AWS WAF

Connecting AWS WAF logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) Web Application Firewall (WAF) logs via AWS S3.

How to onboard AWS WAF logs to Panther

To pull WAF logs into Panther, you will need to set up an S3 log source in the Panther Console that reads the WAF logs your AWS account writes to an S3 bucket.

  1. In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search "AWS" to see the list of available log sources.

  4. Select AWS WAF Web ACL.

  5. Select AWS S3 bucket for your source to begin setup. Follow Panther’s documentation for configuring S3 for Data Transport.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis GitHub repository.

Supported AWS WAF logs

AWS.WAFWebACL

WAFWebACL logs represent web access control list (ACL) traffic information. For more details, see AWS's documentation on logging web ACL traffic.

schema: AWS.WAFWebACL
parser:
  native:
    name: AWS.WAFWebACL
description: WAF web ACL traffic information logs.
referenceURL: https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
fields:
  - name: action
    required: true
    description: 'The action applied by WAF. Possible values for a terminating rule: ALLOW and BLOCK. COUNT is not a valid value for a terminating rule.'
    type: string
  - name: formatVersion
    description: The format version for the log.
    type: smallint
  - name: httpRequest
    required: true
    description: The metadata about the request.
    type: object
    fields:
      - name: args
        description: The HTTP Request query string.
        type: string
      - name: clientIp
        description: The IP address of the client sending the request.
        type: string
        indicators:
          - ip
      - name: country
        description: The source country of the request. If AWS WAF is unable to determine the country of origin, it sets this field to -.
        type: string
      - name: headers
        description: The list of headers.
        type: array
        element:
          type: object
          fields:
            - name: name
              description: The header name.
              type: string
            - name: value
              description: The header value.
              type: string
      - name: httpMethod
        description: The HTTP method in the request.
        type: string
      - name: httpVersion
        description: The HTTP version, e.g. HTTP/2.0.
        type: string
      - name: requestId
        description: The ID of the request, which is generated by the underlying host service. For Application Load Balancer, this is the trace ID. For all others, this is the request ID.
        type: string
        indicators:
          - trace_id
      - name: uri
        description: The URI of the request.
        type: string
  - name: httpSourceId
    required: true
    description: The source ID. This field shows the ID of the associated resource.
    type: string
  - name: httpSourceName
    description: 'The source of the request. Possible values: CF for Amazon CloudFront, APIGW for Amazon API Gateway, ALB for Application Load Balancer, and APPSYNC for AWS AppSync.'
    type: string
  - name: nonTerminatingMatchingRules
    description: The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match).
    type: array
    element:
      type: object
      fields:
        - name: ruleId
          description: The Rule ID.
          type: string
        - name: action
          description: The configured rule action. For non-terminating rules the value is always COUNT.
          type: string
        - name: ruleMatchDetails
          description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements.
          type: array
          element:
            type: object
            fields:
              - name: conditionType
                description: The vulnerability type, either SQL_INJECTION or XSS
                type: string
              - name: location
                description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc.
                type: string
              - name: matchedData
                description: The list of strings that provides the match, e.g. ["10", "AND", "1"]
                type: array
                element:
                  type: string
  - name: rateBasedRuleList
    description: The list of rate-based rules that acted on the request.
    type: array
    element:
      type: object
      fields:
        - name: limitKey
          description: 'The field that AWS WAF uses to determine if requests are likely arriving from a single source and thus subject to rate monitoring. Possible value: IP.'
          type: string
        - name: limitValue
          description: The IP address used by a rate-based rule to aggregate requests for rate limiting. If a request contains an IP address that isn't valid, limitValue is INVALID.
          type: string
        - name: maxRateAllowed
          description: The maximum number of requests, which have an identical value in the field that is specified by limitKey, allowed in a five-minute period. If the number of requests exceeds the maxRateAllowed and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.
          type: bigint
        - name: rateBasedRuleId
          description: The ID of the rate-based rule that acted on the request. If this has terminated the request, the ID for rateBasedRuleId is the same as the ID for terminatingRuleId.
          type: string
        - name: rateBasedRuleName
          description: The name of the rate-based rule that acted on the request.
          type: string
  - name: ruleGroupList
    description: The list of rule groups that acted on this request.
    type: array
    element:
      type: object
      fields:
        - name: excludedRules
          description: The list of rules in the rule group that you have excluded. The action for these rules is set to COUNT.
          type: array
          element:
            type: object
            fields:
              - name: exclusionType
                description: A type that indicates that the excluded rule has the action COUNT (most likely value is EXCLUDED_AS_COUNT).
                type: string
              - name: ruleId
                description: The ID of the rule within the rule group that is excluded.
                type: string
        - name: nonTerminatingMatchingRules
          description: The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match).
          type: array
          element:
            type: object
            fields:
              - name: ruleId
                description: The Rule ID.
                type: string
              - name: action
                description: The configured rule action. For non-terminating rules the value is always COUNT.
                type: string
              - name: ruleMatchDetails
                description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements.
                type: array
                element:
                  type: object
                  fields:
                    - name: conditionType
                      description: The vulnerability type, either SQL_INJECTION or XSS
                      type: string
                    - name: location
                      description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc.
                      type: string
                    - name: matchedData
                      description: The list of strings that provides the match, e.g. ["10", "AND", "1"]
                      type: array
                      element:
                        type: string
        - name: ruleGroupId
          description: The ID of the rule group. If a rule in this group blocked the request, ruleGroupId is the same as terminatingRuleId.
          type: string
        - name: terminatingRule
          description: The rule within the rule group that terminated the request. If this is a non-null value, it also contains a ruleId and action. In this case, the action is always BLOCK.
          type: object
          fields:
            - name: ruleId
              description: The Rule ID.
              type: string
            - name: action
              description: The configured rule action. For the terminating rule of a rule group the value is always BLOCK.
              type: string
            - name: ruleMatchDetails
              description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements.
              type: array
              element:
                type: object
                fields:
                  - name: conditionType
                    description: The vulnerability type, either SQL_INJECTION or XSS
                    type: string
                  - name: location
                    description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc.
                    type: string
                  - name: matchedData
                    description: The list of strings that provides the match, e.g. ["10", "AND", "1"]
                    type: array
                    element:
                      type: string
  - name: terminatingRuleId
    description: The ID of the rule that terminated the request. If nothing terminates the request, the value is Default_Action.
    type: string
  - name: terminatingRuleMatchDetails
    description: Detailed information about the terminating rule that matched the request. A terminating rule has an action that ends the inspection process against a web request. Possible actions for a terminating rule are ALLOW and BLOCK. This is only populated for SQL injection and cross-site scripting (XSS) match rule statements. As with all rule statements that inspect for more than one thing, AWS WAF applies the action on the first match and stops inspecting the web request. A web request with a terminating action could contain other threats, in addition to the one reported in the log.
    type: array
    element:
      type: object
      fields:
        - name: conditionType
          description: The vulnerability type, either SQL_INJECTION or XSS
          type: string
        - name: location
          description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc.
          type: string
        - name: matchedData
          description: The list of strings that provides the match, e.g. ["10", "AND", "1"]
          type: array
          element:
            type: string
  - name: terminatingRuleType
    description: 'The type of rule that terminated the request. Possible values: RATE_BASED, REGULAR, GROUP, and MANAGED_RULE_GROUP.'
    type: string
  - name: timestamp
    required: true
    description: The timestamp in milliseconds.
    type: timestamp
    timeFormat: unix_ms
    isEventTime: true
  - name: webaclId
    required: true
    description: The GUID of the web ACL.
    type: string
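The schema above tells you where the two kinds of match land: a match that stopped the request appears in terminatingRuleMatchDetails, while a match from a rule running in COUNT mode (an excluded managed rule, or a rule someone set to count-only) is recorded under nonTerminatingMatchingRules at the web ACL level or inside the matching ruleGroupList entry, and the request itself still carries action ALLOW. The following is an added example, not code from Panther or from the panther-analysis repository: a Panther-style Python rule (`rule`, `title`, `alert_context`) that alerts when WAF allowed a request even though a SQL_INJECTION or XSS statement matched in COUNT mode, which is exactly the traffic a WAF in count-only mode is silently passing. It operates on plain dicts, as a parsed AWS.WAFWebACL event is presented to a rule, and the three JSON lines it runs on are constructed, not real traffic; the `run` helper exists only so the example can be executed stand-alone.

```python
"""Added example: Panther-style rule over AWS.WAFWebACL events (not Panther's own code).

Alerts when a request was ALLOWed although a SQL injection or XSS statement
matched in COUNT mode, either at the web ACL level (nonTerminatingMatchingRules)
or inside a rule group (ruleGroupList[].nonTerminatingMatchingRules).
"""
import json
from datetime import datetime, timezone

# conditionType values the schema documents for ruleMatchDetails
SUSPECT_CONDITIONS = {"SQL_INJECTION", "XSS"}


def count_mode_matches(event: dict) -> list:
    """Collect COUNT-mode SQLi/XSS matches from both places the schema records them."""
    hits = []
    rule_lists = [event.get("nonTerminatingMatchingRules") or []]
    for group in event.get("ruleGroupList") or []:
        rule_lists.append(group.get("nonTerminatingMatchingRules") or [])
    for rules in rule_lists:
        for matched_rule in rules:
            for detail in matched_rule.get("ruleMatchDetails") or []:
                if detail.get("conditionType") in SUSPECT_CONDITIONS:
                    hits.append({
                        "ruleId": matched_rule.get("ruleId"),
                        "conditionType": detail.get("conditionType"),
                        "location": detail.get("location"),
                        "matchedData": detail.get("matchedData") or [],
                    })
    return hits


def rule(event: dict) -> bool:
    """Rule entry point: fire only when WAF let the request through."""
    if event.get("action") != "ALLOW":
        return False  # BLOCKed requests were already stopped by WAF
    return bool(count_mode_matches(event))


def title(event: dict) -> str:
    """Alert title: what matched, from which client, against which URI and web ACL."""
    req = event.get("httpRequest") or {}
    kinds = sorted({hit["conditionType"] for hit in count_mode_matches(event)})
    return (f"AWS WAF allowed request with counted {'/'.join(kinds)} match "
            f"from {req.get('clientIp')} to {req.get('uri')} "
            f"(webacl {event.get('webaclId')})")


def alert_context(event: dict) -> dict:
    """Fields an analyst wants next to the alert; timestamp is unix_ms per the schema."""
    event_time = datetime.fromtimestamp(event["timestamp"] / 1000, tz=timezone.utc)
    req = event.get("httpRequest") or {}
    return {
        "event_time": event_time.isoformat(),
        "client_ip": req.get("clientIp"),
        "method": req.get("httpMethod"),
        "uri": req.get("uri"),
        "args": req.get("args"),
        "source": event.get("httpSourceName"),
        "terminating_rule": event.get("terminatingRuleId"),
        "count_mode_matches": count_mode_matches(event),
    }


def run(events: list) -> list:
    """Stand-alone driver (hypothetical, not part of Panther): titles of events that alert."""
    return [title(event) for event in events if rule(event)]


# Constructed sample log lines in the WAF JSON-lines shape; IPs are documentation ranges.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"timestamp":1700000000000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:regional/webacl/shop/0000-example","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"ALB","httpSourceId":"123456789012-app/shop/0123456789abcdef","nonTerminatingMatchingRules":[],"rateBasedRuleList":[],"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":null,"excludedRules":[{"exclusionType":"EXCLUDED_AS_COUNT","ruleId":"SQLi_QUERYARGUMENTS"}],"nonTerminatingMatchingRules":[{"ruleId":"SQLi_QUERYARGUMENTS","action":"COUNT","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"ALL_QUERY_ARGS","matchedData":["10","AND","1"]}]}]}],"httpRequest":{"clientIp":"203.0.113.10","country":"US","headers":[{"name":"Host","value":"shop.example.com"}],"uri":"/items","args":"id=10 AND 1=1","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"Root=1-example-0001"}}
{"timestamp":1700000001000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:regional/webacl/shop/0000-example","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"XSS","location":"ALL_QUERY_ARGS","matchedData":["<script>"]}],"httpSourceName":"ALB","httpSourceId":"123456789012-app/shop/0123456789abcdef","nonTerminatingMatchingRules":[],"rateBasedRuleList":[],"ruleGroupList":[],"httpRequest":{"clientIp":"198.51.100.7","country":"-","headers":[],"uri":"/search","args":"q=<script>alert(1)</script>","httpVersion":"HTTP/2.0","httpMethod":"GET","requestId":"Root=1-example-0002"}}
{"timestamp":1700000002000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:regional/webacl/shop/0000-example","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"ALB","httpSourceId":"123456789012-app/shop/0123456789abcdef","nonTerminatingMatchingRules":[],"rateBasedRuleList":[],"ruleGroupList":[],"httpRequest":{"clientIp":"192.0.2.5","country":"DE","headers":[],"uri":"/","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"Root=1-example-0003"}}
""".strip().splitlines()]

if __name__ == "__main__":
    for alert_title in run(SAMPLE_EVENTS):
        print(alert_title)
```

Only the first sample fires: it was allowed by Default_Action while the excluded SQLi rule counted a match on `id=10 AND 1=1`. The second is a BLOCK and needs no alert of this kind, and the third is benign. The rule deliberately reads both the web ACL level list and each rule group's list, because a managed rule excluded with EXCLUDED_AS_COUNT reports its match inside ruleGroupList, not at the top level.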
