Hi QRadar Community,
First – A big THANK YOU to Max Lewis from our Technical Sales team for sharing these dashboards with me!
A few weeks ago we released a new integration with the AWS Web Application Firewall (WAF). Please see (here) for my blog post on that integration. AWS WAF lets you monitor the web requests reaching your web application and block or allow them based on conditions you define, such as the IP addresses or countries the requests originate from. It protects web applications from common web exploits that would otherwise disrupt availability, compromise security, or consume excessive resources.
Today I'm here to share some example Pulse dashboards, designed by my teammate Max Lewis, for visualizing your AWS WAF data with QRadar's Pulse App. As a reminder, Pulse is QRadar's app for data visualization. For a fantastic tutorial on using Pulse, check out Jose Bravo's videos here and here. Official IBM documentation on using Pulse can be found here.
Please see the dashboard image below for sample visualizations of several AWS WAF activity metrics, including:
- The number of AWS WAF "denies" by source country
- The number of AWS WAF "blocks", broken down by WAF action
- AWS WAF activity plotted geographically (source and destination IPs)
- The HTTP methods detected by the WAF
- The top user agents detected by the AWS WAF
- The top URL paths detected by the AWS WAF
These charts are based on AQL queries, listed in the table below. Details on using queries to create Pulse dashboards can be found in the documentation linked above! Two things to keep in mind when adapting them: most of the queries use SUM("eventCount") rather than COUNT(*) because QRadar coalesces repeated identical events into a single record whose eventCount is greater than one, so COUNT(*) reports stored records while SUM("eventCount") reports the requests the WAF actually saw; and the "Denies by Source Country" query as written counts every AWS WAF event per country, not only blocks, so add a condition on the WAF action property if you want denies alone. Adjust the LAST 12 hours window and the LIMIT values to suit your dashboard.
What dashboards have you created using Pulse?
Let me know!
Thanks,
Wendy
Chart: AWS WAF Denies by Source Country
Query: SELECT sourcegeographiclocation as 'Source Country', COUNT(*) as 'Event Count' FROM events WHERE LOGSOURCETYPENAME(devicetype) = 'Amazon AWS WAF' GROUP BY "Source Country" ORDER BY "Event Count" DESC LIMIT 5 LAST 12 hours

Chart: Number of WAF Blocks
Query: SELECT WAF_Action AS 'WAF Action', SUM("eventCount") AS 'Event Count (Sum)', COUNT(*) AS 'Count' from events WHERE LOGSOURCETYPENAME(devicetype) = 'Amazon AWS WAF' GROUP BY "WAF Action" order by "Event Count (Sum)" last 12 hours

Chart: WAF Map
Query: SELECT sourceip as 'sourceIP', GEO::LOOKUP(sourceip, 'geo_json') AS 'geoSource', destinationip as 'destinationIP', magnitude as 'magnitude' , GEO::LOOKUP(destinationip, 'geo_json') as 'geoDest' FROM events where LOGSOURCETYPENAME(devicetype) = 'Amazon AWS WAF' group by sourceip last 12 hours

Chart: HTTP Methods Detected by WAF
Query: SELECT "HTTP Method" , SUM("eventCount") AS 'Event Count' from events where LOGSOURCETYPENAME(devicetype) = 'Amazon AWS WAF' and "HTTP Method" is not null GROUP BY "HTTP Method" order by "Event Count" desc LIMIT 10 last 12 hours

Chart: Top User Agents Detected by WAF
Query: SELECT "User Agent" , SUM("eventCount") AS 'Event Count' from events where LOGSOURCETYPENAME(devicetype) = 'Amazon AWS WAF' and "User Agent" is not null GROUP BY "User Agent" order by "Event Count" desc LIMIT 10 last 12 hours

Chart: Top URL Paths Detected by WAF
Query: SELECT "URL Path" , SUM("eventCount") AS 'Event Count' from events where LOGSOURCETYPENAME(devicetype) = 'Amazon AWS WAF' and "URL Path" != '/' and "URL Path" is not null GROUP BY "URL Path" order by "Event Count" desc LIMIT 5 last 12 hours
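As an added example (not part of this post, and not QRadar or Pulse code), the Python script below computes the same counts the AQL queries above produce, but directly over raw AWS WAF JSON log records. That is useful for cross-checking a dashboard tile against the log stream the log source is ingesting. The records are constructed samples in the AWS WAF log layout (top-level action, and clientIp, country, httpMethod, uri and a headers list of name/value pairs under httpRequest); the function names are my own. events_by_country mirrors the "Denies by Source Country" query as written (all events per country) and takes an optional action filter for a true deny count; the geo map has no offline equivalent and is omitted.

```python
import json
from collections import Counter

# Constructed sample records (values made up) in the AWS WAF JSON log layout:
# one object per line, request details under "httpRequest", headers kept as a
# list of {"name","value"} pairs. Only the fields the aggregations need are set.
SAMPLE_LOG = """\
{"timestamp":1700000000000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","httpRequest":{"clientIp":"203.0.113.10","country":"US","httpMethod":"GET","uri":"/wp-login.php","headers":[{"name":"User-Agent","value":"python-requests/2.31"}]}}
{"timestamp":1700000001000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","httpRequest":{"clientIp":"203.0.113.10","country":"US","httpMethod":"POST","uri":"/wp-login.php","headers":[{"name":"User-Agent","value":"python-requests/2.31"}]}}
{"timestamp":1700000002000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"198.51.100.7","country":"DE","httpMethod":"GET","uri":"/","headers":[{"name":"User-Agent","value":"Mozilla/5.0"}]}}
{"timestamp":1700000003000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"198.51.100.7","country":"DE","httpMethod":"GET","uri":"/index.html","headers":[{"name":"User-Agent","value":"Mozilla/5.0"}]}}
{"timestamp":1700000004000,"action":"COUNT","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"192.0.2.44","country":"CN","httpMethod":"GET","uri":"/admin","headers":[{"name":"Host","value":"www.example.com"}]}}
{"timestamp":1700000005000,"action":"BLOCK","terminatingRuleId":"block-scanners","httpRequest":{"clientIp":"192.0.2.44","country":"CN","httpMethod":"GET","uri":"/.env","headers":[{"name":"user-agent","value":"curl/8.4.0"}]}}
"""


def parse_waf_log(text):
    """Parse newline-delimited AWS WAF JSON records; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def request_header(record, name):
    """Return a request header value by case-insensitive name, or None if absent.
    AWS WAF logs headers as a list of name/value objects, not a dict, and the
    client controls the casing of the name."""
    for hdr in record.get("httpRequest", {}).get("headers", []):
        if hdr.get("name", "").lower() == name.lower():
            return hdr.get("value")
    return None


def _top(values, limit):
    """Count non-null values and return the top `limit` as (value, count) pairs:
    the GROUP BY ... ORDER BY count DESC LIMIT n shape of the AQL charts.
    A limit of None returns every group."""
    counts = Counter(v for v in values if v is not None)
    return counts.most_common(limit)


def events_by_country(records, action=None, limit=5):
    """Events per source country. With action=None this matches the post's
    'Denies by Source Country' query, which counts every WAF event; pass
    action='BLOCK' to count only denied requests."""
    return _top((r["httpRequest"].get("country") for r in records
                 if action is None or r.get("action") == action), limit)


def events_by_action(records):
    """Events per WAF action (ALLOW / BLOCK / COUNT), like the 'Number of WAF Blocks' tile."""
    return _top((r.get("action") for r in records), None)


def http_methods(records, limit=10):
    return _top((r["httpRequest"].get("httpMethod") for r in records), limit)


def user_agents(records, limit=10):
    """Records without a User-Agent header are dropped, as the AQL 'is not null' filter does."""
    return _top((request_header(r, "User-Agent") for r in records), limit)


def url_paths(records, limit=5):
    """Top URIs excluding the bare '/', which the post's query filters out so
    the site root does not dominate the chart."""
    return _top((r["httpRequest"].get("uri") for r in records
                 if r["httpRequest"].get("uri") != "/"), limit)


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_LOG)
    print("by action      ", events_by_action(recs))
    print("by country     ", events_by_country(recs))
    print("blocks/country ", events_by_country(recs, action="BLOCK"))
    print("http methods   ", http_methods(recs))
    print("user agents    ", user_agents(recs))
    print("url paths      ", url_paths(recs))
```

If the numbers from a script like this disagree with a Pulse tile, the usual suspects are the time window (LAST 12 hours versus the slice of the log you exported), event coalescing (compare against SUM("eventCount"), not COUNT(*)), and custom event properties such as "User Agent" or "URL Path" that did not parse for some records and therefore fall out under the "is not null" filter.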