
Imperva WAF

This Integration is part of the Imperva WAF Pack.

Use the Imperva WAF integration to manage IP groups and Web security policies in Imperva WAF. This integration was integrated and tested with version 14.2 of Imperva WAF and is based on the Imperva On-Premises WAF (SecureSphere) REST API.

Configure Imperva WAF on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Imperva WAF.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://example.net) | True |
| credentials | Username | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

imperva-waf-ip-group-list

Get a list of existing IP Group names.

Base Command

imperva-waf-ip-group-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ImpervaWAF.IpGroup.Name | String | The name of the IP Group |

Command Example

!imperva-waf-ip-group-list

Context Example

    {
        "ImpervaWAF": {
            "IpGroup": [
                {
                    "Name": "All Search Engines"
                },
                {
                    "Name": "FireEye Trusted Appliances"
                },
                {
                    "Name": "Bad IP Adresses"
                },
                {
                    "Name": "Google IP Addresses"
                }
            ]
        }
    }

Human Readable Output

IP groups

| Name |
| --- |
| All Search Engines |
| FireEye Trusted Appliances |
| Bad IP Adresses |
| Google IP Addresses |

imperva-waf-ip-group-list-entries

Get a list of the entries in the requested IP group.

Base Command

imperva-waf-ip-group-list-entries

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip-group-name | The name of the IP Group | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ImpervaWAF.IpGroup.Entries.Type | String | Type of address (Single, range or network) |
| ImpervaWAF.IpGroup.Entries.CidrMask | Number | Network significant bits |
| ImpervaWAF.IpGroup.Entries.NetworkAddress | String | Network address |
| ImpervaWAF.IpGroup.Entries.IpAddressTo | String | End IP address |
| ImpervaWAF.IpGroup.Entries.IpAddressFrom | String | Start IP address |

Command Example

!imperva-waf-ip-group-list-entries ip-group-name=`Google IP Addresses`

Context Example

    {
        "ImpervaWAF": {
            "IpGroup": {
                "Entries": [
                    {
                        "CidrMask": null,
                        "IpAddressFrom": "1.2.3.4",
                        "IpAddressTo": "2.3.4.5",
                        "NetworkAddress": null,
                        "Type": "range"
                    },
                    {
                        "CidrMask": null,
                        "IpAddressFrom": "1.2.3.4",
                        "IpAddressTo": "2.3.4.5",
                        "NetworkAddress": null,
                        "Type": "range"
                    },
                    {
                        "CidrMask": null,
                        "IpAddressFrom": "2.3.4.5",
                        "IpAddressTo": "2.3.4.5",
                        "NetworkAddress": null,
                        "Type": "range"
                    }
                ],
                "Name": "Google IP Addresses"
            }
        }
    }

Human Readable Output

IP group entries for Google IP Addresses

| Type | IpAddressFrom | IpAddressTo |
| --- | --- | --- |
| range | 1.2.3.4 | 2.3.4.5 |
| range | 1.2.3.4 | 2.3.4.5 |
| range | 1.2.3.4 | 2.3.4.5 |

imperva-waf-ip-group-remove-entries

Remove all the entries from an IP Group indicated by group name.

Base Command

imperva-waf-ip-group-remove-entries

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip-group-name | The name of the IP Group | Required |

Context Output

There is no context output for this command.

Command Example

!imperva-waf-ip-group-remove-entries ip-group-name=test_policy

Context Example

{}

Human Readable Output

The IP group test_policy is now empty

imperva-waf-sites-list

Returns a list of the names of all sites in the system.

Base Command

imperva-waf-sites-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ImpervaWAF.Site.Name | String | The name of the site |

Command Example

!imperva-waf-sites-list

Context Example

    {
        "ImpervaWAF": {
            "Site": {
                "Name": "Default Site"
            }
        }
    }

Human Readable Output

All sites in the system

| Name |
| --- |
| Default Site |

imperva-waf-server-group-list

Returns a list of all server group names under the site.

Base Command

imperva-waf-server-group-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| site-name | The name of the site | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ImpervaWAF.ServerGroup.Name | String | The name of the server group |
| ImpervaWAF.ServerGroup.SiteName | String | The name of the parent site of the server groups to access |

Command Example

!imperva-waf-server-group-list site-name=`Default Site`

Context Example

    {
        "ImpervaWAF": {
            "ServerGroup": {
                "Name": "Tel Aviv",
                "SiteName": "Default Site"
            }
        }
    }

Human Readable Output

Server groups in Default Site

| Name | SiteName |
| --- | --- |
| Tel Aviv | Default Site |

imperva-waf-server-group-list-policies

Get the web security policies applied to a server group.

Base Command

imperva-waf-server-group-list-policies

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| site-name | Site name | Required |
| server-group-name | Server group name | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ImpervaWAF.SecurityPolicy.PolicyName | String | Policy Name |
| ImpervaWAF.SecurityPolicy.PolicyType | String | Policy type |
| ImpervaWAF.SecurityPolicy.ServerGroup | String | Server group name |
| ImpervaWAF.SecurityPolicy.SiteName | String | Site name |
| ImpervaWAF.SecurityPolicy.System | Boolean | FI policy |

Command Example

!imperva-waf-server-group-list-policies site-name=`Default Site` server-group-name=`Tel Aviv`

Context Example

    {
        "ImpervaWAF": {
            "SecurityPolicy": [
                {
                    "PolicyName": "Network Protocol Violations Policy",
                    "PolicyType": "NetworkProtocolViolations",
                    "ServerGroup": "Tel Aviv",
                    "SiteName": "Default Site",
                    "System": true
                },
                {
                    "PolicyName": "Firewall Policy",
                    "PolicyType": "Firewall",
                    "ServerGroup": "Tel Aviv",
                    "SiteName": "Default Site",
                    "System": true
                }
            ]
        }
    }

Human Readable Output

Policies for Tel Aviv

| PolicyName | PolicyType | ServerGroup | SiteName | System |
| --- | --- | --- | --- | --- |
| Network Protocol Violations Policy | NetworkProtocolViolations | Tel Aviv | Default Site | true |
| Firewall Policy | Firewall | Tel Aviv | Default Site | true |

imperva-waf-web-service-custom-policy-list

Returns a list of names of all Web Application Custom Policies in the system.

Base Command

imperva-waf-web-service-custom-policy-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ImpervaWAF.CustomWebPolicy.Name | String | The name of the policy |

Command Example

!imperva-waf-web-service-custom-policy-list

Context Example

    {
        "ImpervaWAF": {
            "CustomWebPolicy": [
                {
                    "Name": "HTML Injection"
                },
                {
                    "Name": "OS Commands injection"
                },
                {
                    "Name": "Malicious File Upload"
                },
                {
                    "Name": "ThreatRadar - Emergency - GET Requests"
                },
                {
                    "Name": "ThreatRadar - Emergency - POST Requests"
                },
                {
                    "Name": "ThreatRadar - Emergency - Authenticated Sessions"
                },
                {
                    "Name": "Sensitive Error Messages Leakage"
                }
            ]
        }
    }

Human Readable Output

Custom web policies

| Name |
| --- |
| HTML Injection |
| OS Commands injection |
| Malicious File Upload |
| ThreatRadar - Emergency - GET Requests |
| ThreatRadar - Emergency - POST Requests |
| ThreatRadar - Emergency - Authenticated Sessions |
| ThreatRadar - Emergency - Authenticated Sessions |
| Sensitive Error Messages Leakage |

imperva-waf-web-service-custom-policy-get

Returns a Web Application Custom Policy indicated by policy name.

Base Command

imperva-waf-web-service-custom-policy-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| policy-name | The name of the policy | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ImpervaWAF.CustomWebPolicy.Enabled | Boolean | Whether the policy is enabled |
| ImpervaWAF.CustomWebPolicy.FollowedAction | String | Name of the Action Set |
| ImpervaWAF.CustomWebPolicy.Name | String | The name of the policy |
| ImpervaWAF.CustomWebPolicy.OneAlertPerSession | Boolean | Indicates whether to allow only one alert to be created for every web session |
| ImpervaWAF.CustomWebPolicy.DisplayResponsePage | Boolean | Indicates whether to show response page in alerts |
| ImpervaWAF.CustomWebPolicy.Action | String | Policy Action |
| ImpervaWAF.CustomWebPolicy.Severity | String | Alert Severity |
| ImpervaWAF.CustomWebPolicy.ApplyTo.serverGroupName | String | Name of the server group to apply |
| ImpervaWAF.CustomWebPolicy.ApplyTo.siteName | String | Name of the site to apply |
| ImpervaWAF.CustomWebPolicy.ApplyTo.webServiceName | String | Name of the web service to apply |
| ImpervaWAF.CustomWebPolicy.MatchCriteria.operation | String | Match operation for values |
| ImpervaWAF.CustomWebPolicy.MatchCriteria.type | String | Match Criterion name |
| ImpervaWAF.CustomWebPolicy.MatchCriteria.ipGroups.Group name | String | Name of IP Group to search in |
| ImpervaWAF.CustomWebPolicy.MatchCriteria.userDefined.IP Address | String | IP address to search in |
| ImpervaWAF.CustomWebPolicy.MatchCriteria.values.country | String | Country name to match |

Command Example

!imperva-waf-web-service-custom-policy-get policy-name=`Suspicious File Extension Access`

Context Example

    {
        "ImpervaWAF": {
            "CustomWebPolicy": {
                "Action": "none",
                "ApplyTo": [
                    {
                        "serverGroupName": "Tel Aviv",
                        "siteName": "Default Site",
                        "webServiceName": "Orders"
                    }
                ],
                "DisplayResponsePage": false,
                "Enabled": true,
                "FollowedAction": null,
                "MatchCriteria": [
                    {
                        "operation": "atLeastOne",
                        "type": "httpRequestFileExtension",
                        "values": [
                            ".swp",
                            ".sqlite",
                            ".pem",
                            ".bp",
                            ".conf",
                            ".der",
                            ".ini",
                            ".git",
                            ".db",
                            ".svn",
                            ".core",
                            ".DS_Store",
                            ".raw",
                            ".dmp",
                            ".log",
                            ".pkcs12",
                            ".bak",
                            ".pfx.p12"
                        ]
                    }
                ],
                "Name": "Suspicious File Extension Access",
                "OneAlertPerSession": false,
                "Severity": "high"
            }
        }
    }

Human Readable Output

Policy data for Suspicious File Extension Access

| Action | DisplayResponsePage | Enabled | Name | OneAlertPerSession | Severity |
| --- | --- | --- | --- | --- | --- |
| none | false | true | Suspicious File Extension Access | false | high |

Services to apply the policy to

| serverGroupName | siteName | webServiceName |
| --- | --- | --- |
| Tel Aviv | Default Site | Orders |
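
The context returned by imperva-waf-web-service-custom-policy-get can be checked automatically before a policy is relied on. The following is an added example, not code from the integration: `audit_custom_policy` and `SAMPLE_CONTEXT` are hypothetical names, the sample is a trimmed copy of the Context Example above, and reading Action `none` with no FollowedAction as "no enforcement" is an assumption.

```python
# Trimmed copy of the page's Context Example (extension list shortened).
SAMPLE_CONTEXT = {
    "ImpervaWAF": {"CustomWebPolicy": {
        "Action": "none",
        "ApplyTo": [{"serverGroupName": "Tel Aviv", "siteName": "Default Site",
                     "webServiceName": "Orders"}],
        "DisplayResponsePage": False,
        "Enabled": True,
        "FollowedAction": None,
        "MatchCriteria": [{"operation": "atLeastOne",
                           "type": "httpRequestFileExtension",
                           "values": [".pem", ".git", ".bak"]}],
        "Name": "Suspicious File Extension Access",
        "OneAlertPerSession": False,
        "Severity": "high",
    }}
}


def audit_custom_policy(context):
    """Return (policy name, finding) tuples for settings worth a second look."""
    policy = context["ImpervaWAF"]["CustomWebPolicy"]
    name, findings = policy.get("Name", "<unnamed>"), []
    if not policy.get("Enabled"):
        findings.append("disabled")
    # Assumption: Action "none" with no FollowedAction means a match is not acted on.
    if policy.get("Action") == "none" and not policy.get("FollowedAction"):
        findings.append(f"no enforcement action (severity {policy.get('Severity')})")
    if not policy.get("ApplyTo"):
        findings.append("not applied to any web service")
    # A criterion with no values, IP groups or user-defined addresses has nothing to match on.
    for crit in policy.get("MatchCriteria") or []:
        if not any(crit.get(k) for k in ("values", "ipGroups", "userDefined")):
            findings.append(f"empty match criterion: {crit.get('type')}")
    return [(name, f) for f in findings]


if __name__ == "__main__":
    for policy_name, finding in audit_custom_policy(SAMPLE_CONTEXT):
        print(f"{policy_name}: {finding}")
```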

imperva-waf-ip-group-create

Create an IP Group.

Base Command

imperva-waf-ip-group-create

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group-name | Group name to create | Required |
| entry-type | Type of address (Single, range or network) | Required |
| ip-address-from | Start IP address, Mandatory for types: single, range | Optional |
| ip-address-to | End IP address, Mandatory for type: range | Optional |
| network-address | Network address, Mandatory for type: network | Optional |
| cidr-mask | Network significant bits, Mandatory for type: network | Optional |
| json-entries | List of entries values in json format, e.g. [{"type":"single","ipAddressFrom":"1.2.3.4"}] | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ImpervaWAF.IpGroup.Name | String | The name of the IP Group |

Command Example

!imperva-waf-ip-group-create group-name=`test_policy` entry-type=range ip-address-from=127.0.0.1 ip-address-to=127.0.0.2

Context Example

    {
        "ImpervaWAF": {
            "IpGroup": {
                "Name": "test_policy"
            }
        }
    }

Human Readable Output

Group test_policy created successfully

imperva-waf-ip-group-update-entries

Add or remove rows in an IP Group indicated by IP Group name.

Base Command

imperva-waf-ip-group-update-entries

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group-name | Group name to update | Required |
| entry-type | Type of address (Single, range or network) | Required |
| ip-address-from | Start IP address, Mandatory for types: single, range | Optional |
| ip-address-to | End IP address, Mandatory for type: range | Optional |
| network-address | Network address, Mandatory for type: network | Optional |
| cidr-mask | Network significant bits, Mandatory for type: network | Optional |
| operation | Operation to apply on the entry | Required |
| json-entries | List of entries values in json format, e.g. [{"operation":"add","type":"single","ipAddressFrom":"1.2.3.4"}] | Optional |

Context Output

There is no context output for this command.

Command Example

!imperva-waf-ip-group-update-entries group-name=test_policy entry-type=range ip-address-from=10.0.0.1 ip-address-to=10.0.0.2 operation=add

Context Example

{}

Human Readable Output

Group test_policy updated successfully
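
The json-entries argument of imperva-waf-ip-group-create and imperva-waf-ip-group-update-entries takes a list of entries whose mandatory fields depend on the entry type. The following is an added example, not code from the integration, that validates a list of indicators and builds that JSON. The function names are hypothetical, and the keys `ipAddressTo`, `networkAddress`, `cidrMask`, the operation value `remove`, the IPv4-only handling and the /16 breadth guard are assumptions that follow the naming shown on this page.

```python
import ipaddress
import json

MIN_PREFIX = 16  # assumption: refuse networks broader than /16 as a typo guard
ALLOWED_OPERATIONS = ("add", "remove")  # "remove" is assumed from "Add or remove rows"


def to_entry(indicator, operation=None):
    """Turn '1.2.3.4', '10.0.0.1-10.0.0.2' or '10.0.0.0/24' into one entry dict."""
    text = indicator.strip()
    if "/" in text:
        # strict=True rejects a network address with host bits set, e.g. 10.0.0.5/24.
        net = ipaddress.IPv4Network(text, strict=True)
        if net.prefixlen < MIN_PREFIX:
            raise ValueError(f"{text}: broader than /{MIN_PREFIX}")
        entry = {"type": "network", "networkAddress": str(net.network_address),
                 "cidrMask": net.prefixlen}
    elif "-" in text:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if start > end:
            raise ValueError(f"{text}: range start is after range end")
        entry = {"type": "range", "ipAddressFrom": str(start), "ipAddressTo": str(end)}
    else:
        entry = {"type": "single", "ipAddressFrom": str(ipaddress.IPv4Address(text))}
    if operation is not None:
        if operation not in ALLOWED_OPERATIONS:
            raise ValueError(f"unsupported operation: {operation}")
        entry = {"operation": operation, **entry}
    return entry


def build_json_entries(indicators, operation=None):
    """Validate every indicator, drop duplicates, return the json-entries string."""
    entries, seen = [], set()
    for item in indicators:
        entry = to_entry(item, operation)
        key = json.dumps(entry, sort_keys=True)
        if key not in seen:
            seen.add(key)
            entries.append(entry)
    return json.dumps(entries, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample indicators.
    print(build_json_entries(["1.2.3.4", "10.0.0.1-10.0.0.2", "192.168.1.0/24"], "add"))
```

Pass `operation=None` when building entries for imperva-waf-ip-group-create, whose documented entry format has no operation field.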

imperva-waf-ip-group-delete

Delete an IP Group indicated by group name.

Base Command

imperva-waf-ip-group-delete

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group-name | Group name to delete | Required |

Context Output

There is no context output for this command.

Command Example

!imperva-waf-ip-group-delete group-name=test_policy

Context Example

{}

Human Readable Output

Group test_policy deleted successfully

imperva-waf-web-service-custom-policy-create

Create a Web Service Custom Policy.

Base Command

imperva-waf-web-service-custom-policy-create

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| policy-name | The name of the policy to create | Required |
| enabled | Whether the policy is enabled, Default: True | Optional |
| severity | Alert Severity, Default: medium | Optional |
| action | Policy Action, Default: none | Optional |
| followed-action | Name of the Action Set | Optional |
| one-alert-per-session | Indicates whether to allow only one alert to be created for every web session, Default: False | Optional |
| display-response-page | Indicates whether to show the response page in alerts, Default: False | Optional |
| site-name-to-apply | Name of the site to apply | Required |
| server-group-name-to-apply | Name of the server group to apply | Required |
| web-service-name-to-apply | Name of the web service to apply | Required |
| geo-location-criteria-operation | Match operation for Source Geolocation | Optional |
| ip-groups | Comma separated list of names of IP Groups to search in | Optional |
| ip-addresses | Comma separated list of IP addresses to search in | Optional |
| country-names | Comma separated list of country names to search in, mandatory when geo-location-criteria-operation is set | Optional |
| ip-addresses-criteria-operation | Match operation for Source IP addresses | Optional |
| match-criteria-json | List of match criteria in json format, e.g. [{"type": "sourceIpAddresses","operation": "atLeastOne","userDefined": ["1.2.3.4"]}] | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ImpervaWAF.CustomWebPolicy.Enabled | Boolean | Indicates whether the policy is enabled. |
| ImpervaWAF.CustomWebPolicy.FollowedAction | String | The name of the action set. |
| ImpervaWAF.CustomWebPolicy.Name | String | The name of the policy. |
| ImpervaWAF.CustomWebPolicy.OneAlertPerSession | Boolean | Indicates whether to allow only one alert to be created for every web session. |
| ImpervaWAF.CustomWebPolicy.DisplayResponsePage | Boolean | Indicates whether to show the response page in the alerts. |
| ImpervaWAF.CustomWebPolicy.Action | String | The custom web policy action. |
| ImpervaWAF.CustomWebPolicy.Severity | String | The custom web policy alert severity. |
| ImpervaWAF.CustomWebPolicy.ApplyTo.serverGroupName | String | The name of the server group to apply. |
| ImpervaWAF.CustomWebPolicy.ApplyTo.siteName | String | The name of the site to apply. |
| ImpervaWAF.CustomWebPolicy.ApplyTo.webServiceName | String | The name of the web service to apply. |
| ImpervaWAF.CustomWebPolicy.MatchCriteria.operation | String | The match operation for values. |
| ImpervaWAF.CustomWebPolicy.MatchCriteria.type | String | The match criterion name. |
| ImpervaWAF.CustomWebPolicy.MatchCriteria.ipGroups.Group name | String | The name of the IP group in which to search. |
| ImpervaWAF.CustomWebPolicy.MatchCriteria.userDefined.IP Address | String | The IP address in which to search. |
| ImpervaWAF.CustomWebPolicy.MatchCriteria.values.country | String | Country name to match. |

Command Example

!imperva-waf-web-service-custom-policy-create policy-name=test_policy server-group-name-to-apply=`Tel Aviv` site-name-to-apply=`Default Site` web-service-name-to-apply=Orders followed-action=`Long IP Block`

Context Example

{}

Human Readable Output

Policy test_policy created successfully

imperva-waf-web-service-custom-policy-update

Update a Web Service Custom Policy.

Base Command

imperva-waf-web-service-custom-policy-update

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| policy-name | The name of the policy to update | Required |
| enabled | Whether the policy is enabled | Optional |
| severity | Alert Severity | Optional |
| action | Policy Action | Optional |
| followed-action | Name of the Action Set | Optional |
| one-alert-per-session | Indicates whether to allow only one alert to be created for every web session | Optional |
| display-response-page | Indicates whether to show the response page in alerts | Optional |
| site-name-to-apply | Name of the site to apply | Optional |
| server-group-name-to-apply | Name of the server group to apply | Optional |
| web-service-name-to-apply | Name of the web service to apply | Optional |
| geo-location-criteria-operation | Match operation for Source Geolocation | Optional |
| ip-groups | Comma separated list of names of IP Groups to search in | Optional |
| ip-addresses | Comma separated list of IP addresses to search in | Optional |
| country-names | Comma separated list of country names to search in, mandatory when geo-location-criteria-operation is set | Optional |
| ip-addresses-criteria-operation | Match operation for Source IP addresses | Optional |
| apply-operation | Operation to apply | Optional |
| match-criteria-json | List of match criteria in json format, e.g. [{"type":"sourceIpAddresses","operation":"atLeastOne","userDefined":["1.2.3.4"]}] | Optional |

Context Output

There is no context output for this command.

Command Example

!imperva-waf-web-service-custom-policy-update policy-name=test_policy enabled=False

Context Example

{}

Human Readable Output

Policy test_policy updated successfully

imperva-waf-web-service-custom-policy-delete

Delete a Web Service Custom Policy indicated by policy name.

Base Command

imperva-waf-web-service-custom-policy-delete

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| policy-name | The name of the policy to delete | Required |

Context Output

There is no context output for this command.

Command Example

!imperva-waf-web-service-custom-policy-delete policy-name=test_policy

Context Example

{}

Human Readable Output

Policy test_policy deleted successfully