Imperva

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types	3rd party detection	IOC search	Search	Table name	Log format	Collection method
Impreva Cloud WAF (Incapsula) Logs		✅	✅	imperva_waf_logs	CEF	S3
Impreva On-Prem WAF (SecureSphere) Logs		✅	✅	imperva_secure_sphere_waf	CEF	S3
Imperva Attack Analytics	✅	✅		imperva_attack_analytics	CEF	S3
Imperva Advanced Bot Protection logs		✅	✅	imperva_nrt	NDJSON	S3

Overview

Imperva is a cybersecurity company specializing in protecting critical data and applications. It offers solutions like Web Application Firewalls (WAF), DDoS protection, API security, and data protection to safeguard against cyber threats. Imperva ensures compliance, performance, and security for on-premises, cloud, and hybrid environments.

Supported data types

Impreva Cloud WAF (Incapsula) Logs

Overview

Table name: imperva_waf_logs

Retrieve your Imperva access and event logs from the Imperva cloud repository and archive or push these events into your SIEM solution. These contain Security logs (detailed alert for each suspicious event detected by the Imperva proxy) and Access logs (specify every request and response sent between your customers and the Imperva proxy).

Learn more here.

Send data to Hunters

Hunters supports the ingestion of Impreva Cloud WAF logs via an intermediary AWS S3 bucket.

To connect Impreva Cloud WAF logs:

Export your logs from Impreva to an AWS S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in CEF format.

CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=1021021021021021 sourceServiceName=www.test.com siteid=59269999 suid=1733444 requestClientApplication=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0 deviceFacility=aaa cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=abcd-abcd-abcd-abcd-abcd cs4Label=VID cs5=abcdeabcdeabcdeabcdeabcdevabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcdeabcde cs5Label=clappsig dproc=Browser cs6=Microsoft Edge cs6Label=clapp ccode=ZA cicode=Johannesburg cs7=-99.9999 cs7Label=latitude cs8=99.9999 cs8Label=longitude Customer=WAFTesting start=1700735106804 request=www.test.com/manifest.json ref=https://www.test.com/ requestMethod=GET cn1=200 app=HTTPS act=REQ_PASSED deviceExternalId=197567897657 sip=10.1.1.127 spt=443 in=210 xff=196.1.1.1, 163.1.6.3 cs10=[{"rule_id":"1998888","type":"AD_HEADER_RW","header_name":"X-Content-Type-Options","header_orig":"nosniff","header_rewrite":"nosniff"},{"rule_id":"1993333","type":"AD_HEADER_RW","header_name":"Content-Security-Policy","header_rewrite":"upgrade-insecure-requests; frame-ancestors: self"},{"rule_id":"1991111","type":"AD_HEADER_RW","header_name":"Server"},{"rule_id":"1992222","type":"AD_HEADER_RW","header_name":"X-Powered-By"},{"rule_id":"1994444","type":"AD_HEADER_RW","header_name":"X-Frame-Options","header_orig":"DENY","header_rewrite":"SameOrigin"}] cs10Label=Rule Info cpt=36914 src=163.2.4.5 ver=TLSv1.3 TLS_AES_128_GCM_SHA256 end=1700735107355

Impreva On-Prem WAF (SecureSphere) Logs

Overview

Table name: imperva_secure_sphere_waf

Imperva On-Prem WAF (Web Application Firewall) logs are critical for tracking and analyzing web traffic to identify and mitigate potential threats. These logs provide detailed records of all transactions between web applications and users, including attempts to exploit vulnerabilities. They are instrumental in understanding attack patterns, ensuring compliance with data protection regulations, and optimizing web application security measures.

Send data to Hunters

Hunters supports the ingestion of Imperva On-Prem WAF logs via an intermediary AWS S3 bucket.

To connect Imperva On-Prem WAF logs:

Export your logs from Impreva to an AWS S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in CEF format.

CEF:0|Test Inc.|TestProduct|10.0.0.01_0|Custom|Server Side Request Forgery|High|act=block dst=123.45.67.890 dpt=123 duser= src=111.22.333.44 spt=12345 proto=TCP rt=Jan 11 2024 01:11:29 cat=Alert cs1=communication.group cs1Label=ServerGroup cs2=HTTP cs2Label=ServiceName cs3=Default Web Application cs3Label=ApplicationName deviceExternalId=sample01 cs4=11.11.111.11 cs4Label=MxIP cs5="test-services"\="""","simulation-mode"\="False","client-type"\="","bot-classification"\="","soap-action"\="" cs5Label=AdditionalInfo externalId=123634455663311111 reason=custom-policy-violation requestMethod=POST flexString2Label=HttpInfo flexString2="response-size"\="","response-time"\="","response-code"\="","http-version"\="HTTP/1.1","session-id"\="1119977997999667701" cs6Label=ViolationAttributes cs6=${Violation.AttributesList} request=http://communication.group/Web/Reserved.ReportViewerWebControl?OpType\=SessionKeepAlive&ControlID\=14768&RSProxy\=http://123.11.22.33:1020/ReportServer requestClientApplication=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/123.12 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/123.36 flexString1Label=RequestParameters flexString1="OpType"\="SessionKeepAlive", "ControlID"\="14768", "RSProxy"\="http://123.11.22.33:1020/ReportServer"

Impreva Attack Analytics Logs

Overview

Table name: imperva_attack_analytics

Imperva Attack Analytics is a cybersecurity product that leverages machine learning and artificial intelligence to provide advanced threat detection and analysis capabilities. It is designed to help organizations identify and respond to sophisticated cyber threats in real time. Attack Analytics monitors network traffic, application logs, and user behavior to detect anomalies and suspicious activities that may indicate a security breach. It correlates data from multiple sources to provide a comprehensive view of the organization's security posture and prioritizes alerts based on risk level. By using Attack Analytics, organizations can improve their ability to detect and respond to cyber threats, ultimately enhancing their overall security posture.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of Impreva Attack Analytics logs via an intermediary AWS S3 bucket.

To connect Impreva Attack Analytics logs:

Export your logs from Impreva to an AWS S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in CEF format.

CEF:0|Imperva Inc|Attack Analytics|0|1|Bad Bots attack by a distributed Origin mostly from Russian Federation using Comment Spammer CommentSpamBot |MAJOR|msg=Doing a host scan on 98 hosts targeting the URL "/"  start=1711596515885 end=1711639684777 src=Distributed dhost=Distributed request=/ requestClientApplication=Comment Spammer cs1=1137 cs1Label=ImpervaAANumberOfEvents cs2=100 cs2Label=ImpervaAAPercentBlocked cs3=Distributed cs3Label=ImpervaAACountry cs4=CloudWAF cs4Label=ImpervaAAPlatform cs5=1.2.3.4,1.2.3.4,1.2.3.4,1.2.3.4,1.2.3.4,1.2.3.4,1.2.3.4,1.2.3.4,1.2.3.4,1.2.3.4 cs5Label=ImpervaAADominantIps cs6=108000030260449537-231747909789155528,108000030260449537-561621958130401486,536001290208809758-305133666656854088,536001290208809758-363547725848387652,727001290246169389-261626829076897865,727001290246169389-471130403153322061,878000980127961207-248306666623080590,878000980127961207-222181256734840973,878000980127961207-222181570267453581,1309001940142861605-298957632584888462,1309001940142861605-285164173315092621,730000040256987902-145026270946263297,730000040256987902-372935832880414989,728000120286324161-570524008036434704,728000120286324161-495818566660522767,1083001880031739807-85291938831085326,1083001880031739807-37428131794726663,1083001880031739807-7811278567059201,2223000060237390688-100387211352932768,2223000060237390688-17237945877463434,8219001670090975397-193908458168986061,8219001670090975397-193908608492841421,8219001670090974309-207928635877435854,730000040258404336-300286611392430343,512000030030395417-53624633819136195 cs6Label=ImpervaAASampleEvents cs7=Bad Bots cs7Label=ImpervaAAAttackType cs8=13529551,50184432,90058572,89347655,82531837,35074111,1926700,23638610,59847897,84457795 cs8Label=ImpervaAADominantSiteIds cs9= cs9Label=ImpervaAACves

Imperva Advanced Bot Protection

Overview

Table name: imperva_nrt

Imperva Advanced Bot Protection provides detailed logs that offer visibility into bot traffic across web, mobile, and API channels. These logs include data points such as request source, user-agent, IP reputation, bot classification (e.g., scraper, automation tool, crawler), decision outcome (allowed, challenged, blocked), and detection methods used. They help security teams analyze bot behavior, track trends over time, and investigate specific incidents.

Send data to Hunters

Hunters supports the ingestion of Imperva Advanced Bot Protection logs via an intermediary AWS S3 bucket.

To connect Imperva Advanced Bot Protection logs:

Export your logs from Impreva to an AWS S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in NDJSON format.

[
    {
        "@timestamp": 1711350006000,
        "client": {
            "domain": "a.b.com.",
            "geo": {
                "country_iso_code": "US",
                "name": "john tech"
            },
            "ip": "1.2.3.4"
        },
        "event": {
            "category": "web",
            "code": "",
            "dataset": "ABP",
            "id": "95cbf9fa-e0e9-4ea2-b580-76adace1070f",
            "provider": "abp"
        },
        "http": {
            "request": {
                "body": {
                    "bytes": 164
                },
                "method": "GET"
            }
        },
        "imperva": {
            "abp": {
                "apollo_rule_versions": [
                    "t=2024-03-25T07:23:03Z",
                    "t=2024-03-25T07:41:03Z",
                    "t=2024-03-25T10:03:03Z"
                ],
                "bot_behaviors": [
                    "frequent_flyer",
                    "load_balancer_flags",
                    "mesas",
                    "missing_gen_zid",
                    "web_scraping_low_confidence",
                    "web_scraping_medium_confidence"
                ],
                "bot_deciding_condition_ids": [],
                "bot_deciding_condition_names": [],
                "bot_triggered_condition_ids": [
                    "b0b65193-395e-4e65-90bb-8a93c201ac39",
                    "431f9bf4-80e2-4fe7-bb96-2700c966c62b",
                    "5855a09a-79d0-4e23-82c0-e195465f585c"
                ],
                "bot_triggered_condition_names": [
                    "Identify Eventually"
                ],
                "bot_violations": [
                    "no_token"
                ],
                "captcha_solved_timestamp": 0,
                "category": "suspicious",
                "cookie_lengths": [],
                "cookie_names": [],
                "customer_request_id": "146858005761242884",
                "deciding_tags": [],
                "fpid": "",
                "header_id": "1.2.3.4:6d4e4d1d-7094-375d-a439-0568a6a70836",
                "header_lengths": [
                    18,
                    70,
                    3,
                    4
                ],
                "header_names": [
                    "Host",
                    "User-Agent",
                    "Accept",
                    "Accept-Encoding"
                ],
                "headers_accept": "*/*",
                "headers_accept_charset": "",
                "headers_accept_encoding": "gzip",
                "headers_accept_language": "",
                "headers_cf_connecting_ip": "",
                "headers_connection": "",
                "headers_cookie_length": 0,
                "headers_host": "a.b.com:12142",
                "headers_referer": "",
                "headers_x_forwarded_for": "",
                "headers_x_forwarded_proto": "",
                "headers_x_real_ip": "",
                "hsig": "HUAE",
                "monitor_action": "identify",
                "pid": "6d4e4d1d-7094-375d-a439-0568a6a70836",
                "policy_id": "34de2b8e-495a-4065-ae4a-be9226d16fb5",
                "policy_name": "Global ABP Default",
                "random_id": "",
                "rate_limiting_scope": "",
                "request_path_decoded": "/",
                "request_type": "post_analysis",
                "requests_per_minute": 0.0,
                "requests_per_session": 0,
                "requests_since_captcha_succeeded": 0,
                "requests_with_expired_token": 0,
                "requests_with_no_token": 62,
                "seconds_with_expired_token": 0.0,
                "seconds_with_no_token": 28902.374703102,
                "selector": "path_prefix: /",
                "selector_derived_id": "c990c5f1-cca4-50af-96c3-c523efca1936",
                "session_length_seconds": 0.0,
                "tcp_rtt_ms": 0,
                "tls_fingerprint": "",
                "tls_rtt_ms": 0,
                "token_expire": 0,
                "token_id": "",
                "triggered_tags": [
                    "force_identify",
                    "identify_eventually"
                ],
                "web_browser_fonts": [],
                "zid": "",
                "zuid": ""
            },
            "ids": {
                "account_id": "045c75e3-fb5d-4e46-b0f7-b14f7a97685a",
                "account_name": "Global",
                "site_id": "95600940-13c7-4fa4-98f9-6dbfd36b84fa",
                "site_name": "Global ABP"
            }
        },
        "server": {
            "domain": "a.b.com",
            "geo": {
                "name": "eu-west-3"
            }
        },
        "url": {
            "path": "/",
            "query": ""
        },
        "user_agent": {
            "device_name": "",
            "name": "",
            "original": "Mozilla/5.0 (compatible; CensysInspect/1.1; +a.b.com)",
            "version": ""
        }
    }
]