AWS Web Application Firewall (WAF)

Version: AWS LogForwarder v1.0.10 or later.

AWS Web Application Firewall (WAF) monitors web requests forwarded to Amazon CloudFront distributions or to other resources such as an Elastic Load Balancer or API Gateway. It allows or blocks requests based on specific conditions, such as IP address allowlists or blocklists, regular expressions, and more.

Netsurion's Open XDR platform monitors events from AWS WAF by parsing the AWS CloudTrail logs triggered from Amazon EventBridge. The platform's dashboards and reports track the actions performed against the AWS WAF service to keep you informed about its activities, and the platform triggers alerts whenever an action critical to the service is carried out.

For a new instance, integrate the AWS instance with Netsurion's Open XDR platform using the Netsurion integrator Lambda function, which in turn delivers logs from AWS to Netsurion. For an already-integrated AWS instance, make sure to update to AWS LogForwarder v1.0.1 or later.

Some of the Data Source Integrations available in Netsurion are listed below.

Alerts

| Type | Name | Description |
|---|---|---|
| Security | AWS WAF - Configuration override detected | This alert is triggered whenever exceptions or updates are made to the WebACLs related to WAF detections. |
| Security | AWS WAF - Potential SSL downgrade | This alert is triggered whenever API calls are made over an obsolete or vulnerable version of SSL/TLS. |
| Security | AWS WAF - Rule manipulation | This alert is triggered whenever a WebACL configuration is deleted or maliciously modified. |

Reports

| Type | Name | Description |
|---|---|---|
| Security | AWS WAF - Activity overview | This report contains information related to all console activities concerning the AWS WAF service. |
| Security | AWS WAF - Traffic details | This report contains information about malicious attacks detected by the AWS WAF service. |

Documentation

The configuration details are consistent with Netsurion version 9.3 or later, and AWS LogForwarder v1.0.10 or later.

Download the Integration Guide and How-to Guide for more information and configuration instructions.