# Imperva Cloud WAF (Incapsula) In this guide, you will configure Imperva Cloud WAF to forward security and access logs to Radiant Security via Amazon S3. Imperva Cloud WAF protects web applications from threats such as SQL injection, cross-site scripting (XSS), and DDoS attacks by monitoring and filtering HTTP/HTTPS traffic. This integration supports all Imperva Cloud services including Cloud WAF, Attack Analytics, Advanced Bot Protection, Account Takeover Protection, Client-Side Protection, and DDoS Protection. ### Prerequisites * [ ] AWS account with permissions to create/modify S3 buckets, SNS topics, and IAM policies * [ ] Admin access to Imperva Cloud Application Security portal * [ ] An S3 bucket where Imperva will store logs (follow this AWS guide to create one: [Create an S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html)) * [ ] AWS Access Key ID and Secret Access Key with `s3:PutObject` permissions on the bucket ### Configure Imperva Cloud WAF #### Step 1: Ensure that you have your S3 bucket information at hand. Remember to Allow List Imperva's IP addresses. Please Refer to [Imperva's documentation](https://docs-cybersec.thalesgroup.com/bundle/z-kb-articles-knowledgebase-support/page/290228110.html?pk_vid=1762968334d1890b). #### Step 2: Configure SIEM log integration For detailed Imperva configuration instructions, refer to the [Imperva SIEM Log Configuration documentation](https://docs.imperva.com/bundle/cloud-application-security/page/siem-log-configuration.htm). 1. Log in to the [Imperva Cloud Application Security portal](https://my.imperva.com/). 2. On the top menu bar, click **Account** > **Account Management**. 3. Navigate to **SIEM Logs** > **Log Configuration**. 4. Click **Add Connection**. 5. Select **Amazon S3** as the storage type. 6. Configure the connection: * **Connection Name**: `Radiant Security S3` * **Access Key**: AWS Access Key ID with `s3:PutObject` permissions * **Secret Key**: AWS Secret Access Key * **Path**: Your bucket name with prefix (e.g., `your-bucket-name/cloudwaf`) * **Format**: Select **CEF** (if available) * **Compress logs**: Select **Yes** (if available) 7. Click **Test Connection** to verify. 8. Click **Save**. #### Step 3: Enable logging for services After creating the connection, enable logging for the Imperva services you want to monitor. The following configuration depend on your subscribed services. If this section is not available, you can skip this step. 1. In the **Connections** table, expand the connection you created and click the **Edit** button. 2. For every service available in the **Select Services** section: * Log Types: Select All available log types * Format: Select **Json** or **CEF** (Preferably json) * State: Enabled 3. Click **Save**. #### Step 4: Note your configuration details Save the following information as you'll need it for the next steps: * S3 bucket name * S3 bucket path/prefix (e.g., `imperva/` or `cloudwaf/`) * AWS region where your bucket is located ### Configure S3 bucket for Radiant Security Now that Imperva is configured to send logs to your S3 bucket, you need to configure the bucket to allow Radiant Security to collect the logs. Follow the [Configure Amazon S3 to forward logs to Radiant Security](https://help.radiantsecurity.ai/~/revisions/922Q246ivW25E7jQi4sE/radiant-connectors/data-connectors/configure-amazon-s3-to-forward-logs-to-radiant-security) guide to: 1. Configure bucket policy to allow Radiant Security read access 2. Create and configure an SNS topic for event notifications 3. Set up S3 event notifications for the folder prefix(es) you configured in Imperva 4. Create the Amazon S3 Connector on Radiant Security --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.radiantsecurity.ai/radiant-connectors/data-connectors/imperva-cloud-waf-incapsula.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.