Change log for IMPERVA_WAF
Date | Changes |
---|---|
2023-02-04 | Enhancement<br>- For field "deviceReceiptTime", added rebase = true in "event.timestamp". |
2023-01-19 | Enhancement<br>- Added support to parse logs by adding the following mappings:<br>- Mapped "event.provider" to "principal.user.userid".<br>- Mapped "client.ip" to "principal.ip".<br>- Mapped "client.domain" to "principal.hostname".<br>- Mapped "imperva.abp.request_type" to "principal.labels".<br>- Mapped "imperva.abp.pid" to "principal.process.pid".<br>- Mapped "client.geo.country_iso_code" to "principal.location.country_or_region".<br>- Mapped "server.domain" to "target.hostname".<br>- Mapped "server.geo.name" to "target.location.name".<br>- Mapped "url.path" to "target.process.file.full_path".<br>- Mapped "imperva.abp.customer_request_id" to "target.resource.id".<br>- Mapped "imperva.abp.token_id" to "target.resource.product_object_id".<br>- Mapped "imperva.abp.random_id" to "additional.fields".<br>- Mapped "http.request.method" to "network.http.method".<br>- Mapped "user_agent.original" to "network.http.parsed_user_agent".<br>- Mapped "imperva.abp.headers_referer" to "network.http.referral_url".<br>- Mapped "imperva.abp.zuid" to "additional.fields".<br>- Mapped "imperva.ids.site_name" to "additional.fields".<br>- Mapped "imperva.ids.site_id" to "additional.fields".<br>- Mapped "imperva.ids.account_name" to "metadata.product_event_type".<br>- Mapped "imperva.ids.account_id" to "metadata.product_log_id".<br>- Mapped "imperva.abp.headers_accept_encoding" to "security_result.detection_fields".<br>- Mapped "imperva.abp.headers_accept_language" to "security_result.detection_fields".<br>- Mapped "imperva.abp.headers_connection" to "security_result.detection_fields".<br>- Mapped "imperva.abp.policy_id" to "security_result.detection_fields".<br>- Mapped "imperva.abp.policy_name" to "security_result.detection_fields".<br>- Mapped "imperva.abp.selector_derived_id" to "security_result.detection_fields".<br>- Mapped "imperva.abp.monitor_action" to "security_result.action". |
2022-06-28 | Enhancement<br>- Mapped vendor.name = Imperva and product.name = Web Application Firewall for all logs.<br>- Changed "metadata.event_type" from "GENERIC_EVENT" to "USER_UNCATEGORIZED" where "src" is "Distributed".<br>- Changed "metadata.event_type" from "USER_UNCATEGORIZED" to "USER_STATS". |
2022-06-20 | Enhancement<br>- Modified grok pattern for field "rt".<br>Bug-fix<br>- Improvements to security_result.action:<br>- REQ_PASSED: the request was routed to the site's web server (security_result.action = 'ALLOW').<br>- REQ_CACHED_X: a response was returned from the data center's cache (security_result.action = 'ALLOW').<br>- REQ_BAD_X: a protocol or network error occurred (security_result.action = 'FAIL').<br>- REQ_CHALLENGE_X: a challenge was returned to the client (security_result.action = 'BLOCK').<br>- REQ_BLOCKED_X: the request was blocked (security_result.action = 'BLOCK'). |
2022-06-14 | Bug-fix<br>- Added gsub and modified the kv filter to avoid incorrectly mapping the fields 'cs1Label', 'cs2Label' and 'cs3Label' to the UDM field 'security_result.detection_fields'. |
2022-05-26 | Bug-fix<br>- Removed the key name and colon character from the value of the detection fields. |
2022-05-10 | Enhancement<br>- Mapped the following fields:<br>- 'cs1', 'cs2', 'cs3', 'cs4', 'cs5', 'fileType', 'filePermission' to 'security_result.detection_fields'.<br>- 'cs7' to 'principal.location.region_latitude'.<br>- 'cs8' to 'principal.location.region_longitude'.<br>- 'cn1', 'cn2' to 'security_result.detection_fields' for CEF format logs.<br>- 'act' to 'security_result.action' and 'security_result.action_details' for CEF format logs.<br>- 'app' to 'network.application_protocol' for CEF format logs.<br>- 'requestClientApplication' to 'network.http.user_agent' for CEF format logs.<br>- 'dvc' to 'about.ip' for CEF format logs. |