Package imperva/cloud-waf Release Notes
Package imperva/cloud-waf Release Notes Version 1.3.0
The old parser cwaf-cef is deprecated, and replaced by the new parser imperva-cloudwaf. While the old parser will remain available during a tranisition period, all future changes will only go into the new imperva-cloudwaf parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old cwaf-cef parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old cwaf-cef parser would duplicate certain fields, which the new imperva-cloudwaf parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.act
Vendor.ccode
Vendor.cicode
Vendor.cn1
Vendor.cpt
Vendor.end
Vendor.id
Vendor.in
Vendor.latitude
Vendor.longitude
Vendor.ref
Vendor.requestClientApplication
Vendor.requestMethod
Vendor.severity
Vendor.sip
Vendor.spt
Vendor.src
Vendor.start
Package imperva/cloud-waf Release Notes Version 1.2.0
Sets the event.category and event.type to threat/indicator for events where an attack took place.
Package imperva/cloud-waf Release Notes Version 1.1.0
Sets the event.kind based on the attack name field.
Package imperva/cloud-waf Release Notes Version 1.0.0
Adds new event.module and Cps.version fields
Removes the Product, related.host and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Package imperva/cloud-waf Release Notes Version 0.1.1
Now Imperva CWAF logs can be pulled directly from AWS S3 bucket by LogScale
Bumps minimum LogScale version to 1.120 to support AWS S3 ingest feed