AWS WAF

Scanner supports AWS WAF logs, which contain data about traffic that is analyzed by your web ACL. In order for Scanner to see these logs, you can configure WAF to publish these logs to S3.

Step 1: Publish web ACL traffic logs to S3

You can follow the AWS documentation to configure WAF to write web ACL traffic logs to an S3 bucket. See: Sending web ACL traffic logs to an Amazon Simple Storage Service bucket.

Step 2: Link the S3 bucket to Scanner

If you haven't done so already, link the S3 bucket containing your WAF logs to Scanner using the Linking AWS Accounts guide.

Step 3: Set up an S3 Import Rule in Scanner

  1. Within Scanner, navigate to Settings > S3 Import Rules.

  2. Click Create Rule.

  3. For Rule name, type a name like my_team_name_aws_waf_logs.

  4. For Destination Index, choose the index where you want these logs to be searchable in Scanner.

  5. For Status, set to Active if you want to start indexing the data immediately.

  6. For Source Type, we recommend aws:waf, but you are free to choose any name. However, out-of-the-box detection rules will expect aws:waf.

  7. For AWS Account, choose the account that contains the S3 bucket containing WAF logs.

  8. For S3 Bucket, choose the S3 bucket containing your WAF logs.

  9. For S3 Key Prefix, type the prefix (i.e. directory path) where WAF logs are being written. This is usually just AWSLogs/, but if you configured the flow to write to a different path, enter that path here. We will use Additional Regex to refine the selection further.

  10. Click + Additional Regex, and type: .*/WAFLogs/.*

    1. This will ensure that we only index Parquet files in the directory /WAFLogs/, and skip any files in other directories.

  11. For File type, choose JsonLines with Gzip compression.

  12. For Timestamp extractors, under Column name, type timestamp. This is the Unix timestamp indicating the time of the web ACL traffic analysis event.

  13. Click Preview rule to try it out. Check that the S3 keys you expect are appearing, and check that the log events inside are being parsed properly with the timestamp detected properly.

  14. When you're ready, click Create.

PreviousAWS VPC Transit Gateway FlowNextCloudflare

Last updated