imperva/cloud-waf Dashboards | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support

Reading time: 6 minutes

imperva/cloud-waf Dashboards

Account Overview

Widget	Description	Type
Sites	Count of all seen web applications and websites in the last 24 hours. Hide Query Show Query logscale `\| groupBy(("source.domain"), function=count()) \| stats()`	`Single Value`
Blocked Requests	REQ_BAD_X: If a protocol or network error occurred Hide Query Show Query logscale `\| event.action="REQ_BLOCKED_*" \| source.domain = ?FQDN \| count(event.action)`	`Single Value`
Allowed Requests	REQ_PASSED: If the request was routed to the site's web server Hide Query Show Query logscale `\| event.action="REQ_PASSED" \| source.domain = ?FQDN \| count(event.action)`	`Single Value`
Top 5 countries	Table list of the top 5 countries by visit. Hide Query Show Query logscale `\| source.domain = ?FQDN \| top(source.geo.country_iso_code, limit=5)`	`Table`
All Requests	All incoming requests inclusive of both good and bad traffic. Hide Query Show Query logscale `\| event.action=* \| source.domain = ?FQDN \| count(event.action)`	`Single Value`
Countries Accessing Web Application / Websites	Visually shows source traffic to onboarded web applications and websites. Hide Query Show Query logscale `\| source.domain = ?FQDN \| worldMap(lat=source.geo.location.lat, lon=source.geo.location.lon)`	`World Map`
All Traffic over time	Visually shows all traffic over the last 1 day in buckets of 15 minutes across all web applications and websites. Hide Query Show Query logscale `\| event.action = * \| source.domain = ?FQDN \| timeChart()`	`Time Chart`
Challenged Requests	REQ_BLOCKED_X: If the request was blocked Hide Query Show Query logscale `\| event.action="REQ_CHALLENGE_*" \| source.domain = ?FQDN \| count(event.action)`	`Single Value`
Bad Requests	REQ_CHALLENGED_X: If a challenge was returned to the client Hide Query Show Query logscale `\| event.action="REQ_BAD_*" \| source.domain = ?FQDN \| count(event.action)`	`Single Value`
Cached Requests	REQ_CACHED_X: If a response was returned from the data center's cache Hide Query Show Query logscale `\| event.action="REQ_CACHED_*" \| source.domain = ?FQDN \| count(event.action)`	`Single Value`
Web Application/s	Basic information about web applications and websites onboarded in the Imperva Cloud WAF Platform including Account and Site ID's useful for API Calls. Note: This may not show all onboarded web application if there has been no traffic to them in the last 24 hours. Hide Query Show Query logscale `\| groupby(field=[source.domain, Vendor.siteid, Vendor.suid])`	`Table`

Search

Widget	Description	Type
Top 3 Locations	Top 3 locations when default. Hide Query Show Query logscale `\| source.ip = ?sourceIP \| source.domain = ?FQDN \| top(source.ip, limit=3) \| ipLocation(source.ip)`	`Table`
Events	Displays a list of events with source IP and domain data. Hide Query Show Query logscale `\| source.ip=?sourceIP \| source.domain = ?FQDN \| urlDecode(Vendor.qstr)`	`Event List`
Actions taken	Displays a pie chart of actions taken by source IP address. Hide Query Show Query logscale `\| source.ip = ?sourceIP \| source.domain = ?FQDN \| groupby(field=[Vendor.name])`	`Pie Chart`
Non-Security Events	Displays the number of non-security events by IP address and domain. Hide Query Show Query logscale `\| Vendor.name = "Normal" \| source.ip=?sourceIP \| source.domain = ?FQDN \| count(event.action)`	`Single Value`
Security Events	Displays a list of security events by IP address and domain. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.ip=?sourceIP \| source.domain = ?FQDN \| count(event.action)`	`Single Value`
Events over time	Events over time, filtered using parameter sourceIP and/or FQDN. Default value is . Hide Query Show Query logscale `\| event.action = \| source.ip = ?sourceIP \| source.domain = ?FQDN \| timeChart()`	`Time Chart`
Client used	Displays a list of source IP addresses and domains used by vendor. Hide Query Show Query logscale `\| source.ip = ?sourceIP \| source.domain = ?FQDN \| groupby(field=[Vendor.clapp])`	`Pie Chart`

WAF Overview

Widget	Description	Type
Top Attacker	Displays a list of top attackers with associated location data. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| top(["source.geo.country_iso_code"], limit=1) \| match("imperva/cloud-waf/ccode.csv",column="alpha-2", field="source.geo.country_iso_code") \| select(["name"])`	`Single Value`
Bot Access Control	Bots are identified according to Imperva's system of client classification. All detected bad bots on any onboarded web application are detected here. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| match("imperva/cloud-waf/imperva_severity.csv",column="sev_level",field="event.severity") \| "sev_name"="Bot Access Control" \| count()`	`Single Value`
Events	Displays a list of events with source IP and domain data. Hide Query Show Query logscale `\| source.ip=?sourceIP \| source.domain = ?FQDN \| urlDecode(Vendor.qstr)`	`Event List`
Traffic by Location	Displays a list of security event traffic by location using latitude and longitude. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| event.severity = ?security_event \| worldMap(lat=source.geo.location.lat, lon=source.geo.location.lon)`	`World Map`
SQL Injection	SQL injection is used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| match("imperva/cloud-waf/imperva_severity.csv",column="sev_level",field="event.severity") \| "sev_name"="SQL Injection" \| count()`	`Single Value`
Actions taken	Displays a pie chart of actions taken by source IP address. Hide Query Show Query logscale `\| source.ip = ?sourceIP \| source.domain = ?FQDN \| groupby(field=[Vendor.name])`	`Pie Chart`
DDoS	Distributed denial-of-service attack (DDoS attack) detected on onboarded web application/s. Websites using Imperva DDoS Protection are protected from any type of DDoS attack, including both network (Layer 3 and 4) and application (Layer 7) attacks. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| match("imperva/cloud-waf/imperva_severity.csv",column="sev_level",field="event.severity") \| "sev_name"="DDoS" \| count()`	`Single Value`
Bad Bot (Advanced Bot Protection)	Displays a list of Imperva Advanced Bad Bot Protection instances by vendor, domain, and country. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| match("imperva/cloud-waf/imperva_severity.csv",column="sev_level",field="event.severity") \| "sev_name"="Bad Bot (Advanced Bot Protection)" \| count()`	`Single Value`
Backdoor Protect	Backdoor Protect identifies backdoors not only by their HTTP signatures but also by tracing back suspicious remote commands on any onboarded web application. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| match("imperva/cloud-waf/imperva_severity.csv",column="sev_level",field="event.severity") \| "sev_name"="Backdoor Protect" \| count()`	`Single Value`
Remote File Inclusion	Remote File Inclusion (RFI) is an attack that targets the web servers that run websites and their applications. It represents an attempt to manipulate an application into downloading or executing a file from a remote location. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| match("imperva/cloud-waf/imperva_severity.csv",column="sev_level",field="event.severity") \| "sev_name"="Remote File Inclusion" \| count()`	`Single Value`
API Specification Violation	Any requests incoming that does not meet the API schema specification defined in Imperva. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| match("imperva/cloud-waf/imperva_severity.csv",column="sev_level",field="event.severity") \| "sev_name"="API Specification Violation" \| count()`	`Single Value`
Manual Rule	Any manually defined rule within Imperva used to implement security, delivery, and access control. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| match("imperva/cloud-waf/imperva_severity.csv",column="sev_level",field="event.severity") \| "sev_name"="Manual rule (IncapRule)" \| count()`	`Single Value`
ACL	Any Imperva defined WAF Policies. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| match("imperva/cloud-waf/imperva_severity.csv",column="sev_level",field="event.severity") \| "sev_name"="ACL" \| count()`	`Single Value`
Cross Site Scripting	Cross Site Scripting (XSS or CSS) is an attack that attempts to run malicious code on your website visitor's browser. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| match("imperva/cloud-waf/imperva_severity.csv",column="sev_level",field="event.severity") \| "sev_name"="Cross Site Scripting" \| count()`	`Single Value`
Account Takeover Protection	Account Takeover (ATO) Protection detects and mitigates account takeover attempts, protecting your web applications against volumetric and low and slow ATO attacks. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| match("imperva/cloud-waf/imperva_severity.csv",column="sev_level",field="event.severity") \| "sev_name"="Account Takeover Protection" \| count()`	`Single Value`
Events over time	Events over time, filtered using parameter sourceIP and/or FQDN. Default value is . Hide Query Show Query logscale `\| event.action = \| source.ip = ?sourceIP \| source.domain = ?FQDN \| timeChart()`	`Time Chart`
Illegal Resource Access	An Illegal Resource Access attack attempts to access otherwise private or restricted pages, or tries to view or execute system files. This is commonly done using URL Fuzzing, Directory Traversal or Command Injection techniques. Hide Query Show Query logscale `\| Vendor.name != "Normal" \| source.domain = ?FQDN \| source.geo.country_iso_code = ?Country \| match("imperva/cloud-waf/imperva_severity.csv",column="sev_level",field="event.severity") \| "sev_name"="Illegal Resource Access" \| count()`	`Single Value`

Enter search term