Imperva Cloud WAF (Incapsula)

In this guide, you will configure Imperva Cloud WAF to forward security and access logs to Radiant Security via Amazon S3. Imperva Cloud WAF protects web applications from threats such as SQL injection, cross-site scripting (XSS), and DDoS attacks by monitoring and filtering HTTP/HTTPS traffic. This integration supports all Imperva Cloud services including Cloud WAF, Attack Analytics, Advanced Bot Protection, Account Takeover Protection, Client-Side Protection, and DDoS Protection.

Prerequisites

• AWS account with permissions to create/modify S3 buckets, SNS topics, and IAM policies

• Admin access to Imperva Cloud Application Security portal

• An S3 bucket where Imperva will store logs (follow this AWS guide to create one: Create an S3 bucket)

• AWS Access Key ID and Secret Access Key with s3:PutObject permissions on the bucket

Configure Imperva Cloud WAF

Step 1:

Ensure that you have your S3 bucket information at hand. Remember to Allow List Imperva's IP addresses. Please Refer to Imperva's documentation.

Step 2: Configure SIEM log integration

For detailed Imperva configuration instructions, refer to the Imperva SIEM Log Configuration documentation.

1. Log in to the Imperva Cloud Application Security portal.

2. On the top menu bar, click Account > Account Management.

3. Navigate to SIEM Logs > Log Configuration.

4. Click Add Connection.

5. Select Amazon S3 as the storage type.

6. Configure the connection:

   • Connection Name: Radiant Security S3

   • Access Key: AWS Access Key ID with s3:PutObject permissions

   • Secret Key: AWS Secret Access Key

   • Path: Your bucket name with prefix (e.g., your-bucket-name/cloudwaf)

   • Format: Select CEF (if available)

   • Compress logs: Select Yes (if available)

7. Click Test Connection to verify.

8. Click Save.

Step 3: Enable logging for services

After creating the connection, enable logging for the Imperva services you want to monitor. The following configuration depend on your subscribed services. If this section is not available, you can skip this step.

1. In the Connections table, expand the connection you created and click the Edit button.

2. For every service available in the Select Services section:

   • Log Types: Select All available log types

   • Format: Select Json or CEF (Preferably json)

   • State: Enabled

3. Click Save.

Step 4: Note your configuration details

Save the following information as you'll need it for the next steps:

• S3 bucket name

• S3 bucket path/prefix (e.g., imperva/ or cloudwaf/)

• AWS region where your bucket is located

Configure S3 bucket for Radiant Security

Now that Imperva is configured to send logs to your S3 bucket, you need to configure the bucket to allow Radiant Security to collect the logs.

Follow the Configure Amazon S3 to forward logs to Radiant Security guide to:

1. Configure bucket policy to allow Radiant Security read access

2. Create and configure an SNS topic for event notifications

3. Set up S3 event notifications for the folder prefix(es) you configured in Imperva

4. Create the Amazon S3 Connector on Radiant Security