Waf Charm


How to Check the AWS WAF Detection Status

*This entry was originally written in Japanese and is based on AWS WAF Classic.

Overview

We're going to take a look at the details of the requests that matched the rules in AWS WAF.
In AWS WAF, you can see sampled matched requests in the management console. The sample is updated 15 minutes after a request matches a rule, and it is only available for the 3 hours preceding the current time.

Checking the rule to block test.txt

To see the matching state, we will apply a rule (“test_text_rule01”) that blocks any request containing the string “test.txt”. When you access “http://example.com/test.txt” in your browser with this rule applied, the following page will be shown. Replace example.com with the host name in your own environment.

Because the request matched the defined rule, it has been blocked.

Let's check the log. The sampled request will appear in the AWS WAF console about 15 minutes after the request was blocked.

Follow the steps below to see the sampled requests for the Web ACL to which we've applied the rule (“test_text_rule01”).

1. Click [ WAF & Shield ]

2. Click the Web ACL (“RULE_TEST”) to which you've applied the rule.
If you are using CloudFront, set the filter to “Global (CloudFront)”. If you are using ALB, select the region the ALB is in.

3. You can see the sampled matched requests in a graph.

4. Select the rule and click [ Get new sample ].
* The time is displayed in UTC.

5. The sampled requests filtered to the selected rule will be displayed.

6. Click the triangle icon [ ▶︎ ] to see the details of the request.

That is the full flow, from a request matching a rule to checking the matched request in the sampled log.
If a rule does not behave as intended and causes false positives, the sampled requests give you the client IP, URI, method and headers of each blocked request, which is the information you need to work out what part of the request caused the false match.
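The six console steps above and the false-positive analysis at the end can also be driven from the API. The Python helper below is an added example and is not code from this post or from Waf Charm. It assumes the WAFV2 API through boto3 (where `get_sampled_requests` takes `WebAclArn`, `RuleMetricName`, `Scope`, `TimeWindow` and `MaxItems`; the WAF Classic call the post was written against takes `WebAclId` and `RuleId` instead), assumes the API keeps the same 3-hour sample window as the console, and runs the summary and triage functions against a constructed response so they work offline without AWS credentials. The `suspected_false_positives` heuristic (a BLOCK on a URI that does not contain the string the rule targets) is this example's own, not an AWS feature.

```python
"""Pull and triage AWS WAF sampled requests (hypothetical helper, not part of the blog post)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# The console keeps sampled requests for the last 3 hours (per the post); the same
# retention window is assumed for the API call.
SAMPLE_RETENTION = timedelta(hours=3)


def sample_time_window(now=None):
    """Build the TimeWindow argument covering the full retention window, in UTC.

    Times are UTC because that is what the console displays and what the API expects.
    """
    now = now or datetime.now(timezone.utc)
    return {"StartTime": now - SAMPLE_RETENTION, "EndTime": now}


def fetch_sampled_requests(web_acl_arn, rule_metric_name, scope="REGIONAL", max_items=100):
    """API equivalent of the console's [Get new sample] button for one rule (wafv2).

    scope is "CLOUDFRONT" for a CloudFront Web ACL (call it from us-east-1) or
    "REGIONAL" for an ALB Web ACL in the ALB's region. boto3 is imported lazily so
    the offline triage helpers below work without credentials.
    """
    import boto3
    client = boto3.client("wafv2")
    return client.get_sampled_requests(
        WebAclArn=web_acl_arn,
        RuleMetricName=rule_metric_name,
        Scope=scope,
        TimeWindow=sample_time_window(),
        MaxItems=max_items,
    )


def summarize_sampled_requests(response):
    """Aggregate a get_sampled_requests response by action, URI and client IP.

    Each sampled request carries a Weight (how many real requests it stands for),
    so the counters add weights rather than counting entries.
    """
    hits = response.get("SampledRequests", [])
    by_action, by_uri, by_ip = Counter(), Counter(), Counter()
    for hit in hits:
        weight = hit.get("Weight", 1)
        req = hit["Request"]
        by_action[hit["Action"]] += weight
        by_uri[req["URI"]] += weight
        by_ip[req["ClientIP"]] += weight
    return {
        "population": response.get("PopulationSize", len(hits)),
        "sampled": len(hits),
        "by_action": dict(by_action),
        "by_uri": dict(by_uri),
        "by_ip": dict(by_ip),
    }


def suspected_false_positives(response, needle):
    """Flag blocked requests whose URI does not contain the string the rule targets.

    For a rule like test_text_rule01 (block requests containing "test.txt"), a BLOCK on
    a URI without that string means the match came from somewhere else, usually a
    header. Each flagged entry lists the headers that contain the needle so the rule
    can be narrowed to the intended part of the request.
    """
    flagged = []
    for hit in response.get("SampledRequests", []):
        req = hit["Request"]
        if hit["Action"] != "BLOCK" or needle in req["URI"]:
            continue
        matched_headers = [h["Name"] for h in req.get("Headers", []) if needle in h["Value"]]
        flagged.append({"uri": req["URI"], "client_ip": req["ClientIP"],
                        "matched_in": matched_headers})
    return flagged


# Constructed sample response in the shape wafv2 get_sampled_requests returns
# (documentation-range IPs, made-up timestamps); not captured from a real account.
SAMPLE_RESPONSE = {
    "SampledRequests": [
        {"Request": {"ClientIP": "203.0.113.10", "Country": "JP", "URI": "/test.txt",
                     "Method": "GET", "HTTPVersion": "HTTP/1.1",
                     "Headers": [{"Name": "Host", "Value": "example.com"}]},
         "Weight": 1, "Timestamp": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
         "Action": "BLOCK"},
        {"Request": {"ClientIP": "203.0.113.10", "Country": "JP", "URI": "/test.txt",
                     "Method": "GET", "HTTPVersion": "HTTP/1.1",
                     "Headers": [{"Name": "Host", "Value": "example.com"}]},
         "Weight": 2, "Timestamp": datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc),
         "Action": "BLOCK"},
        # A normal page view blocked only because its Referer mentions test.txt.
        {"Request": {"ClientIP": "198.51.100.7", "Country": "US", "URI": "/index.html",
                     "Method": "GET", "HTTPVersion": "HTTP/1.1",
                     "Headers": [{"Name": "Host", "Value": "example.com"},
                                 {"Name": "Referer", "Value": "http://example.com/test.txt"}]},
         "Weight": 1, "Timestamp": datetime(2024, 1, 1, 12, 7, tzinfo=timezone.utc),
         "Action": "BLOCK"},
    ],
    "PopulationSize": 4,
    "TimeWindow": {"StartTime": datetime(2024, 1, 1, 9, 8, tzinfo=timezone.utc),
                   "EndTime": datetime(2024, 1, 1, 12, 8, tzinfo=timezone.utc)},
}


if __name__ == "__main__":
    print(summarize_sampled_requests(SAMPLE_RESPONSE))
    print(suspected_false_positives(SAMPLE_RESPONSE, "test.txt"))
```

Run it as-is to see the summary and the one flagged request from the constructed sample; to inspect a real Web ACL, call `fetch_sampled_requests(<web ACL ARN>, <rule metric name>, scope=...)` and pass the response to the same two functions. Because the sample is updated about 15 minutes after a match, a call made immediately after a test request will usually come back empty, which is expected rather than a sign the rule did not fire.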