cloud.aws.waf

Introduction

The tags beginning with cloud.aws.waf identify events generated by the AWS Web Application Firewall (WAF).

Valid tags and data tables

The full tag must have 4 levels. The first 3 are fixed as cloud.aws.waf. The fourth level identifies the events subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables
AWS Web Application Firewall (WAF)	`cloud.aws.waf.logs`	`cloud.aws.waf.logs`

For more information, read more about Devo tags.

How is the data sent to Devo?

Logs generated by AWS WAF service can be sent to AWS CloudWatch Logs, S3, and Kinesis Data Firehose services.

The preferred methods are using the first two services as destinations. In these cases, Devo AWS collector can be used for gathering, properly tagging, and securely forwarding these logs to Devo.

Logs sent to Kinesis Data Firehose can be properly tagged using an AWS Lambda function and forwarded to a Devo HTTP(s) endpoint (as an alternative, a Devo Relay deployed in an EC2 instance can be used for tagging and securely forwarding events using Syslog protocol).

Table structure

These are the fields displayed in this table:

cloud.aws.waf.logs

Field	Type	Field transformation	Source field name	Extra fields
ACCID	`str`
action	`str`
eventdate	`timestamp`
formatVersion	`int4`
hostchain	`str`
hostname	`str`			✓
httpRequest_args	`str`
httpRequest_clientIp	`str`
httpRequest_country	`str`
httpRequest_headers_name_str	`str`	join(httpRequest_headers_name, ',')	httpRequest_headers_name
httpRequest_headers_value_str	`str`	join(httpRequest_headers_value, ',')	httpRequest_headers_value
httpRequest_httpMethod	`str`
httpRequest_httpVersion	`str`
httpRequest_requestId	`str`
httpRequest_uri	`str`
httpSourceId	`str`
httpSourceName	`str`
labels_name_str	`str`	join(labels_name, ',')	labels_name
nonTerminatingMatchingRules_action_str	`str`	join(nonTerminatingMatchingRules_action, ',')	nonTerminatingMatchingRules_action
nonTerminatingMatchingRules_ruleId_str	`str`	join(nonTerminatingMatchingRules_ruleId, ',')	nonTerminatingMatchingRules_ruleId
rateBasedRuleList_limitKey_str	`str`	join(rateBasedRuleList_limitKey, ',')	rateBasedRuleList_limitKey
rateBasedRuleList_maxRateAllowed_str	`str`	stringify(json(rateBasedRuleList_maxRateAllowed))	rateBasedRuleList_maxRateAllowed
rateBasedRuleList_rateBasedRuleId_str	`str`	join(rateBasedRuleList_rateBasedRuleId, ',')	rateBasedRuleList_rateBasedRuleId
rawMessage	`str`
REGION	`str`
requestHeadersInserted_name_str	`str`	join(requestHeadersInserted_name, ',')	requestHeadersInserted_name
requestHeadersInserted_value_str	`str`	join(requestHeadersInserted_value, ',')	requestHeadersInserted_value
responseCodeSent	`int4`
ruleGroupList_excludedRules_str	`str`	join(ruleGroupList_excludedRules, ',')	ruleGroupList_excludedRules
ruleGroupList_nonTerminatingMatchingRules_str	`str`	join(ruleGroupList_nonTerminatingMatchingRules, ',')	ruleGroupList_nonTerminatingMatchingRules
ruleGroupList_ruleGroupId_str	`str`	join(ruleGroupList_ruleGroupId, ',')	ruleGroupList_ruleGroupId
ruleGroupList_terminatingRule_action_str	`str`	join(ruleGroupList_terminatingRule_action, ',')	ruleGroupList_terminatingRule_action
ruleGroupList_terminatingRule_ruleId_str	`str`	join(ruleGroupList_terminatingRule_ruleId, ',')	ruleGroupList_terminatingRule_ruleId
ruleGroupList_terminatingRule_ruleMatchDetails_str	`str`	join(ruleGroupList_terminatingRule_ruleMatchDetails, ',')	ruleGroupList_terminatingRule_ruleMatchDetails
tag	`str`			✓
terminatingRuleId	`str`
terminatingRuleMatchDetails_conditionType_str	`str`	join(terminatingRuleMatchDetails_conditionType, ',')	terminatingRuleMatchDetails_conditionType
terminatingRuleMatchDetails_location_str	`str`	join(terminatingRuleMatchDetails_location, ',')	terminatingRuleMatchDetails_location
terminatingRuleMatchDetails_matchedData_str	`str`	join(terminatingRuleMatchDetails_matchedData, ',')	terminatingRuleMatchDetails_matchedData
terminatingRuleType	`str`
timestamp	`timestamp`
webaclId	`str`