WafCharm

WafCharm features explained: use cases of the WAF log search feature

Table of Contents

  1. Introduction
  2. What is the WAF log search feature?
  3. Check request details by rule name
  4. Check request details by rule label
  5. Check request details by country code
  6. Conclusion

1. Introduction

WafCharm offers a feature that lets you search your WAF logs from the WafCharm Console once WAF log integration is enabled. In this blog post, we introduce some common use cases for locating specific WAF logs with the WAF log search feature.

2. What is the WAF log search feature?

The WAF log search feature is the tool to use when you want to see the details of a specific request. It is not designed to show aggregate data or overall trends, such as the total number of detections or general activity patterns; it is intended for drilling into individual requests.

For more information about this feature, please refer to the help page below.
Features available by enabling WAF log integration | About the WAF log search feature

To use the WAF log search feature, you need to enable the new WAF log integration method.

If you are using an Advanced Rule policy, please refer to How to configure WAF log integration (new method) for AWS WAF v2 Advanced.

If you are using a Legacy Rule policy, you can set it up following the instructions in How to configure access logs/WAF log integration for AWS WAF v2 Legacy.

As noted in the help pages above, if you are subscribed under the old plan, you will need to contact WafCharm Support with the WAF log destination details for each WAF Config in order to enable the new method.

Please note that there is a limit on the number of WAF logs that can be viewed per WafCharm account. If the WAF log you are looking for falls outside the searchable range, it will not appear in the search results. For example, if recent WAF logs are visible but certain older logs are missing from the results, your account has probably exceeded this limit. The exact limit depends on your subscription plan, so please refer to the help page above for details.

3. Check request details by rule name

Among the features available in WafCharm when you enable WAF log integration is the WAF log alert (detection notification) feature.

This feature sends an email notification containing partial information from the WAF logs whenever a record with a Count or Block action is found. Each notification includes the name of the rule that matched the request. If you would like to see more details about a request mentioned in a detection notification, search for it using that rule name.

For example, if you have a rule named [Rule_Name] and a request matches that rule, you can enter [Rule_Name] in the [Search text] field to display the WAF logs that were matched by that rule.

This approach assumes that the rule name can be identified in advance. It is therefore useful when you have information from a detection notification email, or when you’ve added custom rules yourself.

If the rule name cannot be identified, the next method, using labels, may be more suitable.

4. Check request details by rule label

AWS WAF can add labels to requests that match a rule; the labels are written to the WAF log record for that request and can also be referenced by rules evaluated later in the web ACL. In WafCharm, when using the Advanced Rule policy, both Bot rules and regular expression rules use this labeling mechanism to attach labels to the requests they match.

By searching with the value of this label, you can easily check what kinds of requests were detected, such as when reviewing false positives while using Count mode.

For example, if a false positive occurs in a WafCharm regular expression rule, you can enter a label such as :wafcharm:regex:{regular expression rule name} in the [Search text] field to display requests that matched that regular expression rule.

If you want to search across all regular expression rules instead of a specific one, you can simply use :wafcharm:regex: as the search keyword.

When checking detection results in Count mode, you can review the details as shown below:

  • The detected rule name appears in the list of matched rules.
  • The label section includes a label containing :wafcharm:regex:{regular expression rule name}.

In the WafCharm Console, the full WAF log record is displayed as Raw data. By reviewing its contents (for example the URI, query string, client IP and headers of the request), you can determine whether the request was legitimate. If it was normal traffic that the rule should not have matched, treat the detection as a false positive.

In such cases, you can review the detection rule and adjust its conditions to exclude this request, or other similar requests, from being matched in the future.

5. Check request details by country code

You can also search for requests sent from a specific country by entering its country code, such as [US], in the [Search text] field. If you notice an increase in requests from a particular country, search with its country code and review the matching WAF logs to identify the characteristics of those requests (paths, user agents, source IP ranges). Because a two-letter code is a very short string, confirm the country value in the Raw data of each hit before drawing conclusions from the result count.

If you have rules that use a geo match rule statement, the requests inspected by those rules receive two labels: a country label carrying the ISO country code, and a region label in the format <ISO country code>-<ISO region code>, for example US-CA. AWS WAF records these under the prefixes awswaf:clientip:geo:country: and awswaf:clientip:geo:region: respectively.

When such labels are applied, you can also narrow the search to a region by combining the country code and region code, for example [US-CA].
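The three searches above (rule name in section 3, label in section 4, country and region in section 5) all read the same fields of the AWS WAF v2 log record. The following script, an added example rather than WafCharm Console code, reproduces them offline over raw JSON-lines WAF logs, which is useful when you want to cross-check a Console result against the log files in S3 or CloudWatch Logs. The sample records are constructed; the account id, rule group name and rule names are hypothetical, and the label prefix used for the regular expression rules is a placeholder around the :wafcharm:regex: fragment the post describes. It also includes a free-text search over the raw record, which covers method, URI, client IP and Host header values.

```python
"""Offline reproduction of the WAF log search use cases (rule name, label, country
code) over raw AWS WAF v2 log records. Added example, not WafCharm Console code."""
import json

# Constructed sample records in the AWS WAF v2 JSON-lines log layout, trimmed to the
# fields used here. Account id, rule group name and rule names are hypothetical; the
# awswaf:clientip:geo:* labels follow the AWS geo match label format.
REGEX_LABEL = "awswaf:111122223333:rulegroup:example-group:wafcharm:regex:"  # hypothetical
SAMPLE_RECORDS = [
    {"timestamp": 1700000000000, "action": "BLOCK", "terminatingRuleId": "Rule_Name",
     "nonTerminatingMatchingRules": [], "ruleGroupList": [],
     "labels": [{"name": "awswaf:clientip:geo:country:US"},
                {"name": "awswaf:clientip:geo:region:US-CA"}],
     "httpRequest": {"clientIp": "192.0.2.10", "country": "US", "httpMethod": "POST",
                     "uri": "/login", "args": "", "requestId": "r1",
                     "headers": [{"name": "Host", "value": "shop.example"}]}},
    {"timestamp": 1700000001000, "action": "ALLOW", "terminatingRuleId": "Default_Action",
     "nonTerminatingMatchingRules": [{"ruleId": "Regex_Rule_A", "action": "COUNT"}],
     "ruleGroupList": [], "labels": [{"name": REGEX_LABEL + "Regex_Rule_A"}],
     "httpRequest": {"clientIp": "203.0.113.5", "country": "JP", "httpMethod": "GET",
                     "uri": "/search", "args": "q=select+1", "requestId": "r2",
                     "headers": [{"name": "Host", "value": "shop.example"}]}},
    {"timestamp": 1700000002000, "action": "ALLOW", "terminatingRuleId": "Default_Action",
     "nonTerminatingMatchingRules": [],
     "ruleGroupList": [{"ruleGroupId": "example-group", "terminatingRule": None,
                        "nonTerminatingMatchingRules": [{"ruleId": "Regex_Rule_B",
                                                         "action": "COUNT"}]}],
     "labels": [{"name": REGEX_LABEL + "Regex_Rule_B"}],
     "httpRequest": {"clientIp": "198.51.100.7", "country": "US", "httpMethod": "GET",
                     "uri": "/api/items", "args": "", "requestId": "r3",
                     "headers": [{"name": "Host", "value": "api.example"}]}},
    {"timestamp": 1700000003000, "action": "ALLOW", "terminatingRuleId": "Default_Action",
     "nonTerminatingMatchingRules": [], "ruleGroupList": [], "labels": [],
     "httpRequest": {"clientIp": "198.51.100.9", "country": "DE", "httpMethod": "GET",
                     "uri": "/", "args": "", "requestId": "r4",
                     "headers": [{"name": "Host", "value": "shop.example"}]}},
]
SAMPLE_WAF_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def parse_waf_log(text):
    """Parse JSON-lines WAF log text into records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matched_rules(rec):
    """Return (ruleId, action) for every rule that matched: the terminating rule,
    top-level COUNT matches, and matches recorded inside rule groups."""
    out = [(rec.get("terminatingRuleId"), rec.get("action"))]
    out += [(r["ruleId"], r["action"]) for r in rec.get("nonTerminatingMatchingRules") or []]
    for group in rec.get("ruleGroupList") or []:
        if group.get("terminatingRule"):
            out.append((group["terminatingRule"]["ruleId"], group["terminatingRule"]["action"]))
        out += [(r["ruleId"], r["action"]) for r in group.get("nonTerminatingMatchingRules") or []]
    return out


def is_detection(rec):
    """True when the record carries a BLOCK or COUNT match, i.e. what a detection
    notification would report."""
    return any(action in ("BLOCK", "COUNT") for _, action in matched_rules(rec))


def label_names(rec):
    return [lbl["name"] for lbl in rec.get("labels") or []]


def request_ids(records):
    return [r["httpRequest"]["requestId"] for r in records]


def search_by_rule_name(records, rule_name):
    """Section 3: exact rule name, so 'Rule_A' does not also hit 'Regex_Rule_A'."""
    return [r for r in records if any(rid == rule_name for rid, _ in matched_rules(r))]


def search_by_label(records, fragment):
    """Section 4: label substring; ':wafcharm:regex:' alone hits every regex rule."""
    return [r for r in records if any(fragment in name for name in label_names(r))]


def search_by_country(records, code):
    """Section 5: ISO country code from httpRequest.country, or a 'US-CA' style
    region code via the geo match region label."""
    return [r for r in records
            if r["httpRequest"].get("country") == code
            or any(n.endswith(":geo:region:" + code) for n in label_names(r))]


def search_text(records, text):
    """Free-text fallback: substring match over the raw JSON of each record, which
    also covers method, URI, client IP and Host header values."""
    return [r for r in records if text in json.dumps(r)]


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_WAF_LOG)
    print("detections:", request_ids([r for r in recs if is_detection(r)]))
    print("rule Rule_Name:", request_ids(search_by_rule_name(recs, "Rule_Name")))
    print("all regex rules:", request_ids(search_by_label(recs, ":wafcharm:regex:")))
    print("country US:", request_ids(search_by_country(recs, "US")))
    print("region US-CA:", request_ids(search_by_country(recs, "US-CA")))
    print("client 192.0.2.10:", request_ids(search_text(recs, "192.0.2.10")))
```

The rule name search is an exact match on ruleId while the label search is a substring match; that mirrors the difference in the post between entering a full rule name and entering the :wafcharm:regex: prefix to cover every regular expression rule at once. Records r2 and r3 both show COUNT matches that a detection notification would report even though the final action was ALLOW, which is exactly the Count mode review case described in section 4.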

6. Conclusion

In this blog post, we introduced several use cases of the WAF log search feature.

By entering a rule name or label value in the [Search text] field, you can find the WAF logs that match specific conditions. In addition to the examples above, you can also search by HTTP method, URI, client IP address, or Host header value.

We hope you’ll enable the new WAF log integration method and make use of this feature to investigate request details more effectively.