
waf.incapsula

Introduction

Tags beginning with waf.incapsula identify events generated by Imperva Web Application Firewall (formerly Incapsula Web Application Firewall), an Imperva product.

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed as waf.incapsula and the third identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Imperva Web Application Firewall (formerly Incapsula Web Application Firewall) | waf.incapsula.audit | waf.incapsula.audit |
| | waf.incapsula.events | waf.incapsula.events |
| | waf.incapsula.siemintegration | waf.incapsula.siemintegration |

For more information, read About Devo tags.

Table structure

These are the fields displayed in these tables:

waf.incapsula.audit

| Field | Type | Field Transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| MD5OfBody | str | | | |
| ApproximateReceiveCount | str | | | |
| SenderId | str | | | |
| SentTimestamp | str | | | |
| ApproximateFirstReceiveTimestamp | str | | | |
| event | str | | | |
| site_id | str | | | |
| user_id | str | | | |
| account_id | str | ifthenelse(startswith(account_id_aux, '"'), substring(account_id_aux, 1, length(account_id_aux), -2), account_id_aux) | account_id_aux | |
| creation_date | str | | | |
| domain | str | | | |
| user_email | str | | | |
| account_name | str | | | |
| MessageId | str | | | |
| Body | str | | | |
| ReceiptHandle | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | rawSource | ✓ |

waf.incapsula.events

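| Field | Type | Field Transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| timestamp | timestamp | timestamp(dateTime) | dateTime | |
| Visitor_ID | str | | | |
| Client_App | str | | | |
| Browser_Type | str | | | |
| JS_Support | bool | | | |
| Cookies_Support | bool | | | |
| Main_Client_IP | ip4 | | | |
| Additional_Client_IPS | str | | | |
| Debug | str | | | |
| Captcha_Support | str | | | |
| Account_ID | str | | | |
| User_Agent | str | | | |
| ID | str | | | |
| Site_ID | str | | | |
| Country_Code | str | | | |
| Ref_ID | str | | | |
| City | str | | | |
| Site_Name | str | | | |
| Latitude | float8 | | | |
| Longitude | float8 | | | |
| Account_Name | str | | | |
| url | str | | | |
| Post_Body | str | | | |
| Protocol | str | | | |
| Request_Result | str | | | |
| Request_ID | str | | | |
| Referrer | str | | | |
| Server_IP | ip4 | | | |
| Server_Port | int8 | | | |
| Method | str | | | |
| Query_String | str | | | |
| HTTP_Status_Code | int8 | | | |
| X_Forwarded_For | ip4 | | | |
| Content_Length | int8 | | | |
| Request_Start_Time | int8 | | | |
| Delivery_Rule_Details | str | | | |
| Attack_Severity | str | | | |
| Attack_Type | str | | | |
| Attack_ID | str | | | |
| Rule_Name | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | rawSource | ✓ |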

waf.incapsula.siemintegration

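| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| leefVer | str | |
| vendor | str | |
| product | str | |
| version | str | |
| eventID | str | |
| file_id | str | |
| source_service_name | str | |
| siteid | str | |
| source_user_id | str | |
| request_client_application | str | |
| pop_name | str | |
| cs1_label | str | |
| cs1 | str | |
| cs2_label | str | |
| cs2 | str | |
| cs3_label | str | |
| cs3 | str | |
| cs4_label | str | |
| cs4 | str | |
| cs5_label | str | |
| cs5 | str | |
| cs6_label | str | |
| cs6 | str | |
| cs7_label | str | |
| cs7 | str | |
| cs8_label | str | |
| cs8 | str | |
| destination_process_name | str | |
| cal_country_or_region | str | |
| cicode | str | |
| customer | str | |
| start | timestamp | |
| url | str | |
| ref | str | |
| request_method | str | |
| cn1 | int8 | |
| protocol | str | |
| category | str | |
| device_external_id | str | |
| bytes_in | int8 | |
| source_ip | ip4 | |
| source_port | int4 | |
| destination_ip | ip4 | |
| destination_port | int4 | |
| xff | ip4 | |
| proto_ver | str | |
| end | timestamp | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |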