Imperva WAF

Imperva is a unified security platform that provides web applications with real-time protection from threats such as DDoS, bots, and API exploitation. This event source collects logs from Imperva Cloud WAF, the SaaS service, whose SIEM log delivery is configured in the Imperva cloud management console (Account Management > SIEM Logs).

You can configure Imperva to make Web Application Firewall (WAF) activity logs available through its API; InsightIDR then pulls them from the Imperva log server through a Cloud Connection and parses them into WAF Activity data.

Only the CEF log format is supported

The Rapid7 Imperva WAF event source currently parses only logs in the CEF format. Choose CEF when Imperva asks for a log format; other formats Imperva can emit are not parsed by this event source.

To set up the Imperva WAF event source, complete these steps:

  1. Read the requirements and complete the prerequisite steps.
  2. Configure Imperva to send data to InsightIDR.
  3. Configure InsightIDR to receive data from the event source.
  4. Test the configuration.

Visit the third-party vendor's documentation

For the most accurate information about preparing your event source product for integration with InsightIDR, we recommend that you visit the Imperva product documentation.

Requirements

Before InsightIDR can start ingesting data from Imperva, you must:

  • Create a SIEM connection
  • Generate an API key

Configure Imperva to send data to InsightIDR

To ensure InsightIDR can receive data from Imperva, you must configure a few settings within the Imperva platform. Read the documentation from Imperva for further guidance.

  1. Log in to your Imperva account and create a SIEM connection from Account Management > SIEM Logs > Log Configuration.
  2. Click Add connection and select Imperva API as the delivery method.
  3. Click Generate API keys. Copy the API ID, API key, and Log Server URL and store them securely; treat the API key as a credential, because anyone holding it together with the API ID can download your WAF logs.
  4. Click Add log type and select Cloud WAF service. Ensure that both security and access logs are collected.

Wherever Imperva asks for a log format, choose CEF; it is the only format this event source parses.

Configure InsightIDR to receive data from the event source

After you create the SIEM connection in Imperva and have the API ID, API key, and Log Server URL, you can set up your Imperva WAF event source in InsightIDR.

Task 1: Select Imperva WAF

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Imperva WAF in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the Imperva WAF event source tile.

Task 2: Set up the Cloud Connection

  1. In the Add Event Source panel, name the event source. This will be the name of the log that contains the event data in Log Search. If you do not name the event source, the log name will default to Imperva WAF.
  2. Optionally, select the option to send unparsed data.
  3. Click Add a New Connection.
  4. In the Create a Cloud Connection screen, enter a name for the new connection.
  5. Use the values you stored earlier to fill in the Log Server URI, API ID, and API Key fields.
  6. Optionally, paste the contents of the private key file (Private.pem) into the Private Key field. This is required only if you enabled log encryption in Imperva. The key must be the private half of the key pair whose public key you uploaded to Imperva; with any other key, InsightIDR cannot decrypt the log files.
  7. Click Save & Test Connection.
  8. Click Save.

Set up a new Imperva WAF event source if your encryption keys are updated

If you update the keys used for log file encryption on Imperva, it is recommended to set up a new event source with the updated private key to ensure that collection continues and no data is lost.

Test the configuration

The event types that InsightIDR parses from this event source are:

  • WAF Activity

To test that event data is flowing into InsightIDR through the Cloud Connection:

  1. View the raw logs:
    1. From the Data Collection Management page, click the Event Sources tab.
    2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to InsightIDR.
  2. Use Log Search to find the log entries. After approximately seven minutes, you can verify that log entries are appearing in Log Search.
    1. From the left menu, go to Log Search.
    2. In the Log Search filter, search for the new event source you created.
    3. Select the log sets and the log names under each log set. Imperva logs flow into these log sets:
      • WAF Activity
    4. Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into InsightIDR in the last 10 minutes. The keys and values that are displayed are helpful when you want to build a query and search your logs.

Sample logs

WAF Activity log

```json
{
  "timestamp": "2016-01-21T09:48:41.336Z",
  "is_blocked": "true",
  "rule": "Block Malicious User,High Risk Resources",
  "mapped_severity": "MEDIUM",
  "product_severity": "med",
  "source_address": "xx.xxx.xxx.xx",
  "source_port": "xxxxx",
  "geoip_organization": "Example ISP",
  "geoip_country_code": "US",
  "geoip_country_name": "United States",
  "geoip_city": "Example City",
  "geoip_region": "CA",
  "server_address": "xx.xx.xxx.x",
  "url_host": "example.host.com",
  "http_method": "GET",
  "url_path": "/index.cgi",
  "url_query": "p=%2fetc%2fpasswd",
  "destination_port": "443",
  "incoming_bytes": "2341",
  "outgoing_bytes": "265",
  "user_agent": "Generic User Agent",
  "referer": "/",
  "forwarded_for": ["xx.xxx.xxx.xx", "xx.xxx.xxx.xxx", "xx.xx.x.xx"],
  "auth_user": "jdoe",
  "source_data/source_json": "source data"
}
```
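The parsed WAF Activity schema above is what you build Log Search queries and detections against, and two of its properties trip people up: is_blocked arrives as the string "true"/"false" rather than a JSON boolean, and forwarded_for is client-supplied X-Forwarded-For data that an attacker controls. The following Python is an added example (not Rapid7's or Imperva's code) that triages a handful of constructed log lines in that schema: it URL-decodes the request repeatedly so double-encoded probes are not missed, tags traversal and SQL injection attempts, keys everything by source_address rather than forwarded_for, and lists the probes Imperva saw but did not block, which are the ones worth chasing first. The sample events, rule names, and marker lists are constructed for illustration.

```python
"""Triage of InsightIDR 'WAF Activity' events from the Imperva WAF event source.

Added example, not Rapid7 or Imperva code. Events are constructed in the
parsed-log schema shown on this page; addresses come from RFC 5737 test ranges.
"""
import json
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample log lines, one JSON object per line as Log Search returns them.
# The last line is deliberately malformed to show that bad lines are skipped.
SAMPLE_LOG_LINES = [
    '{"timestamp": "2016-01-21T09:48:41.336Z", "is_blocked": "true", '
    '"rule": "Block Malicious User,High Risk Resources", "mapped_severity": "MEDIUM", '
    '"source_address": "203.0.113.10", "http_method": "GET", "url_host": "example.host.com", '
    '"url_path": "/index.cgi", "url_query": "p=%2fetc%2fpasswd", "forwarded_for": [], "auth_user": "jdoe"}',
    '{"timestamp": "2016-01-21T09:48:52.101Z", "is_blocked": "true", '
    '"rule": "Block Malicious User,High Risk Resources", "mapped_severity": "MEDIUM", '
    '"source_address": "203.0.113.10", "http_method": "GET", "url_host": "example.host.com", '
    '"url_path": "/index.cgi", "url_query": "p=..%252f..%252fetc%252fshadow", "forwarded_for": [], "auth_user": "jdoe"}',
    '{"timestamp": "2016-01-21T09:49:03.440Z", "is_blocked": "false", '
    '"rule": "SQL Injection", "mapped_severity": "LOW", '
    '"source_address": "198.51.100.7", "http_method": "GET", "url_host": "example.host.com", '
    '"url_path": "/login", "url_query": "id=1%27%20OR%201%3D1--", "forwarded_for": [], "auth_user": ""}',
    '{"timestamp": "2016-01-21T09:49:10.002Z", "is_blocked": "false", '
    '"rule": "", "mapped_severity": "INFO", '
    '"source_address": "192.0.2.55", "http_method": "GET", "url_host": "example.host.com", '
    '"url_path": "/search", "url_query": "q=shoes", "forwarded_for": ["10.0.0.1"], "auth_user": ""}',
    'not a json line',
]

# Illustrative markers, compared against the lower-cased, fully decoded request.
TRAVERSAL_MARKERS = ("../", "..\\", "/etc/passwd", "/etc/shadow")
SQLI_MARKERS = ("' or ", "union select", "sleep(")


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing, so %252f (double-encoded '/') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def load_events(lines):
    """Parse raw JSON log lines, skipping any line that is not valid JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def client_ip(event):
    """Attribute activity to source_address. forwarded_for is X-Forwarded-For
    content supplied by the client and can be spoofed, so it is never the key."""
    return event.get("source_address", "unknown")


def classify(event):
    """Tag one event with the probe class it matches and whether Imperva blocked it."""
    request = decode_fully(event.get("url_path", "") + "?" + event.get("url_query", "")).lower()
    tags = set()
    if any(marker in request for marker in TRAVERSAL_MARKERS):
        tags.add("traversal")
    if any(marker in request for marker in SQLI_MARKERS):
        tags.add("sqli")
    # is_blocked is the string "true"/"false" in the parsed log, not a JSON boolean.
    if str(event.get("is_blocked", "")).lower() == "true":
        tags.add("blocked")
    return tags


def summarize(events):
    """Per-source counts of each tag, e.g. {'203.0.113.10': Counter(traversal=2, blocked=2)}."""
    per_source = defaultdict(Counter)
    for event in events:
        per_source[client_ip(event)].update(classify(event))
    return dict(per_source)


def unblocked_probes(events):
    """Probes that matched a marker but were not blocked: investigate these first."""
    hits = []
    for event in events:
        tags = classify(event)
        if tags & {"traversal", "sqli"} and "blocked" not in tags:
            hits.append((client_ip(event), decode_fully(event.get("url_query", ""))))
    return hits


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG_LINES)
    for source, counts in summarize(events).items():
        print(source, dict(counts))
    for source, query in unblocked_probes(events):
        print("NOT BLOCKED:", source, query)
```

Run against real data by replacing SAMPLE_LOG_LINES with lines exported from Log Search; the same string comparison on is_blocked applies when you write the Log Search query itself.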