Amazon AWS WAF sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
Amazon AWS WAF sample messages when you use the Amazon AWS S3 REST API protocol
Sample 1: The following sample event message shows that Amazon AWS WAF allowed access to the underlying resource.
{"timestamp":1613576332142,"formatVersion":1,"webaclId":"webaclId","terminatingRuleId":"First_Rule","terminatingRuleType":"REGULAR","action":"ALLOW","terminatingRuleMatchDetails":[],"httpSourceName":"APIGW","httpSourceId":"11111111111111:1111111111:First_API_Gateway","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"requestHeadersInserted":null,"responseCodeSent":null,"httpRequest":{"clientIp":"10.2.173.13","country":"country","headers":[{"name":"accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"},{"name":"accept-encoding","value":"gzip, deflate, br"},{"name":"accept-language","value":"en-US,en;q=0.9"},{"name":"cache-control","value":"max-age=0"},{"name":"Host","value":"1111111111.execute-api.region.amazonaws.com"},{"name":"sec-fetch-dest","value":"document"},{"name":"sec-fetch-mode","value":"navigate"},{"name":"sec-fetch-site","value":"none"},{"name":"sec-fetch-user","value":"?1"},{"name":"upgrade-insecure-requests","value":"1"},{"name":"user-agent","value":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"},{"name":"X-Amzn-Trace-Id","value":"Root=1-111111aaaaa1111111"},{"name":"X-Forwarded-For","value":"10.2.173.13"},{"name":"X-Forwarded-Port","value":"443"},{"name":"X-Forwarded-Proto","value":"https"},{"name":"Content-Length","value":"0"},{"name":"Connection","value":"Keep-Alive"}],"uri":"/First_API_Gateway/pets","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"111111aaaa1aaa1"}}
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | ALLOW |
| Event Category | For this DSM, the value in QRadar is always AmazonAWSWAF. |
| Timestamp | 1613576332142 |
| Src IP | 10.2.173.13 |
Sample 2: The following sample event message shows that Amazon AWS WAF blocked traffic to the underlying resource.
{"timestamp":16135764421213,"formatVersion":1,"webaclId":"webaclId","terminatingRuleId":"First_Rule","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[],"httpSourceName":"APIGW","httpSourceId":"11111111111111:1111111111:First_API_Gateway","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"requestHeadersInserted":null,"responseCodeSent":null,"httpRequest":{"clientIp":"10.2.173.14","country":"country","headers":[{"name":"accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"},{"name":"accept-encoding","value":"gzip, deflate, br"},{"name":"accept-language","value":"en-US,en;q=0.9"},{"name":"cache-control","value":"max-age=0"},{"name":"Host","value":"1111111111.execute-api.region.amazonaws.com"},{"name":"sec-fetch-dest","value":"document"},{"name":"sec-fetch-mode","value":"navigate"},{"name":"sec-fetch-site","value":"none"},{"name":"sec-fetch-user","value":"?1"},{"name":"upgrade-insecure-requests","value":"1"},{"name":"user-agent","value":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"},{"name":"X-Amzn-Trace-Id","value":"Root=1-111111aaaaa1111111"},{"name":"X-Forwarded-For","value":"10.2.173.13"},{"name":"X-Forwarded-Port","value":"443"},{"name":"X-Forwarded-Proto","value":"https"},{"name":"Content-Length","value":"0"},{"name":"Connection","value":"Keep-Alive"}],"uri":"/First_API_Gateway/pets","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"111111aaaa1aaa1"}}
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | BLOCK |
| Event Category | For this DSM, the value in QRadar is always AmazonAWSWAF. |
| Timestamp | 16135764421213 |
| Src IP | 10.2.173.14 |
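The field mapping that both tables above describe, as an added Python example (not part of IBM's documentation or the QRadar DSM code): it strips the carriage-return and line-feed characters the note at the top warns about, parses one AWS WAF event, and returns the QRadar fields; the sample event and the X-Forwarded-For comparison are constructed for illustration, and the mapping itself is inferred from the tables on this page.

```python
import json

# Constructed sample in the shape of the events on this page (placeholder
# values; trimmed to the keys the field mapping below actually reads).
SAMPLE_EVENT = (
    '{"timestamp":1613576332142,"formatVersion":1,"webaclId":"webaclId",'
    '"terminatingRuleId":"First_Rule","terminatingRuleType":"REGULAR",'
    '"action":"ALLOW","httpSourceName":"APIGW",'
    '"httpRequest":{"clientIp":"10.2.173.13","country":"country",'
    '"headers":[{"name":"X-Forwarded-For","value":"10.2.173.13"}],'
    '"uri":"/First_API_Gateway/pets","httpMethod":"GET"}}'
)


def normalize_message(raw: str) -> str:
    """Strip CR/LF so a pasted, line-wrapped sample is again one JSON line,
    which is what the Important note on this page asks for."""
    return raw.replace("\r", "").replace("\n", "")


def map_to_qradar_fields(raw: str) -> dict:
    """Derive the QRadar fields shown in this page's tables from one event:
    Event ID <- action, Timestamp <- timestamp, Src IP <- httpRequest.clientIp;
    Event Category is constant for this DSM."""
    event = json.loads(normalize_message(raw))
    http = event.get("httpRequest", {})
    return {
        "Event ID": event["action"],
        "Event Category": "AmazonAWSWAF",
        "Timestamp": event["timestamp"],
        "Src IP": http.get("clientIp"),
    }


def source_ip_matches_forwarded_for(raw: str) -> bool:
    """True when the first X-Forwarded-For hop equals clientIp (or the header
    is absent). Sample 2 on this page has clientIp 10.2.173.14 but
    X-Forwarded-For 10.2.173.13: Src IP comes from clientIp, so the header
    alone is not the value to verify against."""
    event = json.loads(normalize_message(raw))
    http = event.get("httpRequest", {})
    xff = next((h["value"] for h in http.get("headers", [])
                if h["name"].lower() == "x-forwarded-for"), None)
    return xff is None or xff.split(",")[0].strip() == http.get("clientIp")


if __name__ == "__main__":
    print(map_to_qradar_fields(SAMPLE_EVENT))
```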