SourcesSource TypesAWSWAF

AWS WAF Logs

AWS WAF logs provide detailed information about web requests that are analyzed by your web ACL. These logs capture information such as request details, rule matches, actions taken, and geographic data. They help administrators monitor web traffic, analyze security threats, and troubleshoot web application issues.

configure

Ingest Methods

Setup the ingestion of this source using one of the following guides.

If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.

arn:aws:sns:<REGION>:253602268883:runreveal_aws_waf

Setup

For detailed setup instructions, see the AWS WAF documentation to configure WAF logging to your S3 bucket.

Best Practices for Bucket Configuration

Single Bucket Approach

  • Recommended for most use cases: Use one S3 bucket per source type
  • Benefits: Simpler management, easier to track costs, centralized logging
  • Use case: Single AWS account or organization with moderate log volume
  • Important: RunReveal requires buckets to be unique across sources

Single Bucket with Prefixes (Multiple WAF Types)

  • Use when: You have multiple AWS WAF web ACLs and want to consolidate all logs into one bucket
  • Benefits: Centralized storage, easier cost management, single RunReveal source configuration
  • Configuration:
    1. Create one S3 bucket for all AWS WAF logs
    2. Configure each web ACL to use a unique prefix (e.g., waf-logs/webacl-1/, waf-logs/webacl-2/)
    3. Set up one RunReveal source pointing to the bucket
    4. All WAF logs from different web ACLs will be ingested automatically
  • Example bucket structure: 
    my-waf-logs-bucket/
├── waf-logs/webacl-prod/
│   ├── 2024/01/15/10/
│   └── 2024/01/15/11/
├── waf-logs/webacl-staging/
│   ├── 2024/01/15/10/
│   └── 2024/01/15/11/
└── waf-logs/webacl-dev/
    ├── 2024/01/15/10/
    └── 2024/01/15/11/

Datalake Architecture (Advanced)

  • Use when: You want to centralize multiple AWS source types in one bucket
  • Benefits: Single bucket for all AWS logs, organized by prefixes, scalable architecture
  • Configuration: Use the AWS S3 Bucket with Custom SQS method
  • Setup: Create separate SQS queues for each source type and configure S3 event notifications with prefixes
  • Example structure: 
    datalake-bucket/
├── AWSLogs/
│   └── 123456789012/
│       ├── CloudTrail/
│       ├── elasticloadbalancing/
│       └── waf-logs/
└── custom-logs/
    └── waf-logs/

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: aws_waf_logs (63 columns)

ColumnType
workspaceIDString
sourceIDString
sourceTypeString
sourceTTLUInt32
receivedAtDateTime
idString
eventTimeDateTime
eventNameString
eventIDString
srcIPString
srcASCountryCodeString
srcASNumberUInt32
srcASOrganizationString
srcCityString
srcConnectionTypeString
srcISPString
srcLatitudeFloat64
srcLongitudeFloat64
srcUserTypeString
dstIPString
dstASCountryCodeString
dstASNumberUInt32
dstASOrganizationString
dstCityString
dstConnectionTypeString
dstISPString
dstLatitudeFloat64
dstLongitudeFloat64
dstUserTypeString
actorMap(String, String)
tagsMap(String, String)
resourcesArray(String)
ColumnType
serviceNameString
enrichmentsArray(Tuple(data Map(String, String), name String, provider String, type String, value String))
readOnlyBool
rawLogString
formatVersionUInt32
webaclIdString
terminatingRuleIdString
terminatingRuleTypeString
actionString
terminatingRuleMatchDetailsString
httpSourceNameString
httpSourceIdString
ruleGroupListString
rateBasedRuleListString
nonTerminatingMatchingRulesString
requestHeadersInsertedString
responseCodeSentString
requestCountryString
requestURIString
requestArgsString
requestHTTPVersionString
requestHTTPMethodString
requestIDString
requestFragmentString
requestSchemeString
requestHostString
requestHeadersString
requestBodySizeUInt32
requestBodySizeInspectedByWAFUInt32
ja3FingerprintString
ja4FingerprintString
ALBCloudTrail