Overview

The article details how to ingest ThreatX WAF logs into Hunters.

ThreatX WAF is a cloud-native WAF product that delivers protection across applications and APIs. It sits between the enterprise network and the Internet and blocks web requests from outside that target the customer's internal web servers.

Hunters supports the integration of ThreatX into the data lake. The data source is also used in the Hunters pipeline for detection and investigation related to HTTP requests to the relevant appliances in the organization's network.

Supported Data Types

  • ThreatX WAF alerts - Events containing information about the actions taken against web requests.

Sending Data to Hunters

The logs should be stored in the bucket in NDJSON (newline-delimited JSON) format, one event per line. Each event must carry a timestamp under the 'timestamp' key, in the format %Y-%m-%dT%H:%M:%SZ (for example 2022-04-03T00:47:50Z, as in the example logs below).
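As an added example (not part of the Hunters documentation or the ThreatX product), a small Python check that validates an NDJSON export against the two requirements above before it is uploaded: every line parses as a JSON object and carries a 'timestamp' in the %Y-%m-%dT%H:%M:%SZ format. The sample lines are constructed, modelled on the example logs on this page, and the function names are my own.

```python
import json
from datetime import datetime, timezone

# Timestamp format the ingestion requires for the 'timestamp' key.
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def parse_timestamp(value):
    """Return an aware UTC datetime if value matches TIMESTAMP_FORMAT exactly, else None."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.strptime(value, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:  # wrong layout, UTC offset instead of 'Z', fractional seconds, ...
        return None

def validate_ndjson(text):
    """Check NDJSON text line by line before it is written to the S3 bucket.
    Returns (events, errors): events that would ingest cleanly, and a list of
    (line_number, reason) for every line that would not."""
    events, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # a blank trailing line is harmless in NDJSON
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((lineno, f"invalid JSON: {exc.msg}"))
            continue
        if not isinstance(event, dict):
            errors.append((lineno, "line is not a JSON object"))
        elif "timestamp" not in event:
            errors.append((lineno, "missing 'timestamp' key"))
        elif parse_timestamp(event["timestamp"]) is None:
            errors.append((lineno, f"timestamp {event['timestamp']!r} is not {TIMESTAMP_FORMAT}"))
        else:
            events.append(event)
    return events, errors

# Constructed sample modelled on this page's example logs: two good lines, two bad ones
# (line 3 uses fractional seconds and a UTC offset, line 4 has no timestamp at all).
SAMPLE = "\n".join([
    '{"msg_type":"BlockEvent","timestamp":"2022-04-03T00:47:50Z","ip":"1.1.1.1","uri":"/"}',
    '{"msg_type":"MatchEvent","timestamp":"2022-04-03T00:47:50Z","ip":"1.1.1.1","uri":"/",'
    '"matches":[{"id":900003,"blocking":true}]}',
    '{"msg_type":"MatchEvent","timestamp":"2022-04-03T00:47:50.123+00:00","ip":"1.1.1.1"}',
    '{"msg_type":"BlockEvent","ip":"1.1.1.1","uri":"/"}',
])
```

Run validate_ndjson(SAMPLE) on the constructed sample and it accepts lines 1 and 2 and reports lines 3 and 4 with the reason each would fail ingestion.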

Creating a Data Flow

After you have configured an S3 bucket to be accessible by Hunters and started exporting your logs to it, share the bucket credentials with the Hunters support team, who will set up the ingestion into the Hunters platform.

Example Logs

{"version":1,"severity":6,"facility":1,"priority":10,"subscription_id":"threatx/","enterprise_id":null,"app_name":"ThreatX","hostname":"syslog.threatx.io","pid":null,"msg_id":"6248eebd26dbd94725969ba0","message":"hostname.domain.com/","msg_type":"BlockEvent","timestamp":"2022-04-03T00:47:50Z","user_agent":"Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0","ip":"1.1.1.1","dst_host":"dsthost.domain.com","uri":"/","args":"","request_id":"ef1f78cb131f3cd6b2d8f31e41e15234","random_id":null,"tls_fingerprint":"772,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13-43-45-51-21,29-23-1035-25-24,:22a60409ea97c1ec0f5fd1f7d897d045","cookie":null,"js_fingerprint":null}
{"version":1,"severity":6,"facility":1,"priority":14,"subscription_id":"threatx/","enterprise_id":null,"app_name":"ThreatX","hostname":"syslog.threatx.io","pid":null,"msg_id":"6248eebd26dbd94725969b9f","message":"hostname.domain.com/","msg_type":"MatchEvent","timestamp":"2022-04-03T00:47:50Z","request_id":"ef1f78cb131f3cd6b2d8f31e41e15234","user_agent":"Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0","matches":[{"id":900003,"description":"Block all traffic to hostname.domain.com, hostname.domain.com","classification":"Misc","state":"Recon","contrib_score":100,"risk":0,"blocking":true,"beta":false}],"ip":"1.1.1.1","dst_host":"hostname.domain.com","uri":"/","args":"","status_code":0,"ssl":true,"risk":0,"request_method":"GET","content_type":null,"content_length":0,"response_length":null,"upstream_response_time":null,"postblock_event":false,"random_id":0,"tls_fingerprint":"772,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13-43-45-51-21,29-23-1035-25-24,:22a60409ea97c1ec0f5fd1f7d897d045","cookie":null,"js_fingerprint":0}