Visualize AWS WAF logs with an Amazon CloudWatch dashboard
<a href="https://aws.amazon.com/waf/" target="_blank" rel="noopener">AWS WAF</a> is a web application firewall service that helps you protect your applications from common exploits that could affect your application's availability and your security posture. One of the most useful ways to detect and respond to malicious web activity is to collect and analyze <a href="https://docs.aws.amazon.com/waf/latest/developerguide/logging.html" target="_blank" rel="noopener">AWS WAF logs</a>. You can do this by sending your AWS WAF logs to <a href="https://aws.amazon.com/about-aws/whats-new/2021/12/awf-waf-cloudwatch-log-s3-bucket/" target="_blank" rel="noopener">Amazon CloudWatch Logs</a> and visualizing them through an <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html" target="_blank" rel="noopener">Amazon CloudWatch dashboard</a>.
<p>In this blog post, I'll show you how to use <a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener">Amazon CloudWatch</a> to monitor and analyze AWS WAF activity by using the options in <a href="https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html" target="_blank" rel="noopener">CloudWatch metrics</a>, <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContributorInsights.html" target="_blank" rel="noopener">Contributor Insights</a>, and <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html" target="_blank" rel="noopener">Logs Insights</a>. I'll also walk you through how to deploy this solution in your own AWS account by using an <a href="https://aws.amazon.com/cloudformation/" target="_blank" rel="noopener">AWS CloudFormation</a> template.</p>
<h2>Prerequisites</h2>
<p>This blog post builds on the concepts introduced in the blog post <a href="https://aws.amazon.com/blogs/mt/analyzing-aws-waf-logs-in-amazon-cloudwatch-logs/" target="_blank" rel="noopener">Analyzing AWS WAF Logs in Amazon CloudWatch Logs</a>. There we introduced how to set up AWS WAF logging to Amazon CloudWatch Logs natively, and discussed the basic options that are available for analyzing and visualizing the data provided in the logs.</p>
<p>The only AWS services that you need to turn on for this solution are Amazon CloudWatch and AWS WAF. The solution assumes that you've previously set up AWS WAF log delivery to Amazon CloudWatch Logs. If you have not done so, follow the instructions for <a href="https://docs.aws.amazon.com/waf/latest/developerguide/logging-cw-logs.html" target="_blank" rel="noopener">AWS WAF logging destinations – CloudWatch Logs</a>.</p>
<p>You will need to provide the following parameters for the CloudFormation template:</p>
<ul>
<li>The CloudWatch log group name for the AWS WAF logs</li>
<li>The AWS Region for the logs</li>
<li>The name of the AWS WAF web access control list (web ACL)</li>
</ul>
<h2>Solution overview</h2>
<p>The architecture of the solution is outlined in Figure 1. The solution takes advantage of the native integration available between AWS WAF and CloudWatch, which simplifies the setup and management of the solution.</p>
<div id="attachment_28163" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-28163" class="size-full wp-image-28163" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/img1.png" alt="Figure 1: Solution architecture" width="600">
<p id="caption-attachment-28163" class="wp-caption-text">Figure 1: Solution architecture</p>
</div>
<p>In the solution, the logs are delivered to CloudWatch (after you enable log delivery). From there, they're ready to be consumed by all of the different service options that CloudWatch offers, including the ones that we'll use in this solution: CloudWatch Logs Insights and Contributor Insights.</p>
<h2>Deploy the solution</h2>
<p>Choose the following <strong>Launch stack</strong> button to launch the CloudFormation stack in your account.</p>
<p align="center"><a href="https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=WAFCWDashboard&templateURL=https://awsiammedia.s3.amazonaws.com/public/sample/1292-analyze-and-visualize-WAF-logs-Cloudwatch/WAFCWBlogDashboard-Final.yaml" target="_blank" rel="noopener noreferrer"><img loading="lazy" class="aligncenter size-full wp-image-10149" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2019/06/05/launch-stack-key.png" alt="Launch Stack" width="190" height="36"></a></p>
<p>You'll be redirected to the CloudFormation service in the AWS US East (N. Virginia) Region, which is the default Region to deploy this solution, although this can vary depending on where your web ACL is located. You can change the Region as preferred. The template will spin up multiple cloud resources, such as the following:</p>
<ul>
<li>CloudWatch Logs Insights queries</li>
<li>CloudWatch Contributor Insights visuals</li>
<li>CloudWatch dashboard</li>
</ul>
<p>The solution deploys quickly and is ready to use in less than 30 minutes. You can use the solution when the status of the stack changes to CREATE_COMPLETE.</p>
<p>As a measure to control costs, you can also choose whether to create the Contributor Insights rules and enable them by default. For more information on costs, see the <a href="https://aws.amazon.com/blogs/security/visualize-aws-waf-logs-with-an-amazon-cloudwatch-dashboard/#cost_factors"><strong>Cost factors</strong></a> section later in this post.</p>
<h2>Explore and validate the dashboard</h2>
<p>Once the CloudFormation stack is complete, you can choose the <strong>Outputs</strong> tab in the CloudFormation console and then choose the dashboard link. This will take you to the CloudWatch service in the AWS Management Console. The dashboard time range presents information for the last hour of activity by default, and can go up to one week, but keep in mind that Contributor Insights has a maximum time range of 24 hours. You can also select a different dashboard refresh interval, from 10 seconds up to 15 minutes.</p>
<p>The dashboard provides the following information from CloudWatch.</p>
<table width="90%" align="center">
<tbody>
<tr>
<td width="50%"><strong>Rule name</strong></td>
<td width="50%"><strong>Description</strong></td>
</tr>
<tr>
<td width="50%">WAF_top_terminating_rules</td>
<td width="50%">This rule shows the top rules where the requests are being terminated by AWS WAF. This helps you understand the main cause of blocked requests.</td>
</tr>
<tr>
<td width="50%">WAF_top_ips</td>
<td width="50%">This rule shows the top source IPs for requests. This helps you understand if the traffic and activity that you see is spread across many IPs or concentrated in a small group of IPs.</td>
</tr>
<tr>
<td width="50%">WAF_top_countries</td>
<td width="50%">This rule shows the main source countries for the IPs in the requests. This helps you visualize where the traffic is originating.</td>
</tr>
<tr>
<td width="50%">WAF_top_user_agents</td>
<td width="50%">This rule shows the main user agents that are being used to generate the requests. This helps you isolate problematic devices or identify potential false positives.</td>
</tr>
<tr>
<td width="50%">WAF_top_uri</td>
<td width="50%">This rule shows the main URIs in the requests that are being evaluated. This helps you identify if one specific path is the target of activity.</td>
</tr>
<tr>
<td width="50%">WAF_top_http</td>
<td width="50%">This rule shows the HTTP methods used for the requests examined by AWS WAF. This helps you understand the pattern of behavior of the traffic.</td>
</tr>
<tr>
<td width="50%">WAF_top_referrer_hosts</td>
<td width="50%">This rule shows the main referrers from which requests are being sent. This helps you identify incorrect or suspicious origins of requests based on the known application flow.</td>
</tr>
<tr>
<td width="50%">WAF_top_rate_rules</td>
<td width="50%">This rule shows the main rate rules being applied to traffic. It helps you understand volumetric activity identified by AWS WAF.</td>
</tr>
<tr>
<td width="50%">WAF_top_labels</td>
<td width="50%">This rule shows the top labels found in logs. This helps you visualize the main rules that are matching on the requests evaluated by AWS WAF.</td>
</tr>
</tbody>
</table>
<p>The dashboard also provides the following information from the default CloudWatch metrics sent by AWS WAF.</p>
<table width="100%">
<tbody>
<tr>
<td width="50%"><strong>Rule name</strong></td>
<td width="50%"><strong>Description</strong></td>
</tr>
<tr>
<td width="50%">AllowedvsBlockedRequests</td>
<td width="50%">This metric shows the number of all blocked and allowed requests. This helps you understand the number of requests that AWS WAF is actively blocking.</td>
</tr>
<tr>
<td width="50%">Bot Requests vs non-Bot requests</td>
<td width="50%">This visual shows the number of requests identified as bots versus non-bots (if you're using AWS WAF Bot Control).</td>
</tr>
<tr>
<td width="50%">All Requests</td>
<td width="50%">This metric shows the number of all requests, separated by bot and non-bot origin. This helps you understand all requests that AWS WAF is evaluating.</td>
</tr>
<tr>
<td width="50%">CountedRequests</td>
<td width="50%">This metric shows the number of all counted requests. This helps you understand the requests that are matching a rule but not being blocked, and aids your decision on a configuration change during the testing phase.</td>
</tr>
<tr>
<td width="50%">CaptchaRequests</td>
<td width="50%">This metric shows requests that go through the CAPTCHA rule.</td>
</tr>
</tbody>
</table>
<p>Figure 2 shows an example of how the CloudWatch dashboard displays the data within this solution. You can rearrange and customize the elements within the dashboard as needed.</p>
<div id="attachment_28170" class="wp-caption aligncenter">
<a href="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2023/01/10/img2.png" rel="noopener" target="_blank"><img aria-describedby="caption-attachment-28170" class="size-full wp-image-28170" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/img2.png" alt="Figure 2: Example dashboard" width="769"><p id="caption-attachment-28170" class="wp-caption-text">Figure 2: Example dashboard</p></a>
</div>
<p>You can review each of the rules and queries deployed with this solution. You can also customize these baseline rules and queries to provide more detailed information, or add custom rules and queries to the solution code. For more information on how to build queries and use CloudWatch Logs and Contributor Insights, see the <a href="https://docs.aws.amazon.com/cloudwatch/index.html" target="_blank" rel="noopener">CloudWatch documentation</a>.</p>
<h2>Use the dashboard for monitoring</h2>
<p>After you've set up the dashboard, you can monitor the activity of the sites that are protected by AWS WAF. If suspicious activity is reported, you can use the visuals to understand the traffic in more detail, and drive incident response actions as needed.</p>
<p>Let's consider an example of how to use your new dashboard and its data to drive security operations decisions. Suppose that you have a website that sells custom clothing at a bargain price. It has a sign-up link to receive offers, and you're getting reports of unusual activity from the application team. By looking at the metrics for the web ACL that protects the site, you can see the main country for source traffic and the contributing URIs, as shown in Figure 3. You can also see that most of the activity is being detected by rules that you have in place, so you can set the rules to block traffic, or if they are already blocking, you can just monitor the activity.</p>
<div id="attachment_28172" class="wp-caption aligncenter">
<a href="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2023/01/10/img3_0.png" rel="noopener" target="_blank"><img aria-describedby="caption-attachment-28172" class="size-full wp-image-28172" src="https://www.infracom.com.sg/wp-content/uploads/2023/01/img3_0.png" alt="Figure 3: Metrics on website activity" width="760"><p id="caption-attachment-28172" class="wp-caption-text">Figure 3: Metrics on website activity</p></a>
</div>
<p>You can use the same visuals to decide whether an AWS WAF rule with high activity can be changed to autoblock suspicious web traffic without affecting valid customer traffic. By looking at the top terminating rules and cross-referencing information, such as source IPs, user agents, top URIs, and other request identifiers, you can understand the traffic pattern and activity of different endpoints and applications. From here, you can investigate further by using specific queries with CloudWatch Logs Insights.</p>
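<p>The cross-referencing described above can also be done offline on exported log records. The following is an added example, not part of the original post or the solution template: for each rule that matched in count mode, it reports how many requests would newly be blocked if the rule were switched to block, and which IPs, user agents, and URIs those requests came from. Field names follow the AWS WAF log format; the rule names and sample records are constructed.</p>

```python
import json
from collections import Counter, defaultdict


def make_record(ip, agent, uri, action, count_rules=()):
    """Build one constructed log line using AWS WAF log field names."""
    return json.dumps({
        "action": action,  # final web ACL decision for the request
        "httpRequest": {"clientIp": ip, "uri": uri,
                        "headers": [{"name": "User-Agent", "value": agent}]},
        "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"}
                                        for r in count_rules],
    })


# Constructed traffic: hypothetical rule names, documentation IP ranges.
SAMPLE_LOG_LINES = [
    make_record("198.51.100.7", "curl/7.88.1", "/signup", "ALLOW", ["SignupRateCount"]),
    make_record("198.51.100.7", "curl/7.88.1", "/signup", "ALLOW", ["SignupRateCount"]),
    make_record("198.51.100.7", "curl/7.88.1", "/signup", "BLOCK", ["SignupRateCount"]),
    make_record("203.0.113.9", "Mozilla/5.0", "/signup", "ALLOW", ["SignupRateCount"]),
    make_record("203.0.113.9", "Mozilla/5.0", "/cart", "ALLOW", ["GeoWatchCount"]),
    make_record("192.0.2.44", "Mozilla/5.0", "/cart", "ALLOW", ["GeoWatchCount"]),
    make_record("192.0.2.44", "Mozilla/5.0", "/", "ALLOW"),
]


def count_rule_impact(log_lines):
    """Per count-mode rule: what would change if it were switched to block."""
    stats = defaultdict(lambda: {"matched": 0, "allowed": 0, "ips": set(),
                                 "agents": Counter(), "uris": Counter()})
    for line in log_lines:
        rec = json.loads(line)
        req = rec.get("httpRequest") or {}
        agent = next((h.get("value", "-") for h in req.get("headers") or []
                      if h.get("name", "").lower() == "user-agent"), "-")
        for rule in rec.get("nonTerminatingMatchingRules") or []:
            if rule.get("action") != "COUNT":
                continue
            row = stats[rule["ruleId"]]
            row["matched"] += 1
            # Requests the web ACL finally allowed are the ones blocking would stop.
            row["allowed"] += rec.get("action") == "ALLOW"
            row["ips"].add(req.get("clientIp"))
            row["agents"][agent] += 1
            row["uris"][req.get("uri")] += 1
    return {rule: {"matched": r["matched"], "newly_blocked": r["allowed"],
                   "distinct_ips": len(r["ips"]),
                   "top_agent": r["agents"].most_common(1)[0][0],
                   "top_uri": r["uris"].most_common(1)[0][0]}
            for rule, r in stats.items()}


if __name__ == "__main__":
    for rule, summary in count_rule_impact(SAMPLE_LOG_LINES).items():
        print(rule, summary)
```

<p>A rule whose newly blocked requests concentrate on one non-browser user agent and one URI is a safer candidate for blocking than one whose matches are spread across ordinary browser traffic.</p>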
<h2>Security and operational management with CloudWatch Logs Insights</h2>
<p>You can use <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html" target="_blank" rel="noopener">CloudWatch Logs Insights</a> to interactively search and analyze log data in Amazon CloudWatch Logs, using advanced queries to effectively investigate operational issues and security incidents.</p>
<h3>Examine a bot reported as a false positive</h3>
<p>You can use CloudWatch Logs Insights to identify requests that have specific labels, to understand where the traffic is originating from based on source IP address and other essential event information. A simple example is investigating requests flagged as potential false positives.</p>
<p>Suppose that you have a reported false positive request that was flagged as a non-browser by <a href="https://aws.amazon.com/waf/features/bot-control/" target="_blank" rel="noopener">AWS WAF Bot Control</a>. You can run the non-browser user agent query that was created by the provided template on CloudWatch Logs Insights, as shown in the following example, and verify the source IPs for the top hits for this rule group. Or you can look for a specific request that has been flagged as a false positive, in order to review the details and make adjustments as needed.</p>
<div class="hide-language">
<pre><code class="lang-text">fields @timestamp, httpRequest.clientIp
| filter @message like "awswaf:managed:aws:bot-control:signal:non_browser_user_agent"
| parse @message '"labels":[*]' as Labels
| stats count(*) as requestCount by httpRequest.clientIp
| display @timestamp, httpRequest.clientIp, httpRequest.uri, Labels
| sort requestCount desc
| limit 10
</code></pre>
</div>
<p>The non-browser user agent query also lets you confirm whether this request has other rule hits that were in count mode and were non-terminating; you can do this by examining the labels. If there are multiple rules matching the requests, that can be an indicator of suspicious activity.</p>
<p>If you have a CAPTCHA challenge configured on the endpoint, you can also look at CAPTCHA responses. The CaptchaTokenqueryDefinition query provided in this solution uses a variation of the preceding format, and can display the main IPs from which bad tokens are being sent. An example query is shown following, along with the query results in Figure 4. If you have signals from non-browser user agents and CAPTCHA tokens missing, then that is a strong indicator of suspicious activity.</p>
<div class="hide-language">
<pre><code class="lang-text">fields @timestamp, httpRequest.clientIp
| filter captchaResponse.failureReason = "TOKEN_MISSING"
| stats count(*) as requestCount by httpRequest.clientIp, httpRequest.country
| sort requestCount desc
| limit 10
</code></pre>
</div>
<p>This information can provide an indication of the main source of activity. You can then use other visuals, like top user agents or top referrers, to provide more context to the information and inform further actions, such as adding new rules to the AWS WAF configuration.</p>
<p>You can adapt the queries provided in the sample solution to other use cases by using the fields provided in the left-hand pane of CloudWatch Logs Insights.</p>
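<p>The two queries above each surface one signal. The following is an added example, not part of the original post or the solution template: it applies both filters to exported log records and ranks the client IPs that show a non-browser user agent label and a missing CAPTCHA token, even when the two signals appear on different requests. Field names follow the AWS WAF log format; the sample records are constructed.</p>

```python
import json
from collections import defaultdict

# Label and failure reason filtered on by the two queries above.
NON_BROWSER = "awswaf:managed:aws:bot-control:signal:non_browser_user_agent"
TOKEN_MISSING = "TOKEN_MISSING"

def _rec(ip, country, uri, label=None, captcha=None):
    """Build one constructed log line using AWS WAF log field names."""
    rec = {"httpRequest": {"clientIp": ip, "country": country, "uri": uri},
           "labels": [{"name": label}] if label else []}
    if captcha:
        rec["captchaResponse"] = {"failureReason": captcha}
    return json.dumps(rec)

# Constructed sample traffic (documentation IP ranges), not real log data.
SAMPLE_LOG_LINES = [
    _rec("198.51.100.7", "US", "/signup", label=NON_BROWSER),
    _rec("198.51.100.7", "US", "/signup", label=NON_BROWSER, captcha=TOKEN_MISSING),
    _rec("198.51.100.7", "US", "/offers", captcha=TOKEN_MISSING),
    _rec("203.0.113.9", "DE", "/signup", captcha=TOKEN_MISSING),
    _rec("203.0.113.9", "DE", "/signup", captcha=TOKEN_MISSING),
    _rec("192.0.2.44", "FR", "/", label=NON_BROWSER),
    _rec("198.51.100.23", "US", "/signup", label=NON_BROWSER),
    _rec("198.51.100.23", "US", "/signup", captcha="TOKEN_EXPIRED"),
    _rec("198.51.100.23", "US", "/signup", captcha=TOKEN_MISSING),
    '{"httpRequest": {"clientIp": "198.51.100.7"',  # truncated line, skipped
]

def correlate(log_lines, limit=10):
    """Rank client IPs that show BOTH signals, even on different requests."""
    per_ip = defaultdict(lambda: {"country": None, "non_browser": 0,
                                  "token_missing": 0, "uris": set()})
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines
        req = rec.get("httpRequest") or {}
        ip = req.get("clientIp")
        labels = {lab.get("name") for lab in rec.get("labels") or []}
        non_browser = NON_BROWSER in labels
        missing = (rec.get("captchaResponse") or {}).get("failureReason") == TOKEN_MISSING
        if not ip or not (non_browser or missing):
            continue
        row = per_ip[ip]
        row["country"] = req.get("country")
        row["non_browser"] += non_browser
        row["token_missing"] += missing
        if req.get("uri"):
            row["uris"].add(req["uri"])
    hits = [{"clientIp": ip, **row, "uris": sorted(row["uris"])}
            for ip, row in per_ip.items()
            if row["non_browser"] and row["token_missing"]]
    hits.sort(key=lambda h: h["non_browser"] + h["token_missing"], reverse=True)
    return hits[:limit]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG_LINES):
        print(hit)
```

<p>IPs that show only one of the two signals are left out of the result, which keeps the list focused on the combination the post calls a strong indicator.</p>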
<h2>Cost factors</h2>
<p>Configuring AWS WAF to send logs to Amazon CloudWatch Logs doesn't have an additional cost. The cost incurred is for the use of the CloudWatch features and services, such as log storage and retention, Contributor Insights rules enabled, Logs Insights queries run, matched log events, and CloudWatch dashboards. For detailed information on the pricing of these features, see the CloudWatch Logs pricing information. You can also get an estimate of potential costs by using the AWS pricing calculator for CloudWatch.</p>
<p>One way to help offset the cost of CloudWatch features and services is to restrict the use of the dashboard and enforce a log retention policy for AWS WAF that makes it cost effective. If you use the queries and monitoring only as needed, this can also help reduce costs. To limit the running of queries and the matched log events for the Contributor Insights rules, you can enable the rules only when you need them. AWS WAF also provides the option to filter the logs that are sent when logging is enabled. For more information, see AWS WAF log filtering.</p>
<h2>Conclusion</h2>
<p>In this post, you learned how to use a pre-built CloudWatch dashboard to monitor AWS WAF activity by using metrics and Contributor Insights rules. The dashboard can help you identify traffic patterns and activity, and you can use the sample Logs Insights queries to explore the log information in more detail and examine false positives and suspicious activity, for rule tuning.</p>
<p>For more information on AWS WAF and the features mentioned in this post, see the AWS WAF documentation.</p>