Hi Guys,
I currently have a problem with the Imperva Incapsula integration with the QRadar SIEM.
For the integration we are using the Universal REST API integration from the Incapsula cloud.
In the QRadar Log Source interface, I configured the log source as needed when it was first created, and for the automation workflow we are using the XML Workflow and Parameters from the IBM GitHub page for community-developed scripts for known vendor components (see links below).
Incapsula-Workflow.xml:
https://github.com/IBM/IBM-QRadar-Universal-Cloud-REST-API/blob/master/Community%20Developed/Imperva%20Incapsula/Incapsula-Workflow.xml
Incapsula-Workflow-Parameters.xml:
https://github.com/IBM/IBM-QRadar-Universal-Cloud-REST-API/blob/master/Community%20Developed/Imperva%20Incapsula/Incapsula-Workflow-Parameters.xml
When testing the log source in the Test tab of the log source interface, it seems that in the test I'm able to fetch logs (which, according to their UNIX timestamp, are from 2 days ago), but when looking for logs while filtering by the Log Source, Associated Processor, Collector, and DSM, it seems that no logs are present under any of the components.
In the workflow parameters I inserted the host (Incapsula cloud subdomain), path (the dedicated path provided by Imperva for the client), API ID (username), and API Key (password), as requested in the XML Workflow Parameters.
It seems that the logs are not passing to the configured collector and are therefore not arriving at the desired DSM for parsing.
I have already talked with Imperva support, who told me that, as far as they are concerned, the problem could be with a certain internal QRadar component and is not associated with Imperva in any way, since we used Postman to navigate to the desired folder and saw logs present in the Incapsula cloud folder under the Incapsula domain.
According to the Imperva documentation, a Python script is required for downloading the logs from the Imperva cloud (see the reference on the Imperva GitHub page, as Imperva suggests), but as far as I understand, the <PostEvent> parameters in the XML Workflow should be enough as an automation mechanism for the log reception.
Link: https://github.com/imperva/incapsula-logs-downloader
I would highly appreciate it if someone could help me with this issue, since technical support can't help with it.
Thank you in advance!