Alert Logic WSM

Overview
This article describes how to ingest Alert Logic WSM (Web Security Manager) WAF deny logs into the Hunters XDR platform.
Supported data types
Alert Logic WSM Deny Logs: The deny logs produced by the WSM WAF appliance, for appliance versions 4 and 5.
Prerequisites
Ship the Deny Logs from every appliance to an AWS S3 bucket using Alert Logic's built-in export feature. Then, configure the bucket according to this guide.
Note: The format of the exported Deny Logs differs between Alert Logic appliance versions. WSM v5 exports ndjson (one JSON object per line), while older versions export json (a single JSON array of objects, as in the V4 example below). It is therefore advised to ship the two formats to separate S3 prefixes (e.g. a v4 prefix and a v5 prefix) so that each prefix can be ingested with the matching parser.

Creating a Data Flow
After you have configured an S3 bucket to be accessible by Hunters and started exporting your logs, share the bucket credentials with the Hunters support team, who will set up the ingestion into the Hunters platform.
Example Logs
V4
[{"Action":"block","AttackClass":"Access violation","CountryCode":"UK","Host":"1.2.3.4","ID":"f5cfk4s6-3551-113c-9ds8-02f049fc5af5","Method":"GET","Path":"/","ProxyID":0,"RawRequest":"GET / HTTP/1.1\nHost: 2.2.2.2\nUser-Agent: Mozilla/5.0 (Windows NT 6.1;en-US) AppleWebKit/537.30.30 (KHTML, live Gecko) Chrome/52.0.3003.83 Safari/537.32\nAccept-Encoding: gzip, deflate\nAccept: */*\nConnection: keep-alive\n","ResponseCode":404,"Risk":"Low","SourceIP":"9.8.7.6","Time":1634340312,"Violation":"Path denied","Properties":[[{"Type":"SUB_VIOLATION","Value":"Path denied"}]]}]
V5
{"Action":"block","AttackClass":"Other","CountryCode":"AR","Host":"2.2.2.2","ID":"217d8922-3197-1f1c-bch0-0234vgk3658d","Method":"POST","Path":"/","RawRequest":"POST / HTTP/1.1\nHost: 5.6.7.8\nContent-Length: 20\nAccept-Encoding: gzip, deflate\nAccept: */*\nUser-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4040.123 Safari/537.36\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded","ResponseCode":404,"Risk":"None","SourceIP":"1.2.3.4","Time":1612920985,"Violation":"Generic invalid hostname","Properties":[[{"Type":"SUB_VIOLATION","Value":"Generic invalid hostname"}],[{"Type":"USER_AGENT","Value":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.120 Safari/537.36"}]]}
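To make the v4/v5 format difference from the Prerequisites note concrete, here is an added Python example written for this page (it is not Hunters or Alert Logic code). It detects whether an exported object is a v4-style JSON array or v5 ndjson, normalizes each deny record into a flat event with a UTC timestamp, splits RawRequest into its request line and headers, flattens the nested Properties groups, and skips a torn ndjson line instead of failing the whole object. The sample records are constructed after the V4 and V5 examples above; their IDs, addresses and user agents are made up, and the only field names used are the ones visible in those examples.

```python
"""Normalize Alert Logic WSM deny logs exported as v4 json (array) or v5 ndjson."""
import json
from datetime import datetime, timezone

# Constructed sample records modelled on the V4 and V5 examples above.
# IDs, addresses and user agents are made up; this is not real traffic.
_V4_RECORD = {
    "Action": "block", "AttackClass": "Access violation", "CountryCode": "UK",
    "Host": "1.2.3.4", "ID": "00000000-0000-4000-8000-000000000001",
    "Method": "GET", "Path": "/", "ProxyID": 0,
    "RawRequest": "GET / HTTP/1.1\nHost: 2.2.2.2\nUser-Agent: curl/7.88.1\nAccept: */*\n",
    "ResponseCode": 404, "Risk": "Low", "SourceIP": "9.8.7.6", "Time": 1634340312,
    "Violation": "Path denied",
    "Properties": [[{"Type": "SUB_VIOLATION", "Value": "Path denied"}]],
}
_V5_RECORD = {
    "Action": "block", "AttackClass": "Other", "CountryCode": "AR", "Host": "2.2.2.2",
    "ID": "00000000-0000-4000-8000-000000000002", "Method": "POST", "Path": "/",
    "RawRequest": ("POST / HTTP/1.1\nHost: 5.6.7.8\nContent-Length: 20\n"
                   "User-agent: curl/7.88.1\nContent-Type: application/x-www-form-urlencoded"),
    "ResponseCode": 404, "Risk": "None", "SourceIP": "1.2.3.4", "Time": 1612920985,
    "Violation": "Generic invalid hostname",
    "Properties": [[{"Type": "SUB_VIOLATION", "Value": "Generic invalid hostname"}],
                   [{"Type": "USER_AGENT", "Value": "curl/7.88.1"}]],
}
# v4 writes one JSON array per exported object; v5 writes one JSON object per line.
V4_EXPORT = json.dumps([_V4_RECORD]).encode()
# The second ndjson line is deliberately truncated to simulate a torn write.
V5_EXPORT = (json.dumps(_V5_RECORD) + "\n" + '{"Action":"block","Tim' + "\n").encode()


def detect_format(blob: bytes) -> str:
    """Return 'json' for a v4-style array export, 'ndjson' otherwise."""
    return "json" if blob.lstrip().startswith(b"[") else "ndjson"


def iter_records(blob: bytes):
    """Yield raw deny-log dicts from either format; unparsable ndjson lines are skipped."""
    if detect_format(blob) == "json":
        yield from json.loads(blob)
        return
    for line in blob.splitlines():
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # torn or truncated line: drop it, keep the rest of the object


def parse_raw_request(raw: str) -> dict:
    """Split RawRequest into request line and lowercased headers (CRLF and missing final newline tolerated)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block; anything after it is body
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": parts[0] if parts else "",
        "target": parts[1] if len(parts) > 1 else "",
        "version": parts[2] if len(parts) > 2 else "",
        "headers": headers,
    }


def flatten_properties(props) -> dict:
    """Turn [[{Type, Value}, ...], ...] into {TYPE: [value, ...]}."""
    out = {}
    for group in props or []:
        for prop in group:
            out.setdefault(prop.get("Type", ""), []).append(prop.get("Value"))
    return out


def normalize(record: dict, export_format: str) -> dict:
    """Map one deny-log record into a flat event tagged with the export format it came from."""
    ts = datetime.fromtimestamp(record["Time"], tz=timezone.utc)
    return {
        "export_format": export_format,
        "event_time": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "action": record.get("Action"),
        "src_ip": record.get("SourceIP"),
        "dst_host": record.get("Host"),
        "country": record.get("CountryCode"),
        "method": record.get("Method"),
        "path": record.get("Path"),
        "status": record.get("ResponseCode"),
        "violation": record.get("Violation"),
        "risk": record.get("Risk"),
        "request": parse_raw_request(record.get("RawRequest", "")),
        "properties": flatten_properties(record.get("Properties")),
    }


def load_export(blob: bytes) -> list:
    """Parse one exported S3 object, whichever prefix it came from, into normalized events."""
    fmt = detect_format(blob)
    return [normalize(r, fmt) for r in iter_records(blob)]


if __name__ == "__main__":
    for ev in load_export(V4_EXPORT) + load_export(V5_EXPORT):
        print(ev["export_format"], ev["event_time"], ev["src_ip"], ev["violation"],
              ev["request"]["headers"].get("user-agent"))
```

Because detection keys off the first non-whitespace byte, an object that lands in the wrong prefix is still parsed correctly; the separate prefixes recommended above remain useful for routing and for spotting appliances whose export version has changed unexpectedly.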