Imperva Cloud WAF

Connect Imperva Cloud WAF to Radiant Security to forward security and access logs for AI triage.

Imperva Cloud WAF is a cloud-delivered web application firewall that protects internet-facing applications from threats such as SQL injection, cross-site scripting, credential stuffing, automated bot abuse, and volumetric DDoS attacks. Connecting Imperva Cloud WAF forwards security and access logs to Radiant Security via Amazon S3. Radiant uses these logs to correlate external attack attempts against your web applications with downstream identity, endpoint, and authentication signals during AI triage, giving analysts the full attack chain behind every alert.

This integration supports all Imperva Cloud Application Security services, including Cloud WAF, Attack Analytics, Advanced Bot Protection, Account Takeover Protection, Client-Side Protection, and DDoS Protection. Customers who used Imperva's legacy Incapsula product configure the integration the same way.

Prerequisites

Admin access to Imperva Cloud Application Security
An AWS account with permissions to create or modify S3 buckets, SNS topics, and IAM policies
An S3 bucket where Imperva will store logs (follow Create an S3 bucket to create one)
An AWS Access Key ID and Secret Access Key with s3:PutObject permission on the bucket
Imperva's source IP ranges allow-listed on your AWS account (see Imperva's IP allow-list documentation)

Configure Imperva Cloud WAF

For full vendor instructions, see Imperva SIEM Log Configuration.

Add the S3 connection in Imperva

Sign in to the Imperva Cloud Application Security portal.
On the top menu bar, click Account > Account Management.
Navigate to SIEM Logs > Log Configuration.
Click Add Connection and select Amazon S3 as the storage type.
Configure the connection:
- Connection Name: Radiant Security S3
- Access Key: your AWS Access Key ID with s3:PutObject permission
- Secret Key: your AWS Secret Access Key
- Path: your bucket name with a prefix (e.g., your-bucket-name/cloudwaf)
- Format: select .cef if available
- Compress logs: select Yes if available
Click Test Connection to verify, then click Save.

Enable logging for subscribed services

The available services in this section depend on your Imperva subscription. If the section is not visible, skip this step.

In the Connections table, expand the connection you created and click Edit.
For every service listed under Select Services, set:
- Log Types: all available log types
- Format: select .json or .cef (preferably .json)
- State: Enabled
Click Save.

Record your configuration details

You will need the following values when you set up the Radiant side:

S3 bucket name
S3 bucket path or prefix (e.g., imperva/ or cloudwaf/)
AWS region where your bucket is located

Configure S3 and add the data connector in Radiant Security

Now that Imperva is writing logs to your S3 bucket, complete the setup by following the Configure Amazon S3 to forward logs to Radiant Security guide. That guide walks through:

Configuring the bucket policy and creating an SNS topic.
Adding the Amazon Web Services S3 data connector in Radiant Security.
Configuring S3 event notifications so new objects trigger ingestion.

Verify ingestion

After Imperva Cloud WAF begins forwarding, confirm events are reaching Radiant.

In Radiant, navigate to Log Management.
Filter by rs_connectorType:"imperva_cloud_waf".
Confirm recent events appear.

Allow several minutes for events to be parsed, indexed, and available for search.

PreviousGoogle Workspace IAM only NextInstall the Radiant Security Agent

Last updated 19 days ago

Was this helpful?