AWS WAF

Connecting AWS WAF logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) Web Application Firewall (WAF) logs via AWS S3.

How to onboard AWS WAF logs to Panther

To pull WAF logs into Panther, you will need to set up an S3 bucket in the Panther Console to stream data from your AWS account.

In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search "AWS" to see the list of available log sources.
Select AWS WAF Web ACL.
Select AWS S3 bucket for your source to begin setup. Follow Panther’s documentation for configuring S3 for Data Transport.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis Github repository.

Supported AWS WAF logs

AWS.WAFWebACL

WAFWebACL logs represent web access control list (ACL) traffic information. For more details, see AWS's documentation on logging web ACL traffic.

schema: AWS.WAFWebACL
parser:
  native:
    name: AWS.WAFWebACL
description: WAF web ACL traffic information logs.
referenceURL: https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
fields:
  - name: action
    required: true
    description: 'The action applied by WAF. Possible values for a terminating rule: ALLOW and BLOCK. COUNT is not a valid value for a terminating rule.'
    type: string
  - name: formatVersion
    description: The format version for the log.
    type: smallint
  - name: httpRequest
    required: true
    description: The metadata about the request.
    type: object
    fields:
      - name: args
        description: The HTTP Request query string.
        type: string
      - name: clientIp
        description: The IP address of the client sending the request.
        type: string
        indicators:
          - ip
      - name: country
        description: The source country of the request. If AWS WAF is unable to determine the country of origin, it sets this field to -.
        type: string
      - name: headers
        description: The list of headers.
        type: array
        element:
          type: object
          fields:
            - name: name
              description: The header name.
              type: string
            - name: value
              description: The header value.
              type: string
      - name: httpMethod
        description: The HTTP method in the request.
        type: string
      - name: httpVersion
        description: The HTTP version, e.g. HTTP/2.0.
        type: string
      - name: requestId
        description: The ID of the request, which is generated by the underlying host service. For Application Load Balancer, this is the trace ID. For all others, this is the request ID.
        type: string
        indicators:
          - trace_id
      - name: uri
        description: The URI of the request.
        type: string
  - name: httpSourceId
    required: true
    description: The source ID. This field shows the ID of the associated resource.
    type: string
  - name: httpSourceName
    description: 'The source of the request. Possible values: CF for Amazon CloudFront, APIGW for Amazon API Gateway, ALB for Application Load Balancer, and APPSYNC for AWS AppSync.'
    type: string
  - name: nonTerminatingMatchingRules
    description: The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match).
    type: array
    element:
      type: object
      fields:
        - name: ruleId
          description: The Rule ID.
          type: string
        - name: action
          description: The configured rule action. For non-terminating rules the value is always COUNT.
          type: string
        - name: ruleMatchDetails
          description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements.
          type: array
          element:
            type: object
            fields:
              - name: conditionType
                description: The vulnerability type, either SQL_INJECTION or XSS
                type: string
              - name: location
                description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc.
                type: string
              - name: matchedData
                description: The list of strings that provides the match, e.g. ["10", "AND", "1"]
                type: array
                element:
                  type: string
  - name: rateBasedRuleList
    description: The list of rate-based rules that acted on the request.
    type: array
    element:
      type: object
      fields:
        - name: limitKey
          description: 'The field that AWS WAF uses to determine if requests are likely arriving from a single source and thus subject to rate monitoring. Possible value: IP.'
          type: string
        - name: limitValue
          description: The IP address used by a rate-based rule to aggregate requests for rate limiting. If a request contains an IP address that isn't valid, the limitvalue is INVALID.
          type: string
        - name: maxRateAllowed
          description: The maximum number of requests, which have an identical value in the field that is specified by limitKey, allowed in a five-minute period. If the number of requests exceeds the maxRateAllowed and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.
          type: bigint
        - name: rateBasedRuleId
          description: The ID of the rate-based rule that acted on the request. If this has terminated the request, the ID for rateBasedRuleId is the same as the ID for terminatingRuleId.
          type: string
        - name: rateBasedRuleName
          description: The name of the rate-based rule that acted on the request.
          type: string
  - name: ruleGroupList
    description: The list of rule groups that acted on this request. In the preceding code example, there is only one.
    type: array
    element:
      type: object
      fields:
        - name: excludedRules
          description: The list of rules in the rule group that you have excluded. The action for these rules is set to COUNT.
          type: array
          element:
            type: object
            fields:
              - name: exclusionType
                description: A type that indicates that the excluded rule has the action COUNT (most likely value is EXCLUDED_AS_COUNT).
                type: string
              - name: ruleId
                description: The ID of the rule within the rule group that is excluded.
                type: string
        - name: nonTerminatingMatchingRules
          description: The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match).
          type: array
          element:
            type: object
            fields:
              - name: ruleId
                description: The Rule ID.
                type: string
              - name: action
                description: The configured rule action. For non-terminating rules the value is always COUNT.
                type: string
              - name: ruleMatchDetails
                description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements.
                type: array
                element:
                  type: object
                  fields:
                    - name: conditionType
                      description: The vulnerability type, either SQL_INJECTION or XSS
                      type: string
                    - name: location
                      description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc.
                      type: string
                    - name: matchedData
                      description: The list of strings that provides the match, e.g. ["10", "AND", "1"]
                      type: array
                      element:
                        type: string
        - name: ruleGroupId
          description: The ID of the rule group. If the rule blocked the request, the ID for ruleGroupID is the same as the ID for terminatingRuleId.
          type: string
        - name: terminatingRule
          description: The rule within the rule group that terminated the request. If this is a non-null value, it also contains a ruleid and action. In this case, the action is always BLOCK.
          type: object
          fields:
            - name: ruleId
              description: The Rule ID.
              type: string
            - name: action
              description: The configured rule action. For non-terminating rules the value is always COUNT.
              type: string
            - name: ruleMatchDetails
              description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements.
              type: array
              element:
                type: object
                fields:
                  - name: conditionType
                    description: The vulnerability type, either SQL_INJECTION or XSS
                    type: string
                  - name: location
                    description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc.
                    type: string
                  - name: matchedData
                    description: The list of strings that provides the match, e.g. ["10", "AND", "1"]
                    type: array
                    element:
                      type: string
  - name: terminatingRuleId
    description: The ID of the rule that terminated the request. If nothing terminates the request, the value is Default_Action.
    type: string
  - name: terminatingRuleMatchDetails
    description: Detailed information about the terminating rule that matched the request. A terminating rule has an action that ends the inspection process against a web request. Possible actions for a terminating rule are ALLOW and BLOCK. This is only populated for SQL injection and cross-site scripting (XSS) match rule statements. As with all rule statements that inspect for more than one thing, AWS WAF applies the action on the first match and stops inspecting the web request. A web request with a terminating action could contain other threats, in addition to the one reported in the log.
    type: array
    element:
      type: object
      fields:
        - name: conditionType
          description: The vulnerability type, either SQL_INJECTION or XSS
          type: string
        - name: location
          description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc.
          type: string
        - name: matchedData
          description: The list of strings that provides the match, e.g. ["10", "AND", "1"]
          type: array
          element:
            type: string
  - name: terminatingRuleType
    description: 'The type of rule that terminated the request. Possible values: RATE_BASED, REGULAR, GROUP, and MANAGED_RULE_GROUP.'
    type: string
  - name: timestamp
    required: true
    description: The timestamp in milliseconds.
    type: timestamp
    timeFormat: unix_ms
    isEventTime: true
  - name: webaclId
    required: true
    description: The GUID of the web ACL.
    type: string

PreviousAWS VPC NextAxonius Logs (Beta)

Last updated 2 years ago

Was this helpful?

schema: AWS.WAFWebACL parser: native: name: AWS.WAFWebACL description: WAF web ACL traffic information logs. referenceURL: https://docs.aws.amazon.com/waf/latest/developerguide/logging.html fields: - name: action required: true description: 'The action applied by WAF. Possible values for a terminating rule: ALLOW and BLOCK. COUNT is not a valid value for a terminating rule.' type: string - name: formatVersion description: The format version for the log. type: smallint - name: httpRequest required: true description: The metadata about the request. type: object fields: - name: args description: The HTTP Request query string. type: string - name: clientIp description: The IP address of the client sending the request. type: string indicators: - ip - name: country description: The source country of the request. If AWS WAF is unable to determine the country of origin, it sets this field to -. type: string - name: headers description: The list of headers. type: array element: type: object fields: - name: name description: The header name. type: string - name: value description: The header value. type: string - name: httpMethod description: The HTTP method in the request. type: string - name: httpVersion description: The HTTP version, e.g. HTTP/2.0. type: string - name: requestId description: The ID of the request, which is generated by the underlying host service. For Application Load Balancer, this is the trace ID. For all others, this is the request ID. type: string indicators: - trace_id - name: uri description: The URI of the request. type: string - name: httpSourceId required: true description: The source ID. This field shows the ID of the associated resource. type: string - name: httpSourceName description: 'The source of the request. Possible values: CF for Amazon CloudFront, APIGW for Amazon API Gateway, ALB for Application Load Balancer, and APPSYNC for AWS AppSync.' type: string - name: nonTerminatingMatchingRules description: The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match). type: array element: type: object fields: - name: ruleId description: The Rule ID. type: string - name: action description: The configured rule action. For non-terminating rules the value is always COUNT. type: string - name: ruleMatchDetails description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements. type: array element: type: object fields: - name: conditionType description: The vulnerability type, either SQL_INJECTION or XSS type: string - name: location description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc. type: string - name: matchedData description: The list of strings that provides the match, e.g. ["10", "AND", "1"] type: array element: type: string - name: rateBasedRuleList description: The list of rate-based rules that acted on the request. type: array element: type: object fields: - name: limitKey description: 'The field that AWS WAF uses to determine if requests are likely arriving from a single source and thus subject to rate monitoring. Possible value: IP.' type: string - name: limitValue description: The IP address used by a rate-based rule to aggregate requests for rate limiting. If a request contains an IP address that isn't valid, the limitvalue is INVALID. type: string - name: maxRateAllowed description: The maximum number of requests, which have an identical value in the field that is specified by limitKey, allowed in a five-minute period. If the number of requests exceeds the maxRateAllowed and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule. type: bigint - name: rateBasedRuleId description: The ID of the rate-based rule that acted on the request. If this has terminated the request, the ID for rateBasedRuleId is the same as the ID for terminatingRuleId. type: string - name: rateBasedRuleName description: The name of the rate-based rule that acted on the request. type: string - name: ruleGroupList description: The list of rule groups that acted on this request. In the preceding code example, there is only one. type: array element: type: object fields: - name: excludedRules description: The list of rules in the rule group that you have excluded. The action for these rules is set to COUNT. type: array element: type: object fields: - name: exclusionType description: A type that indicates that the excluded rule has the action COUNT (most likely value is EXCLUDED_AS_COUNT). type: string - name: ruleId description: The ID of the rule within the rule group that is excluded. type: string - name: nonTerminatingMatchingRules description: The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match). type: array element: type: object fields: - name: ruleId description: The Rule ID. type: string - name: action description: The configured rule action. For non-terminating rules the value is always COUNT. type: string - name: ruleMatchDetails description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements. type: array element: type: object fields: - name: conditionType description: The vulnerability type, either SQL_INJECTION or XSS type: string - name: location description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc. type: string - name: matchedData description: The list of strings that provides the match, e.g. ["10", "AND", "1"] type: array element: type: string - name: ruleGroupId description: The ID of the rule group. If the rule blocked the request, the ID for ruleGroupID is the same as the ID for terminatingRuleId. type: string - name: terminatingRule description: The rule within the rule group that terminated the request. If this is a non-null value, it also contains a ruleid and action. In this case, the action is always BLOCK. type: object fields: - name: ruleId description: The Rule ID. type: string - name: action description: The configured rule action. For non-terminating rules the value is always COUNT. type: string - name: ruleMatchDetails description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements. type: array element: type: object fields: - name: conditionType description: The vulnerability type, either SQL_INJECTION or XSS type: string - name: location description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc. type: string - name: matchedData description: The list of strings that provides the match, e.g. ["10", "AND", "1"] type: array element: type: string - name: terminatingRuleId description: The ID of the rule that terminated the request. If nothing terminates the request, the value is Default_Action. type: string - name: terminatingRuleMatchDetails description: Detailed information about the terminating rule that matched the request. A terminating rule has an action that ends the inspection process against a web request. Possible actions for a terminating rule are ALLOW and BLOCK. This is only populated for SQL injection and cross-site scripting (XSS) match rule statements. As with all rule statements that inspect for more than one thing, AWS WAF applies the action on the first match and stops inspecting the web request. A web request with a terminating action could contain other threats, in addition to the one reported in the log. type: array element: type: object fields: - name: conditionType description: The vulnerability type, either SQL_INJECTION or XSS type: string - name: location description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc. type: string - name: matchedData description: The list of strings that provides the match, e.g. ["10", "AND", "1"] type: array element: type: string - name: terminatingRuleType description: 'The type of rule that terminated the request. Possible values: RATE_BASED, REGULAR, GROUP, and MANAGED_RULE_GROUP.' type: string - name: timestamp required: true description: The timestamp in milliseconds. type: timestamp timeFormat: unix_ms isEventTime: true - name: webaclId required: true description: The GUID of the web ACL. type: string