Collect Imperva Incapsula Web Application Firewall logs
This document describes how you can ingest Imperva Incapsula Web Application Firewall logs by setting up a Google Security Operations feed.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with the IMPERVA_WAF
ingestion label.
Configure Incapsula WAF
- Sign in to my.imperva.com with a reader account.
- Select Management > Users > Add User. Only users with the account administrator or other required permissions can add a new user to the account. A verification email is sent to the listed addresses of the user and the account administrator.
Click the link in the email to verify the email address of the new user and set a login password.
Generate the API ID and API key of reader user
- Sign in to the my.imperva.com account.
- Navigate to Management and select Users.
- Select a user with the reader role.
- Navigate to Setting and select API Keys.
- Provide a name for the API key.
- In the API key will expire in list, select Never.
- To enable the status, select Status.
- Click Save.
- Copy and save the API key and API ID from the dialog that appears. You require the API key and API ID when you configure the Google Security Operations feed.
- Optional: You can provide a list of approved IP addresses or leave it blank.
Configure a feed in Google Security Operations to ingest Imperva Incapsula Web Application Firewall logs
- Select SIEM Settings > Feeds.
- Click Add new.
- Enter a unique name for the Feed name.
- Select Third party API as the Source Type.
- Select Imperva as the Log Type.
- Provide the API ID and API key in Authentication HTTP Header Configuration.
- Click Next and then click Submit.
For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type.
If you encounter issues when you create feeds, contact Google Security Operations support.
Field mapping reference
This parser handles both CEF (Common Event Format) and LEEF (Log Event Extended Format) formatted logs from Imperva Web Application Firewall (WAF), as well as JSON formatted logs. It extracts fields, performs data transformations, and maps the data to the UDM based on the log format detected. The parser also handles specific Imperva event types like "Attack Analytics" and various actions like "allow", "block", and "deny", mapping them to appropriate UDM fields.
Imperva Parser UDM mapping table
Log Field | UDM Mapping | Logic |
---|---|---|
account_id |
target.user.userid |
The account ID from the JSON payload is mapped to the target user's ID. |
act |
security_result.action (ALLOW/BLOCK/FAIL/UNKNOWN), security_result.action_details |
The act field determines the UDM action and action details. allowed , alert , REQ_PASSED , REQ_CACHED map to ALLOW. deny , blocked , REQ_BLOCKED , REQ_CHALLENGE map to BLOCK. REQ_BAD maps to FAIL. Action details provide further context based on the specific act value. |
additionalReqHeaders |
Not Mapped | These headers are not currently mapped to the IDM object. |
additionalResHeaders |
Not Mapped | These headers are not currently mapped to the IDM object. |
app |
network.application_protocol |
The application protocol (e.g., HTTP, HTTPS) is extracted from the app field and uppercased. |
calCountryOrRegion |
principal.location.country_or_region |
Country or region code extracted from the LEEF data. |
cat |
security_result.action (ALLOW/BLOCK/FAIL/UNKNOWN), security_result.action_details |
Similar logic to act for determining action and action details in LEEF format. |
ccode |
Not Mapped | This field is not currently mapped to the IDM object. |
ccpt |
Not Mapped | This field is not currently mapped to the IDM object. |
cef_version |
Not Mapped | Internal use only. |
cicode |
principal.location.city |
City information extracted from the LEEF data. |
client.domain |
principal.hostname , principal.asset.hostname |
Client domain from JSON payload. |
client.geo.country_iso_code |
principal.location.country_or_region |
Country code from JSON payload. |
client.ip |
principal.ip , principal.asset.ip |
Client IP from JSON payload. |
cn1 |
network.http.response_code |
HTTP response code extracted from LEEF or CEF data. Converted to integer. |
context_key |
target.resource.name |
Context key from JSON payload, used as resource name. |
cpt |
Not Mapped | This field is not currently mapped to the IDM object. |
cs1 |
security_result.detection_fields |
If present and not "N/A", creates a detection field with key from cs1Label and value from cs1 . |
cs2 |
security_result.detection_fields |
Creates a detection field with key from cs2Label and value from cs2 . |
cs3 |
security_result.detection_fields |
If present and not "-", creates a detection field with key from cs3Label and value from cs3 . |
cs4 |
security_result.detection_fields |
Creates a detection field with key from cs4Label and value from cs4 . |
cs5 |
security_result.detection_fields |
Creates a detection field with key from cs5Label and value from cs5 . |
cs6 |
principal.application |
Application used by the principal, extracted from LEEF data. |
cs7 |
principal.location.region_latitude |
Latitude extracted from LEEF or CEF data. Converted to float. |
cs8 |
principal.location.region_longitude |
Longitude extracted from LEEF or CEF data. Converted to float. |
cs9 |
security_result.rule_name , extensions.vulns.vulnerabilities.name |
Rule name or vulnerability name, depending on the log format. |
Customer |
target.user.user_display_name |
Customer name from LEEF data, mapped to target user display name. |
data |
Various (see other fields) | The raw log data field containing CEF, LEEF, or JSON. |
description |
security_result.threat_name (CEF), metadata.description (Attack Analytics) |
Description from CEF or Attack Analytics logs, mapped to threat name or metadata description. |
deviceExternalId |
network.community_id |
Device ID from LEEF data, mapped to network community ID. |
deviceFacility |
Not Mapped | This field is not currently mapped to the IDM object. |
deviceReceiptTime |
metadata.event_timestamp |
Timestamp extracted from various fields (rt , start , log_timestamp ) depending on availability and format. Parsed using the date filter. |
dhost |
target.hostname |
Destination hostname from CEF data. |
dproc |
security_result.category_details |
Device process (e.g., Browser, Bot) from LEEF data. |
dst |
target.ip , target.asset.ip |
Destination IP from CEF or LEEF data. |
dpt |
target.port |
Destination port from CEF data. Converted to integer. |
duser |
target.user.userid |
Destination user ID from CEF data. |
end |
security_result.detection_fields |
Creates a detection field with key "event_end_time" and value from end . |
event.id |
Not Mapped | This field is not currently mapped to the IDM object. |
event_attributes |
Various (see other fields) | Attributes extracted from LEEF data. |
event_id |
Not Mapped | Internal use only. |
fileId |
network.session_id |
File ID from LEEF data, mapped to network session ID. |
filePermission |
security_result.detection_fields , security_result.rule_type |
File permission from LEEF data, used as a detection field and rule type. |
fileType |
security_result.detection_fields , security_result.rule_type |
File type from LEEF data, used as a detection field and rule type. |
flexString1 |
network.http.response_code |
Response code from CEF data. Converted to integer. |
http.request.body.bytes |
network.sent_bytes |
Bytes sent in the HTTP request body from JSON payload. Converted to unsigned integer. |
http.request.method |
network.http.method |
HTTP request method from JSON payload. |
imperva.abp.apollo_rule_versions |
security_result.detection_fields |
Creates detection fields for each Apollo rule version. |
imperva.abp.bot_behaviors |
security_result.detection_fields |
Creates detection fields for each bot behavior. |
imperva.abp.bot_deciding_condition_ids |
security_result.detection_fields |
Creates detection fields for each bot deciding condition ID. |
imperva.abp.bot_deciding_condition_names |
security_result.detection_fields |
Creates detection fields for each bot deciding condition name. |
imperva.abp.bot_triggered_condition_ids |
security_result.detection_fields |
Creates detection fields for each bot triggered condition ID. |
imperva.abp.bot_triggered_condition_names |
security_result.detection_fields |
Creates detection fields for each bot triggered condition name. |
imperva.abp.bot_violations |
security_result.detection_fields |
Creates detection fields for each bot violation. |
imperva.abp.customer_request_id |
network.session_id |
Customer request ID from JSON payload, used as network session ID. |
imperva.abp.deciding_tags |
Not Mapped | These tags are not currently mapped to the IDM object. |
imperva.abp.hsig |
security_result.detection_fields |
Creates a detection field with key "hsig" and value from imperva.abp.hsig . |
imperva.abp.headers_accept |
Not Mapped | This field is not currently mapped to the IDM object. |
imperva.abp.headers_accept_charset |
Not Mapped | This field is not currently mapped to the IDM object. |
imperva.abp.header_names |
Not Mapped | These header names are not currently mapped to the IDM object. |
imperva.abp.headers_cookie_length |
Not Mapped | This field is not currently mapped to the IDM object. |
imperva.abp.header_lengths |
Not Mapped | These header lengths are not currently mapped to the IDM object. |
imperva.abp.monitor_action |
security_result.action (ALLOW/BLOCK), security_result.severity (INFORMATIONAL) |
Monitor action from JSON payload. "allow" maps to ALLOW and INFORMATIONAL severity. "captcha" and "block" map to BLOCK. |
imperva.abp.pid |
principal.process.pid |
Process ID from JSON payload. |
imperva.abp.policy_id |
security_result.detection_fields |
Creates a detection field with key "Policy Id" and value from imperva.abp.policy_id . |
imperva.abp.policy_name |
security_result.detection_fields |
Creates a detection field with key "Policy Name" and value from imperva.abp.policy_name . |
imperva.abp.random_id |
additional.fields |
Creates an additional field with key "Random Id" and value from imperva.abp.random_id . |
imperva.abp.request_path_decoded |
target.process.file.full_path |
Decoded request path from JSON payload, used as process path. |
imperva.abp.request_type |
principal.labels |
Request type from JSON payload, used as a principal label. |
imperva.abp.selector |
security_result.detection_fields |
Creates a detection field with key "selector" and value from imperva.abp.selector . |
imperva.abp.selector_derived_id |
security_result.detection_fields |
Creates a detection field with key "selector_derived_id" and value from imperva.abp.selector_derived_id . |
imperva.abp.tls_fingerprint |
security_result.description |
TLS fingerprint from JSON payload, used as security result description. |
imperva.abp.triggered_tags |
Not Mapped | These tags are not currently mapped to the IDM object. |
imperva.abp.zuid |
additional.fields |
Creates an additional field with key "zuid" and value from imperva.abp.zuid . |
imperva.additional_factors |
additional.fields |
Creates additional fields for each additional factor. |
imperva.audit_trail.event_action |
security_result.detection_fields |
Creates a detection field with key from event_action and value from event_action_description . |
imperva.audit_trail.event_action_description |
security_result.detection_fields |
Used as the value for the detection field created from event_action . |
imperva.audit_trail.event_context |
security_result.detection_fields |
Creates a detection field with key from event_context and value from event_context_description . |
imperva.audit_trail.event_context_description |
security_result.detection_fields |
Used as the value for the detection field created from event_context . |
imperva.classified_client |
security_result.detection_fields |
Creates a detection field with key "classified_client" and value from imperva.classified_client . |
imperva.country |
principal.location.country_or_region |
Country code from JSON payload. |
imperva.credentials_leaked |
security_result.detection_fields |
Creates a detection field with key "credentials_leaked" and value from imperva.credentials_leaked . |
imperva.declared_client |
security_result.detection_fields |
Creates a detection field with key "declared_client" and value from imperva.declared_client . |
imperva.device_reputation |
additional.fields |
Creates an additional field with key "device_reputation" and a list of values from imperva.device_reputation . |
imperva.domain_risk |
security_result.detection_fields |
Creates a detection field with key "domain_risk" and value from imperva.domain_risk . |
imperva.failed_logins_last_24h |
security_result.detection_fields |
Creates a detection field with key "failed_logins_last_24h" and value from imperva.failed_logins_last_24h . |
imperva.fingerprint |
security_result.detection_fields |
Creates a detection field with key "log_imperva_fingerprint" and value from imperva.fingerprint . |
imperva.ids.account_id |
metadata.product_log_id |
Account ID from JSON payload, used as product log ID. |
imperva.ids.account_name |
metadata.product_event_type |
Account name from JSON payload, used as product event type. |
imperva.ids.site_id |
additional.fields |
Creates an additional field with key "site_id" and value from imperva.ids.site_id . |
imperva.ids.site_name |
additional.fields |
Creates an additional field with key "site_name" and value from imperva.ids.site_name . |
imperva.referrer |
network.http.referral_url |
Referrer URL from JSON payload. |
imperva.request_id |
network.session_id |
Request ID from JSON payload, used as network session ID. |
imperva.request_session_id |
network.session_id |
Request session ID from JSON payload, used as network session ID. |
imperva.request_user |
security_result.detection_fields |
Creates a detection field with key "request_user" and value from imperva.request_user . |
imperva.risk_level |
security_result.severity (HIGH/CRITICAL/MEDIUM/LOW), security_result.severity_details |
Risk level from JSON payload. Mapped to UDM severity. Also used as severity details. |
imperva.risk_reason |
security_result.description |
Risk reason from JSON payload, used as security result description. |
imperva.significant_domain_name |
security_result.detection_fields |
Creates a detection field with key "significant_domain_name" and value from imperva.significant_domain_name . |
imperva.successful_logins_last_24h |
security_result.detection_fields |
Creates a detection field with key "successful_logins_last_24h" and value from imperva.successful_logins_last_24h . |
imperva.violated_directives |
security_result.detection_fields |
Creates detection fields for each violated directive. |
in |
network.received_bytes |
Bytes received on the network from LEEF data. Converted to unsigned integer. |
leef_version |
Not Mapped | Internal use only. |
log.@timestamp |
metadata.event_timestamp |
Timestamp from JSON payload, parsed using the date filter. Used if log.time is not available. |
log.client.geo.country_iso_code |
principal.location.country_or_region |
Country code from nested JSON payload. |
log.client.ip |
principal.ip , principal.asset.ip |
Client IP from nested JSON payload. |
log.context_key |
target.resource.name |
Context key from nested JSON payload, used as resource name. |
log.event.provider |
principal.user.user_display_name |
Event provider from nested JSON payload, used as principal user display name. |
log.http.request.body.bytes |
network.sent_bytes |
Request body bytes from nested JSON payload. Converted to unsigned integer. |
log.http.request.method |
network.http.method , network.application_protocol (HTTP) |
HTTP method from nested JSON payload. If present, sets application protocol to HTTP. |
log.imperva.abp.bot_behaviors |
security_result.detection_fields |
Creates detection fields for each bot behavior from nested JSON payload. |
log.imperva.abp.bot_deciding_condition_ids |
security_result.detection_fields |
Creates detection fields for each bot deciding condition ID from nested JSON payload. |
log.imperva.abp.bot_deciding_condition_names |
security_result.detection_fields |
Creates detection fields for each bot deciding condition name from nested JSON payload. |
log.imperva.abp.bot_triggered_condition_ids |
security_result.detection_fields |
Creates detection fields for each bot triggered condition ID from nested JSON payload. |
log.imperva.abp.bot_triggered_condition_names |
security_result.detection_fields |
Creates detection fields for each bot triggered condition name from nested JSON payload. |
log.imperva.abp.bot_violations |
security_result.detection_fields |
Creates detection fields for each bot violation from nested JSON payload. |
log.imperva.abp.customer_request_id |
network.session_id |
Customer request ID from nested JSON payload, used as network session ID. |
log.imperva.abp.headers_accept |
Not Mapped | This field is not currently mapped to the IDM object. |
log.imperva.abp.headers_accept_charset |
Not Mapped | This field is not currently mapped to the IDM object. |
log.imperva.abp.headers_accept_encoding |
security_result.detection_fields |
Creates a detection field with key "Accept Encoding" and value from log.imperva.abp.headers_accept_encoding . |
log.imperva.abp.headers_accept_language |
security_result.detection_fields |
Creates a detection field with key "Accept Language" and value from log.imperva.abp.headers_accept_language . |
log.imperva.abp.headers_cf_connecting_ip |
Not Mapped | This field is not currently mapped to the IDM object. |
log.imperva.abp.headers_connection |
security_result.detection_fields |
Creates a detection field with key "headers_connection" and value from log.imperva.abp.headers_connection . |
log.imperva.abp.headers_cookie_length |
Not Mapped | This field is not currently mapped to the IDM object. |
log.imperva.abp.headers_host |
Not Mapped | This field is not currently mapped to the IDM object. |
log.imperva.abp.header_lengths |
Not Mapped | These header lengths are not currently mapped to the IDM object. |
log.imperva.abp.header_names |
Not Mapped | These header names are not currently mapped to the IDM object. |
log.imperva.abp.hsig |
security_result.detection_fields |
Creates a detection field with key "hsig" and value from log.imperva.abp.hsig . |
log.imperva.abp.monitor_action |
security_result.action (ALLOW/BLOCK), security_result.severity (INFORMATIONAL) |
Monitor action from nested JSON payload. "allow" maps to ALLOW and INFORMATIONAL severity. "captcha" and "block" map to BLOCK. |
log.imperva.abp.pid |
principal.process.pid |
Process ID from nested JSON payload. |
log.imperva.abp.policy_id |
security_result.detection_fields |
Creates a detection field with key "Policy Id" and value from log.imperva.abp.policy_id . |
log.imperva.abp.policy_name |
security_result.detection_fields |
Creates a detection field with key "Policy Name" and value from log.imperva.abp.policy_name . |
log.imperva.abp.random_id |
additional.fields |
Creates an additional field with key "Random Id" and value from log.imperva.abp.random_id . |
log.imperva.abp.request_path_decoded |
target.process.file.full_path |
Decoded request path from nested JSON payload, used as process path. |
log.imperva.abp.request_type |
principal.labels |
Request type from nested JSON payload, used as a principal label. |
log.imperva.abp.selector |
security_result.detection_fields |
Creates a detection field with key "selector" and value from log.imperva.abp.selector . |
log.imperva.abp.selector_derived_id |
security_result.detection_fields |
Creates a detection field with key "selector_derived_id" and value from log.imperva.abp.selector_derived_id . |
log.imperva.abp.tls_fingerprint |
security_result.description |
TLS fingerprint from nested JSON payload, used as security result description. |
log.imperva.abp.token_expire |
Not Mapped | This field is not currently mapped to the IDM object. |
log.imperva.abp.token_id |
target.resource.product_object_id |
Token ID from nested JSON payload, used as resource product object ID. |
log.imperva.abp.triggered_tags |
Not Mapped | These tags are not currently mapped to the IDM object. |
log.imperva.abp.zuid |
additional.fields |
Creates an additional field with key "zuid" and value from log.imperva.abp.zuid . |
log.imperva.additional_factors |
additional.fields |
Creates additional fields for each additional factor from nested JSON payload. |
log.imperva.audit_trail.event_action |
security_result.detection_fields |
Creates a detection field with key from event_action and value from event_action_description from nested JSON payload. |
log.imperva.audit_trail.event_action_description |
security_result.detection_fields |
Used as the value for the detection field created from event_action from nested JSON payload. |
log.imperva.audit_trail.event_context |
security_result.detection_fields |
Creates a detection field with key from event_context and value from event_context_description from nested JSON payload. |
log.imperva.audit_trail.event_context_description |
security_result.detection_fields |
Used as the value for the detection field created from event_context from nested JSON payload. |
log.imperva.classified_client |
security_result.detection_fields |
Creates a detection field with key "classified_client" and value from log.imperva.classified_client . |
log.imperva.country |
principal.location.country_or_region |
Country code from nested JSON payload. |
log.imperva.credentials_leaked |
security_result.detection_fields |
Creates a detection field with key "credentials_leaked" and value from log.imperva.credentials_leaked . |
log.imperva.declared_client |
security_result.detection_fields |
Creates a detection field with key "declared_client" and value from log.imperva.declared_client . |
log.imperva.device_reputation |
additional.fields |
Creates an additional field with key "device_reputation" and a list of values from log.imperva.device_reputation . |
log.imperva.domain_risk |
security_result.detection_fields |
Creates a detection field with key "domain_risk" and value from log.imperva.domain_risk . |
log.imperva.failed_logins_last_24h |
security_result.detection_fields |
Creates a detection field with key "failed_logins_last_24h" and value from log.imperva.failed_logins_last_24h . |
log.imperva.fingerprint |
security_result.detection_fields |
Creates a detection field with key "log_imperva_fingerprint" and value from log.imperva.fingerprint . |
log.imperva.ids.account_id |
metadata.product_log_id |
Account ID from nested JSON payload, used as product log ID. |
log.imperva.ids.account_name |
metadata.product_event_type |
Account name from nested JSON payload, used as product event type. |
log.imperva.ids.site_id |
additional.fields |
Creates an additional field with key "site_id" and value from log.imperva.ids.site_id . |
log.imperva.ids.site_name |
additional.fields |
Creates an additional field with key "site_name" and value from log.imperva.ids.site_name . |
log.imperva.path |
principal.process.file.full_path |
Path from nested JSON payload, used as process path. |
log.imperva.referrer |
network.http.referral_url |
Referrer URL from nested JSON payload. |
log.imperva.request_id |
network.session_id |
Request ID from nested JSON payload, used as network session ID. |
log.imperva.request_session_id |
network.session_id |
Request session ID from nested JSON payload, used as network session ID. |
log.imperva.request_user |
security_result.detection_fields |
Creates a detection field with key "request_user" and value from log.imperva.request_user . |
log.imperva.risk_level |
security_result.severity (HIGH/CRITICAL/MEDIUM/LOW), security_result.severity_details |
Risk level from nested JSON payload. Mapped to UDM severity. Also used as severity details. |
log.imperva.risk_reason |
security_result.description |
Risk reason from nested JSON payload, used as security result description. |
log.imperva.significant_domain_name |
security_result.detection_fields |
Creates a detection field with key "significant_domain_name" and value from log.imperva.significant_domain_name . |
log.imperva.successful_logins_last_24h |
security_result.detection_fields |
Creates a detection field with key "successful_logins_last_24h" and value from log.imperva.successful_logins_last_24h . |
log.imperva.violated_directives |
security_result.detection_fields |
Creates detection fields for each violated directive from nested JSON payload. |
log.message |
metadata.description |
Message from nested JSON payload, used as metadata description if no other description is available. |
log.resource_id |
target.resource.id |
Resource ID from nested JSON payload. |
log.resource_type_key |
target.resource.type |
Resource type key from nested JSON payload. |
log.server.domain |
target.hostname , target.asset.hostname |
Server domain from nested JSON payload. |
log.server.geo.name |
target.location.name |
Server location name from nested JSON payload. |
log.time |
metadata.event_timestamp |
Timestamp from nested JSON payload, parsed using the date filter. |
log.type_key |
metadata.product_event_type |
Type key from nested JSON payload, used as product event type. |
log.user.email |
principal.user.email_addresses |
User email from nested JSON payload. |
log.user_agent.original |
network.http.parsed_user_agent |
User agent from nested JSON payload, parsed using the useragent filter. |
log.user_details |
principal.user.email_addresses |
User details from nested JSON payload, used as email address if it matches email format. |
log.user_id |
principal.user.userid |
User ID from nested JSON payload. |
log_timestamp |
metadata.event_timestamp |
Log timestamp from syslog, used as event timestamp if other timestamps are not available. |
log_type |
Not Mapped | Internal use only. |
message |
Various (see other fields) | The message field containing the log data. |
metadata.event_type |
metadata.event_type |
Set to "NETWORK_HTTP" for CEF and JSON logs, "SCAN_UNCATEGORIZED" for Attack Analytics logs, "USER_UNCATEGORIZED" if src is "Distributed", "USER_STATS" for JSON logs with type_key , "STATUS_UPDATE" for JSON logs with client IP or domain and server domain, and "GENERIC_EVENT" for other JSON logs. |
metadata.log_type |
metadata.log_type |
Set to "IMPERVA_WAF". |
metadata.product_event_type |
metadata.product_event_type |
Populated from various fields depending on the log format (csv.event_id , log.imperva.ids.account_name , log.type_key ). |
metadata.product_name |
metadata.product_name |
Set to "Web Application Firewall". |
metadata.vendor_name |
metadata.vendor_name |
Set to "Imperva". |
msg |
Not Mapped | This field is not currently mapped to the IDM object. |
organization |
Not Mapped | Internal use only. |
payload |
Various (see other fields) | Payload extracted from CEF data. |
popName |
intermediary.location.country_or_region |
PoP name from LEEF data, mapped to intermediary location. |
postbody |
security_result.detection_fields |
Creates a detection field with key "post_body_info" and value from postbody . |
product_version |
Not Mapped | Internal use only. |
proto |
network.application_protocol |
Protocol from LEEF data, mapped to network application protocol. |
protoVer |
network.tls.version , network.tls.cipher |
Protocol version from LEEF data, parsed to extract TLS version and cipher. |
qstr |
Appended to target.url |
Query string from LEEF data, appended to the target URL. |
ref |
network.http.referral_url |
Referral URL from LEEF data. |
request |
target.url |
Request URL from CEF data. |
requestClientApplication |
network.http.user_agent |
Request client application from LEEF or CEF data, mapped to network HTTP user agent. |
requestContext |
network.http.user_agent |
Request context from CEF data, mapped to network HTTP user agent. |
requestMethod |
network.http.method |
Request method from LEEF or CEF data, mapped to network HTTP method and uppercased. |
resource_id |
target.resource.id |
Resource ID from JSON payload. |
resource_type_key |
target.resource.type |
Resource type key from JSON payload. |
rt |
metadata.event_timestamp |
Receipt time from CEF data, used as event timestamp. |
security_result.action |
security_result.action |
Set based on the value of act or cat . |
security_result.action_details |
security_result.action_details |
Provides additional context based on the value of act or cat . |
security_result.category_details |
security_result.category_details |
Set to the value of dproc . |
security_result.detection_fields |
security_result.detection_fields |
Contains various key-value pairs extracted from the log data. |
security_result.description |
security_result.description |
Set to the value of imperva.risk_reason or log.imperva.abp.tls_fingerprint . |
security_result.rule_name |
security_result.rule_name |
Set to the value of cs9 . |
security_result.rule_type |
security_result.rule_type |
Set to the value of fileType . |
security_result.severity |
security_result.severity |
Set based on the value of sevs or imperva.risk_level . |
security_result.severity_details |
security_result.severity_details |
Set to the value of imperva.risk_level . |
security_result.threat_id |
Changes
2024-04-02
- Mapped "log.imperva.request_user" to "security_result.detection_fields".
- Mapped "log.imperva.classified_client" to "security_result.detection_fields".
2024-02-26
- Mapped "log.imperva.request_session_id" to "network.session_id".
- Mapped ""log.imperva.successful_logins_last_24h","log.imperva.path" and "log.imperva.failed_logins_last_24h" to "security_result.detection_fields".
- Mapped "log.imperva.risk_reason" to "security_result.severity_details" and "security_result.severity".
- Mapped "additional_factor","log.imperva.device_reputation" and "log.imperva.credentials_leaked" to "additional.fields".
- Mapped "log.imperva.fingerprint" to "security_result.description".
- Mapped "log.imperva.referrer" to "network.http.referral_url".
- Mapped "log.imperva.classified_client" to "principal.process.file.full_path"
2024-02-06
- Initialized "accept_encoding_label", "site_name_label", "random_id_label", "request_type_label", "accept_language_label", "headers_connection_label", "zuid_labels", "site_id_label", "policy_id", "policy_name", "selector_derived_id", "hsig", "selector", "detection_fields_event_action", "detection_fields_event_context", "detection_fields_significant_domain_name", and "detection_fields_domain_risk" to null inside the "for loop" for json_array.
2024-01-27
- Mapped "description" to "security_result.threat_name".
- Mapped "severity" to "security_result.threat_id".
- Mapped "kv.src", "src" and "log.client.ip" to "principal.asset.ip".
- Mapped "kv.dst" and "dst" to "target.asset.ip".
- Mapped "kv.dvc" to "about.asset.ip".
- Mapped "kv.cs9" and "cs9" to "security_result.rule_name".
- Mapped "kv.fileType" and "fileType" to "security_result.rule_type".
- Mapped "dst" to "target.asset.ip".
- Mapped "xff" and "forwardedIp" to "intermediary.asset.ip".
- Mapped "log.client.domain" to "principal.asset.hostname".
- Mapped "log.server.domain" to "target.asset.hostname".
2023-10-16
- Bug-Fix:
- Initialized "security_result" and "security_action" to null inside the "for loop" for json_array.
- Added a null check before merging "security_action" to "security_result.action".
- When "log.imperva.abp.monitor_action" is "block", then mapped "security_action" to "BLOCK".
2023-09-26
- Mapped "significant_domain_name", "domain_risk", "violated_directives" to "security_result.detection_fields" in CSP logs.
2023-08-07
- Bug-fix -
- Added support to parse array of JSON logs.
- Added Grok pattern to check for hostname before mapping "xff" to "intermediary.hostname".
2023-06-16
- Resolved presubmit issue due to single on_error for two fields.
2023-06-16
- Bug-fix -
- Mapped "imperva.audit_trail.event_action" to "security_result.detection_fields".
- Mapped "imperva.audit_trail.event_action_description" to "security_result.detection_fields".
- Mapped "imperva.audit_trail.event_context" to "security_result.detection_fields".
- Mapped "imperva.audit_trail.event_context_description" to "security_result.detection_fields".
- Fixed Timestamp parsing issues.
- Dropped malformed logs.
2023-06-08
- Enhancement -
- Mapped "imperva.abp.apollo_rule_versions" to "security_result.detection_fields".
- Mapped "imperva.abp.bot_violations" to "security_result.detection_fields".
- Mapped "imperva.abp.bot_behaviors" to "security_result.detection_fields".
- Mapped "imperva.abp.bot_deciding_condition_ids" to "security_result.detection_fields".
- Mapped "imperva.abp.bot_deciding_condition_names " to "security_result.detection_fields".
- Mapped "imperva.abp.bot_triggered_condition_ids" to "security_result.detection_fields".
- Mapped "imperva.abp.bot_triggered_condition_names" to "security_result.detection_fields".
2023-04-26
- Enhancement -
- Defined the field "kv.src" in the statedata.
- Mapped "kvdata.ver" to "network.tls.version" and network.tls.cipher.
- Mapped "kvdata.sip" to "principal.ip".
- Mapped "kvdata.spt" to "principal.port".
- Mapped "kvdata.act" to 'security_result.action_details'.
- Mapped "kvdata.app" to 'network.application_protocol'.
- Mapped "kvdata.requestMethod" to "network.http.method".
2023-02-04
- Enhancement -
- For field "deviceReceiptTime" added rebase = true in "event.timestamp".
2023-01-19
- Enhancement -
- Added support to parser logs by adding following mappings.
- Mapped "event.provider" to "principal.user.userid".
- Mapped "client.ip" to "principal.ip".
- Mapped "client.domain" to "principal.hostname".
- Mapped "imperva.abp.request_type" to "principal.labels".
- Mapped "imperva.abp.pid" to "principal.process.pid".
- Mapped "client.geo.country_iso_code" to "principal.location.country_or_region".
- Mapped "server.domain" to "target.hostname".
- Mapped "server.geo.name" to "target.location.name".
- Mapped "url.path" to "target.process.file.full_path".
- Mapped "imperva.abp.customer_request_id" to "target.resource.id".
- Mapped "imperva.abp.token_id" to "target.resource.product_object_id".
- Mapped "imperva.abp.random_id" to "additional.fields".
- Mapped "http.request.method" to "network.http.method".
- Mapped "user_agent.original" to "network.http.parsed_user_agent".
- Mapped "imperva.abp.headers_referer" to "network.http.referral_url".
- Mapped "imperva.abp.zuid" to "additional.fields".
- Mapped "imperva.ids.site_name" to "additional.fields".
- Mapped "imperva.ids.site_id" to "additional.fields".
- Mapped "imperva.ids.account_name" to "metadata.product_event_type".
- Mapped "imperva.ids.account_id" to "metadata.product_log_id".
- Mapped "imperva.abp.headers_accept_encoding" to "security_result.detection_fields".
- Mapped "imperva.abp.headers_accept_language" to "security_result.detection_fields".
- Mapped "imperva.abp.headers_connection" to "security_result.detection_fields"
- Mapped "imperva.abp.policy_id" to "security_result.detection_fields".
- Mapped "imperva.abp.policy_name" to "security_result.detection_fields".
- Mapped "imperva.abp.selector_derived_id" to "security_result.detection_fields".
- Mapped "imperva.abp.monitor_action" to "security_result.action".
2022-06-28
- Enhancement -
- Mapped vendor.name = Imperva and product.name = Web Application Firewall for all logs
- Changed "metadata.event_type" where the "src" is "Distributed" from "GENERIC_EVENT" to "USER_UNCATEGORIZED"
- Changed "metadata.event_type" to "USER_UNCATEGORIZED" to "USER_STATS"
2022-06-20
- Modified grok pattern for field "rt".
- Bug-fix - Improvements to security_result.action.
- REQ_PASSED: If the request was routed to the site's web server (security_result.action = 'ALLOW').
- REQ_CACHED_X: If a response was returned from the data center's cache (security_result.action = 'ALLOW').
- REQ_BAD_X: If a protocol or network error occurred (security_result.action = 'FAIL').
- REQ_CHALLENGE_X: If a challenge was returned to the client (security_result.action = 'BLOCK').
- REQ_BLOCKED_X: If the request was blocked (security_result.action = 'BLOCK').
2022-06-14
- Bug-fix - Added gsub and modified the kv filter to avoid incorrect mapping of fields 'cs1Label', 'cs2Label', 'cs3Label' mapped to UDM field 'security_result.detection_fields'.
2022-05-26
- Bug-fix - Removed key name and colon character from the value of the detection fields.
2022-05-10
- Enhancement - Mapped the following fields:
- 'cs1', 'cs2', 'cs3', 'cs4', 'cs5', 'fileType', 'filePermission' to 'security_result.detection_fields'.
- 'cs7' to 'principal.location.region_latitude'.
- 'cs8' to 'principal.location.region_longitude'.
- 'cn1', 'cn2' to 'security_result.detection_fields' for CEF format logs.
- 'act' to 'security_result.action' and 'security_result.action_details' for CEF format logs.
- 'app' to 'network.application_protocol' for CEF format logs.
- 'requestClientApplication' to 'network.http.user_agent' for CEF format logs.
- 'dvc' to 'about.ip' for CEF format logs.