Overview

This article details how to ingest Alert Logic WSM logs into the Hunters XDR platform.

Supported data types

  • Alert Logic WSM Deny Logs: The WAF appliance's deny logs, versions 4 and 5.

Prerequisites

Ship the Deny Logs from every appliance to an AWS S3 bucket using Alert Logic's built-in export feature. Then, configure the bucket according to this guide.

Note: The log format of the exported Deny Logs differs between versions of the Alert Logic appliance. In particular, Alert Logic WSM v5 introduced the ndjson format (one JSON object per line), while older versions still export the logs as a single JSON array.

Therefore, it is advised to ship the different formats to different S3 prefixes (e.g. v4 and v5 prefixes) so that each prefix can be ingested with a single parser.

Creating a Data Flow

After you have configured an S3 bucket to be accessible by Hunters and started exporting your logs, share the bucket credentials with the Hunters support team, who will set up the ingestion into the Hunters platform.

Example Logs

V4

[{"Action":"block","AttackClass":"Access violation","CountryCode":"UK","Host":"1.2.3.4","ID":"f5cfk4s6-3551-113c-9ds8-02f049fc5af5","Method":"GET","Path":"/","ProxyID":0,"RawRequest":"GET / HTTP/1.1\nHost: 2.2.2.2\nUser-Agent: Mozilla/5.0 (Windows NT 6.1;en-US) AppleWebKit/537.30.30 (KHTML, live Gecko) Chrome/52.0.3003.83 Safari/537.32\nAccept-Encoding: gzip, deflate\nAccept: */*\nConnection: keep-alive\n","ResponseCode":404,"Risk":"Low","SourceIP":"9.8.7.6","Time":1634340312,"Violation":"Path denied","Properties":[[{"Type":"SUB_VIOLATION","Value":"Path denied"}]]}]

V5

{"Action":"block","AttackClass":"Other","CountryCode":"AR","Host":"2.2.2.2","ID":"217d8922-3197-1f1c-bch0-0234vgk3658d","Method":"POST","Path":"/","RawRequest":"POST / HTTP/1.1\nHost: 5.6.7.8\nContent-Length: 20\nAccept-Encoding: gzip, deflate\nAccept: */*\nUser-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4040.123 Safari/537.36\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded","ResponseCode":404,"Risk":"None","SourceIP":"1.2.3.4","Time":1612920985,"Violation":"Generic invalid hostname","Properties":[[{"Type":"SUB_VIOLATION","Value":"Generic invalid hostname"}],[{"Type":"USER_AGENT","Value":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.120 Safari/537.36"}]]}
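The format note above and the two sample records show why v4 and v5 exports need separate handling: v4 is one JSON array per file, v5 is ndjson. The parser below is an added example (not Hunters' or Alert Logic's code) that detects which export format a file uses, reads both, and normalizes each deny record into a flat event; the field names follow the samples on this page, and the detection rule (a file starting with "[" is a v4 array) is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed samples mirroring the page's V4 (JSON array) and V5 (ndjson) exports.
V4_EXPORT = '[{"Action":"block","AttackClass":"Access violation","SourceIP":"9.8.7.6","Time":1634340312,"Violation":"Path denied","RawRequest":"GET / HTTP/1.1\\nHost: 2.2.2.2\\nUser-Agent: Mozilla/5.0\\n","Properties":[[{"Type":"SUB_VIOLATION","Value":"Path denied"}]]}]'
V5_EXPORT = '{"Action":"block","AttackClass":"Other","SourceIP":"1.2.3.4","Time":1612920985,"Violation":"Generic invalid hostname","RawRequest":"POST / HTTP/1.1\\nHost: 5.6.7.8\\nContent-Length: 20\\n","Properties":[[{"Type":"SUB_VIOLATION","Value":"Generic invalid hostname"}],[{"Type":"USER_AGENT","Value":"Mozilla/5.0"}]]}\n'


def detect_format(text):
    """Assumption: a v4 export is a single JSON array, so it starts with '['; anything else is v5 ndjson."""
    return "json" if text.lstrip().startswith("[") else "ndjson"


def iter_records(text):
    """Yield raw deny-log dicts from either export format."""
    if detect_format(text) == "json":
        yield from json.loads(text)
    else:
        for line in text.splitlines():
            if line.strip():  # tolerate blank lines between ndjson records
                yield json.loads(line)


def normalize(rec):
    """Flatten one deny record: unpack Properties and pull headers out of RawRequest."""
    props = {p["Type"]: p["Value"] for group in rec.get("Properties", []) for p in group}
    headers = {}
    for line in rec.get("RawRequest", "").split("\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {
        "ts": datetime.fromtimestamp(rec["Time"], tz=timezone.utc).isoformat(),
        "src_ip": rec["SourceIP"],
        "action": rec["Action"],
        "violation": rec["Violation"],
        "sub_violation": props.get("SUB_VIOLATION"),
        # v5 carries the UA as a property; v4 only has it in the raw headers
        "user_agent": props.get("USER_AGENT") or headers.get("user-agent"),
        "request_host": headers.get("host"),
    }


def parse_export(text):
    return [normalize(r) for r in iter_records(text)]
```

Because the Host header is taken from RawRequest rather than the appliance's Host field, the normalized event shows the hostname the client actually sent, which is what the "Generic invalid hostname" violation is about.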