waf.incapsula

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with waf.incapsula identify events generated by Imperva Web Application Firewall (formerly Incapsula Web Application Firewall) belonging to Imperva.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as waf.incapsula and the third identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Imperva Web Application Firewall (formerly Incapsula Web Application Firewall)	`waf.incapsula.audit`	`waf.incapsula.audit`
	`waf.incapsula.events`	`waf.incapsula.events`
	`waf.incapsula.siemintegration`	`waf.incapsula.siemintegration`

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

waf.incapsula.audit

Field	Type	Field Transformation	Source field name	Extra fields

Field	Type	Field Transformation	Source field name	Extra fields
eventdate	`timestamp`
MD5OfBody	`str`
ApproximateReceiveCount	`str`
SenderId	`str`
SentTimestamp	`str`
ApproximateFirstReceiveTimestamp	`str`
event	`str`
site_id	`str`
user_id	`str`
account_id	`str`	`ifthenelse(startswith(account_id_aux, '"'), substring(account_id_aux, 1, length(account_id_aux), -2), account_id_aux)`	account_id_aux
creation_date	`str`
domain	`str`
user_email	`str`
account_name	`str`
MessageId	`str`
Body	`str`
ReceiptHandle	`str`
hostchain	`str`			✓
tag	`str`			✓
rawMessage	`str`		rawSource	✓

waf.incapsula.events

Field	Type	Field Transformation	Source field name	Extra fields

Field	Type	Field Transformation	Source field name	Extra fields
eventdate	`timestamp`
timestamp	`timestamp`	`timestamp(dateTime)`	dateTime
Visitor_ID	`str`
Client_App	`str`
Browser_Type	`str`
JS_Support	`bool`
Cookies_Support	`bool`
Main_Client_IP	`ip4`
Additional_Client_IPS	`str`
Debug	`str`
Captcha_Support	`str`
Account_ID	`str`
User_Agent	`str`
ID	`str`
Site_ID	`str`
Country_Code	`str`
Ref_ID	`str`
City	`str`
Site_Name	`str`
Latitude	`float8`
Longitude	`float8`
Account_Name	`str`
url	`str`
Post_Body	`str`
Protocol	`str`
Request_Result	`str`
Request_ID	`str`
Referrer	`str`
Server_IP	`ip4`
Server_Port	`int8`
Method	`str`
Query_String	`str`
HTTP_Status_Code	`int8`
X_Forwarded_For	`ip4`
Content_Length	`int8`
Request_Start_Time	`int8`
Delivery_Rule_Details	`str`
Attack_Severity	`str`
Attack_Type	`str`
Attack_ID	`str`
Rule_Name	`str`
hostchain	`str`			✓
tag	`str`			✓
rawMessage	`str`		rawSource	✓

waf.incapsula.siemintegration

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
leefVer	`str`
vendor	`str`
product	`str`
version	`str`
eventID	`str`
file_id	`str`
source_service_name	`str`
siteid	`str`
source_user_id	`str`
request_client_application	`str`
pop_name	`str`
cs1_label	`str`
cs1	`str`
cs2_label	`str`
cs2	`str`
cs3_label	`str`
cs3	`str`
cs4_label	`str`
cs4	`str`
cs5_label	`str`
cs5	`str`
cs6_label	`str`
cs6	`str`
cs7_label	`str`
cs7	`str`
cs8_label	`str`
cs8	`str`
destination_process_name	`str`
cal_country_or_region	`str`
cicode	`str`
customer	`str`
start	`timestamp`
url	`str`
ref	`str`
request_method	`str`
cn1	`int8`
protocol	`str`
category	`str`
device_external_id	`str`
bytes_in	`int8`
source_ip	`ip4`
source_port	`int4`
destination_ip	`ip4`
destination_port	`int4`
xff	`ip4`
proto_ver	`str`
end	`timestamp`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓