marcredhat-siem-toolkit-patched/parsers/imperva_waf_logs-latest

{
  // specify a time zone if the timestamps in your log are not in GMT
  // timezone: "GMT-0800"
  attributes: {
    "dataSource.name": "Imperva WAF",
    "dataSource.vendor": "Imperva",
    "dataSource.category": "security"
    "metadata.product.name": "Imperva WAF",
    "metadata.product.vendor_name": "Imperva"
  },
    
  patterns: {
    tsPattern: "\\d+",
    value: "[^\\s]+",
    toDrop: "^(?!CEF).*$"   
  },
    
  formats: [
    //drop logs
    {
      id: "drop",
      format: "$unwanted=toDrop$",
      discard: true
    },
    
    {
      format: "$unmapped.cef.version$\\|$metadata.vendor_name$\\|$metadata.product$\\|$metadata.product.version$\\|$unmapped.signature$\\|$event.type$\\|$severity$\\|",
    },
    {
      format: ".*\\sstart=$timestamp=tsPattern$",
    }, 
    {
      format: ".*requestClientApplication=$unmapped.requestClientApplication$\\sdeviceFacility",
    },
 	{
      format: ".*\\scs2=$unmapped.cs2$\\scs2Label=$unmapped.cs2Label$\\scs3=$unmapped.cs3$\\scs3Label=$unmapped.cs3Label$\\scs1=$unmapped.cs1$\\scs1Label=$unmapped.cs1Label$\\scs4=$unmapped.cs4$\\scs4Label=$unmapped.cs4Label$\\scs5=$unmapped.cs5$\\scs5Label=$unmapped.cs5Label$\\scs6=$unmapped.cs6$\\scs6Label=$unmapped.cs6Label$\\scs7=$unmapped.cs7$\\scs7Label=$unmapped.cs7Label$\\scs8=$unmapped.cs8$\\scs8Label=$unmapped.cs8Label$\\sCustomer",
    },
    {
      format: ".*\\scs10=$unmapped.cs10$\\scs10Label=$unmapped.cs10Label$\\scpt",
    },
    {
      format: ".*\\sver=$unmapped.ver$\\s$unmapped.cipher$\\s",
    },
    {
      format: ".*$_=identifier$=$unmapped._=value$",
      repeat: true
    }
  ], 
  mappings: {
    version: 0,
    mappings: [
      {
        predicate: "",
        renames: [
          {
            inputs : ["unmapped.dst"],
            output : "dst_endpoint.ip",
            type: "string"
          }, 
          {
            inputs: ["unmapped.dpt"],
            output: "dst_endpoint.port",
            type: "string"
          },
          {
            inputs: ["unmapped.src"],
            output: "src_endpoint.ip",
            type: "string"
          },            
          {
            inputs: ["unmapped.spt"],
            output: "src_endpoint.port",
            type: "string"
          },
          {
            inputs: ["unmapped.Customer"],
            output: "Account Name",
            type: "string"
          }
        ]
      }
    ]
  }
}