This feature searches the WAF logs that WafCharm has retrieved. It is available only if you have WAF log retrieval enabled.
You can open the WAF log search feature by clicking [Log] under [Analytics] in the left menu.
How to use
The top panel is the search feature, and the [Log List] panel at the bottom shows the search results.
The features listed below are included in the search tool.
Target WAF Config: You can specify the target WAF Config.
Timestamp (UTC): You can specify the time to search. If you choose [Last 10 minutes], it will search the WAF logs within the last 10 minutes from the current time. If you want to search WAF logs in other time frames, use the [Custom] option to specify the time.
WAF Action: You can select the executed action from Allow, Block, CAPTCHA, and Challenge. If you want to search across all actions, select [ALL]. The Count action cannot be used as a search condition.
Search Text: You can enter the strings you want to search. The entered text will be searched against the values in rule name, client IP, country, host, URI, method, and action.
Example: If you enter "JP" in the [Search Text], WAF logs with "JP" as the value of the Country key will match. If you search with a specific IP address, only WAF logs that contain the searched IP address in the Client IP will match.
After you enter the items above and click the [Search] button, the search results will be shown under the [Log List] panel.
About the Log List results
When you click on one of the results, a panel showing the details of the search result will appear on the right side.
Request ID: This is a value from the requestId available in the WAF log.
Timestamp (UTC): This is a value from the timestamp available in the WAF log.
WAF Action: This is a value from the action available in the WAF log.
Rule Name: This is a value from the terminatingRuleId available in the WAF log.
Client IP: This is a value from the clientIp available in the WAF log.
Country: This is a value from the country available in the WAF log.
Host: This is a value from the Host header available in the WAF log.
URI: This is a value from the uri available in the WAF log.
Method: This is a value from the httpMethod available in the WAF log.
Raw data: The raw data of the matched WAF log in JSON format. You can click the [copy] button in the top right corner to copy the whole record.
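The column mapping above, the free-text search, and the Count limitation described in the Limitations and Notes section below can be reproduced on a raw log record. The following is an added example written for this page; it is not WafCharm's code. The sample records are constructed and follow the published AWS WAF v2 JSON log layout (requestId, clientIp, country, headers, uri, args and httpMethod live under httpRequest; COUNT matches are recorded under nonTerminatingMatchingRules or inside ruleGroupList, never in the terminating action field). The case-insensitive substring match in search_logs is an assumption; the page does not state the exact matching rule.

```python
import json
from datetime import datetime, timezone
from email.utils import format_datetime

# Constructed sample records in the AWS WAF v2 log layout (values are made up).
SAMPLE_WAF_LOGS = [
    {
        "timestamp": 1585772400000,  # 2020-04-01T20:20:00Z, in epoch milliseconds
        "terminatingRuleId": "wafcharm-blacklist-010090004-07",
        "action": "BLOCK",
        "nonTerminatingMatchingRules": [],
        "ruleGroupList": [],
        "httpRequest": {
            "clientIp": "203.0.113.10", "country": "JP",
            "headers": [{"name": "Host", "value": "www.example.com"},
                        {"name": "User-Agent", "value": "curl/8.0"}],
            "uri": "/login", "args": "user=admin", "httpMethod": "POST",
            "requestId": "req-0001",
        },
    },
    {
        "timestamp": 1585772460000,
        "terminatingRuleId": "Default_Action",
        "action": "ALLOW",
        # A standalone rule in COUNT mode is recorded here, not in "action".
        "nonTerminatingMatchingRules": [{"ruleId": "wafcharm-count-rule-01", "action": "COUNT"}],
        "ruleGroupList": [],
        "httpRequest": {
            "clientIp": "198.51.100.7", "country": "US",
            "headers": [{"name": "Host", "value": "api.example.com"}],
            "uri": "/search", "args": "q=shoes", "httpMethod": "GET",
            "requestId": "req-0002",
        },
    },
    {
        "timestamp": 1585772520000,
        "terminatingRuleId": "Default_Action",
        "action": "ALLOW",
        "nonTerminatingMatchingRules": [],
        # A COUNT match inside a rule group is nested under ruleGroupList instead.
        "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                           "nonTerminatingMatchingRules": [{"ruleId": "SizeRestrictions_BODY",
                                                            "action": "COUNT"}]}],
        "httpRequest": {
            "clientIp": "192.0.2.44", "country": "DE",
            "headers": [{"name": "Host", "value": "api.example.com"}],
            "uri": "/", "args": "", "httpMethod": "GET",
            "requestId": "req-0003",
        },
    },
]


def format_utc(timestamp_ms):
    """Render the millisecond 'timestamp' field like the notification email does."""
    dt = datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc)
    return format_datetime(dt, usegmt=True)  # e.g. "Wed, 01 Apr 2020 20:20:00 GMT"


def extract_fields(record):
    """Map one raw WAF log record onto the columns shown in the Log List panel."""
    req = record.get("httpRequest", {})
    headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
    return {
        "request_id": req.get("requestId"),
        "timestamp_utc": format_utc(record["timestamp"]),
        "action": record.get("action"),
        "rule_name": record.get("terminatingRuleId"),
        "client_ip": req.get("clientIp"),
        "country": req.get("country"),
        "host": headers.get("host"),
        "uri": req.get("uri"),
        "method": req.get("httpMethod"),
        "query_string": req.get("args") or None,
        "raw": json.dumps(record),
    }


# Columns the Search Text box is matched against, per the page.
SEARCHABLE = ("rule_name", "client_ip", "country", "host", "uri", "method", "action")


def search_logs(records, action="ALL", text="", since_ms=None, until_ms=None):
    """Filter records by time window, terminating action and free text (assumed substring match)."""
    needle = text.lower()
    results = []
    for rec in records:
        ts = rec["timestamp"]
        if since_ms is not None and ts < since_ms:
            continue
        if until_ms is not None and ts > until_ms:
            continue
        # "COUNT" never equals the terminating action, so action="COUNT" matches nothing.
        if action != "ALL" and (rec.get("action") or "").upper() != action.upper():
            continue
        row = extract_fields(rec)
        if needle and not any(needle in str(row[col] or "").lower() for col in SEARCHABLE):
            continue
        results.append(row)
    return results


def count_matches(record):
    """Return rule ids that matched in COUNT mode, standalone or inside a rule group."""
    hits = [r["ruleId"] for r in record.get("nonTerminatingMatchingRules", [])
            if r.get("action") == "COUNT"]
    for group in record.get("ruleGroupList", []):
        hits += [r["ruleId"] for r in group.get("nonTerminatingMatchingRules", [])
                 if r.get("action") == "COUNT"]
    return hits


if __name__ == "__main__":
    for row in search_logs(SAMPLE_WAF_LOGS, text="JP"):
        print(row["request_id"], row["timestamp_utc"], row["action"], row["country"])
```

Searching with action="COUNT" returns nothing even though two of the sample records carry COUNT matches, which is the behaviour the Limitations section describes; count_matches shows where those matches actually sit in the record.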
Limitations and Notes
All values searched and displayed in the WAF log search feature are the values from the WAF logs.
[Action] field in the WAF log search feature is based on the action field in the WAF logs. The action field in the WAF log contains information on the terminating action that AWS WAF applied to the request. The available values are Allow, Block, CAPTCHA, or Challenge.
Because the action field does not contain the value Count, counted requests cannot be searched based on the Count action.
WafCharm works on the copies of WAF logs it has downloaded from your S3 bucket; the features do not read the WAF logs stored on the S3 bucket in your AWS environment directly.
It takes 5-10 minutes for WafCharm to download WAF logs with the WAF log retrieval method (the new method). As long as the day's WAF logs are saved on your S3 bucket, this delay should not affect the WAF log-related features provided by WafCharm.
About the monthly report feature
The monthly report feature aggregates the WAF logs transferred for each registered WAF Config and creates a monthly report at the beginning of each month.
The monthly report can be viewed from the [Report] link on the left menu.
The monthly report contains the information below.
Attack Type: List of attack types. Click on an attack type tag to filter the data aggregated in the pie chart.
Pie chart based on attack types: Pie chart of the aggregated attack types from the detected or blocked WAF logs.
Detected Rule Ranking: A top 10 ranking based on the detected rules.
Attack Country Ranking: A top 10 ranking based on the country of origin.
Attack IP Ranking: A top 10 ranking based on the detected IP addresses.
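The aggregations that make up the report (attack-type pie chart with tag filtering, top 10 rule, country and IP rankings, and the hyphen shown when the country is unknown) are simple to reproduce from flattened detection records. The following is an added example written for this page, not WafCharm's report code. The detection records are constructed; the attack_type value on each record is assumed to be attached by WafCharm's rule classification, which the page does not describe.

```python
from collections import Counter

# Constructed detection records, already flattened to the fields the report uses.
# "attack_type" is assumed to be assigned upstream; the mapping is not defined on the page.
DETECTIONS = [
    {"rule": "wafcharm-blacklist-010090004-07", "country": "JP", "ip": "203.0.113.10",
     "attack_type": "suspicious_access"},
    {"rule": "wafcharm-blacklist-010090004-07", "country": "JP", "ip": "203.0.113.10",
     "attack_type": "suspicious_access"},
    {"rule": "sample_sqli-args-002", "country": "US", "ip": "198.51.100.7",
     "attack_type": "sqli"},
    # Country could not be determined by AWS WAF: the report shows a hyphen for it.
    {"rule": "sample_sqli-args-002", "country": None, "ip": "198.51.100.8",
     "attack_type": "sqli"},
    {"rule": "sample_xss-body-003", "country": "DE", "ip": "192.0.2.44",
     "attack_type": "xss"},
]

TOP_N = 10           # each ranking on the report is a top 10
UNKNOWN_COUNTRY = "-"


def ranking(values, top_n=TOP_N):
    """Count occurrences and keep the top_n (value, count) pairs, most frequent first."""
    return Counter(values).most_common(top_n)


def build_monthly_report(detections, selected_types=None):
    """Aggregate one month of detections; selected_types mimics clicking attack type tags."""
    rows = [d for d in detections if not selected_types or d["attack_type"] in selected_types]
    return {
        # The tag list always shows every attack type seen, regardless of the filter.
        "attack_types": sorted({d["attack_type"] for d in detections}),
        "attack_type_pie": dict(Counter(d["attack_type"] for d in rows)),
        "detected_rule_ranking": ranking(d["rule"] for d in rows),
        "attack_country_ranking": ranking(d["country"] or UNKNOWN_COUNTRY for d in rows),
        "attack_ip_ranking": ranking(d["ip"] for d in rows),
    }


def export_rows(report):
    """Flatten the report into (section, label, count) rows, as a spreadsheet export would."""
    rows = [("Attack Type", t, n) for t, n in report["attack_type_pie"].items()]
    for section, key in (("Detected Rule Ranking", "detected_rule_ranking"),
                         ("Attack Country Ranking", "attack_country_ranking"),
                         ("Attack IP Ranking", "attack_ip_ranking")):
        rows += [(section, label, n) for label, n in report[key]]
    return rows


if __name__ == "__main__":
    for section, label, n in export_rows(build_monthly_report(DETECTIONS)):
        print(f"{section:24} {label:36} {n}")
```

Counter.most_common keeps insertion order among equal counts, so ties are resolved by first appearance; a real report would need an explicit tie-break rule if ordering matters.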
How to export the monthly report data in Excel format
You can download the data from each report by clicking on the [Download Excel] button in the top right corner.
The Excel sheet contains all data available on the report. For example, if you download the Excel data from the [Grand Total] report, you get the data of all web ACLs, and if you download it from a specific WAF Config's report, you get the data of that WAF Config only.
The sheet also includes all the data, such as the numbers, that is shown as a tooltip when you hover over the report. You can use the downloaded data to visualize the data in your own way.
Limitations and Notes
The monthly reports are created based on last month's WAF logs.
The monthly report feature cannot download past WAF logs or use untransferred WAF logs.
The monthly report cannot be recreated after the initial creation is completed.
If AWS WAF cannot determine which country the IP address originated from, the monthly report may show a hyphen (-) instead.
Log filtering provided by AWS WAF is not recommended if you wish to use this feature.
If you filter WAF logs to only save logs with action: Block, only WAF logs of blocked requests are available, so the monthly report and the detection notification operate on the blocked logs only.
If you filter WAF logs to only save logs with action: Count, the monthly report and the detection notification will not work properly, because AWS WAF records the Count action differently in WAF logs for a single rule and for a rule group.
About the WAF log alert (detection notification) feature
WAF log alert settings are equivalent to the Notification page in the old WafCharm Dashboard.
If you have enabled WAF log integration (new or old method) and WAF log alert, you can receive detection notification emails at the email addresses you have registered.
Email To: WafCharm Notification wafcharm-notification@cscloud.co.jp
Email BCC to: Email addresses registered under WAF log alert
Attacks as follows were detected.
This report includes up to 10 attacks detected in every buffer interval.
If you need to check more information and attacks, visit your AWS console.
Web ACL Name (Web ACL ID): < your web ACL's name > (< your web ACL ID >)
Matches Rule: wafcharm-blacklist-010090004-07 (<Rule ID>)
Time(UTC): Thu, 01 Apr 2020 20:20:00 GMT
Source IP: XXX.XXX.XXX.XXX
Source Country: JP
URI: /
You may add/delete the email address to receive the detection notifications from the link below (login needed).
<URL to your WAF Config>
Items listed on the notification email
Time (UTC): This is a timestamp value from the WAF log converted to UTC format.
Source IP: This is a value from the clientIp in the WAF log. The referenced value does not change even if you are using the IP address in the header for Allowlist/Denylist.
Source Country: This is a value from the country in the WAF log.
Action: This is a value from the action in the WAF log.
URI: This is a value from uri in the WAF log.
Query String: If the request contains a query string, this is a value from args in the WAF log.
Notification details of the Managed Rules Notification
This feature is only available if you are using WafCharm and CSC's Managed Rules together on AWS WAF Classic.
Email To: WafCharm Notification wafcharm-notification@cscloud.co.jp
Email BCC to: Email addresses registered under WAF log alert
Attacks as follows were detected.
This report includes up to 10 attacks detected in every buffer interval.
If you need to check more information and attacks, visit your AWS console.
Web ACL Name (Web ACL ID): < your web ACL's name > (< your web ACL ID >)
Managed Rule: Cyber Security Cloud Managed Rules for AWS WAF -HighSecurity OWASP Set-
Attack Type: suspicious_access
Field Type: url
Matches Rule Name: sample_suspicious_access-url-001
Matches Rule ID: <Rule ID>
Time(UTC): Thu, 1 Apr 2020 20:20:00 GMT
Source IP: XXX.XXX.XXX.XXX
Source Country: JP
URI: /
You may add/delete the email address to receive the detection notifications from the link below (login needed).
<URL to your WAF Config>
Notes
Each email (log file) contains details of a maximum of 10 detections.
The notification interval depends on the WAF log output interval.
For the S3 bucket option, the interval is 5 minutes.
For the Amazon Data Firehose option, it depends on the values specified in the buffer interval and buffer size.
If you have registered WAF Configs (web ACLs) for different AWS WAF versions (Classic and v2) on WafCharm and wish to use this feature for both, do not use the same Lambda function for both.
The index.mjs used by the Lambda function differs between AWS WAF Classic and AWS WAF v2. If you use the wrong version, the WAF log transfer will fail.
Log filtering provided by AWS WAF is not recommended if you wish to use this feature.
If you filter WAF logs to only save logs with action: Block, only WAF logs of blocked requests are available, so the monthly report and the detection notification operate on the blocked logs only.
If you filter WAF logs to only save logs with action: Count, the monthly report and the detection notification will not work properly, because AWS WAF records the Count action differently in WAF logs for a single rule and for a rule group.