
Imperva Cloud Integration Guide

The following instructions are for configuring Imperva Cloud to facilitate log ingestion into Secureworks® Taegis™ XDR. This integration leverages Imperva's Near Real-Time SIEM log integration to send logs to your AWS S3 bucket.

Data Provided from Integration

The following Imperva Cloud WAF event types are supported by Secureworks® Taegis™ XDR in JSON format.

  Auth CloudAudit DNS HTTP Management Netflow NIDS Process Thirdparty
Imperva Cloud WAF D Y             Y

  Auth CloudAudit DNS HTTP Management Netflow NIDS Process Thirdparty
Imperva WAF       D          

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Note

Imperva Cloud event types not listed above are normalized to the generic schema.

Configure Imperva Cloud to Send Logs to S3

Follow the instructions in the Imperva Cloud documentation to configure log forwarding to an S3 bucket.

Choose Amazon S3 as the log destination.

Imperva Cloud WAF Connection

Deploy the XDR Lambda Function in Your AWS Environment

Follow all steps in these instructions to deploy the Lambda function that will send Imperva Cloud WAF logs from your S3 bucket to XDR.

Note

The above instructions reference CloudTrail; however, the mechanism for sending logs from S3 to XDR is data source-agnostic. You must follow all steps in the instructions.

Advanced Search Using the Query Language

Example Query Language Searches

To search for http events from the last 24 hours:

FROM http WHERE sensor_type = 'IMPERVA_INCAPSULA' AND EARLIEST=-24h

To search for high severity events:

WHERE sensor_type = 'Imperva Cloud' AND severity = 'high'

To search for http events for a specific host:

FROM http WHERE sensor_type = 'IMPERVA_INCAPSULA' AND @ip = 10.10.10.10

Event Details

Imperva Cloud WAF Event Details
