IMPERVA WEB APPLICATION FIREWALL DEPLOYMENT GUIDE 6.2


Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.

The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix.

However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.

Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.

Copyright 2019 © Securonix. All rights reserved.

Contact Information

Securonix, Inc.
14665 Midway Rd. Ste. 100, Addison, TX 75001
www.securonix.com
855.732.6649

Revision History

| Date | Product Version | Description |
| --- | --- | --- |
| 02/15/2019 | 6.2 | First Release |

Copyright © 2019 Securonix, Inc. Page | 2

SNYPR 6.2 Deployment Guide

Table of Contents

Imperva Web Application Firewall (WAF) 4
  What is Imperva Web Application Firewall (WAF)? 4
  Supported Collection Methods 4
  Format 4
  Taxonomy 4
  Functionality 4
Device Event Field Mapping 5
  Imperva Web Application Firewall Mappings to SNYPR Fields 5
Device Event Severity Mapping 6
Device Event Categorization 6
Import Activity Data into SNYPR 6
  Step 1: Datasource 7
  Step 2: Parsing & Normalization 7
  Step 3: Conditional Actions 8
  Step 4: Identity Attribution 9
  Step 5: Summary 9
References 10


Imperva Web Application Firewall (WAF)

This deployment guide provides information about how the Imperva Web Application Firewall (WAF) events are parsed, normalized, and categorized to SNYPR fields. In particular, it provides the following:

- Device event field mapping
- Device event severity mapping
- Device event categorization

To download the Imperva Web Application Firewall (WAF) parser from the Securonix Threat Library, search Available Resources Types for Deployment by Vendor name or Functionality. Downloading the resource downloads the parser along with the applicable dashboards, reports, policies, and threat models.

What is Imperva Web Application Firewall (WAF)?

Imperva Web Application Firewall (WAF) analyzes and inspects requests coming in to applications and stops certain attacks made on web applications. It inspects and analyzes all requests to your websites and APIs, and protects them from attacks aimed at exploiting vulnerabilities and from automated attacks.

Supported Collection Methods

The collection method is file/syslog.

Format

The format is CEF.

Taxonomy

Securonix Open Event Format (OEF) 1.0 is used. OEF is an event interoperability standard/schema. It provides a set of standardized attributes (fields) for consistent representation of logging output from disparate security and non-security devices and applications. For additional information, refer to the Data Dictionary section on the Securonix documentation portal.

Functionality

The functionality of Imperva Web Application Firewall (WAF) is Web Application Firewall. See Use Cases by Functionality for a complete list of policies for this functionality.


Device Event Field Mapping

Imperva Web Application Firewall Mappings to SNYPR Fields

This section lists the mappings of SNYPR fields to the device fields.

| Imperva Web Application Firewall Field | SNYPR Field |
| --- | --- |
| Receipt Time | datetime |
| SignatureId | customstring1 |
| deviceseverity | deviceseverity |
| Source IP | sourceaddress |
| Source hostname | sourcehostname |
| eventId | alertid |
| proto | applicationprotocol |
| categoryOutcome | eventoutcome |
| Source Port | sourceport |
| dhost | destinationhostname |
| Destination IP | destinationaddress |
| dpt | destinationport |
| duser | accountname |
| Database Name | devicecustomstring2 |
| ParsedQuery | message |
| Operation | devicecustomstring3 |
| Message | deviceeventcategory |
| Device Hostname | devicehostname |
| device IP | deviceaddress |
| transactionstring | transactionstring1 |
| protocol | transportprotocol |
| Policy | devicecustomstring1 |
| ServerGroup | devicecustomstring2 |
| Service Name | devicecustomstring3 |
| destination username | destinationusername |
| Description | devicecustomstring5 |
| Application Name | devicecustomstring4 |
| IP Address | ipaddress |
| action | deviceaction |

Device Event Severity Mapping

The SNYPR category severity fields are mapped to the device severity fields.

| Category Severity | Device Severity |
| --- | --- |
| Alert | Very High = 0, 1 |
| Critical | High = 2, 3 |
| Warning | Medium = 4, 5 |
| Info | Low = 6, 7 |

Device Event Categorization

This section contains the rules used to categorize the device events.

| Rule Name | Rule | Category Object | Category Behavior | Category Outcome |
| --- | --- | --- | --- | --- |
| BlockedEvents | Action Equals to Block | Domain | Communication | Blocked |
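The three tables above (field mapping, severity mapping and the BlockedEvents rule) can be exercised end to end on a CEF record. The following is an added example, not code from the Securonix guide or the SNYPR parser: it assumes standard CEF extension key names (src, spt, dst, dpt, dhost, proto, duser, act, dvchost) for the rows the guide lists by description, treats the CEF Name field as the guide's "Message" row, and the sample record is constructed, not a real Imperva log line.

```python
import re

# Guide's severity table: device severity -> SNYPR category severity.
# Accepts either the textual CEF level or the numeric value listed beside it.
SEVERITY_MAP = {"Very High": "Alert", "0": "Alert", "1": "Alert",
                "High": "Critical", "2": "Critical", "3": "Critical",
                "Medium": "Warning", "4": "Warning", "5": "Warning",
                "Low": "Info", "6": "Info", "7": "Info"}

# Subset of the guide's field mapping: CEF extension key -> SNYPR field.
# The CEF key names are an assumption; the guide lists some rows by description.
FIELD_MAP = {"src": "sourceaddress", "spt": "sourceport",
             "dst": "destinationaddress", "dpt": "destinationport",
             "dhost": "destinationhostname", "proto": "applicationprotocol",
             "duser": "accountname", "act": "deviceaction",
             "dvchost": "devicehostname"}

def split_extension(ext):
    """'k1=v1 k2=v v2 ...' -> dict. Values may contain spaces, so split only
    where the next token looks like a new key; unescape '\\=' inside values."""
    fields = {}
    for chunk in re.split(r"\s+(?=[A-Za-z0-9_]+=)", ext.strip()):
        key, _, value = chunk.partition("=")
        fields[key] = value.replace("\\=", "=")
    return fields

def parse_cef(line):
    """Normalize one Imperva WAF CEF line into SNYPR fields per the guide."""
    # Header pipes may be escaped as '\|' inside values, so split on bare pipes only.
    parts = re.split(r"(?<!\\)\|", line.rstrip("\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    _, _, _, _, sig_id, name, severity, ext = parts
    event = {"customstring1": sig_id,              # SignatureId
             "deviceeventcategory": name,          # Message (CEF Name, assumed)
             "deviceseverity": severity,
             "categoryseverity": SEVERITY_MAP.get(severity.strip())}
    for key, value in split_extension(ext).items():
        if key in FIELD_MAP:
            event[FIELD_MAP[key]] = value
    # Categorization rule "BlockedEvents": Action Equals to Block.
    if event.get("deviceaction") == "Block":
        event.update(categoryobject="Domain", categorybehavior="Communication",
                     categoryoutcome="Blocked")
    return event

# Constructed sample record (not a real Imperva log line).
SAMPLE = ("CEF:0|Imperva|WAF|0.0|SQLi-001|SQL Injection attempt|Very High|"
          "src=203.0.113.7 spt=51234 dst=198.51.100.5 dpt=443 "
          "dhost=app.example.com proto=HTTPS duser=jdoe act=Block")
```

Any key not in FIELD_MAP is dropped, which mirrors what the deployed parser does for unmapped attributes; extend the map when a use case needs an extra field.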

Import Activity Data into SNYPR

This section provides screenshots to help guide you through the five-step process of importing activity data into SNYPR.


Step 1: Datasource

On this screen, provide the information to configure the datasource, including the vendor, device, collection method, and parsing technique. The information you provide will differ depending on the datasource, as shown in the following examples.

Step 2: Parsing & Normalization

Once you've configured the connection, create line filters to parse the data into individual attributes and map them to corresponding attributes in the Securonix open event schema. The number and type of line filters you add depend on the data source type.

Note: This section is typically for reference only. When you deploy this datasource, this step has already been done for you. The attributes mapped for this datasource are required in order to run the use cases that you will enable in Step 5: Summary. For some datasources, you can add additional line filters.


Step 3: Conditional Actions

In this section, you can specify the actions to perform when events meet conditions specified in filters. Multiple actions can be specified on the same condition.

Note: The action filters in this step are already created for you. You can add additional line filters as needed.


Step 4: Identity Attribution

This step is used to create rules to correlate activity accounts to user identities. The rules will differ based on the account naming conventions in your environment.

Step 5: Summary

From this screen, you can review the import configuration, enable or disable policies, analyze line filters, create a policy for the datasource, and schedule the job.


References

https://www.imperva.com/products/on-premises-waf/
