AWS WAF Logs

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

Overview

Table name: aws_waf

AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define.

Send data to Hunters

To connect AWS WAF logs:

  1. Follow this guide by AWS to export the logs to an S3 bucket.

  2. Once the export is complete and the logs are being collected in S3, follow the steps in this section.

Expected format

Logs are expected in JSON format.

{"timestamp":1652785041199,"formatVersion":1,"webaclId":"arn:aws:wafv2:eu-central-1:778114978010:regional/webacl/ext-atlassian-stack/81d6909f-eb2b-4edc-855a-10f384403752","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","terminatingRuleMatchDetails":[],"httpSourceName":"ALB","httpSourceId":"778114978010-app/aws-alb-support/246f4c77436a235e","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesAmazonIpReputationList","terminatingRule":null,"nonTerminatingMatchingRules":[],"excludedRules":null},{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[],"excludedRules":null},{"ruleGroupId":"AWS#AWSManagedRulesKnownBadInputsRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[],"excludedRules":null},{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[],"excludedRules":null},{"ruleGroupId":"AWS#AWSManagedRulesLinuxRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[],"excludedRules":null}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"requestHeadersInserted":null,"responseCodeSent":null,"httpRequest":{"clientIp":"10.127.128.84","country":"DE","headers":[{"name":"host","value":"support.solarisbank.de"},{"name":"content-length","value":"455"},{"name":"sec-ch-ua","value":"\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"101\", \"Google Chrome\";v=\"101\""},{"name":"accept","value":"application/json, text/javascript, */*; q=0.01"},{"name":"content-type","value":"application/json"},{"name":"x-requested-with","value":"XMLHttpRequest"},{"name":"sec-ch-ua-mobile","value":"?0"},{"name":"user-agent","value":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 
Safari/537.36"},{"name":"sec-ch-ua-platform","value":"\"macOS\""},{"name":"origin","value":"https://support.solarisbank.de"},{"name":"sec-fetch-site","value":"same-origin"},{"name":"sec-fetch-mode","value":"cors"},{"name":"sec-fetch-dest","value":"empty"},{"name":"referer","value":"https://support.solarisbank.de/secure/RapidBoard.jspa?rapidView=144"},{"name":"accept-encoding","value":"gzip, deflate, br"},{"name":"accept-language","value":"en-GB,en-US;q=0.9,en;q=0.8"},{"name":"cookie","value":"mp_abe3945ad0ddaadc3d987393d8d7c2ce_mixpanel=%7B%22distinct_id%22%3A%20%221801927e4f5feb-02d016f0774cd5-35736a03-13c680-1801927e4f61038%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D; JSESSIONID=91E22873D9993090B7F310AEB7A0B415; atlassian.xsrf.token=BEQR-OU72-9SUK-TSW6_925a4be3a4233f9a03c378bb96c8d0dda468517a_lin; slack.inapp.links.first.clicked.Maxime.Stephan=false; AWSALB=+NjYhHtt5j9GUrEKLkz1byZei2kt5tcq+vEaZ7NSr32qIAt+KBLDUpg9L+o9TiX/BUcQix+ADr6c39uI7E6SWVgUqNGaaPrv/NUeUuN1OlacAoEG/YRO1OfMLDH8; AWSALBCORS=+NjYhHtt5j9GUrEKLkz1byZei2kt5tcq+vEaZ7NSr32qIAt+KBLDUpg9L+o9TiX/BUcQix+ADr6c39uI7E6SWVgUqNGaaPrv/NUeUuN1OlacAoEG/YRO1OfMLDH8"}],"uri":"/rest/analytics/1.0/publish/bulk","args":"","httpVersion":"HTTP/2.0","httpMethod":"POST","requestId":"1-62837f91-2699fc195d52096a1dcee2b2"}}
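A pre-flight check for exported lines against the format shown above, as an added example (not Hunters or AWS code). Field names come from the sample record; the `SENSITIVE` header set, the function name and the sample lines are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Top-level keys taken from the sample record on this page.
REQUIRED = ("timestamp", "webaclId", "terminatingRuleId", "action", "httpRequest")
# Assumption: header names whose values you may not want stored downstream.
SENSITIVE = {"cookie", "authorization"}

def check_record(line):
    """Return (summary, problems) for one line of an exported WAF log file."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc.msg}"]
    if not isinstance(rec, dict):
        return None, ["top-level value is not a JSON object"]
    problems = [f"missing field: {key}" for key in REQUIRED if key not in rec]
    ts, when = rec.get("timestamp"), None
    if isinstance(ts, int) and not isinstance(ts, bool):
        when = datetime.fromtimestamp(ts / 1000, tz=timezone.utc).isoformat()
    elif "timestamp" in rec:
        problems.append("timestamp is not an integer (epoch milliseconds)")
    req = rec.get("httpRequest") if isinstance(rec.get("httpRequest"), dict) else {}
    # Headers arrive as a list of {"name": ..., "value": ...} objects.
    headers = {h["name"].lower(): h.get("value") for h in req.get("headers") or []
               if isinstance(h, dict) and isinstance(h.get("name"), str)}
    summary = {
        "time_utc": when,
        "action": rec.get("action"),
        "rule": rec.get("terminatingRuleId"),
        "client_ip": req.get("clientIp"),
        "host": headers.get("host"),
        "sensitive_headers": sorted(SENSITIVE & headers.keys()),
    }
    return summary, problems

# Constructed sample lines (not real traffic): one good record, one record cut
# in the middle of a string by a stray line break, one without httpRequest.
GOOD = json.dumps({"timestamp": 1652785041000, "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:eu-central-1:111122223333:regional/webacl/example/PLACEHOLDER",
    "terminatingRuleId": "Default_Action", "action": "ALLOW",
    "httpRequest": {"clientIp": "192.0.2.10", "uri": "/", "headers": [
        {"name": "Host", "value": "www.example.com"},
        {"name": "cookie", "value": "JSESSIONID=CONSTRUCTED"}]}})
SAMPLE = [GOOD, GOOD[:GOOD.index("www.example")], '{"timestamp": "now", "action": "BLOCK"}']

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE, 1):
        print(number, *check_record(line))
```

A non-empty `sensitive_headers` list means session cookies or credentials are being written to the bucket in clear text, as in the sample record above.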