waf.imperva

Introduction

The tags beginning with waf.imperva identify events generated by SecureSphere Web Application Firewall belonging to Imperva.

The full tag must have 3 levels. The first two are fixed as web.imperva and the third identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
SecureSphere Web Application Firewall	`waf.imperva.securesphere`	`waf.imperva.securesphere`

For more information, read more About Devo tags.

These are the fields displayed in this table:

Field	Type	Field Transformation	Source field name	Extra fields

Field	Type	Field Transformation	Source field name	Extra fields
eventdate	`timestamp`
host	`str`		vhost
deviceVersion	`str`
signatureID	`str`
name	`str`
severity	`str`
src	`ip4`
spt	`int4`
duser	`str`
dst	`ip4`
dpt	`int4`
geo	`str`
action	`str`	`isnotnull(act_aux) ? act_aux : isnotnull(act_aux2) ? act_aux2 : null("")`	act_aux act_aux2
user_agent	`str`
Policy	`str`
Method	`str`
ServerGroup	`str`
Response	`str`
ApplicationName	`str`
RequestedURLPath	`str`
AlertDescription	`str`
ServiceName	`str`
EventID	`str`
GatewayName	`str`
message	`str`
rule_id	`str`
rule_name	`str`
parameter_name	`str`
parameter_value	`str`
observed_content_type	`str`
post_request_missing_content_type	`str`
proto	`str`
suser	`str`
rt	`timestamp`
cat	`str`
cs1	`str`
cs1Label	`str`
cs2	`str`
cs2Label	`str`
cs3	`str`
cs3Label	`str`
cs4	`str`
cs4Label	`str`
cs5	`str`
cs5Label	`str`
hostchain	`str`			✓
rawMessage	`str`		rawSource