IBM QRadar


Universal Cloud REST API got interrupted.


    Posted Mon February 03, 2025 07:46 AM

    Hi Guys,
    I currently have a problem with the Imperva Incapsula integration with the QRadar SIEM.

    For the integration we are using Universal REST API integration from the Incapsula cloud.

    In the QRadar Log Source interface, I configured the log source as needed when it was first created, and for the automation workflow we are using the XML Workflow and parameters from the IBM GitHub page for community-developed scripts for known vendor components (see links below).

    Incapsula-Workflow.xml:
    https://github.com/IBM/IBM-QRadar-Universal-Cloud-REST-API/blob/master/Community%20Developed/Imperva%20Incapsula/Incapsula-Workflow.xml


    Incapsula-Workflow-Parameters.xml:
    https://github.com/IBM/IBM-QRadar-Universal-Cloud-REST-API/blob/master/Community%20Developed/Imperva%20Incapsula/Incapsula-Workflow-Parameters.xml

    When testing the log source in the Test tab under the log source interface, it seems that in the test I'm able to fetch logs (which, according to their UNIX timestamps, are from 2 days ago), but when looking for logs while filtering for the Log Source, Associated Processor, Collector, and DSM, it seems no logs are present under any of the components.


    In the workflow parameters I inserted the host (Incapsula cloud subdomain), path (the dedicated path provided by Imperva for the client), API ID (username), and API Key (password), as requested in the XML Workflow Parameters.

    It seems the logs are not passing to the configured collector and therefore not arriving at the desired DSM for parsing.

    I have already talked with Imperva support, who told me that, as far as they are concerned, the problem could be with a certain internal QRadar component and is not associated with Imperva in any way, since we used Postman to navigate to the desired folder and saw logs present in the Incapsula cloud folder under the Incapsula domain.

    According to the Imperva documentation, a Python script is required for downloading the logs from the Imperva cloud (see the reference to the Imperva GitHub page, as Imperva suggests), but as far as I understand, the <PostEvent> parameters in the XML Workflow should be enough as an automation mechanism for log reception.

    Link: https://github.com/imperva/incapsula-logs-downloader

    I would highly appreciate it if someone can help me with this issue, since technical support can't help with it.

    Thank you in advance!



    ------------------------------
    Nehoray Kanizo
    ------------------------------
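One diagnostic check relevant to the symptom described in the post (the Test tab returns events whose UNIX timestamps are from two days ago, yet a search for the log source shows nothing): confirm whether the fetched events' timestamps even fall inside the time window being searched. The script below is an added example written for this thread; it is not code from the post, from IBM QRadar, or from Imperva. The payload shape (a list of dicts with a `ts` field), the seconds-versus-milliseconds heuristic, and the one-hour search window are constructed assumptions.

```python
"""Check whether events returned by a log-source test fetch fall inside
the time window later used to search for them.

Constructed example for the thread above; not IBM or Imperva code.
The payload shape ("ts" field) and the ms-vs-seconds heuristic are assumptions.
"""
from datetime import datetime, timedelta, timezone


def to_utc(ts):
    """Convert a UNIX timestamp to an aware UTC datetime.

    Assumed heuristic: values above 10^11 are epoch milliseconds,
    anything smaller is epoch seconds.
    """
    ts = int(ts)
    if ts > 100_000_000_000:
        ts //= 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def classify_events(events, now, search_window):
    """Split events into those within `search_window` of `now` and older ones.

    Returns two lists of (iso_timestamp, age) tuples: (inside, stale).
    """
    inside, stale = [], []
    for ev in events:
        when = to_utc(ev["ts"])
        age = now - when
        (inside if age <= search_window else stale).append((when.isoformat(), age))
    return inside, stale


# Constructed sample: a test-fetch payload with two events roughly two days
# before "now" (one in seconds, one in milliseconds) and one recent event.
NOW = datetime(2025, 2, 3, 7, 46, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"ts": int((NOW - timedelta(days=2, hours=1)).timestamp())},            # seconds
    {"ts": int((NOW - timedelta(days=2, minutes=30)).timestamp()) * 1000},  # milliseconds
    {"ts": int((NOW - timedelta(minutes=3)).timestamp())},                  # recent
]


def summarize(events=SAMPLE_EVENTS, now=NOW, window=timedelta(hours=1)):
    """Count how many fetched events a search over the last `window` would cover."""
    inside, stale = classify_events(events, now, window)
    return {"inside_window": len(inside), "older_than_window": len(stale)}


if __name__ == "__main__":
    print(summarize())
```

If most fetched events land in `older_than_window`, a search scoped to recent time will not surface them even though collection itself worked, so widen the search range (or search on the device time field) before concluding that the collector or DSM dropped the events.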