Collect Imperva Incapsula Web Application Firewall logs

This document describes how you can ingest Imperva Incapsula Web Application Firewall logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the IMPERVA_WAF ingestion label.

Configure Incapsula WAF

  1. Sign in to my.imperva.com with an account that is allowed to add users (an account administrator, or a role with the required permissions).
  2. Select Management > Users > Add User and create a user with the reader role; this is the user whose API key the feed will use. A verification email is sent to the listed address of the new user and to the account administrator.
  3. Click the link in the email to verify the new user's email address and set a login password.

Generate the API ID and API key for the reader user

  1. Sign in to the my.imperva.com account.
  2. Navigate to Management and select Users.
  3. Select the user with the reader role.
  4. Navigate to Settings and select API Keys.
  5. Provide a name for the API key.
  6. In the API key will expire in list, select Never. A non-expiring key avoids a silent feed outage when the key lapses, but nothing then forces rotation: track it as a long-lived credential and rotate it on your own schedule, updating the feed each time.
  7. Select Status to enable the key.
  8. Click Save.
  9. Copy and save the API key and API ID from the dialog that appears. You need both values when you configure the Google Security Operations feed.
  10. Optional: provide a list of approved IP addresses, or leave it blank. If you restrict the key by IP, the source addresses from which Google Security Operations calls the Imperva API must be on the list, otherwise the feed's requests are rejected.

Configure a feed in Google Security Operations to ingest Imperva Incapsula Web Application Firewall logs

  1. From the Google Security Operations menu, select Settings and then click Feeds.
  2. Click Add New.
  3. Select Third party API for Source Type.
  4. Select Imperva as the Log Type to create a feed for Imperva WAF Parser.
  5. Provide the API ID and API key in Authentication HTTP Header Configuration.
  6. Click Next and then click Submit.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type.

If you encounter issues when you create feeds, contact Google Security Operations support.

Field mapping reference

This parser handles both CEF (Common Event Format) and LEEF (Log Event Extended Format) formatted logs from Imperva Web Application Firewall (WAF), as well as JSON formatted logs. It extracts fields, performs data transformations, and maps the data to the UDM based on the log format detected. The parser also handles specific Imperva event types like "Attack Analytics" and various actions like "allow", "block", and "deny", mapping them to appropriate UDM fields.

Imperva Parser UDM mapping table

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| account_id | target.user.userid | The account ID from the JSON payload is mapped to the target user's ID. |
| act | security_result.action (ALLOW/BLOCK/FAIL/UNKNOWN), security_result.action_details | The act field determines the UDM action and action details: allowed, alert, REQ_PASSED and REQ_CACHED map to ALLOW; deny, blocked, REQ_BLOCKED and REQ_CHALLENGE map to BLOCK; REQ_BAD maps to FAIL; any other value maps to UNKNOWN. Action details carry further context based on the specific act value. |
| additionalReqHeaders | Not mapped | Not currently mapped to a UDM field. |
| additionalResHeaders | Not mapped | Not currently mapped to a UDM field. |
| app | network.application_protocol | The application protocol (for example HTTP or HTTPS) is extracted from the app field and uppercased. |
| calCountryOrRegion | principal.location.country_or_region | Country or region code extracted from the LEEF data. |
| cat | security_result.action (ALLOW/BLOCK/FAIL/UNKNOWN), security_result.action_details | Same logic as act, for determining action and action details in LEEF format. |
| ccode | Not mapped | Not currently mapped to a UDM field. |
| ccpt | Not mapped | Not currently mapped to a UDM field. |
| cef_version | Not mapped | Internal use only. |
| cicode | principal.location.city | City information extracted from the LEEF data. |
| client.domain | principal.hostname, principal.asset.hostname | Client domain from the JSON payload. |
| client.geo.country_iso_code | principal.location.country_or_region | Country code from the JSON payload. |
| client.ip | principal.ip, principal.asset.ip | Client IP from the JSON payload. |
| cn1 | network.http.response_code | HTTP response code extracted from LEEF or CEF data. Converted to integer. |
| context_key | target.resource.name | Context key from the JSON payload, used as the resource name. |
| cpt | Not mapped | Not currently mapped to a UDM field. |
| cs1 | security_result.detection_fields | If present and not "N/A", creates a detection field with the key from cs1Label and the value from cs1. |
| cs2 | security_result.detection_fields | Creates a detection field with the key from cs2Label and the value from cs2. |
| cs3 | security_result.detection_fields | If present and not "-", creates a detection field with the key from cs3Label and the value from cs3. |
| cs4 | security_result.detection_fields | Creates a detection field with the key from cs4Label and the value from cs4. |
| cs5 | security_result.detection_fields | Creates a detection field with the key from cs5Label and the value from cs5. |
| cs6 | principal.application | Application used by the principal, extracted from the LEEF data. |
| cs7 | principal.location.region_latitude | Latitude extracted from LEEF or CEF data. Converted to float. |
| cs8 | principal.location.region_longitude | Longitude extracted from LEEF or CEF data. Converted to float. |
| cs9 | security_result.rule_name, extensions.vulns.vulnerabilities.name | Rule name or vulnerability name, depending on the log format. |
| Customer | target.user.user_display_name | Customer name from the LEEF data, mapped to the target user display name. |
| data | Various (see other fields) | The raw log data field containing CEF, LEEF, or JSON. |
| description | security_result.threat_name (CEF), metadata.description (Attack Analytics) | Description from CEF or Attack Analytics logs, mapped to the threat name or the metadata description. |
| deviceExternalId | network.community_id | Device ID from the LEEF data, mapped to the network community ID. |
| deviceFacility | Not mapped | Not currently mapped to a UDM field. |
| deviceReceiptTime | metadata.event_timestamp | Timestamp extracted from various fields (rt, start, log_timestamp) depending on availability and format. Parsed using the date filter. |
| dhost | target.hostname | Destination hostname from the CEF data. |
| dproc | security_result.category_details | Device process (for example Browser or Bot) from the LEEF data. |
| dst | target.ip, target.asset.ip | Destination IP from CEF or LEEF data. |
| dpt | target.port | Destination port from the CEF data. Converted to integer. |
| duser | target.user.userid | Destination user ID from the CEF data. |
| end | security_result.detection_fields | Creates a detection field with the key "event_end_time" and the value from end. |
| event.id | Not mapped | Not currently mapped to a UDM field. |
| event_attributes | Various (see other fields) | Attributes extracted from the LEEF data. |
| event_id | Not mapped | Internal use only. |
| fileId | network.session_id | File ID from the LEEF data, mapped to the network session ID. |
| filePermission | security_result.detection_fields, security_result.rule_type | File permission from the LEEF data, used as a detection field and as the rule type. |
| fileType | security_result.detection_fields, security_result.rule_type | File type from the LEEF data, used as a detection field and as the rule type. |
| flexString1 | network.http.response_code | Response code from the CEF data. Converted to integer. |
| http.request.body.bytes | network.sent_bytes | Bytes sent in the HTTP request body from the JSON payload. Converted to unsigned integer. |
| http.request.method | network.http.method | HTTP request method from the JSON payload. |
| imperva.abp.apollo_rule_versions | security_result.detection_fields | Creates a detection field for each Apollo rule version. |
| imperva.abp.bot_behaviors | security_result.detection_fields | Creates a detection field for each bot behavior. |
| imperva.abp.bot_deciding_condition_ids | security_result.detection_fields | Creates a detection field for each bot deciding condition ID. |
| imperva.abp.bot_deciding_condition_names | security_result.detection_fields | Creates a detection field for each bot deciding condition name. |
| imperva.abp.bot_triggered_condition_ids | security_result.detection_fields | Creates a detection field for each bot triggered condition ID. |
| imperva.abp.bot_triggered_condition_names | security_result.detection_fields | Creates a detection field for each bot triggered condition name. |
| imperva.abp.bot_violations | security_result.detection_fields | Creates a detection field for each bot violation. |
| imperva.abp.customer_request_id | network.session_id | Customer request ID from the JSON payload, used as the network session ID. |
| imperva.abp.deciding_tags | Not mapped | Not currently mapped to a UDM field. |
| imperva.abp.hsig | security_result.detection_fields | Creates a detection field with the key "hsig" and the value from imperva.abp.hsig. |
| imperva.abp.headers_accept | Not mapped | Not currently mapped to a UDM field. |
| imperva.abp.headers_accept_charset | Not mapped | Not currently mapped to a UDM field. |
| imperva.abp.header_names | Not mapped | Not currently mapped to a UDM field. |
| imperva.abp.headers_cookie_length | Not mapped | Not currently mapped to a UDM field. |
| imperva.abp.header_lengths | Not mapped | Not currently mapped to a UDM field. |
| imperva.abp.monitor_action | security_result.action (ALLOW/BLOCK), security_result.severity (INFORMATIONAL) | Monitor action from the JSON payload. "allow" maps to ALLOW with INFORMATIONAL severity; "captcha" and "block" map to BLOCK. |
| imperva.abp.pid | principal.process.pid | Process ID from the JSON payload. |
| imperva.abp.policy_id | security_result.detection_fields | Creates a detection field with the key "Policy Id" and the value from imperva.abp.policy_id. |
| imperva.abp.policy_name | security_result.detection_fields | Creates a detection field with the key "Policy Name" and the value from imperva.abp.policy_name. |
| imperva.abp.random_id | additional.fields | Creates an additional field with the key "Random Id" and the value from imperva.abp.random_id. |
| imperva.abp.request_path_decoded | target.process.file.full_path | Decoded request path from the JSON payload, used as the process path. |
| imperva.abp.request_type | principal.labels | Request type from the JSON payload, used as a principal label. |
| imperva.abp.selector | security_result.detection_fields | Creates a detection field with the key "selector" and the value from imperva.abp.selector. |
| imperva.abp.selector_derived_id | security_result.detection_fields | Creates a detection field with the key "selector_derived_id" and the value from imperva.abp.selector_derived_id. |
| imperva.abp.tls_fingerprint | security_result.description | TLS fingerprint from the JSON payload, used as the security result description. |
| imperva.abp.triggered_tags | Not mapped | Not currently mapped to a UDM field. |
| imperva.abp.zuid | additional.fields | Creates an additional field with the key "zuid" and the value from imperva.abp.zuid. |
| imperva.additional_factors | additional.fields | Creates an additional field for each additional factor. |
| imperva.audit_trail.event_action | security_result.detection_fields | Creates a detection field with the key from event_action and the value from event_action_description. |
| imperva.audit_trail.event_action_description | security_result.detection_fields | Used as the value of the detection field created from event_action. |
| imperva.audit_trail.event_context | security_result.detection_fields | Creates a detection field with the key from event_context and the value from event_context_description. |
| imperva.audit_trail.event_context_description | security_result.detection_fields | Used as the value of the detection field created from event_context. |
| imperva.classified_client | security_result.detection_fields | Creates a detection field with the key "classified_client" and the value from imperva.classified_client. |
| imperva.country | principal.location.country_or_region | Country code from the JSON payload. |
| imperva.credentials_leaked | security_result.detection_fields | Creates a detection field with the key "credentials_leaked" and the value from imperva.credentials_leaked. |
| imperva.declared_client | security_result.detection_fields | Creates a detection field with the key "declared_client" and the value from imperva.declared_client. |
| imperva.device_reputation | additional.fields | Creates an additional field with the key "device_reputation" and a list of values from imperva.device_reputation. |
| imperva.domain_risk | security_result.detection_fields | Creates a detection field with the key "domain_risk" and the value from imperva.domain_risk. |
| imperva.failed_logins_last_24h | security_result.detection_fields | Creates a detection field with the key "failed_logins_last_24h" and the value from imperva.failed_logins_last_24h. |
| imperva.fingerprint | security_result.detection_fields | Creates a detection field with the key "log_imperva_fingerprint" and the value from imperva.fingerprint. |
| imperva.ids.account_id | metadata.product_log_id | Account ID from the JSON payload, used as the product log ID. |
| imperva.ids.account_name | metadata.product_event_type | Account name from the JSON payload, used as the product event type. |
| imperva.ids.site_id | additional.fields | Creates an additional field with the key "site_id" and the value from imperva.ids.site_id. |
| imperva.ids.site_name | additional.fields | Creates an additional field with the key "site_name" and the value from imperva.ids.site_name. |
| imperva.referrer | network.http.referral_url | Referrer URL from the JSON payload. |
| imperva.request_id | network.session_id | Request ID from the JSON payload, used as the network session ID. |
| imperva.request_session_id | network.session_id | Request session ID from the JSON payload, used as the network session ID. |
| imperva.request_user | security_result.detection_fields | Creates a detection field with the key "request_user" and the value from imperva.request_user. |
| imperva.risk_level | security_result.severity (HIGH/CRITICAL/MEDIUM/LOW), security_result.severity_details | Risk level from the JSON payload, mapped to the UDM severity and also used as the severity details. |
| imperva.risk_reason | security_result.description | Risk reason from the JSON payload, used as the security result description. |
| imperva.significant_domain_name | security_result.detection_fields | Creates a detection field with the key "significant_domain_name" and the value from imperva.significant_domain_name. |
| imperva.successful_logins_last_24h | security_result.detection_fields | Creates a detection field with the key "successful_logins_last_24h" and the value from imperva.successful_logins_last_24h. |
| imperva.violated_directives | security_result.detection_fields | Creates a detection field for each violated directive. |
| in | network.received_bytes | Bytes received on the network from the LEEF data. Converted to unsigned integer. |
| leef_version | Not mapped | Internal use only. |
| log.@timestamp | metadata.event_timestamp | Timestamp from the JSON payload, parsed using the date filter. Used if log.time is not available. |
| log.client.geo.country_iso_code | principal.location.country_or_region | Country code from the nested JSON payload. |
| log.client.ip | principal.ip, principal.asset.ip | Client IP from the nested JSON payload. |
| log.context_key | target.resource.name | Context key from the nested JSON payload, used as the resource name. |
| log.event.provider | principal.user.user_display_name | Event provider from the nested JSON payload, used as the principal user display name. |
| log.http.request.body.bytes | network.sent_bytes | Request body bytes from the nested JSON payload. Converted to unsigned integer. |
| log.http.request.method | network.http.method, network.application_protocol (HTTP) | HTTP method from the nested JSON payload. If present, also sets the application protocol to HTTP. |
| log.imperva.abp.bot_behaviors | security_result.detection_fields | Creates a detection field for each bot behavior from the nested JSON payload. |
| log.imperva.abp.bot_deciding_condition_ids | security_result.detection_fields | Creates a detection field for each bot deciding condition ID from the nested JSON payload. |
| log.imperva.abp.bot_deciding_condition_names | security_result.detection_fields | Creates a detection field for each bot deciding condition name from the nested JSON payload. |
| log.imperva.abp.bot_triggered_condition_ids | security_result.detection_fields | Creates a detection field for each bot triggered condition ID from the nested JSON payload. |
| log.imperva.abp.bot_triggered_condition_names | security_result.detection_fields | Creates a detection field for each bot triggered condition name from the nested JSON payload. |
| log.imperva.abp.bot_violations | security_result.detection_fields | Creates a detection field for each bot violation from the nested JSON payload. |
| log.imperva.abp.customer_request_id | network.session_id | Customer request ID from the nested JSON payload, used as the network session ID. |
| log.imperva.abp.headers_accept | Not mapped | Not currently mapped to a UDM field. |
| log.imperva.abp.headers_accept_charset | Not mapped | Not currently mapped to a UDM field. |
| log.imperva.abp.headers_accept_encoding | security_result.detection_fields | Creates a detection field with the key "Accept Encoding" and the value from log.imperva.abp.headers_accept_encoding. |
| log.imperva.abp.headers_accept_language | security_result.detection_fields | Creates a detection field with the key "Accept Language" and the value from log.imperva.abp.headers_accept_language. |
| log.imperva.abp.headers_cf_connecting_ip | Not mapped | Not currently mapped to a UDM field. |
| log.imperva.abp.headers_connection | security_result.detection_fields | Creates a detection field with the key "headers_connection" and the value from log.imperva.abp.headers_connection. |
| log.imperva.abp.headers_cookie_length | Not mapped | Not currently mapped to a UDM field. |
| log.imperva.abp.headers_host | Not mapped | Not currently mapped to a UDM field. |
| log.imperva.abp.header_lengths | Not mapped | Not currently mapped to a UDM field. |
| log.imperva.abp.header_names | Not mapped | Not currently mapped to a UDM field. |
| log.imperva.abp.hsig | security_result.detection_fields | Creates a detection field with the key "hsig" and the value from log.imperva.abp.hsig. |
| log.imperva.abp.monitor_action | security_result.action (ALLOW/BLOCK), security_result.severity (INFORMATIONAL) | Monitor action from the nested JSON payload. "allow" maps to ALLOW with INFORMATIONAL severity; "captcha" and "block" map to BLOCK. |
| log.imperva.abp.pid | principal.process.pid | Process ID from the nested JSON payload. |
| log.imperva.abp.policy_id | security_result.detection_fields | Creates a detection field with the key "Policy Id" and the value from log.imperva.abp.policy_id. |
| log.imperva.abp.policy_name | security_result.detection_fields | Creates a detection field with the key "Policy Name" and the value from log.imperva.abp.policy_name. |
| log.imperva.abp.random_id | additional.fields | Creates an additional field with the key "Random Id" and the value from log.imperva.abp.random_id. |
| log.imperva.abp.request_path_decoded | target.process.file.full_path | Decoded request path from the nested JSON payload, used as the process path. |
| log.imperva.abp.request_type | principal.labels | Request type from the nested JSON payload, used as a principal label. |
| log.imperva.abp.selector | security_result.detection_fields | Creates a detection field with the key "selector" and the value from log.imperva.abp.selector. |
| log.imperva.abp.selector_derived_id | security_result.detection_fields | Creates a detection field with the key "selector_derived_id" and the value from log.imperva.abp.selector_derived_id. |
| log.imperva.abp.tls_fingerprint | security_result.description | TLS fingerprint from the nested JSON payload, used as the security result description. |
| log.imperva.abp.token_expire | Not mapped | Not currently mapped to a UDM field. |
| log.imperva.abp.token_id | target.resource.product_object_id | Token ID from the nested JSON payload, used as the resource product object ID. |
| log.imperva.abp.triggered_tags | Not mapped | Not currently mapped to a UDM field. |
| log.imperva.abp.zuid | additional.fields | Creates an additional field with the key "zuid" and the value from log.imperva.abp.zuid. |
| log.imperva.additional_factors | additional.fields | Creates an additional field for each additional factor from the nested JSON payload. |
| log.imperva.audit_trail.event_action | security_result.detection_fields | Creates a detection field with the key from event_action and the value from event_action_description in the nested JSON payload. |
| log.imperva.audit_trail.event_action_description | security_result.detection_fields | Used as the value of the detection field created from event_action in the nested JSON payload. |
| log.imperva.audit_trail.event_context | security_result.detection_fields | Creates a detection field with the key from event_context and the value from event_context_description in the nested JSON payload. |
| log.imperva.audit_trail.event_context_description | security_result.detection_fields | Used as the value of the detection field created from event_context in the nested JSON payload. |
| log.imperva.classified_client | security_result.detection_fields | Creates a detection field with the key "classified_client" and the value from log.imperva.classified_client. |
| log.imperva.country | principal.location.country_or_region | Country code from the nested JSON payload. |
| log.imperva.credentials_leaked | security_result.detection_fields | Creates a detection field with the key "credentials_leaked" and the value from log.imperva.credentials_leaked. |
| log.imperva.declared_client | security_result.detection_fields | Creates a detection field with the key "declared_client" and the value from log.imperva.declared_client. |
| log.imperva.device_reputation | additional.fields | Creates an additional field with the key "device_reputation" and a list of values from log.imperva.device_reputation. |
| log.imperva.domain_risk | security_result.detection_fields | Creates a detection field with the key "domain_risk" and the value from log.imperva.domain_risk. |
| log.imperva.failed_logins_last_24h | security_result.detection_fields | Creates a detection field with the key "failed_logins_last_24h" and the value from log.imperva.failed_logins_last_24h. |
| log.imperva.fingerprint | security_result.detection_fields | Creates a detection field with the key "log_imperva_fingerprint" and the value from log.imperva.fingerprint. |
| log.imperva.ids.account_id | metadata.product_log_id | Account ID from the nested JSON payload, used as the product log ID. |
| log.imperva.ids.account_name | metadata.product_event_type | Account name from the nested JSON payload, used as the product event type. |
| log.imperva.ids.site_id | additional.fields | Creates an additional field with the key "site_id" and the value from log.imperva.ids.site_id. |
| log.imperva.ids.site_name | additional.fields | Creates an additional field with the key "site_name" and the value from log.imperva.ids.site_name. |
| log.imperva.path | principal.process.file.full_path | Path from the nested JSON payload, used as the process path. |
| log.imperva.referrer | network.http.referral_url | Referrer URL from the nested JSON payload. |
| log.imperva.request_id | network.session_id | Request ID from the nested JSON payload, used as the network session ID. |
| log.imperva.request_session_id | network.session_id | Request session ID from the nested JSON payload, used as the network session ID. |
| log.imperva.request_user | security_result.detection_fields | Creates a detection field with the key "request_user" and the value from log.imperva.request_user. |
| log.imperva.risk_level | security_result.severity (HIGH/CRITICAL/MEDIUM/LOW), security_result.severity_details | Risk level from the nested JSON payload, mapped to the UDM severity and also used as the severity details. |
| log.imperva.risk_reason | security_result.description | Risk reason from the nested JSON payload, used as the security result description. |
| log.imperva.significant_domain_name | security_result.detection_fields | Creates a detection field with the key "significant_domain_name" and the value from log.imperva.significant_domain_name. |
| log.imperva.successful_logins_last_24h | security_result.detection_fields | Creates a detection field with the key "successful_logins_last_24h" and the value from log.imperva.successful_logins_last_24h. |
| log.imperva.violated_directives | security_result.detection_fields | Creates a detection field for each violated directive from the nested JSON payload. |
| log.message | metadata.description | Message from the nested JSON payload, used as the metadata description if no other description is available. |
| log.resource_id | target.resource.id | Resource ID from the nested JSON payload. |
| log.resource_type_key | target.resource.type | Resource type key from the nested JSON payload. |
| log.server.domain | target.hostname, target.asset.hostname | Server domain from the nested JSON payload. |
| log.server.geo.name | target.location.name | Server location name from the nested JSON payload. |
| log.time | metadata.event_timestamp | Timestamp from the nested JSON payload, parsed using the date filter. |
| log.type_key | metadata.product_event_type | Type key from the nested JSON payload, used as the product event type. |
| log.user.email | principal.user.email_addresses | User email from the nested JSON payload. |
| log.user_agent.original | network.http.parsed_user_agent | User agent from the nested JSON payload, parsed using the useragent filter. |
| log.user_details | principal.user.email_addresses | User details from the nested JSON payload, used as an email address if the value matches the email format. |
| log.user_id | principal.user.userid | User ID from the nested JSON payload. |
| log_timestamp | metadata.event_timestamp | Log timestamp from syslog, used as the event timestamp if no other timestamp is available. |
| log_type | Not mapped | Internal use only. |
| message | Various (see other fields) | The message field containing the log data. |
| metadata.event_type | metadata.event_type | Set to NETWORK_HTTP for CEF and JSON logs, SCAN_UNCATEGORIZED for Attack Analytics logs, USER_UNCATEGORIZED if src is "Distributed", USER_STATS for JSON logs with type_key, STATUS_UPDATE for JSON logs with a client IP or domain and a server domain, and GENERIC_EVENT for other JSON logs. |
| metadata.log_type | metadata.log_type | Set to "IMPERVA_WAF". |
| metadata.product_event_type | metadata.product_event_type | Populated from various fields depending on the log format (csv.event_id, log.imperva.ids.account_name, log.type_key). |
| metadata.product_name | metadata.product_name | Set to "Web Application Firewall". |
| metadata.vendor_name | metadata.vendor_name | Set to "Imperva". |
| msg | Not mapped | Not currently mapped to a UDM field. |
| organization | Not mapped | Internal use only. |
| payload | Various (see other fields) | Payload extracted from the CEF data. |
| popName | intermediary.location.country_or_region | PoP name from the LEEF data, mapped to the intermediary location. |
| postbody | security_result.detection_fields | Creates a detection field with the key "post_body_info" and the value from postbody. |
| product_version | Not mapped | Internal use only. |
| proto | network.application_protocol | Protocol from the LEEF data, mapped to the network application protocol. |
| protoVer | network.tls.version, network.tls.cipher | Protocol version from the LEEF data, parsed to extract the TLS version and cipher. |
| qstr | Appended to target.url | Query string from the LEEF data, appended to the target URL. |
| ref | network.http.referral_url | Referral URL from the LEEF data. |
| request | target.url | Request URL from the CEF data. |
| requestClientApplication | network.http.user_agent | Request client application from LEEF or CEF data, mapped to the network HTTP user agent. |
| requestContext | network.http.user_agent | Request context from the CEF data, mapped to the network HTTP user agent. |
| requestMethod | network.http.method | Request method from LEEF or CEF data, mapped to the network HTTP method and uppercased. |
| resource_id | target.resource.id | Resource ID from the JSON payload. |
| resource_type_key | target.resource.type | Resource type key from the JSON payload. |
| rt | metadata.event_timestamp | Receipt time from the CEF data, used as the event timestamp. |
| security_result.action | security_result.action | Set based on the value of act or cat. |
| security_result.action_details | security_result.action_details | Provides additional context based on the value of act or cat. |
| security_result.category_details | security_result.category_details | Set to the value of dproc. |
| security_result.detection_fields | security_result.detection_fields | Contains the key-value pairs extracted from the log data. |
| security_result.description | security_result.description | Set to the value of imperva.risk_reason or log.imperva.abp.tls_fingerprint. |
| security_result.rule_name | security_result.rule_name | Set to the value of cs9. |
| security_result.rule_type | security_result.rule_type | Set to the value of fileType. |
| security_result.severity | security_result.severity | Set based on the value of sevs or imperva.risk_level. |
| security_result.severity_details | security_result.severity_details | Set to the value of imperva.risk_level. |
| security_result.threat_id | | |
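The table is easier to trust once you can see an event go through it. The script below is an added example, not code from this page or from the Google Security Operations parser: it applies the act/cat, imperva.abp.monitor_action and imperva.risk_level rules from the table above to three constructed sample events (one CEF, one LEEF, one JSON) and builds a reduced UDM-style dictionary, which is the shape you would write a detection rule against (security_result.action, security_result.severity). The sample lines are made up; the CEF and LEEF splitting is the generic format layout, not the parser's own grok; the `sip` attribute, the `?` used when qstr is appended to target.url, and the case folding of risk_level are assumptions of this example.

```python
"""Added example (not the Google SecOps parser): applies a subset of the IMPERVA_WAF
mapping rules from the table above to constructed CEF, LEEF and JSON samples."""
import json
import re

# act (CEF) / cat (LEEF) -> security_result.action, as listed in the table.
ACTION_MAP = dict.fromkeys(("allowed", "alert", "REQ_PASSED", "REQ_CACHED"), "ALLOW")
ACTION_MAP.update(dict.fromkeys(("deny", "blocked", "REQ_BLOCKED", "REQ_CHALLENGE"), "BLOCK"))
ACTION_MAP["REQ_BAD"] = "FAIL"
# imperva.abp.monitor_action -> security_result.action ("allow" is also INFORMATIONAL).
MONITOR_ACTION_MAP = {"allow": "ALLOW", "captcha": "BLOCK", "block": "BLOCK"}
SEVERITY_LEVELS = {"LOW", "MEDIUM", "HIGH", "CRITICAL"}
# CEF extension values may contain spaces, so a value runs up to the next " key=".
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def map_action(value):
    return ACTION_MAP.get(value, "UNKNOWN")


def map_severity(risk_level):
    level = (risk_level or "").upper()  # case folding is this example's assumption
    return level if level in SEVERITY_LEVELS else None


def parse_cef(line):
    """CEF:ver|vendor|product|version|signature_id|name|severity|extensions -> ext dict"""
    parts = line.split("|", 7)
    if not line.startswith("CEF:") or len(parts) < 8:
        return None
    return dict(CEF_EXT_RE.findall(parts[7]))


def parse_leef(line):
    """LEEF:1.0|vendor|product|version|event_id|tab-separated key=value -> attrs dict"""
    parts = line.split("|", 5)
    if not line.startswith("LEEF:") or len(parts) < 6:
        return None
    attrs = {}
    for pair in parts[5].split("\t"):
        key, sep, value = pair.partition("=")  # qstr values contain '=' themselves
        if sep:
            attrs[key] = value
    return attrs


def to_udm(raw):
    """Reduced UDM-style event for one CEF, LEEF or JSON log; None when malformed."""
    udm = {"metadata": {"vendor_name": "Imperva", "product_name": "Web Application Firewall",
                        "log_type": "IMPERVA_WAF", "event_type": "NETWORK_HTTP"},
           "principal": {}, "target": {}, "network": {}, "security_result": {}}
    sr = udm["security_result"]
    if raw.lstrip().startswith("{"):
        doc = json.loads(raw)
        imperva = doc.get("imperva", {})
        if "ip" in doc.get("client", {}):
            udm["principal"]["ip"] = doc["client"]["ip"]
        method = doc.get("http", {}).get("request", {}).get("method")
        if method:
            udm["network"]["http"] = {"method": method}
        action = imperva.get("abp", {}).get("monitor_action")
        if action in MONITOR_ACTION_MAP:
            sr["action"] = MONITOR_ACTION_MAP[action]
            if action == "allow":
                sr["severity"] = "INFORMATIONAL"
        severity = map_severity(imperva.get("risk_level"))
        if severity:
            sr["severity"], sr["severity_details"] = severity, imperva["risk_level"]
        if "risk_reason" in imperva:
            sr["description"] = imperva["risk_reason"]
        return udm
    ext = parse_cef(raw) if raw.startswith("CEF:") else parse_leef(raw)
    if ext is None:
        return None  # the parser drops malformed logs (see the 2023-06-16 change)
    verdict = ext.get("act", ext.get("cat"))
    if verdict is not None:
        sr["action"], sr["action_details"] = map_action(verdict), verdict
    if "src" in ext or "sip" in ext:
        udm["principal"]["ip"] = ext.get("src", ext.get("sip"))
    if "dst" in ext:
        udm["target"]["ip"] = ext["dst"]
    if "request" in ext:  # the table appends qstr to target.url; the '?' is assumed here
        udm["target"]["url"] = ext["request"] + ("?" + ext["qstr"] if "qstr" in ext else "")
    http = {}
    if "requestMethod" in ext:
        http["method"] = ext["requestMethod"].upper()
    code = ext.get("cn1", ext.get("flexString1", ""))  # LEEF cn1 / CEF flexString1
    if code.isdigit():
        http["response_code"] = int(code)
    if http:
        udm["network"]["http"] = http
    return udm


# Constructed samples, not real Imperva output.
SAMPLE_CEF = ("CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3|"
              "act=REQ_BLOCKED src=198.51.100.7 dst=203.0.113.10 requestMethod=get "
              "request=https://shop.example/admin flexString1=403")
SAMPLE_LEEF = "LEEF:1.0|Incapsula|SIEMintegration|1.0|Normal|" + "\t".join(
    ["cat=REQ_PASSED", "sip=198.51.100.8", "dst=203.0.113.10", "cn1=200", "qstr=page=2&sort=asc"])
SAMPLE_JSON = json.dumps({"client": {"ip": "198.51.100.9"}, "http": {"request": {"method": "POST"}},
    "imperva": {"risk_level": "high", "risk_reason": "Credential stuffing", "abp": {"monitor_action": "captcha"}}})

if __name__ == "__main__":
    for raw in (SAMPLE_CEF, SAMPLE_LEEF, SAMPLE_JSON, "not a WAF event"):
        print(json.dumps(to_udm(raw), indent=1))
```

Run it as-is to print the three mapped events followed by `null` for the malformed line. Two points worth noticing: a value of act or cat the table does not list comes out as UNKNOWN rather than ALLOW, so a rule that alerts on `security_result.action != "ALLOW"` will also fire on unrecognised verdicts; and a JSON event carrying both monitor_action "allow" and a risk_level has its INFORMATIONAL severity overwritten by the risk level, so severity alone does not tell you whether the request was allowed.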

Changes

2024-04-02

  • Mapped "log.imperva.request_user" to "security_result.detection_fields".
  • Mapped "log.imperva.classified_client" to "security_result.detection_fields".

2024-02-26

  • Mapped "log.imperva.request_session_id" to "network.session_id".
  • Mapped "log.imperva.successful_logins_last_24h", "log.imperva.path" and "log.imperva.failed_logins_last_24h" to "security_result.detection_fields".
  • Mapped "log.imperva.risk_reason" to "security_result.severity_details" and "security_result.severity".
  • Mapped "additional_factor","log.imperva.device_reputation" and "log.imperva.credentials_leaked" to "additional.fields".
  • Mapped "log.imperva.fingerprint" to "security_result.description".
  • Mapped "log.imperva.referrer" to "network.http.referral_url".
  • Mapped "log.imperva.classified_client" to "principal.process.file.full_path"

2024-02-06

  • Initialized "accept_encoding_label", "site_name_label", "random_id_label", "request_type_label", "accept_language_label", "headers_connection_label", "zuid_labels", "site_id_label", "policy_id", "policy_name", "selector_derived_id", "hsig", "selector", "detection_fields_event_action", "detection_fields_event_context", "detection_fields_significant_domain_name", and "detection_fields_domain_risk" to null inside the "for loop" for json_array.

2024-01-27

  • Mapped "description" to "security_result.threat_name".
  • Mapped "severity" to "security_result.threat_id".
  • Mapped "kv.src", "src" and "log.client.ip" to "principal.asset.ip".
  • Mapped "kv.dst" and "dst" to "target.asset.ip".
  • Mapped "kv.dvc" to "about.asset.ip".
  • Mapped "kv.cs9" and "cs9" to "security_result.rule_name".
  • Mapped "kv.fileType" and "fileType" to "security_result.rule_type".
  • Mapped "dst" to "target.asset.ip".
  • Mapped "xff" and "forwardedIp" to "intermediary.asset.ip".
  • Mapped "log.client.domain" to "principal.asset.hostname".
  • Mapped "log.server.domain" to "target.asset.hostname".

2023-10-16

  • Bug-Fix:
  • Initialized "security_result" and "security_action" to null inside the "for loop" for json_array.
  • Added a null check before merging "security_action" to "security_result.action".
  • When "log.imperva.abp.monitor_action" is "block", then mapped "security_action" to "BLOCK".

2023-09-26

  • Mapped "significant_domain_name", "domain_risk", "violated_directives" to "security_result.detection_fields" in CSP logs.

2023-08-07

  • Bug-fix -
  • Added support to parse array of JSON logs.
  • Added Grok pattern to check for hostname before mapping "xff" to "intermediary.hostname".

2023-06-16

  • Resolved presubmit issue due to single on_error for two fields.

2023-06-16

  • Bug-fix -
  • Mapped "imperva.audit_trail.event_action" to "security_result.detection_fields".
  • Mapped "imperva.audit_trail.event_action_description" to "security_result.detection_fields".
  • Mapped "imperva.audit_trail.event_context" to "security_result.detection_fields".
  • Mapped "imperva.audit_trail.event_context_description" to "security_result.detection_fields".
  • Fixed Timestamp parsing issues.
  • Dropped malformed logs.

2023-06-08

  • Enhancement -
  • Mapped "imperva.abp.apollo_rule_versions" to "security_result.detection_fields".
  • Mapped "imperva.abp.bot_violations" to "security_result.detection_fields".
  • Mapped "imperva.abp.bot_behaviors" to "security_result.detection_fields".
  • Mapped "imperva.abp.bot_deciding_condition_ids" to "security_result.detection_fields".
  • Mapped "imperva.abp.bot_deciding_condition_names" to "security_result.detection_fields".
  • Mapped "imperva.abp.bot_triggered_condition_ids" to "security_result.detection_fields".
  • Mapped "imperva.abp.bot_triggered_condition_names" to "security_result.detection_fields".

2023-04-26

  • Enhancement -
  • Defined the field "kv.src" in the statedata.
  • Mapped "kvdata.ver" to "network.tls.version" and "network.tls.cipher".
  • Mapped "kvdata.sip" to "principal.ip".
  • Mapped "kvdata.spt" to "principal.port".
  • Mapped "kvdata.act" to "security_result.action_details".
  • Mapped "kvdata.app" to "network.application_protocol".
  • Mapped "kvdata.requestMethod" to "network.http.method".

2023-02-04

  • Enhancement -
  • Added rebase = true when mapping "deviceReceiptTime" to "event.timestamp".

2023-01-19

  • Enhancement -
  • Added support for parsing logs by adding the following mappings.
  • Mapped "event.provider" to "principal.user.userid".
  • Mapped "client.ip" to "principal.ip".
  • Mapped "client.domain" to "principal.hostname".
  • Mapped "imperva.abp.request_type" to "principal.labels".
  • Mapped "imperva.abp.pid" to "principal.process.pid".
  • Mapped "client.geo.country_iso_code" to "principal.location.country_or_region".
  • Mapped "server.domain" to "target.hostname".
  • Mapped "server.geo.name" to "target.location.name".
  • Mapped "url.path" to "target.process.file.full_path".
  • Mapped "imperva.abp.customer_request_id" to "target.resource.id".
  • Mapped "imperva.abp.token_id" to "target.resource.product_object_id".
  • Mapped "imperva.abp.random_id" to "additional.fields".
  • Mapped "http.request.method" to "network.http.method".
  • Mapped "user_agent.original" to "network.http.parsed_user_agent".
  • Mapped "imperva.abp.headers_referer" to "network.http.referral_url".
  • Mapped "imperva.abp.zuid" to "additional.fields".
  • Mapped "imperva.ids.site_name" to "additional.fields".
  • Mapped "imperva.ids.site_id" to "additional.fields".
  • Mapped "imperva.ids.account_name" to "metadata.product_event_type".
  • Mapped "imperva.ids.account_id" to "metadata.product_log_id".
  • Mapped "imperva.abp.headers_accept_encoding" to "security_result.detection_fields".
  • Mapped "imperva.abp.headers_accept_language" to "security_result.detection_fields".
  • Mapped "imperva.abp.headers_connection" to "security_result.detection_fields".
  • Mapped "imperva.abp.policy_id" to "security_result.detection_fields".
  • Mapped "imperva.abp.policy_name" to "security_result.detection_fields".
  • Mapped "imperva.abp.selector_derived_id" to "security_result.detection_fields".
  • Mapped "imperva.abp.monitor_action" to "security_result.action".

2022-06-28

  • Enhancement -
  • Mapped vendor.name = Imperva and product.name = Web Application Firewall for all logs.
  • Changed "metadata.event_type" from "GENERIC_EVENT" to "USER_UNCATEGORIZED" where "src" is "Distributed".
  • Changed "metadata.event_type" from "USER_UNCATEGORIZED" to "USER_STATS".

2022-06-20

  • Modified grok pattern for field "rt".
  • Bug-fix - Improvements to security_result.action.
  • REQ_PASSED: If the request was routed to the site's web server (security_result.action = 'ALLOW').
  • REQ_CACHED_X: If a response was returned from the data center's cache (security_result.action = 'ALLOW').
  • REQ_BAD_X: If a protocol or network error occurred (security_result.action = 'FAIL').
  • REQ_CHALLENGE_X: If a challenge was returned to the client (security_result.action = 'BLOCK').
  • REQ_BLOCKED_X: If the request was blocked (security_result.action = 'BLOCK').

2022-06-14

  • Bug-fix - Added gsub and modified the kv filter to avoid incorrectly mapping the fields 'cs1Label', 'cs2Label' and 'cs3Label' to the UDM field 'security_result.detection_fields'.

2022-05-26

  • Bug-fix - Removed key name and colon character from the value of the detection fields.

2022-05-10

  • Enhancement - Mapped the following fields:
  • 'cs1', 'cs2', 'cs3', 'cs4', 'cs5', 'fileType', 'filePermission' to 'security_result.detection_fields'.
  • 'cs7' to 'principal.location.region_latitude'.
  • 'cs8' to 'principal.location.region_longitude'.
  • 'cn1', 'cn2' to 'security_result.detection_fields' for CEF format logs.
  • 'act' to 'security_result.action' and 'security_result.action_details' for CEF format logs.
  • 'app' to 'network.application_protocol' for CEF format logs.
  • 'requestClientApplication' to 'network.http.user_agent' for CEF format logs.
  • 'dvc' to 'about.ip' for CEF format logs.
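The CEF entries above (2022-05-10 through 2022-06-20) describe three things a CEF-format Imperva log needs before it lands in UDM: pairing each 'csN' value with the name carried in 'csNLabel' (without ever emitting the label key or the "key:" prefix as a detection field), mapping the 'act' value to security_result.action by prefix because the suffix after REQ_CACHED_, REQ_BAD_, REQ_CHALLENGE_ and REQ_BLOCKED_ varies, and splitting 'ver' into TLS version and cipher. The following is an added Python example of that normalization; it is not the Google Security Operations parser and does not reproduce its Logstash configuration. The sample log line is constructed for this example from the field names this changelog mentions (it is not a real Imperva record), and the example assumes space-separated extension keys, no escaped pipes in the header, and an "UNKNOWN_ACTION" fallback for unrecognised 'act' values.

```python
import re
from typing import Dict, List, Optional, Tuple

# "act" prefixes from the 2022-06-20 entry, checked in order. The trailing
# underscore stands for the "_X" wildcard suffix used in the changelog.
ACT_PREFIX_RULES: List[Tuple[str, str]] = [
    ("REQ_PASSED", "ALLOW"),
    ("REQ_CACHED_", "ALLOW"),
    ("REQ_BAD_", "FAIL"),
    ("REQ_CHALLENGE_", "BLOCK"),
    ("REQ_BLOCKED_", "BLOCK"),
]

# Extension keys the 2022-05-10 entry routes to security_result.detection_fields.
DETECTION_KEYS = ("cs1", "cs2", "cs3", "cs4", "cs5", "cn1", "cn2",
                  "fileType", "filePermission")

# A CEF extension value runs until the next whitespace-delimited "key=" token,
# so values such as user agents or "ver" may themselves contain spaces.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample (not a real Imperva log); keys are space separated.
SAMPLE_CEF = (
    "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3|"
    "fileid=3412341160002601290 sourceServiceName=site123.example.com siteid=1509732 "
    "requestClientApplication=Mozilla/5.0 (X11; Linux x86_64) "
    "cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support "
    "src=192.0.2.10 ccode=IL xff=198.51.100.7 "
    "cs1=NOT_SUPPORTED cs1Label=Cap Support "
    "cs7=31.8969 cs7Label=latitude cs8=34.8186 cs8Label=longitude "
    "ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 start=1453290121336 "
    "request=site123.example.com/main.js requestMethod=GET cn1=200 app=HTTP "
    "cpt=443 act=REQ_CHALLENGE_CAPTCHA"
)


def parse_cef(line: str) -> Dict[str, str]:
    """Split a CEF line into its seven header fields plus extension key/values.

    Assumption: header fields contain no escaped pipes ("\\|").
    """
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = {
        "cef_version": parts[0][4:],
        "device_vendor": parts[1],
        "device_product": parts[2],
        "device_version": parts[3],
        "signature_id": parts[4],
        "name": parts[5],
        "severity": parts[6],
    }
    for key, value in _EXT_PAIR.findall(parts[7].strip()):
        fields[key] = value
    return fields


def detection_fields(ext: Dict[str, str]) -> Dict[str, str]:
    """Name each detection field after its csNLabel/cnNLabel, if present.

    Only the bare value is stored; the label key and the "key:" prefix
    (the 2022-05-26 and 2022-06-14 bugs) never reach the output.
    """
    out: Dict[str, str] = {}
    for key in DETECTION_KEYS:
        if key in ext:
            out[ext.get(key + "Label", key)] = ext[key]
    return out


def map_action(act: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return (security_result.action, security_result.action_details)."""
    if not act:
        return ("UNKNOWN_ACTION", None)
    for prefix, action in ACT_PREFIX_RULES:
        if act.startswith(prefix):
            return (action, act)
    return ("UNKNOWN_ACTION", act)  # assumption: unknown codes are not ALLOWed


def split_tls(ver: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """'ver' carries "<protocol> <cipher>"; split it into version and cipher."""
    if not ver:
        return (None, None)
    parts = ver.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else None)


def to_udm(line: str) -> Dict[str, object]:
    """Build the subset of the UDM event that the CEF changelog entries describe."""
    ext = parse_cef(line)
    action, details = map_action(ext.get("act"))
    tls_version, tls_cipher = split_tls(ext.get("ver"))
    return {
        "metadata": {
            "vendor_name": "Imperva",
            "product_name": "Web Application Firewall",
            "description": ext["name"],  # assumption: not stated for CEF above
        },
        "principal": {
            "ip": ext.get("src"),
            # cs7/cs8 carry latitude/longitude rather than a detection field.
            "location": {
                "region_latitude": float(ext["cs7"]) if "cs7" in ext else None,
                "region_longitude": float(ext["cs8"]) if "cs8" in ext else None,
            },
        },
        "intermediary": {"ip": ext.get("xff")},
        "about": {"ip": ext.get("dvc")},
        "network": {
            "application_protocol": ext.get("app"),
            "http": {"method": ext.get("requestMethod"),
                     "user_agent": ext.get("requestClientApplication")},
            "tls": {"version": tls_version, "cipher": tls_cipher},
        },
        "security_result": {
            "action": action,
            "action_details": details,
            "detection_fields": detection_fields(ext),
        },
    }
```

Run `to_udm(SAMPLE_CEF)` to see the shape: the challenge response maps to BLOCK with the raw REQ_CHALLENGE_CAPTCHA kept in action_details, the three csN values come out under their label names, and cn1 keeps its own name because no cn1Label is present. The prefix table is ordered deliberately; if a future 'act' value shares a prefix with an existing rule, the earlier rule wins, so check new codes against the list before relying on the ALLOW/BLOCK split in detections.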