Imperva WAF “Confirmed DDoS Bot Activity” alerts firing unexpectedly

Hey Community,

Recently we noticed that the native Imperva integration via API is available again, which is great news :+1:
It also created a new log set for WAF Activity, so far so good.

The strange thing is that today we suddenly started receiving a lot of alerts of type:

Imperva WAF – Confirmed DDoS Bot Activity

What puzzles me is that this integration has been in place for a while already, and we’ve had Imperva events coming in before that made sense with the existing detection logic.
I checked the audit of the detection rules and I don’t see any recent changes or modifications.

So I’m wondering:

  • Have these alerts/rules been newly activated on the backend?

  • Did anything change recently that could explain this sudden spike?

We ended up disabling the rule, because otherwise we would have been flooded with thousands of alerts.

Has anyone else experienced something similar?

Thanks!

We also experienced the same thing and just ended up disabling the rule. Not too sure what changed, but I’m pretty sure I disabled the rule when I created the log source. It’s almost as if it was re-enabled, but no one on my team did this. Quite strange.

There haven’t been any changes on our end around this rule since Dec. I’d suggest it’s quite possible something changed on the Imperva side? Or some bot activity ramped up, perhaps?