Imperva Incapsula

Imperva Incapsula is a cloud-based application delivery service that includes web security, DDoS protection, CDN, and load balancing.

The Sumo Logic app for Imperva Incapsula - Web Application Firewall (WAF) helps you monitor your web application protection service. The preconfigured dashboards provide insights on the threat alerts events.

Log types

The Imperva Incapsula - Web Application Firewall app uses security and access logs. For more details, see here.

Sample queries

Parse Command for all CEF items in Imperva Incapsula

| parse "fileId=* " as ID nodrop
| parse "src=* " as main_client_ip nodrop
| parse "caIP=* " as additional_client_ip nodrop
| parse "requestClientApplication=* cs2" as user_agent nodrop
| parse "request=* " as URL nodrop
| parse "tag=* " as ref_id nodrop
| parse "ccode=* " as country_code nodrop
| parse "cicode=* " as City nodrop
| parse "ccode=[*] " as country_code nodrop
| parse "app=* " as Protocol nodrop
| parse "deviceExternalId=* " as request_id nodrop
| parse "ref=* " as Referrer nodrop
| parse "requestMethod=* " as Method nodrop
| parse "cn1=* " as http_status_code nodrop
| parse "xff=* " as X_Forwarded_For nodrop
| parse "in=* " as content_length nodrop
| parse "suid=* " as account_id nodrop
| parse "Customer=* " as account_name nodrop
| parse "siteid=* " as site_id nodrop
| parse "sourceServiceName=* " as site_name nodrop
| parse "act=* " as request_result nodrop
| parse "postbody=* " as post_body nodrop
| parse "start=* " as request_start_time nodrop
| parse "sip=* " as server_ip nodrop
| parse "spt=* " as server_port nodrop
| parse "qstr=* " as query_string nodrop
| parse "cs1=* " as captcha_support nodrop
| parse "cs2=* cs2" as js_support nodrop
| parse "cs3=* cs3" as cookies_support nodrop
| parse "cs4=* cs4" as visitor_id nodrop
| parse "cs5=* cs5" as Debug nodrop
| parse "cs6=* cs6" as client_app nodrop
| parse "cs7=* cs7" as Latitude nodrop
| parse "cs8=* cs8" as Longitude nodrop
| parse "cs9=* cs9" as rule_name nodrop
| parse "filePermission=* " as attack_id nodrop
| parse "fileType=* " as attack_type nodrop
| parse "dproc=* cs6" as browser_type nodrop

Top attack vectors

_sourceCategory="Incapsula"
| parse "SIEMintegration|1|1|*|" as policy_type
| parse "sourceServiceName=* " as site_name
| count by policy_type
| top 10 policy_type by _count
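The two queries above rely on the shape of an Incapsula CEF event: a pipe-separated header (CEF version, vendor, product, version, signature id, name, severity) whose name field the "Top attack vectors" query reads as the policy type, followed by key=value extensions where labelled fields such as cs2 are terminated by their cs2Label. The following Python is an added example, not code from the Sumo Logic page or the app: it parses events into the same field names the parse command assigns, unescapes CEF `\=` sequences, and counts policy types the way the "Top attack vectors" query does. The log lines are constructed for illustration and are not real Incapsula output; the act and cs9 values in them are made up.

```python
"""Offline equivalent of the page's CEF parse command and top-policy-type query."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample events (not real data). Header layout matches what the
# "SIEMintegration|1|1|*|" parse expression expects; extension values such as
# act and cs9 are invented for the example.
SAMPLE_LOGS = [
    "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3|"
    "fileId=1001 sourceServiceName=www.example.com siteid=555 suid=42 "
    "requestClientApplication=Mozilla/5.0 (X11) cs2=true cs2Label=Javascript Support "
    "src=203.0.113.10 ccode=US requestMethod=GET request=www.example.com/admin/ "
    "cn1=403 act=REQ_BAD_BLOCKED cs9=Block Admin Path cs9Label=Rule name",
    "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3|"
    "fileId=1002 sourceServiceName=www.example.com siteid=555 suid=42 "
    "src=203.0.113.11 ccode=DE requestMethod=GET request=www.example.com/backup/ "
    "qstr=id\\=5 cn1=403 act=REQ_BAD_BLOCKED",
    "CEF:0|Incapsula|SIEMintegration|1|1|SQL Injection|3|"
    "fileId=1003 sourceServiceName=www.example.com siteid=555 suid=42 "
    "src=198.51.100.7 ccode=FR requestMethod=POST request=www.example.com/login "
    "cn1=403 act=REQ_BAD_BLOCKED",
    "CEF:0|Incapsula|SIEMintegration|1|1|Normal|0|"
    "fileId=1004 sourceServiceName=www.example.com siteid=555 suid=42 "
    "src=192.0.2.25 ccode=US requestMethod=GET request=www.example.com/ "
    "cn1=200 act=REQ_PASSED",
]

# CEF extension key -> field name used by the app's parse command above.
FIELD_NAMES = {
    "fileId": "ID", "src": "main_client_ip", "caIP": "additional_client_ip",
    "requestClientApplication": "user_agent", "request": "URL", "tag": "ref_id",
    "ccode": "country_code", "cicode": "City", "app": "Protocol",
    "deviceExternalId": "request_id", "ref": "Referrer", "requestMethod": "Method",
    "cn1": "http_status_code", "xff": "X_Forwarded_For", "in": "content_length",
    "suid": "account_id", "Customer": "account_name", "siteid": "site_id",
    "sourceServiceName": "site_name", "act": "request_result",
    "postbody": "post_body", "start": "request_start_time", "sip": "server_ip",
    "spt": "server_port", "qstr": "query_string", "cs1": "captcha_support",
    "cs2": "js_support", "cs3": "cookies_support", "cs4": "visitor_id",
    "cs5": "Debug", "cs6": "client_app", "cs7": "Latitude", "cs8": "Longitude",
    "cs9": "rule_name", "filePermission": "attack_id", "fileType": "attack_type",
    "dproc": "browser_type",
}

# A value runs until the next " key=" token or end of line, so values may
# contain spaces (user agents, rule names) without breaking the split.
EXT_RE = re.compile(r"(?P<key>[A-Za-z0-9_]+)=(?P<val>.*?)(?=\s+[A-Za-z0-9_]+=|\s*$)")


def unescape(value: str) -> str:
    """Undo the CEF escaping of '=' and '\\' inside extension values."""
    return value.replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(line: str) -> Dict[str, str]:
    """Split one CEF event into the app's field names (policy_type from the header)."""
    # Split on pipes that are not escaped; 7 header fields, the rest is extensions.
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % line[:40])
    event = {"vendor": parts[1], "product": parts[2],
             "policy_type": parts[5], "severity": parts[6]}
    for m in EXT_RE.finditer(parts[7]):
        key, val = m.group("key"), unescape(m.group("val"))
        if key.endswith("Label"):
            continue  # cs2Label etc. only name the cs2 field; the app ignores them
        event[FIELD_NAMES.get(key, key)] = val
    return event


def top_policy_types(lines: List[str], n: int = 10) -> List[Tuple[str, int]]:
    """Same aggregation as 'count by policy_type | top 10 policy_type by _count'."""
    counts = Counter(parse_cef(line)["policy_type"] for line in lines)
    return counts.most_common(n)


if __name__ == "__main__":
    for policy, count in top_policy_types(SAMPLE_LOGS):
        print(f"{count:>4}  {policy}")
```

Labelled custom strings (cs1 to cs9) are matched on their key only; the trailing cs2Label-style token is the reason the Sumo parse expressions end with " cs2" rather than a space. Values are not split on embedded "=" unless it follows whitespace and a bare key, which mirrors how the parse command's `* ` anchors behave on real events.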

Collecting logs for the Imperva-Incapsula WAF app

This section provides instructions on configuring log collection for the Imperva Incapsula Web Application Firewall app; sample queries are given above.

Set up log integration in Imperva Incapsula

To configure log integration, do the following:

  1. Log into your my.incapsula.com account.
  2. On the sidebar, click Logs > Log Setup.
  3. Connection. Select Amazon S3.
  4. Next, fill in your credentials:
    • Your S3 Access key, Secret key, and Path, where path is the location of the folder where you want to store the logs. Enter the path in the following format: <Amazon S3 bucket name>/<log folder>. For example: MyBucket/MyIncapsulaLogFolder.
    • Click Test connection to perform a full testing cycle in which a test file will be transferred to your designated folder. The test file does not contain real data, and will be removed by Incapsula when the transfer is complete.
  5. Configure the additional options:
    • Format. Select the format for the log files: CEF
    • Compress logs. By default, log files are compressed. Clear this option to keep the logs uncompressed.

For detailed instructions, see here.

Set up in Sumo Logic

To configure log collection for Sumo Logic, do the following:

  1. Add a Sumo Logic Hosted Collector
  2. Configure Amazon S3 Source.

Installing the Imperva-Incapsula WAF app

To install the app, do the following:

  1. From the Sumo Logic navigation, select App Catalog.
  2. In the Search Apps field, search for and then select your app.
    Optionally, you can scroll down to preview the dashboards included with the app.
  3. To install the app, click Install App.
  4. Click Next in the Setup Data section.
  5. In the Configure section of the respective app, complete the following fields.
    1. Key. Select either of these options for the data source.
      • Choose Source Category, and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
  6. Click Next. You will be redirected to the Preview & Done section.

Your app will be installed in the Installed Apps folder and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, updating with full graphs and charts over time.

Viewing Imperva-Incapsula WAF dashboards

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

  • You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
  • You can use template variables to drill down and examine the data on a granular level. For more information, see Filter with template variables.
  • Most Next-Gen apps allow you to provide the scope at the installation time and are comprised of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.

Overview

See the overview of your WAF service including the source IP address, client app, user agent, country, ADR rules, and policy type.

Imperva - Incapsula dashboards

Client App Top Values. See the top 10 client apps by count in the last 14 days on a bar chart.

Source IP Top Values. See the top 10 source IP addresses by count in the last 14 days on a column chart.

Browser Type Top Values. See the top 10 browser types by count in the last 14 days on a pie chart.

Country Top Values. See the top 10 countries by count in the last 14 days on a column chart.

User Agent Top Values. See the top 10 user agents by count in the last 14 days displayed in a table.

URL Top Values. See the top 10 URLs by count in the last 14 days displayed in a table.

Policy Type. See the count and percentage of policy types in the last 14 days on a pie chart.

Top Applied ADR Rules. See the top 10 applied ADR rules by count in the last 14 days displayed in a table.

Blocked Countries

See the details of blocked countries in your WAF service including the source IP address, browser type, top countries, and user agent.

Imperva - Incapsula dashboards

Blocked Countries Top Values. See the top 10 blocked countries by count in the last 14 days on a pie chart.

Source IP Top Values. See the top 10 source IP addresses by count in the last 14 days on a column chart.

Browser Type Top Values. See the top 10 browser types by count in the last 14 days on a pie chart.

User Agent Top Values. See the top 10 user agents by count in the last 14 days displayed in a table.

Threat Table based on Client IP. See the details of threats in the last 24 hours based on client IP address including the main client IP address, malicious confidence, actor, source, label name, browser type, attack type, rule name, country code, server IP, server port, client app, method, post body, URL, user agent, and count, displayed in a table.

BOT - Access Control

See the details of BOT access control in your WAF service including the city, country, browser type, source IP address, and user agent.

Imperva - Incapsula dashboards

City Top Values. See the top 10 cities by count in the last 14 days on a column chart.

Country Top Values. See the top 10 countries by count in the last 14 days on a column chart.

Browser Type Top Values. See the top 10 browser types by count in the last 14 days on a column chart.

Geo Lookup. See the count and location of BOT access controls in the last 14 days on a world map.

User Agents Top Values. See the top 10 user agents by count in the last 14 days on a bar chart.

Source IP Top Values. See the top 10 source IP addresses by count in the last 14 days on a bar chart.

Copyright © 2024 by Sumo Logic, Inc.