": {
"response": {
"status_code": 200
},
"request": {
"bytes": 54,
"method": "GET",
"id": "33411452762204224"
}
},
"url": {
"full": "site123.abcd.info/",
"original": "site123.abcd.info/",
"query": "p\\=%2fetc%2fpasswd"
},
"network": {
"protocol": "http"
},
"source": {
"port": 443,
"ip": "12.12.12.12"
},
"tls": {
"version_protocol": "tls",
"version": "1.2",
"cipher": "ECDHE-RSA-AES128-GCM-SHA256"
},
"event": {
"action": "REQ_CHALLENGED_CAPTCHA",
"start": "1970-01-02T10:17:36.789000Z",
"end": "1970-01-03T14:04:16.789000Z",
"duration": 100000000.0,
"kind": "event",
"category": "network",
"type": [
"connection",
"denied"
],
"reason": "A challenge was submitted to the client"
},
"rule": {
"name": "Block Malicious User,High Risk Resources,"
},
"@timestamp": "1970-01-02T10:17:36.789000Z"
}
{
"imperva": {
"pop": "cdg",
"session": {
"id": 393000630126853202
},
"client": {
"js_support": true,
"cookie_support": true,
"captcha_support": "NA"
},
"visitor": {
"id": "a99e6166-5092-4cce-8fb6-afae61ef7493"
},
"user_agent": {
"type": "Browser"
}
},
"user_agent": {
"original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0",
"name": "Webkit Browser"
},
"client": {
"geo": {
"country_iso_code": "FR",
"city_name": "Strasbourg",
"location": {
"lat": 48.34,
"lon": 7.4508
}
}
},
"http": {
"request": {
"method": "GET",
"id": "195557299895996363"
}
},
"url": {
"full": "www.test.com/",
"original": "www.test.com/"
},
"network": {
"protocol": "http"
},
"source": {
"port": 45208,
"ip": "1.2.3.4"
},
"event": {
"action": "REQ_IPV6_NOT_SUPPORTED",
"start": "2022-04-12T14:09:58.763000Z",
"end": "2022-04-12T14:09:58.765000Z",
"duration": 2.0,
"kind": "event",
"category": "network",
"type": [
"connection",
"error"
],
"reason": "The destination doesn't support IPv6 addresses"
},
"@timestamp": "2022-04-12T14:09:58.763000Z"
}
{
"imperva": {
"pop": "cdg",
"session": {
"id": 393000630126853202
},
"client": {
"js_support": true,
"cookie_support": true,
"captcha_support": "NA"
},
"visitor": {
"id": "a99e6166-5092-4cce-8fb6-afae61ef7493"
},
"user_agent": {
"type": "Browser"
}
},
"user_agent": {
"original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0",
"name": "Webkit Browser"
},
"client": {
"geo": {
"country_iso_code": "FR",
"city_name": "Strasbourg",
"location": {
"lat": 48.34,
"lon": 7.4508
}
}
},
"http": {
"request": {
"method": "GET",
"id": "195557299895996363"
}
},
"url": {
"full": "www.test.com/",
"original": "www.test.com/"
},
"network": {
"protocol": "http"
},
"source": {
"port": 45208,
"ip": "1.2.3.4"
},
"event": {
"action": "REQ_PASSED",
"start": "2022-04-12T14:09:58.763000Z",
"end": "2022-04-12T14:09:58.765000Z",
"duration": 2.0,
"kind": "event",
"category": "network",
"type": [
"connection",
"allowed"
]
},
"@timestamp": "2022-04-12T14:09:58.763000Z"
}
{
"imperva": {
"pop": "cdg",
"session": {
"id": 393000630126853202
},
"client": {
"js_support": true,
"cookie_support": true,
"captcha_support": "NA"
},
"visitor": {
"id": "a99e6166-5092-4cce-8fb6-afae61ef7493"
},
"user_agent": {
"type": "Browser"
}
},
"user_agent": {
"original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0",
"name": "Webkit Browser"
},
"client": {
"geo": {
"country_iso_code": "FR",
"city_name": "Strasbourg",
"location": {
"lat": 48.34,
"lon": 7.4508
}
}
},
"http": {
"request": {
"method": "GET",
"id": "195557299895996363"
}
},
"url": {
"full": "www.test.com/",
"original": "www.test.com/"
},
"network": {
"protocol": "http"
},
"source": {
"port": 45208,
"ip": "1.2.3.4"
},
"event": {
"action": "REQ_UNRESOLVED_SITE_INVALID_CNAME",
"start": "2022-04-12T14:09:58.763000Z",
"end": "2022-04-12T14:09:58.765000Z",
"duration": 2.0,
"kind": "event",
"category": "network",
"type": [
"connection",
"error"
],
"reason": "The proxy failed to resolve the destination"
},
"@timestamp": "2022-04-12T14:09:58.763000Z"
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp |
date |
Date/time when the event originated. |
client.geo.city_name |
keyword |
City name. |
client.geo.country_iso_code |
keyword |
Country ISO code. |
client.geo.location |
geo_point |
Longitude and latitude. |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.duration |
long |
Duration of the event in nanoseconds (ECS definition). Note: the samples above report 2.0 for a 2 ms interval and 100000000.0 for a 100 000 s interval, i.e. the value appears to be emitted in milliseconds — verify the unit before using this field in detection rules or thresholds. |
event.end |
date |
event.end contains the date when the event ended or when the activity was last observed. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.reason |
keyword |
Reason why this event happened, according to the source. |
event.start |
date |
event.start contains the date when the event started or when the activity was first observed. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
http.request.bytes |
long |
Total size in bytes of the request (body and headers). |
http.request.id |
keyword |
HTTP request ID. |
http.request.method |
keyword |
HTTP request method. |
http.request.referrer |
keyword |
Referrer for this HTTP request. |
http.response.status_code |
long |
HTTP response status code. |
imperva.attack.id |
keyword |
Comma-separated list of Imperva attack identifiers, kept as the raw string emitted by Imperva (e.g. "2,1," in the samples, including the trailing comma). |
imperva.attack.type |
keyword |
Comma-separated list of Imperva attack type codes, kept as the raw string emitted by Imperva (e.g. "30037,1001," in the samples). |
imperva.client.captcha_support |
keyword |
Whether the client solved or supports a CAPTCHA challenge, as reported by Imperva (values seen in the samples: "NA", "NOT_SUPPORTED"). |
imperva.client.cookie_support |
boolean |
Whether the client supports cookies, as determined by Imperva's client classification. |
imperva.client.js_support |
boolean |
Whether the client supports JavaScript, as determined by Imperva's client classification. |
imperva.pop |
keyword |
Code of the Imperva point of presence (PoP) that handled the request (e.g. "mia", "cdg" in the samples). |
imperva.request.headers |
array |
Request headers as an array of single-key objects, one per header (header name as key, header value as value). |
imperva.request.x_forwarded_for |
text |
Value of the X-Forwarded-For header on the request. This header is supplied by the client or upstream proxies and can be forged, so do not use it on its own for attribution or allow/block decisions; source.ip holds the address observed by Imperva. |
imperva.response.headers |
array |
Response headers as an array of single-key objects, one per header (header name as key, header value as value). |
imperva.rule.additional_info |
text |
Additional rule information as emitted by Imperva, kept as a raw string; it may contain embedded JSON (e.g. API specification violation details in the samples) that must be parsed separately. |
imperva.rule.names |
array |
List of the names of the rules that matched the request (the same names are also joined into rule.name as a comma-separated string). |
imperva.session.id |
long |
Imperva session identifier. Values exceed 2^53 (e.g. 393000630126853202 in the samples), so consumers that parse JSON numbers as IEEE 754 doubles (JavaScript, jq) silently lose precision; handle it as a 64-bit integer or a string. |
imperva.user_agent.type |
keyword |
Client type as classified by Imperva (e.g. "Browser" in the samples). |
imperva.visitor.id |
keyword |
Imperva visitor identifier (a UUID in the samples), useful to correlate requests from the same visitor across events. |
network.protocol |
keyword |
Application protocol name. |
rule.name |
keyword |
Rule name |
source.ip |
ip |
IP address of the source. |
source.port |
long |
Port of the source. |
tls.cipher |
keyword |
String indicating the cipher used during the current connection. |
tls.version |
keyword |
Numeric part of the version parsed from the original string. |
tls.version_protocol |
keyword |
Normalized lowercase protocol name parsed from original string. |
url.full |
wildcard |
Full unparsed URL. |
url.original |
wildcard |
Unmodified original url as seen in the event source. |
url.query |
keyword |
Query string of the request. |
user_agent.name |
keyword |
Name of the user agent. |
user_agent.original |
keyword |
Unparsed user_agent string. |
Configure
In Imperva interface
In your Imperva control panel, go to Account > Account Management > SIEM Logs > WAF Log Setup. Select Imperva API, CEF format and enable compression. Copy the API ID, the API Key and the Log Server URI. The API Key grants read access to your WAF logs: treat it as a secret, store it only in the SEKOIA.IO module configuration (never in tickets or shared documents), and rotate it from the same page if it is ever exposed.
Then go to SIEM Logs > Websites Logs Level and, for each website, enable the log level you want to forward to SEKOIA.IO. The level you select determines which events are forwarded, so make sure it covers the events your detection rules rely on.
Create the intake in SEKOIA.IO
Go to the intake page and create a new intake from the format Imperva WAF. Copy the intake key.
Pull events
Go to the playbook page and create a new playbook with the Imperva WAF logs trigger. You can use the existing template to speed up and simplify the creation of your playbook. Set up a new module configuration with the API ID, API Key and Log Server URI you copied previously. Set up the trigger configuration with the frequency of the pull.
At the end of the playbook, set up the action Push events to intake
with a SEKOIA.IO API key and the intake key from the intake previously created. Use a dedicated API key restricted to the permissions needed to push events, rather than a personal or administrative key.
Start the playbook; events should start appearing on the intake after the first pull.