Connect your Imperva WAF Gateway appliance to Azure Sentinel
This article explains how to connect your Imperva WAF Gateway appliance to Azure Sentinel. The Imperva WAF Gateway data connector allows you to easily connect your Imperva WAF Gateway logs with Azure Sentinel, so that you can view the data in workbooks, use it to create custom alerts, and incorporate it to improve investigation. Integration between Imperva WAF Gateway and Azure Sentinel makes use of CEF-formatted Syslog, a Linux-based log forwarder, and the Log Analytics agent.
Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel.
You must have read and write permissions on your Azure Sentinel workspace.
You must have read permissions to shared keys for the workspace. Learn more about workspace keys.
Send Imperva WAF Gateway logs to Azure Sentinel
To get its logs into Azure Sentinel, configure your Imperva WAF Gateway appliance to send Syslog messages in CEF format to a Linux-based log forwarding server (running rsyslog or syslog-ng). This server will have the Log Analytics agent installed on it, and the agent forwards the logs to your Azure Sentinel workspace.
In the Azure Sentinel navigation menu, select Data connectors.
From the Data connectors gallery, select Imperva WAF Gateway (Preview), and then Open connector page.
Follow the instructions in the Instructions tab, under Configuration:
Under 1. Linux Syslog agent configuration - Do this step if you don't already have a log forwarder running, or if you need another one. See STEP 1: Deploy the log forwarder in the Azure Sentinel documentation for more detailed instructions and explanation.
Under 2. Forward Common Event Format (CEF) logs to Syslog agent - This connector requires an Action Interface and Action Set to be created on the Imperva SecureSphere MX management console. Follow Imperva's instructions to enable Imperva WAF Gateway alert logging to Azure Sentinel. This configuration should include the following elements:
- Log destination – the hostname and/or IP address of your log forwarding server
- Protocol and port – TCP 514
- Log format – CEF
- Log types – all available
Under 3. Validate connection - Verify data ingestion by copying the command on the connector page and running it on your log forwarder. See STEP 3: Validate connectivity in the Azure Sentinel documentation for more detailed instructions and explanation.
It may take up to 20 minutes until your logs start to appear in Log Analytics.
Find your data
After a successful connection is established, the data appears in Logs, under the Azure Sentinel section, in the CommonSecurityLog table.
To query Imperva WAF Gateway data in Log Analytics, copy the following into the query window, applying other filters as you choose:
CommonSecurityLog | where DeviceVendor == "Imperva Inc." | where DeviceProduct == "WAF Gateway" | where TimeGenerated == ago(5m)
See the Next steps tab in the connector page for more useful query samples.
In this document, you learned how to connect Imperva WAF Gateway to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data and potential threats.
- Get started detecting threats with Azure Sentinel.
- Use workbooks to monitor your data.