Collect Imperva WAF logs
This document explains how to collect Imperva WAF logs by setting up a Google Security Operations feed using the Third Party API.
Imperva WAF is a cloud-based web application firewall that protects websites and applications from web-based attacks, including SQL injection, cross-site scripting (XSS), and DDoS threats. Imperva WAF analyzes incoming HTTP/HTTPS traffic in real time, applying security rules and bot mitigation policies to block malicious requests before they reach the origin server.
Before you begin
Make sure that you have the following prerequisites:
- A Google SecOps instance
- Privileged access to the Imperva Cloud Security Console (
my.imperva.com) - An Imperva account with permissions to generate API keys
Configure Imperva WAF API access
To enable Google SecOps to retrieve WAF logs, you need to generate API credentials from the Imperva Cloud Security Console.
Generate API credentials
- Sign in to the Imperva Cloud Security Consoleat
my.imperva.com. - Go to Account > Account Settings.
- Scroll down to the API Informationsection.
-
Copy and save the following values:
- API ID: Your unique API identifier (for example,
12345). - API Key: Your API key (for example,
abcdef-123456-ghijkl-789012).
- API ID: Your unique API identifier (for example,
Important: Store the API ID and API Key securely. These credentials provide access to your Imperva account data through the API.
Configure a feed in Google SecOps to ingest Imperva WAF logs
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed namefield, enter a name for the feed (for example,
Imperva WAF Logs). - Select Third Party APIas the Source type.
- Select Impervaas the Log type.
- Click Next.
-
Specify values for the following input parameters:
-
Authentication HTTP header: Enter the authentication credentials in the following format:
apiId:your-api-id-value apiKey:your-api-key-valueEach credential must be on a separate line in
key:valueformat. -
Asset namespace: The asset namespace .
-
Ingestion labels: The label to be applied to the events from this feed.
-
-
Click Next.
-
Review your new feed configuration in the Finalizescreen, and then click Submit.
After setup, the feed begins to retrieve WAF event logs from the Imperva Cloud WAF instance.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
csv_message
|
about
|
Mapped: CEF:
→ about
|
csv_message
|
about.asset.ip
|
Mapped: CEF:
→ kv.dvc
|
kv.dvc
|
about.asset.ip
|
Merged |
csv_message
|
about.ip
|
Mapped: CEF:
→ kv.dvc
|
kv.dvc
|
about.ip
|
Merged |
additional_devicedata
|
additional.fields
|
Merged |
additional_factors_label
|
additional.fields
|
Merged |
additional_severity
|
additional.fields
|
Merged |
cn1_value_label
|
additional.fields
|
Merged |
csv_message
|
additional.fields
|
Mapped: CEF:
→ additional_severity
, CEF:
→ cn1_value_label
|
random_id_label
|
additional.fields
|
Merged |
site_id_label
|
additional.fields
|
Merged |
site_name_label
|
additional.fields
|
Merged |
zuid_labels
|
additional.fields
|
Merged |
csv_message
|
extensions.vulns.vulnerabilities
|
Mapped: CEF:
→ vuln
|
message
|
extensions.vulns.vulnerabilities
|
Mapped: LEEF:
→ vuln
|
vuln
|
extensions.vulns.vulnerabilities
|
Merged |
message
|
intermediary
|
Mapped: LEEF:
→ intermediary
|
forwardedIp
|
intermediary.asset.hostname
|
Directly mapped |
forwardedIp
|
intermediary.asset.ip
|
Merged |
xff
|
intermediary.asset.ip
|
Merged |
forwardedIp
|
intermediary.hostname
|
Directly mapped |
forwardedIp
|
intermediary.ip
|
Merged |
log.mx-ip
|
intermediary.ip
|
Merged |
xff
|
intermediary.ip
|
Merged |
popName
|
intermediary.location.country_or_region
|
Renamed/mapped |
csv.description
|
metadata.description
|
Mapped when csv_message
=~ CEF:
|
log.message
|
metadata.description
|
Mapped when json_array
!= `` |
deviceReceiptTime
|
metadata.event_timestamp
|
Parsed as MMM dd HH:mm:ss
|
log.@timestamp
|
metadata.event_timestamp
|
Parsed as UNIX_MS
|
log.time
|
metadata.event_timestamp
|
Parsed as UNIX
|
log_timestamp
|
metadata.event_timestamp
|
Parsed as UNIX_MS
|
start
|
metadata.event_timestamp
|
Parsed as UNIX_MS
|
timestamp
|
metadata.event_timestamp
|
Parsed as MMM dd yyyy HH:mm:ss
|
csv_message
|
metadata.event_type
|
Mapped values (6 total, e.g. CEF:
→ NETWORK_HTTP
, CEF:
→ SCAN_UNCATEGORIZED
, CEF:
... |
has_principal
|
metadata.event_type
|
Mapped: true
→ NETWORK_CONNECTION
|
message
|
metadata.event_type
|
Mapped: LEEF:
→ NETWORK_HTTP
|
principal_present
|
metadata.event_type
|
Mapped: true
→ NETWORK_HTTP
, true
→ NETWORK_CONNECTION
, true
→ STATUS_UPDATE
|
csv.event_id
|
metadata.product_event_type
|
Directly mapped |
log.type_key
|
metadata.product_event_type
|
Mapped when json_array
!= `` |
log.imperva.ids.account_id
|
metadata.product_log_id
|
Mapped when json_array
!= `` |
log.header.product-version
|
metadata.product_version
|
Mapped when json_array
!= `` |
product_version
|
metadata.product_version
|
Mapped when csv_message
=~ CEF:
|
csv_message
|
network.application_protocol
|
Mapped: CEF:
→ HTTPS
, CEF:
→ HTTP
|
proto
|
network.application_protocol
|
Renamed/mapped |
deviceExternalId
|
network.community_id
|
Renamed/mapped |
message
|
network.direction
|
Mapped: LEEF:
→ INBOUND
|
kv.cs8
|
network.http.method
|
Mapped when csv_message
=~ CEF:
|
kv.requestMethod
|
network.http.method
|
Renamed/mapped |
log.http.request.method
|
network.http.method
|
Mapped when json_array
!= `` |
requestMethod
|
network.http.method
|
Renamed/mapped |
http_user_agent
|
network.http.parsed_user_agent
|
Renamed/mapped |
log.http.request.user-agent
|
network.http.parsed_user_agent
|
Renamed/mapped |
log.imperva.abp.headers_referer
|
network.http.referral_url
|
Mapped when json_array
!= `` |
log.imperva.referrer
|
network.http.referral_url
|
Mapped when json_array
!= `` |
ref
|
network.http.referral_url
|
Renamed/mapped |
cn1
|
network.http.response_code
|
Renamed/mapped |
cn1_value
|
network.http.response_code
|
Renamed/mapped |
kv.flexString1
|
network.http.response_code
|
Renamed/mapped |
kv.flexString2
|
network.http.response_code
|
Renamed/mapped |
log.http.response.code
|
network.http.response_code
|
Renamed/mapped |
kv.requestClientApplication
|
network.http.user_agent
|
Mapped when csv_message
=~ CEF:
|
log.http.request.user-agent
|
network.http.user_agent
|
Mapped when json_array
!= `` |
requestClientApplication
|
network.http.user_agent
|
Renamed/mapped |
user_agent
|
network.http.user_agent
|
Renamed/mapped |
kv.proto
|
network.ip_protocol
|
Renamed/mapped |
log.protocol
|
network.ip_protocol
|
Mapped when json_array
!= `` |
message
|
network.ip_protocol
|
Mapped: LEEF:
→ TCP
|
kv.Customer
|
network.organization_name
|
Mapped when csv_message
=~ CEF:
|
csv_message
|
network.received_bytes
|
Mapped: CEF:
→ uinteger
|
in
|
network.received_bytes
|
Renamed/mapped |
kv.in
|
network.received_bytes
|
Mapped when csv_message
=~ CEF:
|
message
|
network.received_bytes
|
Mapped: LEEF:
→ uinteger
|
log.http.request.body.bytes
|
network.sent_bytes
|
Renamed/mapped |
fileId
|
network.session_id
|
Renamed/mapped |
log.http.session-id
|
network.session_id
|
Mapped when json_array
!= `` |
log.imperva.abp.customer_request_id
|
network.session_id
|
Mapped when json_array
!= `` |
log.imperva.request_session_id
|
network.session_id
|
Mapped when json_array
!= `` |
tls_cipher
|
network.tls.cipher
|
Renamed/mapped |
tls_version
|
network.tls.version
|
Renamed/mapped |
cs6
|
principal.application
|
Renamed/mapped |
log.client.domain
|
principal.asset.hostname
|
Mapped when json_array
!= `` |
csv_message
|
principal.asset.ip
|
Mapped: CEF:
→ kvsrc
|
kvsrc
|
principal.asset.ip
|
Merged |
log.client.ip
|
principal.asset.ip
|
Merged |
log.source-ip
|
principal.asset.ip
|
Merged |
message
|
principal.asset.ip
|
Mapped: LEEF:
→ src
|
src
|
principal.asset.ip
|
Merged |
log.client.domain
|
principal.hostname
|
Mapped when json_array
!= `` |
csv_message
|
principal.ip
|
Mapped: CEF:
→ kvsrc
|
kvsrc
|
principal.ip
|
Merged |
log.client.ip
|
principal.ip
|
Merged |
log.source-ip
|
principal.ip
|
Merged |
message
|
principal.ip
|
Mapped: LEEF:
→ src
|
src
|
principal.ip
|
Merged |
request_type_label
|
principal.labels
|
Merged |
cicode
|
principal.location.city
|
Renamed/mapped |
kv.cicode
|
principal.location.city
|
Mapped when csv_message
=~ CEF:
|
calCountryOrRegion
|
principal.location.country_or_region
|
Renamed/mapped |
kv.ccode
|
principal.location.country_or_region
|
Mapped when csv_message
=~ CEF:
|
log.client.geo.country_iso_code
|
principal.location.country_or_region
|
Mapped when json_array
!= `` |
log.imperva.country
|
principal.location.country_or_region
|
Mapped when json_array
!= `` |
cs7
|
principal.location.region_latitude
|
Renamed/mapped |
csv_message
|
principal.location.region_latitude
|
Mapped: CEF:
→ float
|
kv.cs7
|
principal.location.region_latitude
|
Renamed/mapped |
message
|
principal.location.region_latitude
|
Mapped: LEEF:
→ float
|
cs8
|
principal.location.region_longitude
|
Renamed/mapped |
csv_message
|
principal.location.region_longitude
|
Mapped: CEF:
→ float
|
kv.cs8
|
principal.location.region_longitude
|
Renamed/mapped |
message
|
principal.location.region_longitude
|
Mapped: LEEF:
→ float
|
log.source-port
|
principal.port
|
Renamed/mapped |
port
|
principal.port
|
Mapped when csv_message
=~ CEF:
|
srcPort
|
principal.port
|
Renamed/mapped |
log.imperva.path
|
principal.process.file.full_path
|
Mapped when json_array
!= `` |
log.imperva.abp.pid
|
principal.process.pid
|
Mapped when json_array
!= `` |
header_map_label
|
principal.resource.attribute.labels
|
Merged |
log.user.email
|
principal.user.email_addresses
|
Merged |
log.user_details
|
principal.user.email_addresses
|
Merged |
log.event.provider
|
principal.user.user_display_name
|
Mapped when json_array
!= `` |
log.http.user-name
|
principal.user.userid
|
Mapped when json_array
!= `` |
log.user_id
|
principal.user.userid
|
Mapped when json_array
!= `` |
user_name
|
principal.user.userid
|
Mapped when json_array
!= `` |
csv_message
|
security_result
|
Mapped: CEF:
→ security_result
|
message
|
security_result
|
Mapped: LEEF:
→ security_result
|
_action
|
security_result.action
|
Merged |
action
|
security_result.action
|
Merged |
csv_message
|
security_result.action
|
Mapped: CEF:
→ action
|
message
|
security_result.action
|
Mapped: LEEF:
→ _action
|
security_action
|
security_result.action
|
Merged |
cat
|
security_result.action_details
|
Directly mapped |
kv.act
|
security_result.action_details
|
Directly mapped |
kv.cat
|
security_result.action_details
|
Directly mapped |
log.action
|
security_result.action_details
|
Directly mapped |
csv_message
|
security_result.category_details
|
Mapped: CEF:
→ kv.cat
|
dproc
|
security_result.category_details
|
Merged |
kv.cat
|
security_result.category_details
|
Merged |
message
|
security_result.category_details
|
Mapped: LEEF:
→ dproc
|
log.description
|
security_result.description
|
Directly mapped |
log.imperva.abp.tls_fingerprint
|
security_result.description
|
Directly mapped |
log.imperva.risk_reason
|
security_result.description
|
Directly mapped |
accept_encoding_label
|
security_result.detection_fields
|
Merged |
accept_language_label
|
security_result.detection_fields
|
Merged |
apollo_rule
|
security_result.detection_fields
|
Merged |
behavior
|
security_result.detection_fields
|
Merged |
class_label
|
security_result.detection_fields
|
Merged |
cn1_field
|
security_result.detection_fields
|
Merged |
cn2_field
|
security_result.detection_fields
|
Merged |
condition_id
|
security_result.detection_fields
|
Merged |
condition_name
|
security_result.detection_fields
|
Merged |
cs10Label_field
|
security_result.detection_fields
|
Merged |
cs11_field
|
security_result.detection_fields
|
Merged |
cs12Label_field
|
security_result.detection_fields
|
Merged |
cs1_field
|
security_result.detection_fields
|
Merged |
cs2_field
|
security_result.detection_fields
|
Merged |
cs3_field
|
security_result.detection_fields
|
Merged |
cs4_field
|
security_result.detection_fields
|
Merged |
cs5Label_field
|
security_result.detection_fields
|
Merged |
cs5_field
|
security_result.detection_fields
|
Merged |
cs6_field
|
security_result.detection_fields
|
Merged |
cs8_label
|
security_result.detection_fields
|
Merged |
cs97Label_field
|
security_result.detection_fields
|
Merged |
cs98_field
|
security_result.detection_fields
|
Merged |
cs99_field
|
security_result.detection_fields
|
Merged |
cs9_field
|
security_result.detection_fields
|
Merged |
cs9_label
|
security_result.detection_fields
|
Merged |
csv_message
|
security_result.detection_fields
|
Mapped values (30 total, e.g. CEF:
→ flexString1_field
, CEF:
→ cs1_field
, CEF:
→ `... |
detection_fields_domain_risk
|
security_result.detection_fields
|
Merged |
detection_fields_event_action
|
security_result.detection_fields
|
Merged |
detection_fields_event_context
|
security_result.detection_fields
|
Merged |
detection_fields_significant_domain_name
|
security_result.detection_fields
|
Merged |
detection_fields_violated_directive
|
security_result.detection_fields
|
Merged |
deviceExternalId_label
|
security_result.detection_fields
|
Merged |
deviceFacility_field
|
security_result.detection_fields
|
Merged |
dproc_label
|
security_result.detection_fields
|
Merged |
end_label
|
security_result.detection_fields
|
Merged |
filePermission_field
|
security_result.detection_fields
|
Merged |
fileType_field
|
security_result.detection_fields
|
Merged |
flexNumber1_field
|
security_result.detection_fields
|
Merged |
flexString1_field
|
security_result.detection_fields
|
Merged |
flexString2_field
|
security_result.detection_fields
|
Merged |
fname_field
|
security_result.detection_fields
|
Merged |
gateway_name_label
|
security_result.detection_fields
|
Merged |
headers_connection_label
|
security_result.detection_fields
|
Merged |
hsig
|
security_result.detection_fields
|
Merged |
log_imperva_classified_client_field
|
security_result.detection_fields
|
Merged |
log_imperva_credentials_leaked_field
|
security_result.detection_fields
|
Merged |
log_imperva_declared_client_field
|
security_result.detection_fields
|
Merged |
log_imperva_failed_logins_last_24h_field
|
security_result.detection_fields
|
Merged |
log_imperva_fingerprint_field
|
security_result.detection_fields
|
Merged |
log_imperva_successful_logins_last_24h_field
|
security_result.detection_fields
|
Merged |
message
|
security_result.detection_fields
|
Mapped values (11 total, e.g. LEEF:
→ siteid_label
, LEEF:
→ start_label
, LEEF:
→ `... |
policy_id
|
security_result.detection_fields
|
Merged |
policy_label
|
security_result.detection_fields
|
Merged |
policy_name
|
security_result.detection_fields
|
Merged |
postbody_field
|
security_result.detection_fields
|
Merged |
postbody_label
|
security_result.detection_fields
|
Merged |
request_user_label
|
security_result.detection_fields
|
Merged |
selector
|
security_result.detection_fields
|
Merged |
selector_derived_id
|
security_result.detection_fields
|
Merged |
siteTag_field
|
security_result.detection_fields
|
Merged |
siteid_label
|
security_result.detection_fields
|
Merged |
start_label
|
security_result.detection_fields
|
Merged |
tag_label
|
security_result.detection_fields
|
Merged |
triggered_condition_id
|
security_result.detection_fields
|
Merged |
triggered_condition_name
|
security_result.detection_fields
|
Merged |
violation
|
security_result.detection_fields
|
Merged |
violation_id_label
|
security_result.detection_fields
|
Merged |
violation_type_label
|
security_result.detection_fields
|
Merged |
cs9
|
security_result.rule_name
|
Directly mapped |
kv.cs9
|
security_result.rule_name
|
Directly mapped |
fileType
|
security_result.rule_type
|
Mapped when message
=~ LEEF:
|
kv.fileType
|
security_result.rule_type
|
Directly mapped |
csv_message
|
security_result.severity
|
Mapped: CEF:
→ HIGH
, CEF:
→ MEDIUM
, CEF:
→ LOW
, CEF:
→ UNKNOWN_SEVERITY
|
log.severity
|
security_result.severity
|
Directly mapped |
severity
|
security_result.severity
|
Mapped: High
→ HIGH
, Medium
→ MEDIUM
, Low
→ LOW
, Unknown
→ UNKNOWN_SEVERITY
|
sevs
|
security_result.severity
|
Mapped: "error", "warning"
→ HIGH
, critical
→ CRITICAL
, "medium","notice"
→ `MED... |
log.imperva.risk_level
|
security_result.severity_details
|
Directly mapped |
severity
|
security_result.threat_id
|
Directly mapped |
description
|
security_result.threat_name
|
Directly mapped |
log.application-name
|
target.application
|
Mapped when json_array
!= `` |
kv.dhost
|
target.asset.hostname
|
Mapped when csv_message
=~ CEF:
|
kv.sourceServiceName
|
target.asset.hostname
|
Mapped when csv_message
=~ CEF:
|
log.server.domain
|
target.asset.hostname
|
Mapped when json_array
!= `` |
csv_message
|
target.asset.ip
|
Mapped: CEF:
→ kv.dst
, CEF:
→ kv.sip
|
dst
|
target.asset.ip
|
Merged |
kv.dst
|
target.asset.ip
|
Merged |
kv.sip
|
target.asset.ip
|
Merged |
log.dest-ip
|
target.asset.ip
|
Merged |
message
|
target.asset.ip
|
Mapped: LEEF:
→ dst
|
kv.dhost
|
target.hostname
|
Mapped when csv_message
=~ CEF:
|
kv.sourceServiceName
|
target.hostname
|
Mapped when csv_message
=~ CEF:
|
log.server.domain
|
target.hostname
|
Mapped when json_array
!= `` |
sourceServiceName
|
target.hostname
|
Renamed/mapped |
csv_message
|
target.ip
|
Mapped: CEF:
→ kv.dst
, CEF:
→ kv.sip
|
dst
|
target.ip
|
Merged |
kv.dst
|
target.ip
|
Merged |
kv.sip
|
target.ip
|
Merged |
log.dest-ip
|
target.ip
|
Merged |
message
|
target.ip
|
Mapped: LEEF:
→ dst
|
log.server.geo.name
|
target.location.name
|
Mapped when json_array
!= `` |
dstPort
|
target.port
|
Renamed/mapped |
kv.cpt
|
target.port
|
Renamed/mapped |
kv.dpt
|
target.port
|
Renamed/mapped |
log.dest-port
|
target.port
|
Renamed/mapped |
kv.deviceProcessName
|
target.process.file.full_path
|
Mapped when csv_message
=~ CEF:
|
log.url.path
|
target.process.file.full_path
|
Mapped when json_array
!= `` |
header_map_label
|
target.resource.attribute.labels
|
Merged |
server_group_label
|
target.resource.attribute.labels
|
Merged |
server_group_simulation_mode_label
|
target.resource.attribute.labels
|
Merged |
service_label
|
target.resource.attribute.labels
|
Merged |
log.resource_id
|
target.resource.id
|
Mapped when json_array
!= `` |
log.context_key
|
target.resource.name
|
Mapped when json_array
!= `` |
log.imperva.audit_trail.resource_name
|
target.resource.name
|
Mapped when json_array
!= `` |
kv.fileId
|
target.resource.product_object_id
|
Mapped when csv_message
=~ CEF:
|
log.imperva.abp.token_id
|
target.resource.product_object_id
|
Mapped when json_array
!= `` |
log.resource_type_key
|
target.resource.type
|
Mapped when json_array
!= `` |
kv.request
|
target.url
|
Renamed/mapped |
url
|
target.url
|
Renamed/mapped |
Customer
|
target.user.user_display_name
|
Renamed/mapped |
log.imperva.ids.account_name
|
target.user.user_display_name
|
Mapped when json_array
!= `` |
kv.duser
|
target.user.userid
|
Renamed/mapped |
kv.suid
|
target.user.userid
|
Mapped when csv_message
=~ CEF:
|
log.account_id
|
target.user.userid
|
Mapped when json_array
!= `` |
suid
|
target.user.userid
|
Renamed/mapped |
|
N/A
|
metadata.event_type
|
Constant: NETWORK_HTTP
|
|
N/A
|
network.direction
|
Constant: INBOUND
|
|
N/A
|
network.ip_protocol
|
Constant: TCP
|
|
N/A
|
security_result.severity
|
Constant: HIGH
|
end
|
event.idm.read_only_udm.metadata.collected_timestamp
|
Mapped from changelog |
end
|
event.idm.read_only_udm.metadata.event_timestamp
|
Mapped from changelog |
kv.cs12
|
event.idm.read_only_udm.security_result.detection_fields
|
Mapped from changelog |
kv.cs10
|
event.idm.read_only_udm.security_result.detection_fields
|
Mapped from changelog |
kv.cat
|
event.idm.read_only_udm.security_result.category_details
|
Mapped from changelog |
Customer
|
event.idm.read_only_udm.network.organization_name
|
Mapped from changelog |
siteid
|
event.idm.read_only_udm.security_result.detection_fields
|
Mapped from changelog |
deviceExternalId
|
event.idm.read_only_udm.security_result.detection_fields
|
Mapped from changelog |
spt
|
event.idm.read_only_udm.principal.port
|
Mapped from changelog |
cpt
|
event.idm.read_only_udm.target.port
|
Mapped from changelog |
cat
|
event.idm.read_only_udm.security_result.action_details
|
Mapped from changelog |
cs9Label
|
event.idm.read_only_udm.security_result.detection_fields
|
Mapped from changelog |
cs8Label
|
event.idm.read_only_udm.principal.location.region_longitude
|
Mapped from changelog |
kv.cat
|
event.idm.read_only_udm.security_result.action_details
|
Mapped from changelog |
kv.cs8
|
event.idm.read_only_udm.network.http.method
|
Mapped from changelog |
timestamp
|
event.idm.read_only_udm.metadata.event_timestamp
|
Mapped from changelog |
metadata.vendor_name
|
Imperva Cloud WAF
|
Mapped from changelog |
log.imperva.request_user
|
security_result.detection_fields
|
Mapped from changelog |
log.imperva.classified_client
|
security_result.detection_fields
|
Mapped from changelog |
"log.imperva.successful_logins_last_24h","log.imperva.path" and "log.imperva.failed_logins_last_24h
|
security_result.detection_fields
|
Mapped from changelog |
additional_factor","log.imperva.device_reputation" and "log.imperva.credentials_leaked
|
additional.fields
|
Mapped from changelog |
log.imperva.fingerprint
|
security_result.description
|
Mapped from changelog |
log.imperva.classified_client
|
principal.process.file.full_path
|
Mapped from changelog |
kv.src", "src" and "log.client.ip
|
principal.asset.ip
|
Mapped from changelog |
kv.dst" and "dst
|
target.asset.ip
|
Mapped from changelog |
kv.cs9" and "cs9
|
security_result.rule_name
|
Mapped from changelog |
kv.fileType" and "fileType
|
security_result.rule_type
|
Mapped from changelog |
xff" and "forwardedIp
|
intermediary.asset.ip
|
Mapped from changelog |
security_action
|
BLOCK
|
Mapped from changelog |
significant_domain_name", "domain_risk", "violated_directives
|
security_result.detection_fields
|
Mapped from changelog |
imperva.audit_trail.event_action
|
security_result.detection_fields
|
Mapped from changelog |
imperva.audit_trail.event_action_description
|
security_result.detection_fields
|
Mapped from changelog |
imperva.audit_trail.event_context
|
security_result.detection_fields
|
Mapped from changelog |
imperva.audit_trail.event_context_description
|
security_result.detection_fields
|
Mapped from changelog |
imperva.abp.apollo_rule_versions
|
security_result.detection_fields
|
Mapped from changelog |
imperva.abp.bot_violations
|
security_result.detection_fields
|
Mapped from changelog |
imperva.abp.bot_behaviors
|
security_result.detection_fields
|
Mapped from changelog |
imperva.abp.bot_deciding_condition_ids
|
security_result.detection_fields
|
Mapped from changelog |
imperva.abp.bot_deciding_condition_names
|
security_result.detection_fields
|
Mapped from changelog |
imperva.abp.bot_triggered_condition_ids
|
security_result.detection_fields
|
Mapped from changelog |
imperva.abp.bot_triggered_condition_names
|
security_result.detection_fields
|
Mapped from changelog |
kvdata.ver
|
network.tls.version
|
Mapped from changelog |
kvdata.sip
|
principal.ip
|
Mapped from changelog |
kvdata.spt
|
principal.port
|
Mapped from changelog |
kvdata.requestMethod
|
network.http.method
|
Mapped from changelog |
imperva.abp.request_type
|
principal.labels
|
Mapped from changelog |
imperva.abp.random_id
|
additional.fields
|
Mapped from changelog |
user_agent.original
|
network.http.parsed_user_agent
|
Mapped from changelog |
imperva.abp.zuid
|
additional.fields
|
Mapped from changelog |
imperva.ids.site_name
|
additional.fields
|
Mapped from changelog |
imperva.ids.site_id
|
additional.fields
|
Mapped from changelog |
imperva.abp.headers_accept_encoding
|
security_result.detection_fields
|
Mapped from changelog |
imperva.abp.headers_accept_language
|
security_result.detection_fields
|
Mapped from changelog |
imperva.abp.headers_connection
|
security_result.detection_fields
|
Mapped from changelog |
imperva.abp.policy_id
|
security_result.detection_fields
|
Mapped from changelog |
imperva.abp.policy_name
|
security_result.detection_fields
|
Mapped from changelog |
imperva.abp.selector_derived_id
|
security_result.detection_fields
|
Mapped from changelog |
imperva.abp.monitor_action
|
security_result.action
|
Mapped from changelog |
Change Log
View the Change Log for this parser
Need more help? Get answers from Community members and Google SecOps professionals.

