AWS Web Application Firewall (WAF)

Version: AWS LogForwarder v1.0.10 or later.

AWS Web Application Firewall (WAF) lets you monitor web requests forwarded to Amazon CloudFront distributions or other resources such as the Elastic Load Balancer or the API Gateway. It allows or blocks requests based on specific conditions, such as IP address allowlists or blocklists, regular expressions, and more.

Netsurion Open XDR monitors events from AWS WAF by parsing the AWS CloudTrail logs triggered from Amazon EventBridge. Its dashboards and reports track the actions performed on the AWS WAF service to keep you informed about its activity, and it triggers alerts whenever an action critical to the service is carried out.

For a new instance, integrate the AWS instance with Netsurion Open XDR using the Netsurion integrator lambda function, which in turn delivers logs from AWS to Netsurion Open XDR. For an already-integrated AWS instance, make sure to update to AWS LogForwarder v1.0.1 or later.

The following are the key Data Source Integrations available in Netsurion Open XDR.


Type | Name | Description
Security | AWS WAF – Configuration override detected | This alert is triggered whenever an exception or update is made to the WebACLs related to WAF detections.
Security | AWS WAF – Potential SSL downgrade | This alert is triggered whenever API calls are made using an obsolete or vulnerable version of SSL/TLS.
Security | AWS WAF – Rule manipulation | This alert is triggered whenever a WebACL configuration is deleted or maliciously modified.
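
A sketch of how alert conditions like those listed above could be evaluated on CloudTrail records delivered through EventBridge. This is an added example, not Netsurion's detection logic; the mapping of API calls to alert categories and the sample events are assumptions constructed for illustration.

```python
"""Added example: classify AWS WAF management events delivered by EventBridge."""

WAF_SOURCES = {"wafv2.amazonaws.com", "waf.amazonaws.com", "waf-regional.amazonaws.com"}
# Assumed mapping of API calls to alert categories (illustrative only).
OVERRIDE_CALLS = {"UpdateWebACL", "UpdateRuleGroup", "UpdateIPSet"}
MANIPULATION_CALLS = {"DeleteWebACL", "DeleteRuleGroup", "DisassociateWebACL"}
WEAK_TLS = {"TLSv1", "TLSv1.1"}  # tlsDetails.tlsVersion values older than TLS 1.2


def classify(event):
    """Return the alert categories raised by one EventBridge event (a dict)."""
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return []
    record = event.get("detail") or {}
    if record.get("eventSource") not in WAF_SOURCES:
        return []
    findings = []
    name = record.get("eventName", "")
    if name in OVERRIDE_CALLS:
        findings.append("configuration-override")
    if name in MANIPULATION_CALLS:
        findings.append("rule-manipulation")
    # tlsDetails is absent on some records, so treat it as optional.
    tls = (record.get("tlsDetails") or {}).get("tlsVersion")
    if tls in WEAK_TLS:
        findings.append("potential-ssl-downgrade")
    return findings


def _event(source, name, tls=None):
    """Build a constructed sample event; field values are not real log data."""
    detail = {"eventSource": source, "eventName": name}
    if tls:
        detail["tlsDetails"] = {"tlsVersion": tls}
    return {"detail-type": "AWS API Call via CloudTrail", "detail": detail}


SAMPLES = [
    _event("wafv2.amazonaws.com", "UpdateWebACL", "TLSv1.2"),
    _event("wafv2.amazonaws.com", "DeleteWebACL", "TLSv1.1"),
    _event("wafv2.amazonaws.com", "GetWebACL", "TLSv1.3"),
    _event("s3.amazonaws.com", "DeleteBucket", "TLSv1"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["detail"]["eventName"], classify(sample))
```

Read-only calls and events from other services return no findings, so only WAF changes and weak-TLS WAF calls are surfaced.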


Type | Name | Description
Security | AWS WAF – Activity overview | This report contains information related to all console activities concerning the AWS WAF service.
Security | AWS WAF – Traffic details | This report contains information about malicious attacks detected by the AWS WAF service.


The configuration details are consistent with Netsurion Open XDR 9.3 or later, and AWS LogForwarder v1.0.10 or later.

Download the Integration Guide and How-to Guide for configuration instructions and more information.