IBM Security QRadar

 View Only

#BeyondTheDSMGuide QRadar Integration with AWS Web Application Firewall (WAF)

By Wendy Willner posted Wed March 17, 2021 03:00 PM

  

Hi QRadar Community,

#BeyondTheDSMGuide QRadar Integration with AWS Web Application Firewall (WAF)

By: Amir Rached and Wendy Willner


Just stopping by to let you all know about our NEW QRadar Integration – AWS WAF!

We’ve recently expanded the scope of our AWS integrations to include the Amazon Web Services Web Application Firewall (WAF).

The Amazon AWS WAF allows users to monitor web requests to their web application and gives them the control to block or allow requests based on the users’ conditions such as the IP addresses and/or countries that the requests originate from. The AWS WAF protects web applications from common web exploits to avoid disruptions to availability, compromised security, and excessive resource consumption.

 

Our integration support “AWS WAF” and “AWS WAF Classic”. This integration leverages a brand new parser and our S3 Rest API Protocol. Our integration is initiated when the WAF receives a web request trying to access the resource that the WAF ACL is protecting. The request is then forwarded to an Amazon Kinesis Data Firehose Delivery Stream Instance which has been specified under the  “Logging and Metrics” tab within the ACL.

(As shown in the pictures below).







This Amazon Kinesis Data Firehose Delivery Stream Instance delivers the request to an S3 bucket. The bucket publishes a notification to SQS indicating that data has been added to the S3 bucket and where it is stored within the bucket. QRadar pulls the S3 notification from an SQS queue.  The notification contains information about where that data is. QRadar leverages our QRadar S3 Rest API Protocol and the notification information provided by SQS to pull the data from the S3 bucket into QRadar for analysis. The S3 notification message that QRadar pulled from the SQS, which indicated where the data was located, is then removed from the queue.





In conclusion, you can use the below diagram to better understand how our integration works.



Configuration instructions can be found here:

https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_Amazon_AWS_WAF_overview.html




Thanks for reading!

As always – Please reach out with questions

1 comment
24 views

Permalink

Comments

Peter Szczepankiewicz
Mon March 22, 2021 11:45 AM

Wendy!   Great news here.  Thank you for the post and the simple drawing.  Very clear.
tks,
s14