AWS WAF
Connecting AWS WAF logs to your Panther Console
Overview
Panther supports ingesting Amazon Web Services (AWS) Web Application Firewall (WAF) logs via AWS S3.
How to onboard AWS WAF logs to Panther
To pull WAF logs into Panther, you will need to set up an S3 bucket in the Panther Console to stream data from your AWS account.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search "AWS" to see the list of available log sources.
Select AWS WAF Web ACL.
Select AWS S3 bucket for your source to begin setup. Follow Panther’s documentation for configuring S3 for Data Transport.
Panther-built detections
See Panther's prewritten AWS rules in the panther-analysis GitHub repository.
Supported AWS WAF logs
AWS.WAFWebACL
WAFWebACL logs represent web access control list (ACL) traffic information. For more details, see AWS's documentation on logging web ACL traffic.
```yaml
schema: AWS.WAFWebACL
parser:
  native:
    name: AWS.WAFWebACL
description: WAF web ACL traffic information logs.
referenceURL: https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
fields:
  - name: action
    required: true
    description: 'The action applied by WAF. Possible values for a terminating rule: ALLOW and BLOCK. COUNT is not a valid value for a terminating rule.'
    type: string
  - name: formatVersion
    description: The format version for the log.
    type: smallint
  - name: httpRequest
    required: true
    description: The metadata about the request.
    type: object
    fields:
      - name: args
        description: The HTTP Request query string.
        type: string
      - name: clientIp
        description: The IP address of the client sending the request.
        type: string
        indicators:
          - ip
      - name: country
        description: The source country of the request. If AWS WAF is unable to determine the country of origin, it sets this field to -.
        type: string
      - name: headers
        description: The list of headers.
        type: array
        element:
          type: object
          fields:
            - name: name
              description: The header name.
              type: string
            - name: value
              description: The header value.
              type: string
      - name: httpMethod
        description: The HTTP method in the request.
        type: string
      - name: httpVersion
        description: The HTTP version, e.g. HTTP/2.0.
        type: string
      - name: requestId
        description: The ID of the request, which is generated by the underlying host service. For Application Load Balancer, this is the trace ID. For all others, this is the request ID.
        type: string
        indicators:
          - trace_id
      - name: uri
        description: The URI of the request.
        type: string
  - name: httpSourceId
    required: true
    description: The source ID. This field shows the ID of the associated resource.
    type: string
  - name: httpSourceName
    description: 'The source of the request. Possible values: CF for Amazon CloudFront, APIGW for Amazon API Gateway, ALB for Application Load Balancer, and APPSYNC for AWS AppSync.'
    type: string
  - name: nonTerminatingMatchingRules
    description: The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match).
    type: array
    element:
      type: object
      fields:
        - name: ruleId
          description: The Rule ID.
          type: string
        - name: action
          description: The configured rule action. For non-terminating rules the value is always COUNT.
          type: string
        - name: ruleMatchDetails
          description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements.
          type: array
          element:
            type: object
            fields:
              - name: conditionType
                description: The vulnerability type, either SQL_INJECTION or XSS
                type: string
              - name: location
                description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc.
                type: string
              - name: matchedData
                description: The list of strings that provides the match, e.g. ["10", "AND", "1"]
                type: array
                element:
                  type: string
  - name: rateBasedRuleList
    description: The list of rate-based rules that acted on the request.
    type: array
    element:
      type: object
      fields:
        - name: limitKey
          description: 'The field that AWS WAF uses to determine if requests are likely arriving from a single source and thus subject to rate monitoring. Possible value: IP.'
          type: string
        - name: limitValue
          description: The IP address used by a rate-based rule to aggregate requests for rate limiting. If a request contains an IP address that isn't valid, the limitvalue is INVALID.
          type: string
        - name: maxRateAllowed
          description: The maximum number of requests, which have an identical value in the field that is specified by limitKey, allowed in a five-minute period. If the number of requests exceeds the maxRateAllowed and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.
          type: bigint
        - name: rateBasedRuleId
          description: The ID of the rate-based rule that acted on the request. If this has terminated the request, the ID for rateBasedRuleId is the same as the ID for terminatingRuleId.
          type: string
        - name: rateBasedRuleName
          description: The name of the rate-based rule that acted on the request.
          type: string
  - name: ruleGroupList
    description: The list of rule groups that acted on this request. In the preceding code example, there is only one.
    type: array
    element:
      type: object
      fields:
        - name: excludedRules
          description: The list of rules in the rule group that you have excluded. The action for these rules is set to COUNT.
          type: array
          element:
            type: object
            fields:
              - name: exclusionType
                description: A type that indicates that the excluded rule has the action COUNT (most likely value is EXCLUDED_AS_COUNT).
                type: string
              - name: ruleId
                description: The ID of the rule within the rule group that is excluded.
                type: string
        - name: nonTerminatingMatchingRules
          description: The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match).
          type: array
          element:
            type: object
            fields:
              - name: ruleId
                description: The Rule ID.
                type: string
              - name: action
                description: The configured rule action. For non-terminating rules the value is always COUNT.
                type: string
              - name: ruleMatchDetails
                description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements.
                type: array
                element:
                  type: object
                  fields:
                    - name: conditionType
                      description: The vulnerability type, either SQL_INJECTION or XSS
                      type: string
                    - name: location
                      description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc.
                      type: string
                    - name: matchedData
                      description: The list of strings that provides the match, e.g. ["10", "AND", "1"]
                      type: array
                      element:
                        type: string
        - name: ruleGroupId
          description: The ID of the rule group. If the rule blocked the request, the ID for ruleGroupID is the same as the ID for terminatingRuleId.
          type: string
        - name: terminatingRule
          description: The rule within the rule group that terminated the request. If this is a non-null value, it also contains a ruleid and action. In this case, the action is always BLOCK.
          type: object
          fields:
            - name: ruleId
              description: The Rule ID.
              type: string
            - name: action
              description: The configured rule action. For non-terminating rules the value is always COUNT.
              type: string
            - name: ruleMatchDetails
              description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements.
              type: array
              element:
                type: object
                fields:
                  - name: conditionType
                    description: The vulnerability type, either SQL_INJECTION or XSS
                    type: string
                  - name: location
                    description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc.
                    type: string
                  - name: matchedData
                    description: The list of strings that provides the match, e.g. ["10", "AND", "1"]
                    type: array
                    element:
                      type: string
  - name: terminatingRuleId
    description: The ID of the rule that terminated the request. If nothing terminates the request, the value is Default_Action.
    type: string
  - name: terminatingRuleMatchDetails
    description: Detailed information about the terminating rule that matched the request. A terminating rule has an action that ends the inspection process against a web request. Possible actions for a terminating rule are ALLOW and BLOCK. This is only populated for SQL injection and cross-site scripting (XSS) match rule statements. As with all rule statements that inspect for more than one thing, AWS WAF applies the action on the first match and stops inspecting the web request. A web request with a terminating action could contain other threats, in addition to the one reported in the log.
    type: array
    element:
      type: object
      fields:
        - name: conditionType
          description: The vulnerability type, either SQL_INJECTION or XSS
          type: string
        - name: location
          description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc.
          type: string
        - name: matchedData
          description: The list of strings that provides the match, e.g. ["10", "AND", "1"]
          type: array
          element:
            type: string
  - name: terminatingRuleType
    description: 'The type of rule that terminated the request. Possible values: RATE_BASED, REGULAR, GROUP, and MANAGED_RULE_GROUP.'
    type: string
  - name: timestamp
    required: true
    description: The timestamp in milliseconds.
    type: timestamp
    timeFormat: unix_ms
    isEventTime: true
  - name: webaclId
    required: true
    description: The GUID of the web ACL.
    type: string
```
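As an added example, not Panther's own code and not one of the panther-analysis rules, here is a Python detection in the rule()/title() shape Panther rules use, run against a constructed AWS.WAFWebACL event laid out per the schema above. It assumes the event behaves like a plain dict with .get() so it runs offline; it flags requests the web ACL allowed even though a COUNT-mode (non-terminating) rule reported a SQL_INJECTION or XSS match, i.e. a managed rule group that is still in count mode and therefore did not block.

```python
from typing import Any, Dict, Iterable, List

INJECTION_TYPES = {"SQL_INJECTION", "XSS"}

def _count_rules(event: Dict[str, Any]) -> Iterable[Dict[str, Any]]:
    """Yield every matching COUNT (non-terminating) rule, whether listed at the
    top level or inside a rule group in ruleGroupList."""
    yield from event.get("nonTerminatingMatchingRules") or []
    for group in event.get("ruleGroupList") or []:
        yield from group.get("nonTerminatingMatchingRules") or []

def injection_matches(event: Dict[str, Any]) -> List[str]:
    """conditionType values (SQL_INJECTION / XSS) reported by COUNT rules."""
    found = set()
    for matched_rule in _count_rules(event):
        for detail in matched_rule.get("ruleMatchDetails") or []:
            if detail.get("conditionType") in INJECTION_TYPES:
                found.add(detail["conditionType"])
    return sorted(found)

def rule(event: Dict[str, Any]) -> bool:
    """Fire when the request was ALLOWed although a SQLi/XSS match statement
    hit: the rule that saw it is still in COUNT mode and did not block."""
    return event.get("action") == "ALLOW" and bool(injection_matches(event))

def title(event: Dict[str, Any]) -> str:
    http = event.get("httpRequest") or {}
    return (f"AWS WAF allowed {'/'.join(injection_matches(event))} match from "
            f"{http.get('clientIp')} to {http.get('httpMethod')} {http.get('uri')} "
            f"(COUNT-mode rule, web ACL {event.get('webaclId')})")

# Constructed sample AWS.WAFWebACL event (not a real log), shaped like the schema
# above: the default action allowed a request that a COUNT rule flagged as SQLi.
SAMPLE_EVENT: Dict[str, Any] = {
    "timestamp": 1700000000000,
    "webaclId": "EXAMPLE-WEBACL-ID",        # placeholder, not a real ACL id
    "action": "ALLOW",
    "terminatingRuleId": "Default_Action",
    "ruleGroupList": [{
        "ruleGroupId": "EXAMPLE-RULE-GROUP", "terminatingRule": None,  # placeholder id
        "nonTerminatingMatchingRules": [{
            "ruleId": "SQLi_QUERYARGUMENTS", "action": "COUNT",
            "ruleMatchDetails": [{"conditionType": "SQL_INJECTION",
                                  "location": "ALL_QUERY_ARGS",
                                  "matchedData": ["10", "AND", "1"]}]}]}],
    "httpRequest": {"clientIp": "192.0.2.10", "country": "US", "httpMethod": "GET",
                    "uri": "/search", "args": "q=10%20AND%201",
                    "headers": [{"name": "Host", "value": "example.com"}]},
}
```

A BLOCKed request with the same match details does not fire, since the terminating rule already stopped it; that case is what the prewritten rules and terminatingRuleMatchDetails cover.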