Imperva WAF Export Integration with Maltiverse

The Imperva WAF Export connector pushes IP, hostname, and URL indicators from your Maltiverse feeds directly into an existing Imperva WAF ACL policy to automate responses. On every run, Maltiverse authenticates with your Imperva API credentials, looks up the ACL policy by name, and synchronizes the current state of your selected feeds into that policy.

Requirements

  • An Imperva Cloud Security Console account with permission to create API keys.
  • An existing ACL policy in your Imperva account.
  • Outbound connectivity from Maltiverse to the Imperva API endpoint ( https://api.imperva.com or your regional endpoint).
Note: The connector never creates the policy; it only looks it up by name and updates its entries on every run.

Integration Overview

Maltiverse repopulates an Imperva ACL policy on a recurring hourly schedule with the latest IoCs from the feeds you select. The connector authenticates using an Imperva API ID/Key pair, resolves the ACL policy by name, and writes the current set of exportable indicators. This is a full-sync connector. Every run replaces the previous set of indicators in the policy with the current state of your selected feeds. Expired or removed indicators disappear automatically, keeping your blocklist up to date without manual intervention.

Supported Indicator Types

Only three indicator families are exported. Anything else in your feeds is silently skipped.

  • IPv4 addresses
  • Hostnames (domains)
  • URLs

Email and file-sample indicators are not supported by the Imperva WAF ACL policy model and are never exported.

Preliminary Setup - Imperva Environment

To set up the integration you will need to:

1. Create an API key in the Imperva Cloud Security Console.
2. Identify (or create) the ACL policy you want Maltiverse to populate.

The following sections will guide you through these tasks.

Create an API Key

Log in to the Imperva Cloud Security Console and do the following.

1. Go to Account Management > Account Settings > API Keys.
2. Click on Add API Key. Give it a descriptive name, for example, maltiverse-export.
3. Copy the API ID and API Key values. The key is shown only once; store it securely.
Note: The API key only needs write access to the ACL policy you intend to update. If your organization uses role-based permissions, confirm the key’s associated user has permission to modify ACL policies.

Identify the Target ACL Policy

Now, locate or create the ACL policy that will be populated with the IoCs from Maltiverse. To do so, follow the steps below:

1. In the Imperva console, navigate to Security > WAF Policies > ACL.
2. Locate the policy you want Maltiverse to populate, or create a new one.
3. Copy the exact policy name — including capitalization and spacing — as this is how the connector resolves it on every run.
Alert: If the policy name provided to Maltiverse does not match any policy in your account, the connector will report an error and list the available policy names in the status message to help you correct the configuration.

Configure the Integration in the Maltiverse Portal

Log in to the Maltiverse Portal and navigate to Intelligence > Collectors.


Then, look for the Imperva connector and click on Add Imperva.


You will be prompted to fill out the integration form. Fill its fields as follows:

| Field | Required | Description |
| --- | --- | --- |
| Connection Name | Required | A descriptive name for this connection (3–120 characters). |
| Description | Optional | A free-text description (3–500 characters). Shown as a tooltip in the connections table. |
| Connection Status | Toggle | Enable or disable the connector. Disabled connectors will not run on schedule. |
| API ID | Required | The numeric API ID from your Imperva API key. |
| API Key | Required | The API Key value. Displayed as a password field for security. |
| ACL Policy Name | Required | The exact name of the Imperva ACL policy to update, obtained during the Identify the Target ACL Policy step. Defaults to Maltiverse IoC Blocklist. The policy must already exist in your account. |
| API Base URL | Optional | Defaults to https://api.imperva.com. Change this only if your Imperva account uses a regional or custom endpoint. Must start with https://. |
| Feeds to Export | Required | Select one or more Maltiverse feeds whose indicators will be exported to the ACL policy. |


Before saving the configuration, click Test Connection (enabled only when all required fields are filled). The test authenticates against the Imperva API and verifies that the ACL policy can be found.

  • Success (green): Credentials are valid and the ACL policy was found. The Save button appears to finish the configuration.
  • Error (yellow): Authentication failed or the policy was not found. The error message includes the list of available policy names when the policy lookup fails.
Note: If the connection test fails, you can still save the connection and fix the issue later.

Once you click Save, the new connection appears in the Manage Connections table within the Imperva Connector page.

Managing Existing Connections

The Manage Connections table displays all configured Imperva WAF connections with the following columns:

  • Connection Name: The name of the connection. Hover to see the description in a tooltip.
  • ACL Policy: The name of the target Imperva ACL policy.
  • Feeds to Export: The names of the selected feeds, shown as tags. Hover to see the full list.
  • Status: Shows the last execution result. The statuses displayed are the following:
    • Online (green) - last execution succeeded
    • Unreachable (red) - last execution failed
    • Pending (yellow) - awaiting first execution
    • Disabled (gray) - connector disabled.
  • Actions: Edit, Run, and Delete buttons.

Running a Connection

Click the play icon in the Actions column to trigger an immediate export. The Status column updates to show the result of the run.

Editing a Connection

Click the edit icon to modify a connection. If you change the API credentials or ACL policy name, click Test Connection again before saving to confirm the new configuration is valid.

Deleting a Connection

Click the trash icon to remove a connection. This stops all future scheduled exports. Indicators previously pushed to your Imperva ACL policy remain.

Note: The policy is not cleared automatically. If you want to empty the policy, do so manually in the Imperva console.

Key Concepts

The following concepts clarify how the integration works.

Full-Sync Model

Every export run performs a full replacement of the indicators in the ACL policy:

  • Maltiverse resolves the ACL policy by name.
  • It clears the existing set of Maltiverse-managed entries.
  • It writes the current state of all selected feeds (IP, hostname, URL indicators only).

If a previous run wrote 10,000 indicators and the current run produces 8,000, the policy ends with exactly 8,000. Stale indicators are removed automatically.

Schedule and On-Demand Runs

The connector runs hourly by default (at the top of each hour). You can also trigger a run on demand from the connection table by clicking the Run button.

Indicator Limit

Imperva ACL policies have a maximum capacity that varies by account tier. Select feeds deliberately — start with a focused set and expand only when you have a clear use case.

ACL Policy Ownership

The connector does not create, rename, or delete the ACL policy itself. It only updates the entries (IP addresses, domains, URLs) within the policy you specify. If you rename the policy in Imperva, update the ACL Policy Name field in Maltiverse to match.

Troubleshooting

The Test Connection fails with an authentication error

Verify that the API ID and API Key are correct and that the key has not been revoked or expired. Regenerate the key in the Imperva console if necessary.

The Test Connection fails with a policy not found error

The ACL Policy Name does not match any policy in your Imperva account. The error message lists the available policy names. Copy the exact name — including capitalization — into the ACL Policy Name field.

Status shows Unreachable

Maltiverse could not reach the Imperva API or the ACL policy was not found during the last run. Check:

  • The API Base URL is correct and reachable from Maltiverse.
  • The API key is still valid and has not been rotated.
  • The ACL policy still exists under the same name.
  • There are no firewall rules blocking Maltiverse’s outbound requests to the Imperva API.

Status shows Pending

The connection has been saved but has not run yet. Wait for the next scheduled run (top of the hour) or click the Run button to trigger an immediate export.

IoCs not appearing in the ACL policy after the integration

  • Confirm the connection Status is Online, not Unreachable or Disabled.
  • Verify that the selected feeds contain IP, hostname, or URL indicators — email and sample indicators are skipped.
  • Click Run to force an immediate sync and check the status message for errors.

API key rotated and now the connector is failing

Click the edit icon on the connection, enter the new API ID and API Key, click Test Connection, and save. The next scheduled run will succeed.

Frequently Asked Questions

Can I use the same ACL policy for multiple connections?

It is not recommended. Each connection performs a full sync that replaces the policy’s entries. If two connections target the same policy, they will overwrite each other’s data on each run.
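
An added example, not Maltiverse or Imperva code: a local model of the full-sync behaviour described under Key Concepts and of the shared-policy overwrite described in this answer. It makes no API calls; the function names, the `capacity` parameter, the classification rules and the sample indicators are assumptions constructed for illustration, and the whole policy is treated as connector-managed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample feeds (documentation ranges and example domains only).
FEED_A = ["192.0.2.10", "bad.example.com", "https://bad.example.com/login",
          "phish@example.org", "d41d8cd98f00b204e9800998ecf8427e"]
FEED_B = ["198.51.100.7", "bad.example.com"]

HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def classify(value):
    """Return 'ip', 'url' or 'hostname'; None for types the export skips."""
    try:
        ipaddress.IPv4Address(value)
        return "ip"
    except ValueError:
        pass
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme in ("http", "https") and parts.netloc:
        return "url"
    return "hostname" if HOSTNAME.match(value) else None

def full_sync(policy_entries, feeds, capacity=None):
    """Model one run: the policy becomes exactly the exportable feed state."""
    kept, skipped = set(), set()
    for feed in feeds:
        for value in feed:
            (kept if classify(value) else skipped).add(value)
    if capacity is not None and len(kept) > capacity:
        # Assumed behaviour for this model: refuse rather than truncate silently.
        raise ValueError(f"{len(kept)} indicators exceed capacity {capacity}")
    return {"entries": kept, "added": kept - policy_entries,
            "removed": policy_entries - kept, "skipped": skipped}

def shared_policy_demo():
    """Two connections pointed at one policy: the second run undoes the first."""
    policy = full_sync(set(), [FEED_A])["entries"]   # connection 1 (FEED_A)
    return full_sync(policy, [FEED_B])               # connection 2 (FEED_B)

if __name__ == "__main__":
    result = shared_policy_demo()
    print("removed by second connection:", sorted(result["removed"]))
    print("policy now holds:", sorted(result["entries"]))
```

Running the same diff against an export of the current policy before enabling a connection shows which existing entries a first sync would remove.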

What happens if I delete a connection?

The connection is removed from Maltiverse and no further exports are scheduled. The ACL policy in Imperva is not modified — indicators previously pushed remain in place. Remove them manually from the Imperva console if needed.

Can I change the schedule?

No. The schedule is fixed: the connector runs every hour. You can trigger a run on demand at any time using the Run button.

Does the connector create the ACL policy if it doesn’t exist?

No. The policy must already exist in your Imperva account before you configure the connector. The connector only updates the entries within the policy — it never creates, renames, or deletes policies.

Why are file hashes and email addresses not exported?

Imperva WAF ACL policies operate at the network layer and support IP addresses, hostnames, and URLs only. File hashes and email addresses are not applicable to this policy type and are automatically skipped.

How do I point the connector to a regional Imperva endpoint?

Edit the connection and change the API Base URL field to your regional endpoint. The URL must start with https://. Contact your Imperva account team to confirm the correct regional URL for your account.

What roles can manage Imperva WAF Export connections?

The same roles that manage other connectors in your tenant — typically Admin, Platform Leader, and Researcher. Read-only roles can see the connection list but cannot edit or run connections.

