Collect Imperva Attack Analytics logs

This document explains how to ingest Imperva Attack Analytics logs to Google Security Operations using Amazon S3. Imperva Attack Analytics leverages machine learning and artificial intelligence to provide advanced threat detection and analysis capabilities. It monitors network traffic, application logs, and user behavior to detect anomalies and suspicious activities, correlating data from multiple sources to provide comprehensive security insights. This integration lets you send these logs to Google SecOps for analysis and monitoring.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to AWS
  • Privileged access to Imperva Console

Collect Imperva Attack Analytics prerequisites (API credentials)

  1. Sign in to the Imperva Console at my.imperva.com.
  2. Go to Account > Account Management.
  3. On the sidebar, click SIEM Logs > Log Configuration.
  4. Click Add connection.
  5. Select Amazon S3 as the delivery method.
  6. Configure the connection for Amazon S3:
    • Connection name: Enter a descriptive name (for example, Google SecOps Integration).
    • Access key: Your S3 access key.
    • Secret key: Your S3 secret key.
    • Path: The bucket path in format <bucket-name>/<folder> (for example, imperva-attack-analytics-logs/chronicle).

Configure AWS S3 bucket and IAM for Google SecOps

  1. Create an Amazon S3 bucket by following this user guide: Creating a bucket.
  2. Save the bucket name and region for future reference (for example, imperva-attack-analytics-logs).
  3. Create an IAM user by following this user guide: Creating an IAM user.
  4. Select the created user.
  5. Select the Security credentials tab.
  6. Click Create Access Key in the Access Keys section.
  7. Select Third-party service as the Use case.
  8. Click Next.
  9. Optional: Add a description tag.
  10. Click Create access key.
  11. Click Download CSV file to save the Access Key and Secret Access Key for future reference.
  12. Click Done.
  13. Select the Permissions tab.
  14. Click Add permissions in the Permissions policies section.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for the AmazonS3FullAccess policy.
  18. Select the policy.
  19. Click Next.
  20. Click Add permissions.

Configure the IAM policy and role for S3 uploads

  1. In the AWS console, go to IAM > Policies.
  2. Click Create policy > JSON tab.
  3. Enter the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowPutObjects",
          "Effect": "Allow",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::imperva-attack-analytics-logs/*"
        },
        {
          "Sid": "AllowGetObjects",
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::imperva-attack-analytics-logs/*"
        },
        {
          "Sid": "AllowListBucket",
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::imperva-attack-analytics-logs"
        }
      ]
    }

    • Replace imperva-attack-analytics-logs if you entered a different bucket name.
  4. Click Next > Create policy.
  5. Go to IAM > Roles > Create role > AWS service > Lambda.
  6. Attach the newly created policy.
  7. Name the role imperva-attack-analytics-s3-role and click Create role.

Configure Imperva Attack Analytics S3 connection

  1. Return to the Imperva Console SIEM Logs configuration.
  2. Update the Amazon S3 connection with the AWS credentials:
    • Access key: The access key of the IAM user with access to the S3 bucket.
    • Secret key: The secret key of the IAM user with access to the S3 bucket.
    • Path: Enter the path in the format imperva-attack-analytics-logs/chronicle.
  3. Click Test connection to verify connectivity.
  4. Ensure the connection status shows Available.

Configure Attack Analytics log export

  1. In the Connections table, expand your Amazon S3 connection.
  2. Click Add log type.
  3. Provide the following configuration details:
    • Configuration name: Enter a descriptive name (for example, Attack Analytics Logs to Google SecOps).
    • Select service: Choose Attack Analytics.
    • Select log types: Select the Attack Analytics log types you want to export.
    • Format: CEF (Common Event Format for Attack Analytics logs).
    • State: Set to Enabled.
  4. Click Add log type to save the configuration.
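The export configured above writes Attack Analytics records in CEF. The following added Python example (not code from this guide, Google or Imperva) parses one CEF line into its seven pipe-delimited header fields and its key=value extension, handling the backslash escapes the format uses for `|` and `=`, and converts the standard `rt` receipt-time field to a UTC timestamp. SAMPLE is a constructed record: the vendor and product fields carry the product name for readability, but the signature id, name and extension values are made up and are not Imperva's documented event schema.

```python
import re
from datetime import datetime, timezone

# Constructed sample record in CEF layout:
# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# The signature id, name and extension values are illustrative, not Imperva's real schema.
SAMPLE = (
    "CEF:0|Imperva|Attack Analytics|1.0|1001|Incident A\\|B|8|"
    "src=203.0.113.10 dst=198.51.100.5 suser=app\\=user "
    "cs1Label=Site cs1=example.com msg=two words rt=1700000000000"
)

HEADER_FIELDS = 7
# A key is alphanumeric; a value runs until the next " key=" or end of line.
_EXT_PAIR = re.compile(r"([A-Za-z0-9_]+)=(.*?)(?=\s+[A-Za-z0-9_]+=|$)")


def _unescape(value):
    # CEF escapes '|' in the header and '=' in extension values with a backslash;
    # '\n' and '\r' stand for line breaks and '\\' for a literal backslash.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(line):
    """Split the first seven pipe-delimited fields, leaving escapes for _unescape."""
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < HEADER_FIELDS:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i:i + 2])  # keep the escape pair intact
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    return fields, line[i:]  # the remainder is the extension


def parse_cef(line):
    """Parse one CEF line into a dict; raises ValueError on a malformed header."""
    header, extension = _split_header(line.rstrip("\r\n"))
    if len(header) != HEADER_FIELDS or not header[0].startswith("CEF:"):
        raise ValueError(f"not a CEF record: {line[:40]!r}")
    version, vendor, product, dev_version, sig_id, name, severity = (_unescape(f) for f in header)
    ext = {key: _unescape(value) for key, value in _EXT_PAIR.findall(extension)}
    return {
        "cef_version": int(version.split(":", 1)[1]),
        "device_vendor": vendor,
        "device_product": product,
        "device_version": dev_version,
        "signature_id": sig_id,
        "name": name,
        # CEF severity is 0-10 or a word such as High; keep words as-is.
        "severity": int(severity) if severity.isdigit() else severity,
        "extension": ext,
    }


def event_time(event):
    """Return the 'rt' field (epoch milliseconds) as an aware UTC datetime, or None."""
    rt = event["extension"].get("rt")
    if rt is None or not rt.isdigit():
        return None
    return datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc)


if __name__ == "__main__":
    event = parse_cef(SAMPLE)
    print(event["name"], event["severity"], event_time(event).isoformat())
    print(event["extension"])
```

The header is split with a character loop rather than a plain `split("|")` because a `\|` inside the Name field would otherwise shift every later field, and the extension regex anchors on ` key=` so that values containing spaces or an escaped `=` stay whole.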

Optional: Create read-only IAM user & keys for Google SecOps

  1. Go to AWS Console > IAM > Users.
  2. Click Add users.
  3. Provide the following configuration details:
    • User: Enter secops-reader.
    • Access type: Select Access key – Programmatic access.
  4. Click Create user.
  5. Attach a minimal read-only policy (custom): Users > secops-reader > Permissions > Add permissions > Attach policies directly > Create policy.
  6. In the JSON editor, enter the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:GetObject"],
          "Resource": "arn:aws:s3:::imperva-attack-analytics-logs/*"
        },
        {
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": "arn:aws:s3:::imperva-attack-analytics-logs"
        }
      ]
    }

  7. Set the name to secops-reader-policy.
  8. Click Create policy, then return to the Add permissions flow, search for and select secops-reader-policy, click Next, and then click Add permissions.
  9. Go to Security credentials > Access keys > Create access key.
  10. Download the CSV file; these values are entered into the feed configuration.
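The upload policy under "Configure the IAM policy and role for S3 uploads" and the read-only policy in this section are the least-privilege alternative to the AmazonS3FullAccess managed policy attached earlier, and both must name the bucket you actually created. The following added Python example (not code from this guide, Google or Imperva) generates both documents from the bucket name and audits any policy document for scope: only the expected actions, only on the configured bucket, with ListBucket on the bucket ARN and object actions on the `/*` object ARN. The action sets are assumptions matching the two documents on this page, and FULL_ACCESS_LIKE is a constructed stand-in for a broad managed policy, not the real AmazonS3FullAccess document.

```python
import json

# Bucket name used throughout this guide; both policies are generated from it
# so the ARNs cannot drift from the bucket that was actually created.
BUCKET = "imperva-attack-analytics-logs"

# Actions granted on the bucket ARN itself; every other S3 action here is an object action.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket"}
# Assumed action sets, matching the two policy documents in this guide.
WRITER_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:ListBucket"}
READER_ACTIONS = {"s3:GetObject", "s3:ListBucket"}


def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def writer_policy(bucket):
    """Policy for the credentials entered in the Imperva Console (object put/get plus listing)."""
    objects = f"{bucket_arn(bucket)}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowPutObjects", "Effect": "Allow", "Action": "s3:PutObject", "Resource": objects},
            {"Sid": "AllowGetObjects", "Effect": "Allow", "Action": "s3:GetObject", "Resource": objects},
            {"Sid": "AllowListBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": bucket_arn(bucket)},
        ],
    }


def reader_policy(bucket):
    """Read-only policy for the secops-reader user that the Google SecOps feed authenticates as."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"{bucket_arn(bucket)}/*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": bucket_arn(bucket)},
        ],
    }


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy, bucket, allowed_actions):
    """Return a finding per problem in each Allow statement; an empty list means scoped as intended."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action not in allowed_actions:
                findings.append(f"{sid}: action {action!r} is outside the allowed set")
        for res in resources:
            if res in ("*", "arn:aws:s3:::*"):
                findings.append(f"{sid}: resource {res!r} covers every bucket in the account")
            elif res not in (bucket_arn(bucket), f"{bucket_arn(bucket)}/*"):
                findings.append(f"{sid}: resource {res!r} is not the configured bucket")
            for action in actions:
                wants_bucket_arn = action in BUCKET_LEVEL_ACTIONS
                if wants_bucket_arn and res.endswith("/*"):
                    findings.append(f"{sid}: {action} must target the bucket ARN, not {res!r}")
                if not wants_bucket_arn and not res.endswith("/*"):
                    findings.append(f"{sid}: {action} must target objects, not the bucket ARN {res!r}")
    return findings


# Constructed stand-in for a broad managed policy such as AmazonS3FullAccess
# (its real document is not reproduced here): every S3 action on every resource.
FULL_ACCESS_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


if __name__ == "__main__":
    for name, policy, allowed in (
        ("writer", writer_policy(BUCKET), WRITER_ACTIONS),
        ("reader", reader_policy(BUCKET), READER_ACTIONS),
        ("full-access-like", FULL_ACCESS_LIKE, READER_ACTIONS),
    ):
        print(f"== {name} ==", audit_policy(policy, BUCKET, allowed) or "scoped as intended")
    # Paste-ready JSON for the console's policy editor.
    print(json.dumps(reader_policy(BUCKET), indent=2))
```

Running the audit against the broad stand-in shows why the page's custom policies are preferable: a wildcard action on a wildcard resource produces findings on every axis, whereas the generated writer and reader documents pass cleanly.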

Configure a feed in Google SecOps to ingest Imperva Attack Analytics logs

  1. Go to SIEM Settings > Feeds.
  2. Click + Add New Feed.
  3. In the Feed name field, enter a name for the feed (for example, Imperva Attack Analytics logs).
  4. Select Amazon S3 V2 as the Source type.
  5. Select Imperva Attack Analytics as the Log type.
  6. Click Next.
  7. Specify values for the following input parameters:
    • S3 URI: s3://imperva-attack-analytics-logs/chronicle/
    • Source deletion options: Select deletion option according to your preference.
    • Maximum File Age: Include files modified in the last number of days. Default is 180 days.
    • Access Key ID: The access key of the IAM user with access to the S3 bucket.
    • Secret Access Key: The secret key of the IAM user with access to the S3 bucket.
    • Asset namespace: The asset namespace.
    • Ingestion labels: The label applied to the events from this feed.
  8. Click Next.
  9. Review your new feed configuration in the Finalize screen, and then click Submit.
