Editar

Compartilhar via


AWSWAF

AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. AWS WAF logs are detailed records of traffic that web access control lists (ACLs) analyze, which are essential for maintaining the security and performance of web applications.

Table attributes

Attribute Value
Resource types -
Categories Security
Solutions SecurityInsights
Basic log No
Ingestion-time transformation No
Sample Queries -

Columns

Column Type Description
Action string The terminating action taken by AWS WAF (ALLOW, BLOCK, CAPTCHA, or Challenge).
Args string The query string parameters of the request.
_BilledSize real The record size in bytes
CaptchaResponse dynamic Status of the CAPTCHA action for the request.
ChallengeResponse dynamic Status of the security challenge for the request.
ClientIp string IP address of the client making the request.
Country string Country of origin for the request.
ExcludedRules dynamic Rules excluded from evaluation in the rule group.
FormatVersion string Version of the AWS WAF log format.
Headers dynamic Headers included in the HTTP request.
HttpMethod string The HTTP method (GET, POST, etc.) of the request.
HttpRequest dynamic Metadata about the HTTP request.
HttpSourceId string ID of the associated resource (e.g., CloudFront distribution, Load Balancer).
HttpSourceName string Source of the request (e.g., CF, APIGW, ALB).
HttpVersion string HTTP version used in the request.
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
Ja3Fingerprint string JA3 fingerprint of the TLS Client Hello.
Labels dynamic Labels applied to the request by rules.
NonTerminatingMatchingRules dynamic List of rules that matched but didn't terminate the request.
OversizeFields dynamic Fields in the request that exceeded AWS WAF inspection limits.
RateBasedRuleList dynamic List of rate-based rules applied to the request.
RequestHeadersInserted dynamic Headers inserted for custom request handling.
RequestId string Request ID for the network request.
ResponseCodeSent int HTTP response code sent to the client.
RuleGroupId string ID of the rule group that matched.
RuleGroupList dynamic List of rule groups that acted on the request.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
TenantId string The Log Analytics workspace ID
TerminatingRule dynamic The rule that terminated the request. If this is present, it contains action, ruleId, ruleMatchDetails, and any additional information provided for each rule varies according factors such as the rule configuration, rule match type, and details of the match.
TerminatingRuleId string ID of the network rule that matched.
TerminatingRuleMatchDetails dynamic Details of the rule that terminated the request.
TerminatingRuleType string Type of rule that terminated the request.
TimeGenerated datetime Timestamp when the log was processed.
Type string The name of the table
Uri string The URI of the request.
WebAclId string The GUID of the web ACL applied to the request.