What Changed
The Imperva Cloud WAF CCF connector was updated to parse CEF (Common Event Format) events with the C# CommonEventFormatTransformer logic instead of pure regex parsing. The connector also switched its CSV delimiter from the pipe character (|) to the record separator character.
Security Impact (Visibility & Fidelity)
Critical data ingestion gap closed: The previous regex-based parser had fundamental limitations that caused complete parsing failures for CEF events containing both embedded quotes and pipes within field values. This meant security events with complex payloads — such as those containing JSON data structures, SQL injection attempts with quoted strings, or XSS payloads with embedded delimiters — were being dropped during ingestion.
Per PR discussion: The C# CommonEventFormatTransformer provides better testing and logic controls and specifically addresses the embedded delimiter handling that the regex solution could not process. Deployments running the previous version had a blind spot for any security events where attack payloads contained these character combinations.
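The failure mode described above, as an added example in Python (not the connector's code and not the CommonEventFormatTransformer implementation). It assumes the standard CEF layout of seven pipe-delimited header fields followed by a key=value extension; the sample record and all function names are constructed for illustration.

```python
import re

# Constructed sample record (not a real log line): extension values carry
# both double quotes and pipe characters.
SAMPLE = ('CEF:0|ExampleVendor|ExampleWAF|1.0|100|SQL Injection|8|'
          'src=203.0.113.7 request=/search?q="a"|"b" '
          'cs1={"k":"v|w"} cs1Label=Payload act=REQ_BLOCKED')

HEADER = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")

def naive_split(line):
    """Delimiter-only view: every pipe starts a new column."""
    return line.split("|")

def parse_extension(ext):
    """A value runs until the next ' key=' token, so pipes and quotes are data."""
    keys = list(re.finditer(r"(?:^|(?<= ))(\w+)=", ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].rstrip(" ")
        out[m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)  # undo \= and \\
    return out

def parse_cef(line):
    """Split the seven header fields on unescaped pipes, then the extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    body, fields, buf, i = line[4:], [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            buf.append(body[i + 1])   # escaped pipe or backslash is literal
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != len(HEADER):
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER, fields))
    event["extension"] = parse_extension(body[i:])
    return event

if __name__ == "__main__":
    print(len(naive_split(SAMPLE)), "columns from a plain split")
    print(parse_cef(SAMPLE)["extension"])
```

A plain split yields more columns than the eight a pipe-delimited schema expects for this record, while the structured parser keeps the quoted, pipe-bearing payloads intact inside `request` and `cs1`.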
Detection Surface Restored
With proper CEF parsing now in place, security teams regain visibility into:
- Complex injection attacks where payloads contain both quoted strings and pipe characters
- Malformed requests with embedded JSON structures in URL parameters or headers
- Multi-stage attacks where initial reconnaissance payloads are properly parsed alongside simpler probe attempts
- Attack campaigns using delimiter confusion techniques to evade detection
The connector now includes an additional security events metric (AttackSeverity != 0) providing focused visibility into active threats versus benign traffic.
Affected Files
Solutions/ImpervaCloudWAF/Data Connectors/ImpervaCloudWAFLogs_ccf/ImpervaCloudWAFLogs_ConnectorDefinition.json
Solutions/ImpervaCloudWAF/Data Connectors/ImpervaCloudWAFLogs_ccf/ImpervaCloudWAFLogs_PollingConfig.json
(packaging artefacts: 3.1.2.zip, ReleaseNotes.md, Solution_ImpervaCloudWAF.json, mainTemplate.json)