Thank you for your post!
I understand that you're deploying an Imperva WAF Gateway within an Azure VM and need to implement a Sentinel Data Connector to send CEF and CommonSecurityLog table data to Microsoft Sentinel. To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.
Findings:
When it comes to connecting the Imperva WAF Gateway to Sentinel, you can use the Imperva WAF Gateway (Preview) connector from the Microsoft Sentinel Data Connectors page.
Prerequisites:
To integrate with Imperva WAF Gateway (Preview), make sure you have:
- Workspace: read and write permissions.
- Keys: Read permissions to shared keys for the workspace. See the documentation to learn more about workspace keys.
Alternatively, you can also leverage the Imperva Cloud WAF (using Azure Functions) connector for Microsoft Sentinel which provides the capability to integrate and ingest Web Application Firewall events into Microsoft Sentinel through the REST API.
I'm not too familiar with Imperva products, but when it comes to the Imperva WAF Management Server (MX), it looks like the connector requires an Action Interface and Action Set to be created on the Imperva SecureSphere MX. For more info on how to create the requirements.
I'd also recommend reaching out to the Imperva Cyber Community when it comes to Imperva WAF-specific questions.
Additional Links:
- Imperva Community Home Page
- Steps for Enabling Imperva WAF Gateway Alert Logging to Azure Sentinel
- Imperva Cloud WAF Log Integration
- How to make Imperva (waf) incident logs integration to Microsoft Sentinel - Similar Issue
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.