Collect Imperva WAF logs

Supported in:

This document explains how to collect Imperva WAF logs by setting up a Google Security Operations feed using the Third Party API.

Imperva WAF is a cloud-based web application firewall that protects websites and applications from web-based attacks, including SQL injection, cross-site scripting (XSS), and DDoS threats. Imperva WAF analyzes incoming HTTP/HTTPS traffic in real time, applying security rules and bot mitigation policies to block malicious requests before they reach the origin server.

Before you begin

Make sure that you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to the Imperva Cloud Security Console ( my.imperva.com )
  • An Imperva account with permissions to generate API keys

Configure Imperva WAF API access

To enable Google SecOps to retrieve WAF logs, you need to generate API credentials from the Imperva Cloud Security Console.

Generate API credentials

  1. Sign in to the Imperva Cloud Security Consoleat my.imperva.com .
  2. Go to Account > Account Settings.
  3. Scroll down to the API Informationsection.
  4. Copy and save the following values:

    • API ID: Your unique API identifier (for example, 12345 ).
    • API Key: Your API key (for example, abcdef-123456-ghijkl-789012 ).

Important: Store the API ID and API Key securely. These credentials provide access to your Imperva account data through the API.

Configure a feed in Google SecOps to ingest Imperva WAF logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed namefield, enter a name for the feed (for example, Imperva WAF Logs ).
  5. Select Third Party APIas the Source type.
  6. Select Impervaas the Log type.
  7. Click Next.
  8. Specify values for the following input parameters:

    • Authentication HTTP header: Enter the authentication credentials in the following format:

       apiId:your-api-id-value
      apiKey:your-api-key-value 
      

      Each credential must be on a separate line in key:value format.

    • Asset namespace: The asset namespace .

    • Ingestion labels: The label to be applied to the events from this feed.

  9. Click Next.

  10. Review your new feed configuration in the Finalizescreen, and then click Submit.

After setup, the feed begins to retrieve WAF event logs from the Imperva Cloud WAF instance.

UDM mapping table

Log Field UDM Mapping Logic
csv_message
about Mapped: CEF: about
csv_message
about.asset.ip Mapped: CEF: kv.dvc
kv.dvc
about.asset.ip Merged
csv_message
about.ip Mapped: CEF: kv.dvc
kv.dvc
about.ip Merged
additional_devicedata
additional.fields Merged
additional_factors_label
additional.fields Merged
additional_severity
additional.fields Merged
cn1_value_label
additional.fields Merged
csv_message
additional.fields Mapped: CEF: additional_severity , CEF: cn1_value_label
random_id_label
additional.fields Merged
site_id_label
additional.fields Merged
site_name_label
additional.fields Merged
zuid_labels
additional.fields Merged
csv_message
extensions.vulns.vulnerabilities Mapped: CEF: vuln
message
extensions.vulns.vulnerabilities Mapped: LEEF: vuln
vuln
extensions.vulns.vulnerabilities Merged
message
intermediary Mapped: LEEF: intermediary
forwardedIp
intermediary.asset.hostname Directly mapped
forwardedIp
intermediary.asset.ip Merged
xff
intermediary.asset.ip Merged
forwardedIp
intermediary.hostname Directly mapped
forwardedIp
intermediary.ip Merged
log.mx-ip
intermediary.ip Merged
xff
intermediary.ip Merged
popName
intermediary.location.country_or_region Renamed/mapped
csv.description
metadata.description Mapped when csv_message =~ CEF:
log.message
metadata.description Mapped when json_array != ``
deviceReceiptTime
metadata.event_timestamp Parsed as MMM dd HH:mm:ss
log.@timestamp
metadata.event_timestamp Parsed as UNIX_MS
log.time
metadata.event_timestamp Parsed as UNIX
log_timestamp
metadata.event_timestamp Parsed as UNIX_MS
start
metadata.event_timestamp Parsed as UNIX_MS
timestamp
metadata.event_timestamp Parsed as MMM dd yyyy HH:mm:ss
csv_message
metadata.event_type Mapped values (6 total, e.g. CEF: NETWORK_HTTP , CEF: SCAN_UNCATEGORIZED , CEF: ...
has_principal
metadata.event_type Mapped: true NETWORK_CONNECTION
message
metadata.event_type Mapped: LEEF: NETWORK_HTTP
principal_present
metadata.event_type Mapped: true NETWORK_HTTP , true NETWORK_CONNECTION , true STATUS_UPDATE
csv.event_id
metadata.product_event_type Directly mapped
log.type_key
metadata.product_event_type Mapped when json_array != ``
log.imperva.ids.account_id
metadata.product_log_id Mapped when json_array != ``
log.header.product-version
metadata.product_version Mapped when json_array != ``
product_version
metadata.product_version Mapped when csv_message =~ CEF:
csv_message
network.application_protocol Mapped: CEF: HTTPS , CEF: HTTP
proto
network.application_protocol Renamed/mapped
deviceExternalId
network.community_id Renamed/mapped
message
network.direction Mapped: LEEF: INBOUND
kv.cs8
network.http.method Mapped when csv_message =~ CEF:
kv.requestMethod
network.http.method Renamed/mapped
log.http.request.method
network.http.method Mapped when json_array != ``
requestMethod
network.http.method Renamed/mapped
http_user_agent
network.http.parsed_user_agent Renamed/mapped
log.http.request.user-agent
network.http.parsed_user_agent Renamed/mapped
log.imperva.abp.headers_referer
network.http.referral_url Mapped when json_array != ``
log.imperva.referrer
network.http.referral_url Mapped when json_array != ``
ref
network.http.referral_url Renamed/mapped
cn1
network.http.response_code Renamed/mapped
cn1_value
network.http.response_code Renamed/mapped
kv.flexString1
network.http.response_code Renamed/mapped
kv.flexString2
network.http.response_code Renamed/mapped
log.http.response.code
network.http.response_code Renamed/mapped
kv.requestClientApplication
network.http.user_agent Mapped when csv_message =~ CEF:
log.http.request.user-agent
network.http.user_agent Mapped when json_array != ``
requestClientApplication
network.http.user_agent Renamed/mapped
user_agent
network.http.user_agent Renamed/mapped
kv.proto
network.ip_protocol Renamed/mapped
log.protocol
network.ip_protocol Mapped when json_array != ``
message
network.ip_protocol Mapped: LEEF: TCP
kv.Customer
network.organization_name Mapped when csv_message =~ CEF:
csv_message
network.received_bytes Mapped: CEF: uinteger
in
network.received_bytes Renamed/mapped
kv.in
network.received_bytes Mapped when csv_message =~ CEF:
message
network.received_bytes Mapped: LEEF: uinteger
log.http.request.body.bytes
network.sent_bytes Renamed/mapped
fileId
network.session_id Renamed/mapped
log.http.session-id
network.session_id Mapped when json_array != ``
log.imperva.abp.customer_request_id
network.session_id Mapped when json_array != ``
log.imperva.request_session_id
network.session_id Mapped when json_array != ``
tls_cipher
network.tls.cipher Renamed/mapped
tls_version
network.tls.version Renamed/mapped
cs6
principal.application Renamed/mapped
log.client.domain
principal.asset.hostname Mapped when json_array != ``
csv_message
principal.asset.ip Mapped: CEF: kvsrc
kvsrc
principal.asset.ip Merged
log.client.ip
principal.asset.ip Merged
log.source-ip
principal.asset.ip Merged
message
principal.asset.ip Mapped: LEEF: src
src
principal.asset.ip Merged
log.client.domain
principal.hostname Mapped when json_array != ``
csv_message
principal.ip Mapped: CEF: kvsrc
kvsrc
principal.ip Merged
log.client.ip
principal.ip Merged
log.source-ip
principal.ip Merged
message
principal.ip Mapped: LEEF: src
src
principal.ip Merged
request_type_label
principal.labels Merged
cicode
principal.location.city Renamed/mapped
kv.cicode
principal.location.city Mapped when csv_message =~ CEF:
calCountryOrRegion
principal.location.country_or_region Renamed/mapped
kv.ccode
principal.location.country_or_region Mapped when csv_message =~ CEF:
log.client.geo.country_iso_code
principal.location.country_or_region Mapped when json_array != ``
log.imperva.country
principal.location.country_or_region Mapped when json_array != ``
cs7
principal.location.region_latitude Renamed/mapped
csv_message
principal.location.region_latitude Mapped: CEF: float
kv.cs7
principal.location.region_latitude Renamed/mapped
message
principal.location.region_latitude Mapped: LEEF: float
cs8
principal.location.region_longitude Renamed/mapped
csv_message
principal.location.region_longitude Mapped: CEF: float
kv.cs8
principal.location.region_longitude Renamed/mapped
message
principal.location.region_longitude Mapped: LEEF: float
log.source-port
principal.port Renamed/mapped
port
principal.port Mapped when csv_message =~ CEF:
srcPort
principal.port Renamed/mapped
log.imperva.path
principal.process.file.full_path Mapped when json_array != ``
log.imperva.abp.pid
principal.process.pid Mapped when json_array != ``
header_map_label
principal.resource.attribute.labels Merged
log.user.email
principal.user.email_addresses Merged
log.user_details
principal.user.email_addresses Merged
log.event.provider
principal.user.user_display_name Mapped when json_array != ``
log.http.user-name
principal.user.userid Mapped when json_array != ``
log.user_id
principal.user.userid Mapped when json_array != ``
user_name
principal.user.userid Mapped when json_array != ``
csv_message
security_result Mapped: CEF: security_result
message
security_result Mapped: LEEF: security_result
_action
security_result.action Merged
action
security_result.action Merged
csv_message
security_result.action Mapped: CEF: action
message
security_result.action Mapped: LEEF: _action
security_action
security_result.action Merged
cat
security_result.action_details Directly mapped
kv.act
security_result.action_details Directly mapped
kv.cat
security_result.action_details Directly mapped
log.action
security_result.action_details Directly mapped
csv_message
security_result.category_details Mapped: CEF: kv.cat
dproc
security_result.category_details Merged
kv.cat
security_result.category_details Merged
message
security_result.category_details Mapped: LEEF: dproc
log.description
security_result.description Directly mapped
log.imperva.abp.tls_fingerprint
security_result.description Directly mapped
log.imperva.risk_reason
security_result.description Directly mapped
accept_encoding_label
security_result.detection_fields Merged
accept_language_label
security_result.detection_fields Merged
apollo_rule
security_result.detection_fields Merged
behavior
security_result.detection_fields Merged
class_label
security_result.detection_fields Merged
cn1_field
security_result.detection_fields Merged
cn2_field
security_result.detection_fields Merged
condition_id
security_result.detection_fields Merged
condition_name
security_result.detection_fields Merged
cs10Label_field
security_result.detection_fields Merged
cs11_field
security_result.detection_fields Merged
cs12Label_field
security_result.detection_fields Merged
cs1_field
security_result.detection_fields Merged
cs2_field
security_result.detection_fields Merged
cs3_field
security_result.detection_fields Merged
cs4_field
security_result.detection_fields Merged
cs5Label_field
security_result.detection_fields Merged
cs5_field
security_result.detection_fields Merged
cs6_field
security_result.detection_fields Merged
cs8_label
security_result.detection_fields Merged
cs97Label_field
security_result.detection_fields Merged
cs98_field
security_result.detection_fields Merged
cs99_field
security_result.detection_fields Merged
cs9_field
security_result.detection_fields Merged
cs9_label
security_result.detection_fields Merged
csv_message
security_result.detection_fields Mapped values (30 total, e.g. CEF: flexString1_field , CEF: cs1_field , CEF: → `...
detection_fields_domain_risk
security_result.detection_fields Merged
detection_fields_event_action
security_result.detection_fields Merged
detection_fields_event_context
security_result.detection_fields Merged
detection_fields_significant_domain_name
security_result.detection_fields Merged
detection_fields_violated_directive
security_result.detection_fields Merged
deviceExternalId_label
security_result.detection_fields Merged
deviceFacility_field
security_result.detection_fields Merged
dproc_label
security_result.detection_fields Merged
end_label
security_result.detection_fields Merged
filePermission_field
security_result.detection_fields Merged
fileType_field
security_result.detection_fields Merged
flexNumber1_field
security_result.detection_fields Merged
flexString1_field
security_result.detection_fields Merged
flexString2_field
security_result.detection_fields Merged
fname_field
security_result.detection_fields Merged
gateway_name_label
security_result.detection_fields Merged
headers_connection_label
security_result.detection_fields Merged
hsig
security_result.detection_fields Merged
log_imperva_classified_client_field
security_result.detection_fields Merged
log_imperva_credentials_leaked_field
security_result.detection_fields Merged
log_imperva_declared_client_field
security_result.detection_fields Merged
log_imperva_failed_logins_last_24h_field
security_result.detection_fields Merged
log_imperva_fingerprint_field
security_result.detection_fields Merged
log_imperva_successful_logins_last_24h_field
security_result.detection_fields Merged
message
security_result.detection_fields Mapped values (11 total, e.g. LEEF: siteid_label , LEEF: start_label , LEEF: → `...
policy_id
security_result.detection_fields Merged
policy_label
security_result.detection_fields Merged
policy_name
security_result.detection_fields Merged
postbody_field
security_result.detection_fields Merged
postbody_label
security_result.detection_fields Merged
request_user_label
security_result.detection_fields Merged
selector
security_result.detection_fields Merged
selector_derived_id
security_result.detection_fields Merged
siteTag_field
security_result.detection_fields Merged
siteid_label
security_result.detection_fields Merged
start_label
security_result.detection_fields Merged
tag_label
security_result.detection_fields Merged
triggered_condition_id
security_result.detection_fields Merged
triggered_condition_name
security_result.detection_fields Merged
violation
security_result.detection_fields Merged
violation_id_label
security_result.detection_fields Merged
violation_type_label
security_result.detection_fields Merged
cs9
security_result.rule_name Directly mapped
kv.cs9
security_result.rule_name Directly mapped
fileType
security_result.rule_type Mapped when message =~ LEEF:
kv.fileType
security_result.rule_type Directly mapped
csv_message
security_result.severity Mapped: CEF: HIGH , CEF: MEDIUM , CEF: LOW , CEF: UNKNOWN_SEVERITY
log.severity
security_result.severity Directly mapped
severity
security_result.severity Mapped: High HIGH , Medium MEDIUM , Low LOW , Unknown UNKNOWN_SEVERITY
sevs
security_result.severity Mapped: "error", "warning" HIGH , critical CRITICAL , "medium","notice" → `MED...
log.imperva.risk_level
security_result.severity_details Directly mapped
severity
security_result.threat_id Directly mapped
description
security_result.threat_name Directly mapped
log.application-name
target.application Mapped when json_array != ``
kv.dhost
target.asset.hostname Mapped when csv_message =~ CEF:
kv.sourceServiceName
target.asset.hostname Mapped when csv_message =~ CEF:
log.server.domain
target.asset.hostname Mapped when json_array != ``
csv_message
target.asset.ip Mapped: CEF: kv.dst , CEF: kv.sip
dst
target.asset.ip Merged
kv.dst
target.asset.ip Merged
kv.sip
target.asset.ip Merged
log.dest-ip
target.asset.ip Merged
message
target.asset.ip Mapped: LEEF: dst
kv.dhost
target.hostname Mapped when csv_message =~ CEF:
kv.sourceServiceName
target.hostname Mapped when csv_message =~ CEF:
log.server.domain
target.hostname Mapped when json_array != ``
sourceServiceName
target.hostname Renamed/mapped
csv_message
target.ip Mapped: CEF: kv.dst , CEF: kv.sip
dst
target.ip Merged
kv.dst
target.ip Merged
kv.sip
target.ip Merged
log.dest-ip
target.ip Merged
message
target.ip Mapped: LEEF: dst
log.server.geo.name
target.location.name Mapped when json_array != ``
dstPort
target.port Renamed/mapped
kv.cpt
target.port Renamed/mapped
kv.dpt
target.port Renamed/mapped
log.dest-port
target.port Renamed/mapped
kv.deviceProcessName
target.process.file.full_path Mapped when csv_message =~ CEF:
log.url.path
target.process.file.full_path Mapped when json_array != ``
header_map_label
target.resource.attribute.labels Merged
server_group_label
target.resource.attribute.labels Merged
server_group_simulation_mode_label
target.resource.attribute.labels Merged
service_label
target.resource.attribute.labels Merged
log.resource_id
target.resource.id Mapped when json_array != ``
log.context_key
target.resource.name Mapped when json_array != ``
log.imperva.audit_trail.resource_name
target.resource.name Mapped when json_array != ``
kv.fileId
target.resource.product_object_id Mapped when csv_message =~ CEF:
log.imperva.abp.token_id
target.resource.product_object_id Mapped when json_array != ``
log.resource_type_key
target.resource.type Mapped when json_array != ``
kv.request
target.url Renamed/mapped
url
target.url Renamed/mapped
Customer
target.user.user_display_name Renamed/mapped
log.imperva.ids.account_name
target.user.user_display_name Mapped when json_array != ``
kv.duser
target.user.userid Renamed/mapped
kv.suid
target.user.userid Mapped when csv_message =~ CEF:
log.account_id
target.user.userid Mapped when json_array != ``
suid
target.user.userid Renamed/mapped
N/A
metadata.event_type Constant: NETWORK_HTTP
N/A
network.direction Constant: INBOUND
N/A
network.ip_protocol Constant: TCP
N/A
security_result.severity Constant: HIGH
end
event.idm.read_only_udm.metadata.collected_timestamp Mapped from changelog
end
event.idm.read_only_udm.metadata.event_timestamp Mapped from changelog
kv.cs12
event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
kv.cs10
event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
kv.cat
event.idm.read_only_udm.security_result.category_details Mapped from changelog
Customer
event.idm.read_only_udm.network.organization_name Mapped from changelog
siteid
event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
deviceExternalId
event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
spt
event.idm.read_only_udm.principal.port Mapped from changelog
cpt
event.idm.read_only_udm.target.port Mapped from changelog
cat
event.idm.read_only_udm.security_result.action_details Mapped from changelog
cs9Label
event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
cs8Label
event.idm.read_only_udm.principal.location.region_longitude Mapped from changelog
kv.cat
event.idm.read_only_udm.security_result.action_details Mapped from changelog
kv.cs8
event.idm.read_only_udm.network.http.method Mapped from changelog
timestamp
event.idm.read_only_udm.metadata.event_timestamp Mapped from changelog
metadata.vendor_name
Imperva Cloud WAF Mapped from changelog
log.imperva.request_user
security_result.detection_fields Mapped from changelog
log.imperva.classified_client
security_result.detection_fields Mapped from changelog
"log.imperva.successful_logins_last_24h","log.imperva.path" and "log.imperva.failed_logins_last_24h
security_result.detection_fields Mapped from changelog
additional_factor","log.imperva.device_reputation" and "log.imperva.credentials_leaked
additional.fields Mapped from changelog
log.imperva.fingerprint
security_result.description Mapped from changelog
log.imperva.classified_client
principal.process.file.full_path Mapped from changelog
kv.src", "src" and "log.client.ip
principal.asset.ip Mapped from changelog
kv.dst" and "dst
target.asset.ip Mapped from changelog
kv.cs9" and "cs9
security_result.rule_name Mapped from changelog
kv.fileType" and "fileType
security_result.rule_type Mapped from changelog
xff" and "forwardedIp
intermediary.asset.ip Mapped from changelog
security_action
BLOCK Mapped from changelog
significant_domain_name", "domain_risk", "violated_directives
security_result.detection_fields Mapped from changelog
imperva.audit_trail.event_action
security_result.detection_fields Mapped from changelog
imperva.audit_trail.event_action_description
security_result.detection_fields Mapped from changelog
imperva.audit_trail.event_context
security_result.detection_fields Mapped from changelog
imperva.audit_trail.event_context_description
security_result.detection_fields Mapped from changelog
imperva.abp.apollo_rule_versions
security_result.detection_fields Mapped from changelog
imperva.abp.bot_violations
security_result.detection_fields Mapped from changelog
imperva.abp.bot_behaviors
security_result.detection_fields Mapped from changelog
imperva.abp.bot_deciding_condition_ids
security_result.detection_fields Mapped from changelog
imperva.abp.bot_deciding_condition_names
security_result.detection_fields Mapped from changelog
imperva.abp.bot_triggered_condition_ids
security_result.detection_fields Mapped from changelog
imperva.abp.bot_triggered_condition_names
security_result.detection_fields Mapped from changelog
kvdata.ver
network.tls.version Mapped from changelog
kvdata.sip
principal.ip Mapped from changelog
kvdata.spt
principal.port Mapped from changelog
kvdata.requestMethod
network.http.method Mapped from changelog
imperva.abp.request_type
principal.labels Mapped from changelog
imperva.abp.random_id
additional.fields Mapped from changelog
user_agent.original
network.http.parsed_user_agent Mapped from changelog
imperva.abp.zuid
additional.fields Mapped from changelog
imperva.ids.site_name
additional.fields Mapped from changelog
imperva.ids.site_id
additional.fields Mapped from changelog
imperva.abp.headers_accept_encoding
security_result.detection_fields Mapped from changelog
imperva.abp.headers_accept_language
security_result.detection_fields Mapped from changelog
imperva.abp.headers_connection
security_result.detection_fields Mapped from changelog
imperva.abp.policy_id
security_result.detection_fields Mapped from changelog
imperva.abp.policy_name
security_result.detection_fields Mapped from changelog
imperva.abp.selector_derived_id
security_result.detection_fields Mapped from changelog
imperva.abp.monitor_action
security_result.action Mapped from changelog

Change Log

View the Change Log for this parser

Need more help? Get answers from Community members and Google SecOps professionals.

Create a Mobile Website
View Site in Mobile | Classic
Share by: