V 2.0 : Access And Security Events

Vendor Documentation

Classification

Rule Name | Rule Type | Common Event | Classification
V 2.0 : Access And Security Events | Base Rule | General Information Log Message | Information

Mapping with LogRhythm Schema

Keys whose LogRhythm Schema column is N/A are present in the log message but are not parsed into a schema field by this rule.

Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description
N/A | <vendorinfo> | Text/String | Vendor (CEF header field).
N/A | N/A | N/A | Device Product (CEF header field).
N/A | N/A | N/A | Version (CEF header field).
N/A | <vmid> | Number | Event ID (CEF header Signature ID field).
N/A | <threatname> | Text/String | Attack Name (CEF header Name field).
Attack Severity | <severity> | Number | CEF header Severity field. The rule type that was triggered, expressed as the corresponding Imperva internal rule ID number:
    ACL: -1
    SQL Injection: 0
    Cross Site Scripting: 1
    Illegal Resource Access: 3
    Bot Access Control: 4
    DDoS: 8
    Backdoor Protect: 9
    Remote File Inclusion: 10
    Manual rule (IncapRule): 11
    API Specification Violation: 12
    Account Takeover Protection: 13
    Bad Bot (Advanced Bot Protection): 14
suid | N/A | N/A | The numeric identifier of the account of the site owner.
Customer | N/A | N/A | The account name of the site owner.
tag | N/A | N/A | Account-level reference ID. Corresponds to the Reference ID option in the Cloud Security Console Account Settings. For details, see Account Settings.
cicode | N/A | N/A | The city code of the site visitor.
src | <sip> | IP Address | The client IP that made the request.
in | <size> | Number | The content length.
ccode | N/A | N/A | The country code of the site visitor.
cn1 | <responsecode> | Number | The HTTP response code returned to the client.
fileId | N/A | N/A | A unique identifier.
requestMethod | <command> | Text/String | The request method.
deviceFacility | N/A | N/A | The Imperva PoP that handled the request.
app | <protname> | Text/String | The request protocol.
ver | <version> | Text/String | The TLS version and encryption algorithms used in the request.
ref | N/A | N/A | The URL of the previous page that the client visited (referrer).
additionalReqHeaders | N/A | N/A | Request headers in JSON format, with each field represented as a name-value pair.
deviceExternalId | N/A | N/A | A unique identifier of the request that can be used to correlate with reports and data from the Imperva Cloud Security Console.
act | <action> | Text/String | How Imperva processed the request:
    REQ_PASSED: the request was routed to the site's web server
    REQ_CACHED_X: a response was returned from the data center's cache
    REQ_BAD_X: a protocol or network error occurred
    REQ_CHALLENGED_X: a challenge was returned to the client
    REQ_BLOCKED_X: the request was blocked
    For more details, see Cloud WAF Error Pages and Codes.
start | N/A | N/A | The time at which this visit started, in UTC, in UNIX epoch time format.
end | N/A | N/A | The end time of the response to the request, in UTC, in UNIX epoch time format.
additionalResHeaders | N/A | N/A | Response headers in JSON format, with each field represented as a name-value pair.
    Note: Use of the additionalReqHeaders and additionalResHeaders fields in the CEF and LEEF formats requires enablement by Imperva Support.
siteid | N/A | N/A | The numeric identifier of the site.
sourceServiceName | <process> | Text/String | The name of the site.
siteTag | N/A | N/A | Site-level reference ID. Corresponds to the Reference ID option in the Cloud Security Console Website Settings. For details, see Website General Settings.
cpt | <sport> | Number | The client port used to communicate the request.
request | <url> | Text/String | The URL of the request.
requestClientApplication | <useragent> | Text/String | The User-Agent header value.
xff | N/A | N/A | The X-Forwarded-For request header. This log field is populated only if the request received from the client contained an XFF header, or if the request received from the client was passed to the origin.
cs11 | N/A | N/A | Additional information on the violation that triggered the rule, in JSON format. Used for API Specification Violation events.
    JSON structure: {"api_specification_violation_type":"<type>","parameter_name":"<parameter name>"}
    The possible values for api_specification_violation_type are:
    INVALID_URL
    INVALID_METHOD
    MISSING_PARAM
    INVALID_PARAM_VALUE
    INVALID_PARAM_NAME
    The "parameter_name" key is present only if the violation occurs in the context of a parameter. Its value is the relevant parameter name.
filePermission | <threatid> | Number | Imperva attack ID.
fileType | N/A | N/A | The type of attack.
dproc | N/A | N/A | The browser type.
cs1 | N/A | N/A | Whether or not the client application supports Captcha.
cs6 | N/A | N/A | The client application software.
cs3 | N/A | N/A | Whether or not the client application supports cookies.
cs5 | N/A | N/A | For internal use.
cs2 | N/A | N/A | Whether or not the client application supports JavaScript.
cs7 | N/A | N/A | The latitude of the event.
cs8 | N/A | N/A | The longitude of the event.
postbody | N/A | N/A | The POST body data of the request.
qstr | N/A | N/A | The query string of the request.
cs9 | <policy> | Text/String | The threat rule name that this request triggered. For example, SQL Injection or Blocked IP (ACL).
sip | <dip> | IP Address | The IP address of the server.
spt | <dport> | Number | The port of the server.
cs4 | N/A | N/A | The ID of the visitor.
cs10 | N/A | N/A | JSON describing all actions that were applied to the request.
cs2Label | N/A | N/A | Label naming the cs2 custom string (CEF csNLabel key); not mapped.
cs3Label | N/A | N/A | Label naming the cs3 custom string; not mapped.
cs1Label | N/A | N/A | Label naming the cs1 custom string; not mapped.
cs4Label | N/A | N/A | Label naming the cs4 custom string; not mapped.
cs5Label | N/A | N/A | Label naming the cs5 custom string; not mapped.
cs6Label | N/A | N/A | Label naming the cs6 custom string; not mapped.
cs7Label | N/A | N/A | Label naming the cs7 custom string; not mapped.
cs8Label | N/A | N/A | Label naming the cs8 custom string; not mapped.
deviceExternalID | N/A | N/A | Alternate casing of deviceExternalId; not mapped.
cs9Label | N/A | N/A | Label naming the cs9 custom string; not mapped.
cs11Label | N/A | N/A | Label naming the cs11 custom string; not mapped.
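The table lists the mapping but not how a CEF line is actually taken apart. The following is an added example, not LogRhythm's parser or Imperva's code: it splits the CEF header from the extension (honouring CEF backslash escaping of `=`, `|` and `\`), resolves csNLabel keys, applies the schema mapping from the table, decodes the Severity rule-type number, the act outcome and the cs11 JSON, and converts start/end. The sample log line is constructed; its field values and custom-string labels are illustrative, and the assumption that 13-digit start/end values are milliseconds is mine, not the page's.

```python
"""Imperva Cloud WAF CEF -> LogRhythm schema fields, per the mapping table above.
Added example; not LogRhythm or Imperva code."""
import json
import re
from datetime import datetime, timezone

# CEF header positions after "CEF:0". Product and version have no schema mapping in
# the table, so they are carried under non-schema names.
HEADER_FIELDS = ("vendorinfo", "device_product", "device_version", "vmid", "threatname", "severity")

# Extension key -> LogRhythm schema field, exactly as the table lists them.
EXT_TO_SCHEMA = {
    "src": "sip", "in": "size", "cn1": "responsecode", "requestMethod": "command",
    "app": "protname", "ver": "version", "act": "action", "sourceServiceName": "process",
    "cpt": "sport", "request": "url", "requestClientApplication": "useragent",
    "filePermission": "threatid", "cs9": "policy", "sip": "dip", "spt": "dport",
}
NUMERIC = {"size", "responsecode", "sport", "dport", "threatid", "vmid", "severity"}

# The CEF Severity header carries Imperva's rule type ID (Attack Severity row).
RULE_TYPES = {
    -1: "ACL", 0: "SQL Injection", 1: "Cross Site Scripting", 3: "Illegal Resource Access",
    4: "Bot Access Control", 8: "DDoS", 9: "Backdoor Protect", 10: "Remote File Inclusion",
    11: "Manual rule (IncapRule)", 12: "API Specification Violation",
    13: "Account Takeover Protection", 14: "Bad Bot (Advanced Bot Protection)",
}
API_VIOLATIONS = {"INVALID_URL", "INVALID_METHOD", "MISSING_PARAM", "INVALID_PARAM_VALUE", "INVALID_PARAM_NAME"}
_KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")  # an extension key: word chars directly before '='


def _unescape(value):
    # CEF escapes '=', '|' and '\' with a backslash; \n and \r stand for line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)


def parse_cef(line):
    """Split the 7 pipe-delimited header fields from the key=value extension."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[1:7])))
    ext, keys = {}, list(_KEY.finditer(parts[7]))
    for i, m in enumerate(keys):  # a value runs to the next key; values may contain spaces
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m[1]] = _unescape(parts[7][m.end():end].rstrip())
    return header, ext


def epoch_to_utc(value):
    """start/end are UNIX epoch values. Assumption: 13-digit values are milliseconds."""
    n = int(value)
    return datetime.fromtimestamp(n // 1000 if n > 10**11 else n, timezone.utc).isoformat()


def disposition(act):
    """Reduce act to its outcome class from the table; the suffix is Imperva's reason."""
    for prefix in ("REQ_PASSED", "REQ_CACHED", "REQ_BAD", "REQ_CHALLENGED", "REQ_BLOCKED"):
        if act == prefix or act.startswith(prefix + "_"):
            return prefix, act[len(prefix) + 1:] or None
    return "UNKNOWN", act


def api_violation(cs11):
    """Decode cs11; parameter_name is present only for parameter-scoped violations."""
    data = json.loads(cs11)
    vtype = data.get("api_specification_violation_type")
    if vtype not in API_VIOLATIONS:
        raise ValueError(f"unexpected api_specification_violation_type: {vtype!r}")
    return vtype, data.get("parameter_name")


def to_logrhythm(line):
    header, ext = parse_cef(line)
    event = dict(header)
    event.update({schema: ext[k] for k, schema in EXT_TO_SCHEMA.items() if k in ext})
    for k in NUMERIC.intersection(event):
        event[k] = int(event[k])
    # csNLabel keys name the custom strings, so keep them beside the values.
    event["labels"] = {k[:-5]: v for k, v in ext.items() if k.endswith("Label") and k[:-5] in ext}
    event["rule_type"] = RULE_TYPES.get(event["severity"], "unknown")
    event["outcome"], event["outcome_reason"] = disposition(ext.get("act", ""))
    for k in ("start", "end"):
        if k in ext:
            event[k] = epoch_to_utc(ext[k])
    if "cs11" in ext:
        event["api_violation"] = api_violation(ext["cs11"])
    # Everything the table leaves at N/A (geo, visitor ID, XFF, ...) is kept here, unparsed.
    event["unmapped"] = {k: v for k, v in ext.items() if k not in EXT_TO_SCHEMA
                         and not k.endswith("Label") and k not in ("start", "end", "cs11")}
    return event


# Constructed sample in the documented format; values and label strings are illustrative.
SAMPLE = (
    "CEF:0|Incapsula|SIEMintegration|1.0|1|Illegal Resource Access|3|"
    "fileId=3412341160002518171 sourceServiceName=site.example siteid=1509732 suid=50005477 "
    "requestClientApplication=Mozilla/5.0 deviceFacility=mia cs2=true cs2Label=Javascript Support "
    "cs4=c2e72124-0e8a-4dd8-b13b-3da246af3ab2 cs4Label=VID cs9=Blocked IP (ACL) cs9Label=Rule name "
    "ccode=IL cicode=Rehovot Customer=CEFcustomer1 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "
    "start=1453290121336 request=site.example/lkjh.php?a\\=1 requestMethod=GET cn1=403 app=HTTPS "
    "deviceExternalId=33411452762204224 in=54 xff=44.44.44.44 cpt=52119 src=12.12.12.12 "
    "sip=33.33.33.33 spt=443 act=REQ_BLOCKED_ACL end=1453290121336"
)

if __name__ == "__main__":
    for field, value in sorted(to_logrhythm(SAMPLE).items()):
        print(f"{field:15} {value}")
```

Two points worth noting from running this against the sample: every key the table marks N/A (XFF, geolocation, visitor ID, account and site identifiers) ends up in `unmapped`, which is exactly what you would have to extend the rule for if you want those in correlation searches; and the key scanner relies on CEF's rule that `=` inside a value is escaped as `\=`, so a producer that emits an unescaped `=` in a value will split that value in two.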