
V 2.0 : Access And Security Events

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| V 2.0 : Access And Security Events | Base Rule | General Information Log Message | Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| N/A | `<vendorinfo>` | Text/String | Vendor. |
| N/A | N/A | N/A | Device Product. |
| N/A | N/A | N/A | Version. |
| N/A | `<vmid>` | Number | Event ID. |
| N/A | `<threatname>` | Text/String | Attack Name. |
| Attack Severity | `<severity>` | Number | The rule type that was triggered, and the corresponding Imperva internal rule ID number.<br>ACL: -1<br>SQL Injection: 0<br>Cross Site Scripting: 1<br>Illegal Resource Access: 3<br>Bot Access Control: 4<br>DDoS: 8<br>Backdoor Protect: 9<br>Remote File Inclusion: 10<br>Manual rule (IncapRule): 11<br>API Specification Violation: 12<br>Account Takeover Protection: 13<br>Bad Bot (Advanced Bot Protection): 14 |
| suid | N/A | N/A | The numeric identifier of the account of the site owner. |
| Customer | N/A | N/A | The account name of the site owner. |
| tag | N/A | N/A | Account level reference ID. Corresponds to the Reference ID option in the Cloud Security Console Account Settings. For details, see Account Settings. |
| cicode | N/A | N/A | The city code of the site visitor. |
| src | `<sip>` | IP Address | The client IP that made the request. |
| in | `<size>` | Number | The content length. |
| ccode | N/A | N/A | The country code of the site visitor. |
| cn1 | `<responsecode>` | Number | The HTTP response code returned to the client. |
| fileId | N/A | N/A | The unique identification. |
| requestMethod | `<command>` | Text/String | The request method. |
| deviceFacility | N/A | N/A | The Imperva PoP that handled the request. |
| app | `<protname>` | Text/String | The request protocol. |
| ver | `<version>` | Text/String | The TLS version and encryption algorithms used in the request. |
| ref | N/A | N/A | The URL of the previous page that the client visited. |
| additionalReqHeaders | N/A | N/A | Request headers in JSON format, with each field represented as a name-value pair. |
| deviceExternalId | N/A | N/A | A unique identifier of the request that can be used to correlate with reports and data from the Imperva Cloud Security Console. |
| act | `<action>` | Text/String | The method in which Imperva processed the request:<br>REQ_PASSED: If the request was routed to the site's web server<br>REQ_CACHED_X: If a response was returned from the data center's cache<br>REQ_BAD_X: If a protocol or network error occurred<br>REQ_CHALLENGED_X: If a challenge was returned to the client<br>REQ_BLOCKED_X: If the request was blocked<br>For more details, see Cloud WAF Error Pages and Codes. |
| start | N/A | N/A | The time in which this visit started, in UTC. In UNIX epoch time format. |
| end | N/A | N/A | The end time of the response to the request, in UTC. In UNIX epoch time format. |
| additionalResHeaders | N/A | N/A | Response headers in JSON format, with each field represented as a name-value pair.<br>Note: Use of these fields for CEF and LEEF formats requires enablement by Imperva Support. |
| siteid | N/A | N/A | The numeric identifier of the site. |
| sourceServiceName | `<process>` | Text/String | The name of the site. |
| siteTag | N/A | N/A | Site level reference ID. Corresponds to the Reference ID option in the Cloud Security Console Website Settings.<br>For details, see Website General Settings. |
| cpt | `<sport>` | Number | The client port used to communicate the request. |
| request | `<url>` | Text/String | The URL of the request. |
| requestClientApplication | `<useragent>` | Text/String | The UserAgent header value. |
| xff | N/A | N/A | The X-Forwarded-For request header. This log field is populated only if the request received from the client contained the XFF header, and/or the request received from the client was passed to the origin. |
| cs11 | N/A | N/A | Additional information on the violation that triggered the rule, in JSON format.<br>Used for API Specification Violation events.<br>JSON structure: `{"api_specification_violation_type":"<type>","parameter_name":"<parameter name>"}`<br>The possible values for api_specification_violation_type are:<br>INVALID_URL<br>INVALID_METHOD<br>MISSING_PARAM<br>INVALID_PARAM_VALUE<br>INVALID_PARAM_NAME<br>The "parameter_name" is present only if the violation occurs in the context of a parameter. Its value is the relevant parameter name. |
| filePermission | `<threatid>` | Number | Imperva attack ID. |
| fileType | N/A | N/A | The type of attack. |
| dproc | N/A | N/A | The browser type. |
| cs1 | N/A | N/A | Whether or not the client application supports Captcha. |
| cs6 | N/A | N/A | The client application software. |
| cs3 | N/A | N/A | Whether or not the client application supports cookies. |
| cs5 | N/A | N/A | For internal use. |
| cs2 | N/A | N/A | Whether or not the client application supports JavaScript. |
| cs7 | N/A | N/A | The latitude of the event. |
| cs8 | N/A | N/A | The longitude of the event. |
| postbody | N/A | N/A | The post body data of the request. |
| qstr | N/A | N/A | The query string of the request. |
| cs9 | `<policy>` | Text/String | The threat rule name that this request triggered. For example, SQL Injection or Blocked IP (ACL). |
| sip | `<dip>` | N/A | The IP address of the server. |
| spt | `<dport>` | Number | The port of the server. |
| cs4 | N/A | N/A | The ID of the visitor. |
| cs10 | N/A | N/A | JSON describing all actions that were applied to a specific request (detailed JSON structure below). |
| cs2Label | N/A | N/A | N/A |
| cs3Label | N/A | N/A | N/A |
| cs1Label | N/A | N/A | N/A |
| cs4Label | N/A | N/A | N/A |
| cs5Label | N/A | N/A | N/A |
| cs6Label | N/A | N/A | N/A |
| cs7Label | N/A | N/A | N/A |
| cs8Label | N/A | N/A | N/A |
| deviceExternalID | N/A | N/A | N/A |
| cs9Label | N/A | N/A | N/A |
| cs11Label | N/A | N/A | N/A |
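
The mapping above, applied to a log extension as an added example (not LogRhythm's or Imperva's own code): it parses the key=value extension, renames the mapped device keys to their schema tags, reduces `act` to its documented outcome, and validates the `cs11` violation JSON. The function names and the sample line are assumptions constructed for illustration, and only the extension part of the message is handled.

```python
import json
import re

# Device key -> LogRhythm schema tag, copied from the mapping table above.
# Note the crossover: device key "src" feeds <sip>, device key "sip" feeds <dip>.
LR_MAP = {
    "src": "sip", "in": "size", "cn1": "responsecode", "requestMethod": "command",
    "app": "protname", "ver": "version", "act": "action",
    "sourceServiceName": "process", "cpt": "sport", "request": "url",
    "requestClientApplication": "useragent", "filePermission": "threatid",
    "cs9": "policy", "sip": "dip", "spt": "dport",
}
NUMERIC_TAGS = {"size", "responsecode", "sport", "threatid", "dport"}
ACT_PREFIXES = ("REQ_PASSED", "REQ_CACHED", "REQ_BAD", "REQ_CHALLENGED", "REQ_BLOCKED")
VIOLATION_TYPES = {"INVALID_URL", "INVALID_METHOD", "MISSING_PARAM",
                   "INVALID_PARAM_VALUE", "INVALID_PARAM_NAME"}
# A value runs until the next " key=" or end of line, so values may contain spaces.
PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

def parse_extension(ext):
    """Split the extension into a dict, undoing backslash escapes of '=' and '\\'."""
    return {k: re.sub(r"\\([=\\])", r"\1", v) for k, v in PAIR.findall(ext)}

def to_logrhythm(fields):
    """Rename mapped device keys to schema tags; keys mapped to N/A are dropped."""
    out = {}
    for key, tag in LR_MAP.items():
        if key in fields:
            val = fields[key]
            out[tag] = int(val) if tag in NUMERIC_TAGS and val.isdigit() else val
    return out

def act_category(act):
    """Reduce act (e.g. REQ_BLOCKED_<suffix>) to one of the five documented outcomes."""
    return next((p for p in ACT_PREFIXES if act.startswith(p)), "UNKNOWN")

def api_violation(fields):
    """Return (violation_type, parameter_name or None) from cs11, else None."""
    try:
        info = json.loads(fields.get("cs11", ""))
    except ValueError:
        return None
    if not isinstance(info, dict):
        return None
    vtype = info.get("api_specification_violation_type")
    return (vtype, info.get("parameter_name")) if vtype in VIOLATION_TYPES else None

# Constructed sample extension; every value is invented for illustration.
SAMPLE = ('src=203.0.113.7 cpt=51234 requestMethod=POST app=HTTPS cn1=403 ccode=US '
          'request=shop.example.com/api/orders act=REQ_BLOCKED_SECURITY '
          'cs9=API Specification Violation filePermission=12 sip=192.0.2.10 spt=443 '
          'cs11={"api_specification_violation_type":"INVALID_PARAM_VALUE",'
          '"parameter_name":"order_id"} '
          'requestClientApplication=Mozilla/5.0 (X11; Linux x86_64)')
```
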