IBM Security QRadar


#BeyondTheDSMGuide Visualizing Your AWS WAF Data in QRadar Using QRadar’s Pulse Dashboards

By Wendy Willner posted Tue April 13, 2021 05:32 PM


Hi QRadar Community,

First – A big THANK YOU to Max Lewis from our Technical Sales team for sharing these dashboards with me!

A few weeks ago we released a new integration with the AWS Web Application Firewall (WAF); please see (here) for my blog post on that integration. AWS WAF lets users monitor web requests to their web application and gives them the control to block or allow requests based on conditions of their choosing, such as the IP addresses and/or countries the requests originate from. AWS WAF protects web applications from common web exploits that could disrupt availability, compromise security, or consume excessive resources.

Today I’m here to share some example Pulse dashboards, designed by my teammate Max Lewis, for visualizing your AWS WAF data using QRadar’s Pulse App. As a reminder, Pulse is QRadar’s app for data visualization. For a fantastic tutorial on using Pulse, check out Jose Bravo’s videos here and here. Official IBM documentation on using Pulse can be found here.

Please see the dashboard image below for sample visualizations of several AWS WAF activity metrics, including:

  1. The number of AWS WAF “denies” by source country
  2. The number of AWS WAF “blocks”
  3. AWS WAF activity shown geographically
  4. The HTTP methods detected by the WAF
  5. The top user agents detected by the AWS WAF
  6. The top URL paths detected by the AWS WAF

[Dashboard image: sample AWS WAF Pulse dashboard]
These charts are based on the AQL queries listed in the table below. Details on using queries to create Pulse dashboards can be found in the documentation linked above!

What dashboards have you created using Pulse?

Let me know!

Thanks,


Wendy



Chart: AWS WAF Denies by Source Country
Query:
SELECT sourcegeographiclocation as 'Source Country', COUNT(*) as 'Event Count' FROM events WHERE LOGSOURCETYPENAME(devicetype) = 'Amazon AWS WAF' GROUP BY "Source Country" ORDER BY "Event Count" DESC LIMIT 5 LAST 12 hours

Chart: Number of WAF Blocks
Query:
SELECT WAF_Action AS 'WAF Action', SUM("eventCount") AS 'Event Count (Sum)', COUNT(*) AS 'Count' from events WHERE LOGSOURCETYPENAME(devicetype) = 'Amazon AWS WAF' GROUP BY "WAF Action" order by "Event Count (Sum)" last 12 hours

Chart: WAF Map
Query:
SELECT sourceip as 'sourceIP', GEO::LOOKUP(sourceip, 'geo_json') AS 'geoSource', destinationip as 'destinationIP', magnitude as 'magnitude', GEO::LOOKUP(destinationip, 'geo_json') as 'geoDest' FROM events where LOGSOURCETYPENAME(devicetype) = 'Amazon AWS WAF' group by sourceip last 12 hours

Chart: HTTP Methods Detected by WAF
Query:
SELECT "HTTP Method", SUM("eventCount") AS 'Event Count' from events where LOGSOURCETYPENAME(devicetype) = 'Amazon AWS WAF' and "HTTP Method" is not null GROUP BY "HTTP Method" order by "Event Count" desc LIMIT 10 last 12 hours

Chart: Top User Agents Detected by WAF
Query:
SELECT "User Agent", SUM("eventCount") AS 'Event Count' from events where LOGSOURCETYPENAME(devicetype) = 'Amazon AWS WAF' and "User Agent" is not null GROUP BY "User Agent" order by "Event Count" desc LIMIT 10 last 12 hours

Chart: Top URL Paths Detected by WAF
Query:
SELECT "URL Path", SUM("eventCount") AS 'Event Count' from events where LOGSOURCETYPENAME(devicetype) = 'Amazon AWS WAF' and "URL Path" != '/' and "URL Path" is not null GROUP BY "URL Path" order by "Event Count" desc LIMIT 5 last 12 hours
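Before wiring a query into a Pulse widget it is worth running it once through QRadar's Ariel REST API and checking that the custom event properties it groups on (here "WAF Action") are actually populated, since a dashboard built on an unparsed property just renders an empty chart. The script below is an added example, not code from the post or from IBM: it reuses the "Number of WAF Blocks" query unchanged, submits it via the standard Ariel search endpoints, and folds the rows into a per-action total; the console hostname, token, and the sample result rows are constructed placeholders, and the result-row key names are assumed to match the query's column aliases.

```python
"""Run the post's 'Number of WAF Blocks' AQL query via the Ariel REST API and
check the 'WAF Action' property is populated before building a Pulse chart."""
import json
import time
import urllib.parse
import urllib.request

ARIEL = "/api/ariel/searches"

# Query taken from the post, unchanged.
WAF_BLOCKS_AQL = (
    "SELECT WAF_Action AS 'WAF Action', SUM(\"eventCount\") AS 'Event Count (Sum)', "
    "COUNT(*) AS 'Count' from events WHERE LOGSOURCETYPENAME(devicetype) = 'Amazon AWS WAF' "
    "GROUP BY \"WAF Action\" order by \"Event Count (Sum)\" last 12 hours"
)

def _get_json(url, token, method="GET"):
    # Authorized service token goes in the SEC header.
    req = urllib.request.Request(url, method=method,
                                 headers={"SEC": token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def run_aql(console, token, aql, poll_seconds=2, max_polls=60):
    """POST the search, poll its status until COMPLETED, then fetch /results."""
    base = f"https://{console}{ARIEL}"
    search = _get_json(f"{base}?query_expression={urllib.parse.quote(aql)}", token, "POST")
    for _ in range(max_polls):
        status = _get_json(f"{base}/{search['search_id']}", token)["status"]
        if status == "COMPLETED":
            return _get_json(f"{base}/{search['search_id']}/results", token)
        if status in ("ERROR", "CANCELED"):
            raise RuntimeError(f"search {search['search_id']} ended with status {status}")
        time.sleep(poll_seconds)
    raise TimeoutError("AQL search did not complete in time")

def summarize_waf_actions(results):
    """Fold result rows into {action: summed event count}. A None 'WAF Action'
    means the custom property was not parsed for those events -> 'UNPARSED'."""
    totals = {}
    for row in results.get("events", []):
        action = row.get("WAF Action") or "UNPARSED"
        totals[action] = totals.get(action, 0) + int(row.get("Event Count (Sum)") or 0)
    return totals

def ready_for_dashboard(summary):
    """True when some parsed actions exist and unparsed rows are not the majority."""
    parsed = sum(v for k, v in summary.items() if k != "UNPARSED")
    return parsed > 0 and summary.get("UNPARSED", 0) <= parsed

# Constructed sample of a /results payload for the query above (not real data).
SAMPLE_RESULTS = {"events": [
    {"WAF Action": "BLOCK", "Event Count (Sum)": 1240, "Count": 310},
    {"WAF Action": "ALLOW", "Event Count (Sum)": 9800, "Count": 2450},
    {"WAF Action": None, "Event Count (Sum)": 12, "Count": 12}]}

if __name__ == "__main__":
    # Against a live console: run_aql("qradar.example.internal", "<SEC token>", WAF_BLOCKS_AQL)
    s = summarize_waf_actions(SAMPLE_RESULTS)
    print(s, "ready for Pulse:", ready_for_dashboard(s))
```

If most rows land under UNPARSED, verify the Amazon AWS WAF log source is using the current DSM and that the custom event property is enabled before building the widget.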
