Imperva WAF
Applies to: Imperva WAF
Imperva WAF (Web Application Firewall) provides user with advanced bot detection, and access control technologies to secure any website against known and emerging threats. This includes common web 2.0 threats, such as spammers, scrapers, and vulnerability scanners, in addition to sophisticated SQL Injection, Cross Site Scripting, and other application-level attacks.
Imperva WAF integrates with Netsurion Open XDR to provide organizations with comprehensive data security analytics. Imperva WAF reports provided by Netsurion Open XDR contain summaries of web attack activities, including cross-site scripting detection or DDoS (Distributed Denial of Service) attack detection.
Dashboards are the graphical representations of activities occurring in Imperva WAF. These dashboards can be a pie chart, or a bar diagram, or even a map. This allows user to view the key highlights of Imperva WAF detection events. Some of the dashboards includes, geo location of sources, action taken, etc.
Alerts such as, DDoS detection, SQL injection detection have been Identified, and are included in the Data Source Integrations. These alerts can be configured to forward emails to users/admin of Imperva WAF as soon as any suspicious events are detected.
Once Imperva WAF is configured to deliver events to Netsurion Open XDR Manager, alerts, dashboards, and reports can be configured in Netsurion Open XDR.
The following are the key Data Source Integration available in Netsurion Open XDR.
Alerts
| Type | Name | Description |
|---|---|---|
| Security | Imperva WAF – Account Takeover Detected | Account takeover is a form of identity theft and fraud, where a malicious third party successfully gains access to the user’s account credentials. By appearing as a real user, cyber-criminals can change account details, send phishing emails, steal financial information or sensitive data, or access stolen information to access more accounts in the organization. As soon as such attacks are detected, they are alerted to admin. |
| Security | Imperva WAF – ACL Detected | The Access Control List (ACL) contains rules that deny or deny access to digital environments. Depending upon the list kept in the Imperva WAF Environment as soon as the rule is triggered an alert is generated. |
| Security | Imperva WAF – Advanced Bot Detected | Advanced bots are attacks beyond the simple scripts; these attacks use advanced tactics such as headless browsers. Such advanced bot attack detected are sent as an alert from Netsurion. |
| Security | Imperva WAF – API Specification Detected | Vulnerabilities related to poor authentication, lack of encryption, business logic malfunctions, and insecure endpoints are detected under this alert. These vulnerabilities lead to cyber-attack such as man-in-middle attack. This alert will trigger whenever such an activity is detected. |
| Security | Imperva WAF – Backdoor Detected | Backdoor is a type of malware that defies common authentication mechanisms to access the system. As a result, remote access is allowed to resource within an application, such as databases and file servers, giving corrupters the ability to remove system commands and update malware. This alert will trigger whenever such an activity is detected. |
| Security | Imperva WAF – Bot Access Control Detected | Devices which are infected under bots command control are detected in this alert. These devices are controlled under command control and are used for attacks such as DDoS, etc. This alert will trigger whenever such an activity is detected |
| Security | Imperva WAF – Remote File Inclusion Detected | Remote File Inclusion (RFI) is an attack, targeting bugs in web applications that dynamically render external scripts. The purpose of the offender is to exploit the function in an application for uploading malware (for example, backdoor shell) within a domain separate from the remote URL. The results of a successful RFI attack include the theft, compromised server and running a site that allows for content modification. This alert will trigger whenever such an activity is detected. |
| Security | Imperva WAF – Cross Site Scripting Detected | Cross-site scripting (XSS) attacks are a type of injection in which scripts are otherwise inserted into random and trusted websites. XSS instances occur when an attacker uses a web application to send malicious code, usually in the form of scripts by the browser, to different end users. The flaws that allow these attacks to succeed are widely available and anywhere validated or encoded by a web application user using their input. This alert will trigger whenever such an activity is detected. |
| Security | Imperva WAF – DDoS Detected | Distribution Denial of Service (DDoS) attack is a malicious attempt to distort the normal traffic of the target server, service, or network by flooding the Internet traffic or affecting its surrounding infrastructure. This alert will trigger whenever such an activity is detected. |
| Security | Imperva WAF – Illegal Resource Access Detected | An Illegal Resource Access attack attempts to access private or restricted pages or attempts to view or process system files. This is mostly done using URL fuzzing, directory trajectories or command injection techniques. This alert will trigger whenever such an activity is detected. |
| Security | Imperva WAF- SQL Injection Detected | SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into the entry field for execution (for example to dump the contents of the database to the attacker). SQL injection must exploit security vulnerabilities in an application’s software, for example, when user input or string literal escape characters embedded in STS statements are incorrectly filtered or Unused Typed and Unexpectedly Processed SQL injections are often known as attack vectors for websites but can be used to attack any type of SQL database. This alert will trigger whenever such an activity is detected. |
Reports
| Type | Name | Description |
|---|---|---|
| Security | Imperva WAF – Attack Activities | This report allows user to extract the detailed summary of events that are specific to web attack such as Cross site scripting, SQL injection etc. |
| Security | Imperva WAF – Blocked Traffic | This report allows user to extract the detailed summary of events that are blocked by Imperva WAF. |
| Operations | Imperva WAF – Allowed Traffic | This report allows user to extract the detailed summary of events that are allowed by Imperva WAF. |
Documentation
The configuration details are consistent with Netsurion Open XDR 9.x and later, and Imperva WAF.
Download Integration Guide and How-to Guide for configuration instructions and more information.