Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
ThreatX WAF Alerts | | | | ✅ | threatx_waf_alerts | NDJSON | S3
ThreatX Audit Logs | | | | ✅ | threatx_audit_logs | NDJSON | S3
Overview
ThreatX WAF is a web application firewall that provides real-time protection against cyber threats, including bot attacks, DDoS, and API abuse. It uses behavioral analytics, machine learning, and risk-based detection to identify and block malicious traffic without relying on static rules. ThreatX WAF continuously adapts to evolving threats, offering automated threat response and API security to help organizations protect web applications and APIs from sophisticated attacks.
Supported data types
ThreatX WAF Alerts
Table name: threatx_waf_alerts
ThreatX generates a detailed alert record whenever it detects a security threat or anomaly in traffic to a protected application or API; the sample records below show both a BlockEvent (a request that was blocked) and a MatchEvent (a request that matched one or more ThreatX rules, with the matched rules listed under `matches`). These WAF alert logs are the primary input for real-time threat detection and incident response on the web application layer.
ThreatX Audit Logs
Table name: threatx_audit_logs
ThreatX audit logs record events, actions, and configuration changes within the ThreatX WAF and threat protection platform, such as a user or automated process blocking an entity. They answer who changed what and when in the ThreatX service, which matters for security review, compliance, and for distinguishing an intended configuration change from an unauthorized one.
Send data to Hunters
Hunters supports the ingestion of ThreatX logs via an intermediary AWS S3 bucket.
To connect ThreatX logs:
Export your logs from ThreatX to an AWS S3 bucket.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
The logs should be stored in the bucket in NDJSON format (one JSON object per line). Each event must carry its timestamp under the `timestamp` key, in the format `%Y-%m-%dT%H:%M:%SZ` (UTC, e.g. `2022-04-03T00:47:50Z`); records without that key, or with a timestamp in another format, cannot be ingested.

Sample records. The first two are WAF alert events (`msg_type` `BlockEvent` and `MatchEvent`) destined for `threatx_waf_alerts`; the third is an `AuditEvent` destined for `threatx_audit_logs`:

```json
{"version":1,"severity":6,"facility":1,"priority":10,"subscription_id":"threatx/","enterprise_id":null,"app_name":"ThreatX","hostname":"syslog.threatx.io","pid":null,"msg_id":"6248eebd26dbd94725969ba0","message":"hostname.domain.com/","msg_type":"BlockEvent","timestamp":"2022-04-03T00:47:50Z","user_agent":"Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0","ip":"1.1.1.1","dst_host":"dsthost.domain.com","uri":"/","args":"","request_id":"ef1f78cb131f3cd6b2d8f31e41e15234","random_id":null,"tls_fingerprint":"772,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13-43-45-51-21,29-23-1035-25-24,:22a60409ea97c1ec0f5fd1f7d897d045","cookie":null,"js_fingerprint":null}
{"version":1,"severity":6,"facility":1,"priority":14,"subscription_id":"threatx/","enterprise_id":null,"app_name":"ThreatX","hostname":"syslog.threatx.io","pid":null,"msg_id":"6248eebd26dbd94725969b9f","message":"hostname.domain.com/","msg_type":"MatchEvent","timestamp":"2022-04-03T00:47:50Z","request_id":"ef1f78cb131f3cd6b2d8f31e41e15234","user_agent":"Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0","matches":[{"id":900003,"description":"Block all traffic to hostname.domain.com, hostname.domain.com","classification":"Misc","state":"Recon","contrib_score":100,"risk":0,"blocking":true,"beta":false}],"ip":"1.1.1.1","dst_host":"hostname.domain.com","uri":"/","args":"","status_code":0,"ssl":true,"risk":0,"request_method":"GET","content_type":null,"content_length":0,"response_length":null,"upstream_response_time":null,"postblock_event":false,"random_id":0,"tls_fingerprint":"772,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13-43-45-51-21,29-23-1035-25-24,:22a60409ea97c1ec0f5fd1f7d897d045","cookie":null,"js_fingerprint":0}
{"version": 1, "severity": 6, "facility": 1, "priority": 14, "subscription_id": "subscription id", "enterprise_id": null, "app_name": "ThreatX", "hostname": "host", "pid": null, "msg_id": "123456", "message": "some_actions/block_entity", "msg_type": "AuditEvent", "timestamp": "2023-01-15T00:10:13Z", "user_id": "user", "category": "some_actions", "user_email": "support@email.com", "action": "block_entity", "description": "Autoblock by author1. Entity Codename: 12345", "entity": {"codename": "12345", "hash": 12345, "ip_address": "1.2.3.4"}, "old_value": null, "new_value": null}
```
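Before pointing Hunters at the bucket it is worth checking an exported file against the format above: every line parses as a JSON object, carries a `timestamp` in exactly `%Y-%m-%dT%H:%M:%SZ`, and has a `msg_type` that maps to one of the two tables. The script below is an added example written for this page, not Hunters' or ThreatX's own tooling. It assumes the three `msg_type` values seen in the sample records (`BlockEvent`, `MatchEvent`, `AuditEvent`) are the ones the export produces, and runs over a constructed sample whose records are trimmed copies of the ones above plus two deliberately malformed lines.

```python
import json
from datetime import datetime, timezone

# Timestamp format Hunters expects under the "timestamp" key of every record.
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Target Hunters table per msg_type. Assumption: these are the only msg_type
# values the ThreatX export emits; anything else is reported, not dropped.
TABLE_BY_MSG_TYPE = {
    "BlockEvent": "threatx_waf_alerts",
    "MatchEvent": "threatx_waf_alerts",
    "AuditEvent": "threatx_audit_logs",
}

# Constructed sample export: the page's three records trimmed to the fields
# the checks look at, followed by two lines that must be rejected.
SAMPLE_EXPORT = "\n".join([
    '{"app_name":"ThreatX","msg_type":"BlockEvent","timestamp":"2022-04-03T00:47:50Z",'
    '"ip":"1.1.1.1","dst_host":"dsthost.domain.com","uri":"/","request_id":"ef1f78cb131f3cd6b2d8f31e41e15234"}',
    '{"app_name":"ThreatX","msg_type":"MatchEvent","timestamp":"2022-04-03T00:47:50Z",'
    '"ip":"1.1.1.1","dst_host":"hostname.domain.com","uri":"/","request_method":"GET",'
    '"matches":[{"id":900003,"description":"Block all traffic to hostname.domain.com",'
    '"state":"Recon","contrib_score":100,"blocking":true}],"request_id":"ef1f78cb131f3cd6b2d8f31e41e15234"}',
    '{"app_name":"ThreatX","msg_type":"AuditEvent","timestamp":"2023-01-15T00:10:13Z",'
    '"user_email":"support@email.com","action":"block_entity","entity":{"codename":"12345","ip_address":"1.2.3.4"}}',
    # Wrong timestamp format (space instead of "T", no trailing "Z"): must be rejected.
    '{"app_name":"ThreatX","msg_type":"MatchEvent","timestamp":"2022-04-03 00:47:50","ip":"1.1.1.1"}',
    # Truncated JSON object: must be rejected.
    '{"app_name":"ThreatX","msg_type":"BlockEvent"',
])


def parse_timestamp(value):
    """Parse a timestamp exactly as Hunters expects it; raise ValueError otherwise."""
    if not isinstance(value, str):
        raise ValueError("timestamp must be a string")
    return datetime.strptime(value, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)


def check_record(line):
    """Validate one NDJSON line and return (target_table, record); raise ValueError if unusable."""
    record = json.loads(line)  # JSONDecodeError is a ValueError subclass
    if not isinstance(record, dict):
        raise ValueError("line is not a JSON object")
    if "timestamp" not in record:
        raise ValueError("missing timestamp key")
    parse_timestamp(record["timestamp"])
    table = TABLE_BY_MSG_TYPE.get(record.get("msg_type"))
    if table is None:
        raise ValueError(f"unknown msg_type {record.get('msg_type')!r}")
    return table, record


def split_export(ndjson_text):
    """Validate every non-empty line and bucket valid records by target table.

    Returns (tables, errors): tables maps table name -> list of records,
    errors lists (line_number, reason) for lines Hunters would not ingest.
    """
    tables = {name: [] for name in set(TABLE_BY_MSG_TYPE.values())}
    errors = []
    for number, line in enumerate(ndjson_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            table, record = check_record(line)
        except ValueError as exc:
            errors.append((number, str(exc)))
            continue
        tables[table].append(record)
    return tables, errors


def blocking_matches(records):
    """From MatchEvent records, return (ip, dst_host, rule id) for each rule marked blocking."""
    hits = []
    for record in records:
        if record.get("msg_type") != "MatchEvent":
            continue
        for match in record.get("matches", []):
            if match.get("blocking"):
                hits.append((record.get("ip"), record.get("dst_host"), match.get("id")))
    return hits


if __name__ == "__main__":
    tables, errors = split_export(SAMPLE_EXPORT)
    for name, records in sorted(tables.items()):
        print(f"{name}: {len(records)} record(s)")
    for number, reason in errors:
        print(f"line {number} rejected: {reason}")
    print("blocking matches:", blocking_matches(tables["threatx_waf_alerts"]))
```

Run it against a file downloaded from the bucket by reading the file into `split_export`; any entry in `errors` is a line that will not land in either table, and the most common cause in practice is a timestamp written in a different layout than `%Y-%m-%dT%H:%M:%SZ`, which the strict `strptime` call catches.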