Collect Imperva WAF logs

Supported in:

This document explains how to collect logs from the Imperva Web Application Firewall (WAF) to Google Security Operations using either an API (Pull) or Amazon S3 (Push). The parser transforms logs from SYSLOG+KV, JSON, CEF, and LEEF formats into a unified data model (UDM). It processes various log structures, extracts relevant fields, normalizes them into UDM attributes, and enriches the data with contextual information for enhanced security analysis.

Before you begin

  • Select the ingestion type (API or Amazon S3) that best fits your configuration requirements.
  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to AWS.
  • Ensure that you have privileged access to Imperva WAF.

Collect Imperva WAF logs using API

Configure a Read-Only user for Imperva WAF

  1. Sign in to the Imperva Console with a privileged account.
  2. Go to Settings > Users & Roles.
  3. Click Add User.
  4. Fill in the required fields:
    • Username: enter a unique username.
    • Password: set a strong password.
    • Email: provide the user's email address.
    • In the Roles section, select the Reader role.
  5. Click Save to create the user with read-only access.

Optional: Configure Reader user as API-Only

  1. In the Users list, locate the newly created user.
  2. Click the Actions button (three dots) next to the user's name.
  3. Select Set as API-only user.

Generate the API ID and API key

  1. In the Users list, select the newly created user.
  2. Select Settings and click API Keys.
  3. Click Add API Key.
  4. Fill in the required fields:
    • Name: enter a descriptive name for the API key.
    • Optional: Description: provide an optional description.
    • In the API key will expire in list, select Never.
    • To enable, select Status.
  5. Click Save.

The system displays the API ID and API Key. Copy and save these credentials, as they won't be displayed again.

Configure a feed in Google SecOps to ingest Imperva WAF logs via Third-party API

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed; for example, Imperva WAF Logs.
  4. Select Third party API as the Source type.
  5. Select Imperva as the Log type.
  6. Click Next.
  7. Specify values for the following input parameters:
    • Authentication HTTP header: enter the Imperva API ID and Key in two lines: apiId:<YOUR_API_ID> and apiKey:<YOUR_API_KEY>.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  8. Click Next.
  9. Review the feed configuration in the Finalize screen, and then click Submit.

Collect Imperva WAF logs using Amazon S3

Configure AWS IAM and S3

  1. Create an Amazon S3 bucket following this user guide: Creating a bucket
  2. Save the bucket Name and Region for later use.
  3. Create a User following this user guide: Creating an IAM user.
  4. Select the created User.
  5. Select the Security credentials tab.
  6. Click Create Access Key in the Access Keys section.
  7. Select Third-party service as the Use case.
  8. Click Next.
  9. Optional: Add a description tag.
  10. Click Create access key.
  11. Click Download .csv file and save the Access Key and Secret Access Key for later use.
  12. Click Done.
  13. Select the Permissions tab.
  14. Click Add permissions in the Permissions policies section.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for and select the AmazonS3FullAccess policy.
  18. Click Next.
  19. Click Add permissions.

Configure Imperva WAF Amazon S3 connection

  1. Sign in to the Imperva Console with a privileged account.
  2. Go to Logs > Log Setup.
  3. Select Amazon S3.
  4. Fill in the required fields:
    • Access key
    • Secret key
    • Path: enter the path in the following format: <Amazon S3 bucket name>/<log folder>; for example: MyBucket/MyIncapsulaLogFolder.
  5. Click Test connection to perform a full testing cycle in which a test file is transferred to your designated folder.
  6. Select the format for the log files as CEF.
  7. By default, log files are compressed. Set the option to not compress files.

Configure a feed in Google SecOps to ingest Imperva WAF logs from Amazon S3

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed; for example, Imperva WAF Logs.
  4. Select Amazon S3 as the Source type.
  5. Select Imperva as the Log type.
  6. Click Next.

  7. Specify values for the following input parameters:

    • Region: the region where the Amazon S3 bucket is located.
    • S3 URI: the bucket URI.
      • s3://your-log-bucket-name/
      • Replace your-log-bucket-name with the actual name of the bucket.
    • URI is a: select Directory or Directory which includes subdirectories.
    • Source deletion options: select the deletion option according to your preference.
    • Access Key ID: the User access key with access to the S3 bucket.
    • Secret Access Key: the User secret key with access to the S3 bucket.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label to be applied to the events from this feed.

  8. Click Next.

  9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log field UDM mapping Logic
account_id target.user.userid The account id from the json object
act security_result.action If act is allowed, alert, starts with REQ_PASSED, or starts with REQ_CACHED, set to ALLOW. If act is deny, blocked, starts with REQ_BLOCKED, or starts with REQ_CHALLENGE, set to BLOCK. If act matches regex (?i)REQ_BAD, set to FAIL. Otherwise, set to UNKNOWN_ACTION.
app network.application_protocol Renamed from kv.app. Converted to uppercase.
calCountryOrRegion principal.location.country_or_region Renamed from calCountryOrRegion.
cat security_result.action_details If cat starts with REQ_PASSED or REQ_CACHED, set action to ALLOW and set action_details to a description based on the value of cat. If cat starts with REQ_BAD, set action to FAIL and set action_details to a description based on the value of cat. If cat starts with REQ_BLOCKED or REQ_CHALLENGE, set action to BLOCK and set action_details to a description based on the value of cat.
cicode principal.location.city Renamed from cicode.
classified_client security_result.detection_fields If classified_client is not empty, create a new detection_fields entry with key classified_client and value classified_client.
client.domain principal.hostname, principal.asset.hostname Renamed from client.domain.
client.geo.country_iso_code principal.location.country_or_region Renamed from client.geo.country_iso_code.
client.ip principal.ip, principal.asset.ip Merged into principal.ip and principal.asset.ip.
cn1 network.http.response_code Renamed from cn1. Converted to integer.
context_key target.resource.name Renamed from context_key.
country principal.location.country_or_region Renamed from country.
credentials_leaked security_result.detection_fields Converted to string. If not empty, create a new detection_fields entry with key credentials_leaked and value credentials_leaked.
cs1 security_result.detection_fields If cs1 is not empty, NA, or `, create a newdetection_fieldsentry with keycs1Labeland valuecs1`.
cs1Label security_result.detection_fields Used as the key for the detection_fields entry created from cs1.
cs2 security_result.detection_fields If cs2 is not empty, create a new detection_fields entry with key cs2Label and value cs2.
cs2Label security_result.detection_fields Used as the key for the detection_fields entry created from cs2.
cs3 security_result.detection_fields If cs3 is not empty, -, or `, create a newdetection_fieldsentry with keycs3Labeland valuecs3`.
cs3Label security_result.detection_fields Used as the key for the detection_fields entry created from cs3.
cs4 security_result.detection_fields If cs4 is not empty, create a new detection_fields entry with key cs4Label and value cs4.
cs4Label security_result.detection_fields Used as the key for the detection_fields entry created from cs4.
cs5 security_result.detection_fields If cs5 is not empty, create a new detection_fields entry with key cs5Label and value cs5.
cs5Label security_result.detection_fields Used as the key for the detection_fields entry created from cs5.
cs6 principal.application Renamed from cs6.
cs7 principal.location.region_latitude If cs7Label is latitude, renamed to principal.location.region_latitude. Converted to float.
cs7Label If cs7Label is latitude, used to determine the mapping of cs7.
cs8 principal.location.region_longitude If cs8Label is longitude, renamed to principal.location.region_longitude. Converted to float.
cs8Label If cs8Label is longitude, used to determine the mapping of cs8.
cs9 security_result.rule_name, extensions.vulns.vulnerabilities.name If cs9 is not empty, set to security_result.rule_name and create a new vulnerabilities entry with name cs9.
Customer target.user.user_display_name Renamed from Customer.
declared_client security_result.detection_fields If declared_client is not empty, create a new detection_fields entry with key declared_client and value declared_client.
description security_result.threat_name Renamed from description.
deviceExternalId network.community_id Renamed from deviceExternalId.
deviceReceiptTime metadata.event_timestamp Parsed as a date and set to metadata.event_timestamp. If empty, log_timestamp or kv.start is used instead.
dhost target.hostname Renamed from kv.dhost.
dproc security_result.category_details Renamed from dproc.
dpt target.port Renamed from kv.dpt. Converted to integer.
dst target.ip, target.asset.ip If dst is not empty, merged into target.ip and target.asset.ip.
dstPort target.port Renamed from dstPort. Converted to integer.
duser target.user.userid If duser does not match regex .*?Alert.* and is not empty, renamed to target.user.userid.
end security_result.detection_fields If end is not empty, create a new detection_fields entry with key event_end_time and value end.
event.id The event id from the json object
event.provider principal.user.user_display_name Renamed from event.provider.
failed_logins_last_24h security_result.detection_fields Converted to string. If not empty, create a new detection_fields entry with key failed_logins_last_24h and value failed_logins_last_24h.
fileId network.session_id Renamed from fileId.
filePermission security_result.detection_fields If filePermission is not empty, create a new detection_fields entry with key filePermission and value filePermission.
fileType security_result.detection_fields If fileType is not empty, create a new detection_fields entry with key fileType and value fileType.
fingerprint security_result.detection_fields If fingerprint is not empty, create a new detection_fields entry with key log_imperva_fingerprint and value fingerprint.
flexString1 network.http.response_code Renamed from kv.flexString1. Converted to integer.
http.request.body.bytes network.sent_bytes Converted to unsigned integer. Renamed from http.request.body.bytes.
http.request.method network.http.method Renamed from http.request.method.
imperva.abp.apollo_rule_versions security_result.detection_fields For each entry in imperva.abp.apollo_rule_versions, create a new detection_fields entry with key apollo_rule_versions_{index} and value equal to the entry.
imperva.abp.bot_behaviors security_result.detection_fields For each entry in imperva.abp.bot_behaviors, create a new detection_fields entry with key bot_behaviors_{index} and value equal to the entry.
imperva.abp.bot_deciding_condition_ids security_result.detection_fields For each entry in imperva.abp.bot_deciding_condition_ids, create a new detection_fields entry with key bot_deciding_condition_ids_{index} and value equal to the entry.
imperva.abp.bot_deciding_condition_names security_result.detection_fields For each entry in imperva.abp.bot_deciding_condition_names, create a new detection_fields entry with key bot_deciding_condition_names_{index} and value equal to the entry.
imperva.abp.bot_triggered_condition_ids security_result.detection_fields For each entry in imperva.abp.bot_triggered_condition_ids, create a new detection_fields entry with key bot_triggered_condition_ids_{index} and value equal to the entry.
imperva.abp.bot_triggered_condition_names security_result.detection_fields For each entry in imperva.abp.bot_triggered_condition_names, create a new detection_fields entry with key bot_triggered_condition_names_{index} and value equal to the entry.
imperva.abp.bot_violations security_result.detection_fields For each entry in imperva.abp.bot_violations, create a new detection_fields entry with key bot_violations_{index} and value equal to the entry.
imperva.abp.customer_request_id network.session_id Renamed from imperva.abp.customer_request_id.
imperva.abp.headers_accept_encoding security_result.detection_fields If imperva.abp.headers_accept_encoding is not empty, create a new detection_fields entry with key Accept Encoding and value imperva.abp.headers_accept_encoding.
imperva.abp.headers_accept_language security_result.detection_fields If imperva.abp.headers_accept_language is not empty, create a new detection_fields entry with key Accept Language and value imperva.abp.headers_accept_language.
imperva.abp.headers_connection security_result.detection_fields If imperva.abp.headers_connection is not empty, create a new detection_fields entry with key headers_connection and value imperva.abp.headers_connection.
imperva.abp.headers_referer network.http.referral_url Renamed from imperva.abp.headers_referer.
imperva.abp.hsig security_result.detection_fields If imperva.abp.hsig is not empty, create a new detection_fields entry with key hsig and value imperva.abp.hsig.
imperva.abp.monitor_action security_result.action, security_result.severity If imperva.abp.monitor_action matches regex (?i)allow, set security_action to ALLOW and severity to INFORMATIONAL. If imperva.abp.monitor_action matches regex (?i)captcha or (?i)block, set security_action to BLOCK.
imperva.abp.pid principal.process.pid Renamed from imperva.abp.pid.
imperva.abp.policy_id security_result.detection_fields If imperva.abp.policy_id is not empty, create a new detection_fields entry with key Policy Id and value imperva.abp.policy_id.
imperva.abp.policy_name security_result.detection_fields If imperva.abp.policy_name is not empty, create a new detection_fields entry with key Policy Name and value imperva.abp.policy_name.
imperva.abp.random_id additional.fields If imperva.abp.random_id is not empty, create a new additional.fields entry with key Random Id and value imperva.abp.random_id.
imperva.abp.request_type principal.labels If imperva.abp.request_type is not empty, create a new principal.labels entry with key request_type and value imperva.abp.request_type.
imperva.abp.selector security_result.detection_fields If imperva.abp.selector is not empty, create a new detection_fields entry with key selector and value imperva.abp.selector.
imperva.abp.selector_derived_id security_result.detection_fields If imperva.abp.selector_derived_id is not empty, create a new detection_fields entry with key selector_derived_id and value imperva.abp.selector_derived_id.
imperva.abp.tls_fingerprint security_result.description Renamed from imperva.abp.tls_fingerprint.
imperva.abp.token_id target.resource.product_object_id Renamed from imperva.abp.token_id.
imperva.abp.zuid additional.fields If imperva.abp.zuid is not empty, create a new additional.fields entry with key zuid and value imperva.abp.zuid.
imperva.additional_factors additional.fields For each entry in imperva.additional_factors, create a new additional.fields entry with key additional_factors_{index} and value equal to the entry.
imperva.audit_trail.event_action security_result.detection_fields If imperva.audit_trail.event_action is not empty, create a new detection_fields entry with key imperva.audit_trail.event_action and value imperva.audit_trail.event_action_description.
imperva.audit_trail.event_action_description security_result.detection_fields Used as the value for the detection_fields entry created from imperva.audit_trail.event_action.
imperva.audit_trail.event_context security_result.detection_fields If imperva.audit_trail.event_context is not empty, create a new detection_fields entry with key imperva.audit_trail.event_context and value imperva.audit_trail.event_context_description.
imperva.audit_trail.event_context_description security_result.detection_fields Used as the value for the detection_fields entry created from imperva.audit_trail.event_context.
imperva.country principal.location.country_or_region Renamed from imperva.country.
imperva.declared_client security_result.detection_fields If imperva.declared_client is not empty, create a new detection_fields entry with key declared_client and value imperva.declared_client.
imperva.device_reputation additional.fields For each entry in imperva.device_reputation, create a new additional.fields entry with key device_reputation and a list value containing the entry.
imperva.domain_risk security_result.detection_fields If imperva.domain_risk is not empty, create a new detection_fields entry with key domain_risk and value imperva.domain_risk.
imperva.failed_logins_last_24h security_result.detection_fields Converted to string. If not empty, create a new detection_fields entry with key failed_logins_last_24h and value failed_logins_last_24h.
imperva.fingerprint security_result.detection_fields If imperva.fingerprint is not empty, create a new detection_fields entry with key log_imperva_fingerprint and value imperva.fingerprint.
imperva.ids.account_id metadata.product_log_id Renamed from imperva.ids.account_id.
imperva.ids.account_name metadata.product_event_type Renamed from imperva.ids.account_name.
imperva.ids.site_id additional.fields If imperva.ids.site_id is not empty, create a new additional.fields entry with key site_id and value imperva.ids.site_id.
imperva.ids.site_name additional.fields If imperva.ids.site_name is not empty, create a new additional.fields entry with key site_name and value imperva.ids.site_name.
imperva.referrer network.http.referral_url Renamed from imperva.referrer.
imperva.request_session_id network.session_id Renamed from imperva.request_session_id.
imperva.request_user security_result.detection_fields If imperva.request_user is not empty, create a new detection_fields entry with key request_user and value imperva.request_user.
imperva.risk_level security_result.severity_details Renamed from imperva.risk_level.
imperva.risk_reason security_result.description Renamed from imperva.risk_reason.
imperva.significant_domain_name security_result.detection_fields If imperva.significant_domain_name is not empty, create a new detection_fields entry with key significant_domain_name and value imperva.significant_domain_name.
imperva.violated_directives security_result.detection_fields For each entry in imperva.violated_directives, create a new detection_fields entry with key violated_directives and value equal to the entry.
in network.received_bytes Renamed from in. Converted to unsigned integer.
log_timestamp metadata.event_timestamp If deviceReceiptTime is empty and kv.start is empty, set to metadata.event_timestamp.
message metadata.description If message is not empty and event.provider, imperva.ids.account_name, and client.ip are all empty, set to metadata.description.
postbody security_result.detection_fields If postbody is not empty, create a new detection_fields entry with key post_body_info and value postbody.
proto network.application_protocol Renamed from proto.
protoVer network.tls.version, network.tls.cipher If protoVer is not empty, parsed to extract tls_version and tls_cipher, which are then renamed to network.tls.version and network.tls.cipher respectively.
request target.url Renamed from kv.request.
requestClientApplication network.http.user_agent Renamed from requestClientApplication.
requestMethod network.http.method Renamed from requestMethod. Converted to uppercase.
resource_id target.resource.id Renamed from resource_id.
resource_type_key target.resource.type Renamed from resource_type_key.
rt metadata.event_timestamp Parsed to extract deviceReceiptTime, which is then parsed as a date and set to metadata.event_timestamp.
security_result.action security_result.action Merged with the value of the _action field.
security_result.severity security_result.severity If sevs is error or warning, set to HIGH. If sevs is critical, set to CRITICAL. If sevs is medium or notice, set to MEDIUM. If sevs is information or info, set to LOW.
server.domain target.hostname, target.asset.hostname Renamed from server.domain.
server.geo.name target.location.name Renamed from server.geo.name.
severity security_result.threat_id Renamed from severity.
siteid security_result.detection_fields If siteid is not empty, create a new detection_fields entry with key siteid and value siteid.
sourceServiceName target.hostname Renamed from kv.sourceServiceName.
spt principal.port Renamed from kv.spt. Converted to integer.
src principal.ip, principal.asset.ip If src is not empty, merged into principal.ip and principal.asset.ip.
srcPort principal.port Renamed from srcPort. Converted to integer.
start security_result.detection_fields, metadata.event_timestamp If start is not empty, create a new detection_fields entry with key event_start_time and value start. Also parsed as a date and set to metadata.event_timestamp if deviceReceiptTime is empty.
successful_logins_last_24h security_result.detection_fields Converted to string. If not empty, create a new detection_fields entry with key successful_logins_last_24h and value successful_logins_last_24h.
suid target.user.userid Renamed from suid.
time metadata.event_timestamp Converted to string. Parsed as a date and set to metadata.event_timestamp.
type_key metadata.product_event_type Renamed from type_key.
url target.process.file.full_path If url.path is not empty or /, set to target.process.file.full_path.
url target.url Renamed from url. If qstr is not empty, appended to url with a ? separator.
user.email principal.user.email_addresses If user.email is not empty and matches regex ^.+@.+$, merged into principal.user.email_addresses.
user_agent network.http.user_agent Renamed from user_agent.
user_agent.original network.http.parsed_user_agent If user_agent.original is not empty or *, converted to parseduseragent and renamed to network.http.parsed_user_agent.
user_details principal.user.email_addresses If user_details is not empty and matches regex ^.+@.+$, merged into principal.user.email_addresses.
user_id principal.user.userid Renamed from user_id.
ver network.tls.version, network.tls.cipher If ver is not empty, parsed to extract tls_version and tls_cipher, which are then renamed to network.tls.version and network.tls.cipher respectively.
xff intermediary.ip, intermediary.asset.ip, intermediary.hostname, intermediary.asset.hostname If xff is not empty, processed to extract IP addresses and hostnames. IP addresses are merged into intermediary.ip and intermediary.asset.ip. Hostnames are set to intermediary.hostname and intermediary.asset.hostname.

Changes

2025-01-16

Enhancement:

  • Mapped log.imperva.audit_trail.resource_name to target.resource.name.

2024-11-14

Enhancement:

  • Added support to handle new log format.

2024-10-10

Enhancement:

  • Mapped metadata.vendor_name to Imperva Cloud WAF.

2024-10-03

Enhancement:

  • Mapped cn1 to network.http.response_code.

2024-09-05

Enhancement:

  • Added support to handle new log format.

2024-08-27

Enhancement:

  • Changed mapping of log.imperva.ids.account_name from metadata.product_event_type to target.user.user_display_name.

2024-06-25

Enhancement:

  • Added support to handle JSON logs.

2024-04-02

Enhancement:

  • Mapped log.imperva.request_user to security_result.detection_fields.
  • Mapped log.imperva.classified_client to security_result.detection_fields.

2024-02-26

Enhancement:

  • Mapped log.imperva.request_session_id to network.session_id.
  • Mapped `log.imperva.successful_logins_last_24h,log.imperva.path and log.imperva.failed_logins_last_24h to security_result.detection_fields.
  • Mapped log.imperva.risk_reason to security_result.severity_details and security_result.severity.
  • Mapped additional_factor,log.imperva.device_reputation and log.imperva.credentials_leaked to additional.fields.
  • Mapped log.imperva.fingerprint to security_result.description.
  • Mapped log.imperva.referrer to network.http.referral_url.
  • Mapped log.imperva.classified_client to principal.process.file.full_path

2024-02-06

Enhancement:

  • Initialized accept_encoding_label, site_name_label, random_id_label, request_type_label, accept_language_label, headers_connection_label, zuid_labels, site_id_label, policy_id, policy_name, selector_derived_id, hsig, selector, detection_fields_event_action, detection_fields_event_context, detection_fields_significant_domain_name, and detection_fields_domain_risk to null inside the for loop for json_array.

2024-01-27

Enhancement:

  • Mapped description to security_result.threat_name.
  • Mapped severity to security_result.threat_id.
  • Mapped kv.src, src and log.client.ip to principal.asset.ip.
  • Mapped kv.dst and dst to target.asset.ip.
  • Mapped kv.dvc to about.asset.ip.
  • Mapped kv.cs9 and cs9 to security_result.rule_name.
  • Mapped kv.fileType and fileType to security_result.rule_type.
  • Mapped dst to target.asset.ip.
  • Mapped xff and forwardedIp to intermediary.asset.ip.
  • Mapped log.client.domain to principal.asset.hostname.
  • Mapped log.server.domain to target.asset.hostname.

2023-10-16

Bug fix:

  • Initialized security_result and security_action to null inside the for loop for json_array.
  • Added a null check before merging security_action to security_result.action.
  • When log.imperva.abp.monitor_action is block, then mapped security_action to BLOCK.

2023-09-26

Enhancement:

  • Mapped significant_domain_name, domain_risk, violated_directives to security_result.detection_fields in CSP logs.

2023-08-07

Bug fix:

  • Added support to parse array of JSON logs.
  • Added Grok pattern to check for hostname before mapping xff to intermediary.hostname.

2023-06-16

Bug fix:

  • Mapped imperva.audit_trail.event_action to security_result.detection_fields.
  • Mapped imperva.audit_trail.event_action_description to security_result.detection_fields.
  • Mapped imperva.audit_trail.event_context to security_result.detection_fields.
  • Mapped imperva.audit_trail.event_context_description to security_result.detection_fields.
  • Fixed Timestamp parsing issues.
  • Dropped malformed logs.

2023-06-16

Bug fix:

  • Mapped imperva.audit_trail.event_action to security_result.detection_fields.
  • Mapped imperva.audit_trail.event_action_description to security_result.detection_fields.
  • Mapped imperva.audit_trail.event_context to security_result.detection_fields.
  • Mapped imperva.audit_trail.event_context_description to security_result.detection_fields.
  • Fixed Timestamp parsing issues.
  • Dropped malformed logs.

2023-06-08

Enhancement:

  • Mapped imperva.abp.apollo_rule_versions to security_result.detection_fields.
  • Mapped imperva.abp.bot_violations to security_result.detection_fields.
  • Mapped imperva.abp.bot_behaviors to security_result.detection_fields.
  • Mapped imperva.abp.bot_deciding_condition_ids to security_result.detection_fields.
  • Mapped imperva.abp.bot_deciding_condition_names to security_result.detection_fields.
  • Mapped imperva.abp.bot_triggered_condition_ids to security_result.detection_fields.
  • Mapped imperva.abp.bot_triggered_condition_names to security_result.detection_fields.

2023-04-26

Enhancement:

  • Defined the field kv.src in the statedata.
  • Mapped kvdata.ver to network.tls.version and network.tls.cipher.
  • Mapped kvdata.sip to principal.ip.
  • Mapped kvdata.spt to principal.port.
  • Mapped kvdata.act to 'security_result.action_details'.
  • Mapped kvdata.app to 'network.application_protocol'.
  • Mapped kvdata.requestMethod to network.http.method.

2023-02-04

Enhancement:

  • For field deviceReceiptTime added rebase = true in event.timestamp.

2023-01-19

Enhancement:

  • Added support to parser logs by adding following mappings.
  • Mapped event.provider to principal.user.userid.
  • Mapped client.ip to principal.ip.
  • Mapped client.domain to principal.hostname.
  • Mapped imperva.abp.request_type to principal.labels.
  • Mapped imperva.abp.pid to principal.process.pid.
  • Mapped client.geo.country_iso_code to principal.location.country_or_region.
  • Mapped server.domain to target.hostname.
  • Mapped server.geo.name to target.location.name.
  • Mapped url.path to target.process.file.full_path.
  • Mapped imperva.abp.customer_request_id to target.resource.id.
  • Mapped imperva.abp.token_id to target.resource.product_object_id.
  • Mapped imperva.abp.random_id to additional.fields.
  • Mapped http.request.method to network.http.method.
  • Mapped user_agent.original to network.http.parsed_user_agent.
  • Mapped imperva.abp.headers_referer to network.http.referral_url.
  • Mapped imperva.abp.zuid to additional.fields.
  • Mapped imperva.ids.site_name to additional.fields.
  • Mapped imperva.ids.site_id to additional.fields.
  • Mapped imperva.ids.account_name to metadata.product_event_type.
  • Mapped imperva.ids.account_id to metadata.product_log_id.
  • Mapped imperva.abp.headers_accept_encoding to security_result.detection_fields.
  • Mapped imperva.abp.headers_accept_language to security_result.detection_fields.
  • Mapped imperva.abp.headers_connection to security_result.detection_fields
  • Mapped imperva.abp.policy_id to security_result.detection_fields.
  • Mapped imperva.abp.policy_name to security_result.detection_fields.
  • Mapped imperva.abp.selector_derived_id to security_result.detection_fields.
  • Mapped imperva.abp.monitor_action to security_result.action.

2022-06-28

Enhancement:

  • Mapped vendor.name = Imperva and product.name = Web Application Firewall for all logs
  • Changed metadata.event_type where the src is Distributed from GENERIC_EVENT to USER_UNCATEGORIZED
  • Changed metadata.event_type to USER_UNCATEGORIZED to USER_STATS

2022-06-20

  • Modified grok pattern for field rt.
  • Bug-fix - Improvements to security_result.action.
  • REQ_PASSED: If the request was routed to the site's web server (security_result.action = 'ALLOW').
  • REQ_CACHED_X: If a response was returned from the data center's cache (security_result.action = 'ALLOW').
  • REQ_BAD_X: If a protocol or network error occurred (security_result.action = 'FAIL').
  • REQ_CHALLENGE_X: If a challenge was returned to the client (security_result.action = 'BLOCK').
  • REQ_BLOCKED_X: If the request was blocked (security_result.action = 'BLOCK').

2022-06-14

Bug fix:

  • Added gsub and modified the kv filter to avoid incorrect mapping of fields 'cs1Label', 'cs2Label', 'cs3Label' mapped to UDM field 'security_result.detection_fields'.

2022-05-26

Bug fix:

  • Removed key name and colon character from the value of the detection fields.

2022-05-10

Enhancement:

  • Mapped the following fields:
  • 'cs1', 'cs2', 'cs3', 'cs4', 'cs5', 'fileType', 'filePermission' to 'security_result.detection_fields'.
  • 'cs7' to 'principal.location.region_latitude'.
  • 'cs8' to 'principal.location.region_longitude'.
  • 'cn1', 'cn2' to 'security_result.detection_fields' for CEF format logs.
  • 'act' to 'security_result.action' and 'security_result.action_details' for CEF format logs.
  • 'app' to 'network.application_protocol' for CEF format logs.
  • 'requestClientApplication' to 'network.http.user_agent' for CEF format logs.
  • 'dvc' to 'about.ip' for CEF format logs.

Need more help? Get answers from Community members and Google SecOps professionals.