TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
Alert Logic WSM Deny Logs | | | | | alert_logic_wsm_deny_logs | JSON (v4) / NDJSON (v5) | S3
Overview
Alert Logic is a cloud-based security platform that provides threat detection and response services to organizations of all sizes. It is owned and operated by the cybersecurity company Fortra (formerly HelpSystems).
Alert Logic offers a range of security services, including network security, threat detection, vulnerability management, compliance management, and log management. The platform is designed to protect cloud, hybrid, and on-premises environments, providing organizations with comprehensive security coverage regardless of their infrastructure.
Supported data types
Alert Logic WSM Deny Logs
Table name: alert_logic_wsm_deny_logs
Deny logs produced by Alert Logic Web Security Manager (WSM) WAF appliances, versions 4 and 5.
Send data to Hunters
Hunters ingests Alert Logic WSM logs through an intermediary AWS S3 bucket. Use Alert Logic's built-in export feature to ship the Deny Logs from every appliance to that bucket.
To connect Alert Logic WSM logs:
Export your logs from Alert Logic WSM to an AWS S3 bucket.
Once the export is running and logs are landing in S3, follow the S3 collection steps in this section to connect the bucket to Hunters.
📘 Note
The format of the exported Deny Logs differs between appliance versions: Alert Logic WSM v5 exports NDJSON (one JSON object per line), while v4 exports a single JSON array.
Ship the two formats to different S3 prefixes (e.g. a v4 prefix and a v5 prefix) so each can be ingested with the matching parser.
Expected format
Logs are expected as JSON: a JSON array of records for v4 appliances, NDJSON (one record per line) for v5 appliances. Both versions share the same record fields; Properties is a list of lists of {Type, Value} pairs.
V4
[{"Action":"block","AttackClass":"Access violation","CountryCode":"UK","Host":"1.2.3.4","ID":"f5cfk4s6-3551-113c-9ds8-02f049fc5af5","Method":"GET","Path":"/","ProxyID":0,"RawRequest":"GET / HTTP/1.1\nHost: 2.2.2.2\nUser-Agent: Mozilla/5.0 (Windows NT 6.1;en-US) AppleWebKit/537.30.30 (KHTML, live Gecko) Chrome/52.0.3003.83 Safari/537.32\nAccept-Encoding: gzip, deflate\nAccept: */*\nConnection: keep-alive\n","ResponseCode":404,"Risk":"Low","SourceIP":"9.8.7.6","Time":1634340312,"Violation":"Path denied","Properties":[[{"Type":"SUB_VIOLATION","Value":"Path denied"}]]}]
V5
{"Action":"block","AttackClass":"Other","CountryCode":"AR","Host":"2.2.2.2","ID":"217d8922-3197-1f1c-bch0-0234vgk3658d","Method":"POST","Path":"/","RawRequest":"POST / HTTP/1.1\nHost: 5.6.7.8\nContent-Length: 20\nAccept-Encoding: gzip, deflate\nAccept: */*\nUser-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4040.123 Safari/537.36\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded","ResponseCode":404,"Risk":"None","SourceIP":"1.2.3.4","Time":1612920985,"Violation":"Generic invalid hostname","Properties":[[{"Type":"SUB_VIOLATION","Value":"Generic invalid hostname"}],[{"Type":"USER_AGENT","Value":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.120 Safari/537.36"}]]}
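The following is an added example, not Hunters' or Alert Logic's code. It shows how a consumer of the exported files tells the v4 (JSON array) and v5 (NDJSON) layouts apart, flattens the nested Properties list, parses the embedded RawRequest, and normalises both versions into the same flat record so that a single detection (blocks per source IP) runs over either. The sample inputs are constructed from the field layout shown above; the second v5 record and its ID are made up for the example.

```python
"""Parse Alert Logic WSM deny logs in the v4 (JSON array) and v5 (NDJSON)
export layouts and normalise both into flat records.

Added example for this page, not Hunters' or Alert Logic's code; it assumes
only the field layout visible in the page's v4 and v5 samples."""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample inputs modelled on the page's samples (IDs and the
# second v5 record are made up; header lines are trimmed for brevity).
V4_EXPORT = r'''[{"Action":"block","AttackClass":"Access violation","CountryCode":"UK","Host":"1.2.3.4","ID":"f5cfk4s6-3551-113c-9ds8-02f049fc5af5","Method":"GET","Path":"/","ProxyID":0,"RawRequest":"GET / HTTP/1.1\nHost: 2.2.2.2\nUser-Agent: Mozilla/5.0 (Windows NT 6.1;en-US)\nAccept: */*\n","ResponseCode":404,"Risk":"Low","SourceIP":"9.8.7.6","Time":1634340312,"Violation":"Path denied","Properties":[[{"Type":"SUB_VIOLATION","Value":"Path denied"}]]}]'''

V5_EXPORT = r'''{"Action":"block","AttackClass":"Other","CountryCode":"AR","Host":"2.2.2.2","ID":"217d8922-3197-1f1c-bch0-0234vgk3658d","Method":"POST","Path":"/","RawRequest":"POST / HTTP/1.1\nHost: 5.6.7.8\nContent-Length: 20\nUser-agent: Mozilla/5.0 (X11; Linux x86_64)\nContent-Type: application/x-www-form-urlencoded","ResponseCode":404,"Risk":"None","SourceIP":"1.2.3.4","Time":1612920985,"Violation":"Generic invalid hostname","Properties":[[{"Type":"SUB_VIOLATION","Value":"Generic invalid hostname"}],[{"Type":"USER_AGENT","Value":"Mozilla/5.0 (X11; Linux x86_64)"}]]}
{"Action":"block","AttackClass":"Access violation","CountryCode":"AR","Host":"2.2.2.2","ID":"constructed-0002","Method":"GET","Path":"/admin","RawRequest":"GET /admin HTTP/1.1\nHost: 2.2.2.2\nUser-agent: curl/7.68.0\n","ResponseCode":404,"Risk":"Low","SourceIP":"1.2.3.4","Time":1612921003,"Violation":"Path denied","Properties":[[{"Type":"SUB_VIOLATION","Value":"Path denied"}]]}
'''


def detect_format(text: str) -> str:
    """v4 exports one JSON array; v5 exports NDJSON, so the file starts with '{'."""
    head = text.lstrip()
    if head.startswith("["):
        return "v4"
    if head.startswith("{"):
        return "v5"
    raise ValueError("not an Alert Logic WSM deny log export")


def load_records(text: str) -> list[dict]:
    """Return the raw records of an export, tagging each with the detected version."""
    fmt = detect_format(text)
    if fmt == "v4":
        records = json.loads(text)
    else:
        records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for rec in records:
        rec["_format"] = fmt
    return records


def flatten_properties(props) -> dict[str, list[str]]:
    """Properties is a list of lists of {Type, Value}; collapse to Type -> [values]."""
    out: dict[str, list[str]] = {}
    for group in props or []:
        for item in group:
            out.setdefault(item["Type"], []).append(item["Value"])
    return out


def parse_raw_request(raw: str) -> dict:
    """Split RawRequest into the request line and a lower-cased header map."""
    lines = raw.split("\n")
    parts = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1] if len(parts) > 1 else "", "headers": headers}


def normalise(rec: dict) -> dict:
    """Produce one flat record shape for both appliance versions."""
    props = flatten_properties(rec.get("Properties"))
    req = parse_raw_request(rec.get("RawRequest", ""))
    return {
        "format": rec.get("_format", "unknown"),
        "time": datetime.fromtimestamp(int(rec["Time"]), tz=timezone.utc).isoformat(),
        "action": rec.get("Action"),
        "attack_class": rec.get("AttackClass"),
        "risk": rec.get("Risk"),
        "violation": rec.get("Violation"),
        "sub_violation": props.get("SUB_VIOLATION", [None])[0],
        "source_ip": rec.get("SourceIP"),
        "country": rec.get("CountryCode"),
        "host": rec.get("Host"),                      # host recorded by the WAF
        "requested_host": req["headers"].get("host"),  # Host header the client sent
        "method": rec.get("Method") or req["method"],
        "path": rec.get("Path"),
        "target": req["target"],
        "response_code": rec.get("ResponseCode"),
        # v5 carries the UA as a property; fall back to the raw header for v4.
        "user_agent": props.get("USER_AGENT", [None])[0] or req["headers"].get("user-agent"),
    }


def blocks_per_source(records: list[dict]) -> dict[str, int]:
    """Count blocked requests per source IP over normalised records."""
    return dict(Counter(r["source_ip"] for r in records if r["action"] == "block"))


if __name__ == "__main__":
    rows = [normalise(r) for r in load_records(V4_EXPORT) + load_records(V5_EXPORT)]
    for r in rows:
        print(r["time"], r["format"], r["source_ip"], r["violation"], r["target"])
    print(blocks_per_source(rows))
```

Because detection is keyed on the first non-blank character, a v4 file dropped into the v5 prefix (or vice versa) is still parsed correctly, which is a useful safety net even when the two versions are kept under separate prefixes as the note above recommends.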