cloud.aws.waf
- Juan Tomás Alonso Nieto (Deactivated)
- Laszlo Frazer
- Former user (Deleted)
Introduction
The tags beginning with cloud.aws.waf identify events generated by the AWS Web Application Firewall (WAF).
Valid tags and data tables
The full tag must have 4 levels. The first 3 are fixed as cloud.aws.waf. The fourth level identifies the events subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
|---|---|---|
AWS Web Application Firewall (WAF) |
|
|
For more information, read more about Devo tags.
How is the data sent to Devo?
Send the logs using an AWS SQS collector.
Table structure
These are the fields displayed in this table:
cloud.aws.waf.logs
Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
eventdate |
|
|
|
|
hostname |
|
|
|
|
ACCID |
|
|
|
|
ACCID_actual |
|
|
|
|
REGION |
|
|
|
|
timestamp |
|
|
|
|
formatVersion |
|
|
|
|
webaclId |
|
|
|
|
terminatingRuleId |
|
|
|
|
terminatingRuleType |
|
|
|
|
action |
|
|
|
|
terminatingRuleMatchDetails_conditionType_str |
|
join(terminatingRuleMatchDetails_conditionType, ',')
| terminatingRuleMatchDetails_conditionType |
|
terminatingRuleMatchDetails_location_str |
|
join(terminatingRuleMatchDetails_location, ',')
| terminatingRuleMatchDetails_location |
|
terminatingRuleMatchDetails_matchedData_str |
|
join(terminatingRuleMatchDetails_matchedData, ',')
| terminatingRuleMatchDetails_matchedData |
|
httpSourceName |
|
|
|
|
httpSourceId |
|
|
|
|
ruleGroupList_ruleGroupId_str |
|
| ruleGroupList_ruleGroupId |
|
ruleGroupList_terminatingRule_ruleId_str |
|
| ruleGroupList_terminatingRule_ruleId |
|
ruleGroupList_terminatingRule_action_str |
|
| ruleGroupList_terminatingRule_action |
|
ruleGroupList_terminatingRule_ruleMatchDetails_str |
|
| ruleGroupList_terminatingRule_ruleMatchDetails |
|
ruleGroupList_nonTerminatingMatchingRules_str |
|
| ruleGroupList_nonTerminatingMatchingRules |
|
ruleGroupList_excludedRules_str |
|
| ruleGroupList_excludedRules |
|
rateBasedRuleList_rateBasedRuleId_str |
|
| rateBasedRuleList_rateBasedRuleId |
|
rateBasedRuleList_limitKey_str |
|
| rateBasedRuleList_limitKey |
|
rateBasedRuleList_maxRateAllowed_str |
|
| rateBasedRuleList_maxRateAllowed |
|
nonTerminatingMatchingRules_action_str |
|
| nonTerminatingMatchingRules_action |
|
nonTerminatingMatchingRules_ruleId_str |
|
| nonTerminatingMatchingRules_ruleId |
|
requestHeadersInserted_name_str |
|
| requestHeadersInserted_name |
|
requestHeadersInserted_value_str |
|
| requestHeadersInserted_value |
|
responseCodeSent |
|
|
|
|
httpRequest_clientIp |
|
|
|
|
httpRequest_country |
|
|
|
|
httpRequest_headers_name_str |
|
| httpRequest_headers_name |
|
httpRequest_headers_value_str |
|
| httpRequest_headers_value |
|
httpRequest_uri |
|
|
|
|
httpRequest_args |
|
|
|
|
httpRequest_httpVersion |
|
|
|
|
httpRequest_httpMethod |
|
|
|
|
httpRequest_requestId |
|
|
|
|
labels_name_str |
|
| labels_name |
|
hostchain |
|
|
| ✓ |
tag |
|
|
| ✓ |
rawMessage |
|
|
| ✓ |