Documentation Center
AlienVault® USM Anywhere™

Incapsula Web Application Firewall

When you configure Incapsula Web Application Firewall to send log data to USM Anywhere, you can use the Incapsula CEF plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Imperva
Device Type Web Application Firewall
Connection Type Syslog

Integrating Incapsula

Before you configure the Incapsula integration, you must have the IP Address of the USM Anywhere Sensor.

To configure Incapsula to send log files to USM Anywhere

  1. Clone logs-downloader, a script for downloading log files from Incapsula, from the Incapsula repository on GitHub (https://github.com/Incapsula/logs-downloader).

    Note: The logs-downloader script is not directly related to AlienVault, but you need to run the script in your own environment to send log files to USM Anywhere.

  2. Edit the Settings.Config file, located in the config folder, to configure the syslog settings. You can open and edit the configuration file using any standard text editor.

    The following code segment shows the default parameter settings typically defined in the Settings.Config file.

  3. [SETTINGS]

    APIID=41986

    APIKEY=25a21c10-ebf4-4c4c-8c1e-d588c4050d5d

    PROCESS_DIR= /tmp/processed/

    BASEURL=https://255.255.255.255/1234_5678/

    USEPROXY=NO

    PROXYSERVER=

    SYSLOG_ENABLE=NO

    SYSLOG_ADDRESS=

    SYSLOG_PORT=

    USE_CUSTOM_CA_FILE=NO

    CUSTOM_CA_FILE=

    The following table describes all the various parameters that may be specified in the configuration file. The parameters shown in bold are the ones you need to modify to direct log messages to USM Anywhere.

    Parameter Value Description
    APIID Your API ID.
    APIKey Your API key.
    PROCESS_DIR Specifies the directory into which Incapsula automatically saves the logs after unzipping and decrypting them.
    BASEURL Specifies the URL of your logs repository in the Incapsula cloud. This URL is displayed in the Incapsula Administration Console Settings window as the Log Server URL field.
    USEPROXY Specify YES to use a proxy to download the files.
    PROXYSERVER If you choose to use a proxy, supply the proxy URL in the following format: https://1.1.1.1:8080.
    SYSLOG_ENABLE A Yes/No value that instructs Incapsula about whether to send the files by syslog.
    SYSLOG_ADDRESS If syslog is enabled, provide the USM Anywhere IP address to which to send the logs.
    SYSLOG_PORT If syslog is enabled, provide the syslog port. Port 514 is used to send logs to USM Anywhere.
    USE_CUSTOM_CA_FILE Default "no" in case the service's certificate is not in the default bundle.
    CUSTOM_CA_FILE Path for the custom certificate file.
  4. After updating the syslog configuration settings, run the LogsDownloader.py file in the script folder, following the instructions provided with the script.

Plugin Enablement

The Incapsula CEF plugin will automatically process all messages when the raw message contains "Incapsula\|SIEMintegration".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • account_name
  • application
  • application_protocol
  • bytes_in
  • customfield_0
  • customfield_1
  • customfield_2
  • customfield_4
  • customfield_10
  • customheader_0
  • customheader_1
  • customheader_2
  • customheader_4
  • customheader_10
  • device_external_id
  • event_action
  • event_description
  • event_name
  • event_severity
  • file_permission
  • file_type
  • highlight_fields
  • http_referer
  • incident_id
  • ip_addresses
  • plugin_device
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • request_method
  • request_url
  • request_user_agent
  • response_code
  • session
  • source_address
  • source_service_name
  • source_userid
  • time_start
  • transient

Additional Resources and Troubleshooting

https://docs.incapsula.com/Content/management-console-and-settings/log-integration.htm

https://docs.incapsula.com/Content/read-more/log-configuration.htm

https://github.com/Incapsula/logs-downloader

For troubleshooting, refer to the vendor documentation:

https://incapsula.zendesk.com/hc/en-us/articles/209074918-Common-Incapsula-Errors-and-Their-Solutions