--- id: imperva-incapsula title: Imperva Incapsula sidebar_label: Imperva Incapsula description: The Imperva Incapsula - Web Application Firewall (WAF) app helps you monitor your web application protection service. The preconfigured dashboards provide insights on the threat alerts events on the BOT access control, blocked countries, and user agents. slug: /help/docs/integrations/security-threat-detection/imperva-incapsula/ canonical: https://www.sumologic.com/help/docs/integrations/security-threat-detection/imperva-incapsula/ --- import useBaseUrl from '@docusaurus/useBaseUrl'; Imperva icon Imperva Incapsula is a cloud-based application delivery service that includes web security, DDoS protection, CDN, and load balancing. The Sumo Logic app for Imperva Incapsula - Web Application Firewall (WAF) helps you monitor your web application protection service. The preconfigured dashboards provide insights on the threat alerts events. ## Log types The Imperva Incapsula - Web Application Firewall app uses security and access logs. For more details, see [here](https://docs.incapsula.com/Content/management-console-and-settings/log-integration.htm?Highlight=siem#Overview). ### Sample queries ```sumo title="Parse Command for all CEF items in Imperva Incapsula" | parse "fileId=* " as ID nodrop | parse "src=* " as main_client_ip nodrop | parse "caIP=* " as additional_client_ip nodrop | parse "requestClientApplication=* cs2" as user_agent nodrop | parse "request=* " as URL nodrop | parse "tag=* " as ref_id nodrop | parse "ccode=* " as country_code nodrop | parse "cicode=* " as City nodrop | parse "ccode=[*] " as country_code nodrop | parse "app=* " as Protocol nodrop | parse "deviceExternalId=* " as request_id nodrop | parse "ref=* " as Referrer nodrop | parse "requestMethod=* " as Method nodrop | parse "cn1=* " as http_status_code nodrop | parse "xff=* " as X_Forwarded_For nodrop | parse "in=* " as content_length nodrop | parse "suid=* " as account_id nodrop | parse "Customer=* " as account_name nodrop | parse "siteid=* " as site_id nodrop | parse "sourceServiceName=* " as site_name nodrop | parse "act=* " as request_result nodrop | parse "postbody=* " as post_body nodrop | parse "start=* " as request_start_time nodrop | parse "sip=* " as server_ip nodrop | parse "spt=* " as server_port nodrop | parse "qstr=* " as query_string nodrop | parse "cs1=* " as captcha_support nodrop | parse "cs2=* cs2" as js_support nodrop | parse "cs3=* cs3" as cookies_support nodrop | parse "cs4=* cs4" as visitor_id nodrop | parse "cs5=* cs5" as Debug nodrop | parse "cs6=* cs6" as client_app | parse "cs7=* cs7" as Latitude nodrop | parse "cs8=* cs8" as Longitude nodrop | parse "cs9=* cs9" as rule_name nodrop | parse "filePermission=* " as attack_id nodrop | parse "fileType=* " as attack_type nodrop | parse "dproc=* cs6" as browser_type nodrop ``` ```sumo title="Top attack vectors" _sourceCategory="Incapsula" | parse "SIEMintegration|1|1|*|" as policy_type | parse "sourceServiceName=* " as site_name | count by policy_type | top 10 policy_type by _count ``` ## Collecting logs for the Imperva-Incapsula WAF app This section provides instructions on configuring log collection for the Imperva - Incapsula Web Application Firewall app, as well as query samples. ### Set up log integration in Imperva Incapsula To configure log integration, do the following: 1. Log into your [my.incapsula.com](https://my.incapsula.com/admin/login) account. 2. On the sidebar, click **Logs > Log Setup**. 3. **Connection**. Select **Amazon S3**. 4. Next, fill in your credentials: * Your S3 **Access key, Secret key, and Path**, where path is the location of the folder where you want to store the logs. Enter the path in the following format: `/`. For example: MyBucket/MyIncapsulaLogFolder. * Click **Test connection** to perform a full testing cycle in which a test file will be transferred to your designated folder. The test file does not contain real data, and will be removed by Incapsula when the transfer is complete. 5. Configure the additional options: * **Format**. Select the format for the log files: **CEF** * **Compress logs**. By default, log files are compressed. Clear this option to keep the logs uncompressed. For detailed instructions, see [here](https://docs.incapsula.com/Content/management-console-and-settings/log-integration.htm?Highlight=siem#Enable). #### Set up in Sumo Logic To configure log collection for Sumo Logic, do the following: 1. Add a [Sumo Logic Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector) 2. Configure [Amazon S3 Source](/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source). ## Installing the Imperva-Incapsula WAF app import AppInstall2 from '../../reuse/apps/app-install-v2.md'; ## Viewing Imperva-Incapsula WAF dashboards​ import ViewDashboards from '../../reuse/apps/view-dashboards.md'; ### Overview See the overview of your WAF service including the source IP address, client app, user agent, country, ADR rules, and policy type. Imperva - Incapsula dashboards **Client App Top Values**. See the top 10 client apps by count in the last 14 days on a bar chart. **Source IP Top Values.** See the top 10 source IP addresses by count in the last 14 days on a column chart. **Browser Type Top Values**. See the top 10 browser types by count in the last 14 days on a pie chart. **Country Top Values**. See the top 10 countries by count in the last 14 days on a column chart. **User Agent Top Values**. See the top 10 user agents by count in the last 14 days displayed in a table. **URL Top Values**. See the top 10 URLs by count in the last 14 days displayed in a table. **Policy Type**. See the count and percentage of policy types in the last 14 days on a pie chart. **Top Applied ADR Rules**. See the top 10 applied ADR rules by count in the last 14 days displayed in a table. ### Blocked Countries See the details of blocked countries in your WAF service including the source IP address, browser type, top countries, and user agent. Imperva - Incapsula dashboards **Blocked Countries Top Values**. See the top 10 blocked countries by count in the last 14 days on a pie chart. **Source IP Top Values**. See the top 10 source IP addresses by count in the last 14 days on a column chart. **Browser Type Top Values**. See the top 10 browser types by count in the last 14 days on a pie chart. **User Agent Top Values**. See the top 10 user agents by count in the last 14 days displayed in a table. **Threat Table based on Client IP**. See the details of threats in the last 24 hours based on client IP address including the main client IP address, malicious confidence, actor, source, label name, browser type, attack type, rule name, country code, server IP, server port , client app, method, post body, URL, user agent, and count, displayed in a table. ### BOT - Access Control See the details of BOT access control in your WAF service including the city, country, browser type, source IP address, and user agent. Imperva - Incapsula dashboards **City Top Values**. See the top 10 cities by count in the last 14 days on a column chart. **Country Top Values.** See the top 10 countries by count in the last 14 days on a column chart. **Browser Type Top Values**. See the top 10 browser types by count in the last 14 days on a column chart. **Geo Lookup.** See the count and location of BOT access controls in the last 14 days on a world map. **User Agents Top Values**. See the top 10 user agents by count in the last 14 days on a bar chart. **Source IP Top Values**. See the top 10 source IP addresses by count in the last 14 days on a bar chart. ## Upgrade/Downgrade the Imperva-Incapsula WAF app (Optional) import AppUpdate from '../../reuse/apps/app-update.md'; ## Uninstalling the Imperva-Incapsula WAF app (Optional) import AppUninstall from '../../reuse/apps/app-uninstall.md';