Amazon AWS WAF sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Amazon AWS WAF sample messages when you use the Amazon AWS S3 REST API protocol

Sample 1: The following sample event message shows that Amazon AWS WAF allowed access to the underlying resource.

{"timestamp":1613576332142,"formatVersion":1,"webaclId":"webaclId","terminatingRuleId":"First_Rule","terminatingRuleType":"REGULAR","action":"ALLOW","terminatingRuleMatchDetails":[],"httpSourceName":"APIGW","httpSourceId":"11111111111111:1111111111:First_API_Gateway","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"requestHeadersInserted":null,"responseCodeSent":null,"httpRequest":{"clientIp":"10.2.173.13","country":"country","headers":[{"name":"accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"},{"name":"accept-encoding","value":"gzip, deflate, br"},{"name":"accept-language","value":"en-US,en;q=0.9"},{"name":"cache-control","value":"max-age=0"},{"name":"Host","value":"1111111111.execute-api.region.amazonaws.com"},{"name":"sec-fetch-dest","value":"document"},{"name":"sec-fetch-mode","value":"navigate"},{"name":"sec-fetch-site","value":"none"},{"name":"sec-fetch-user","value":"?1"},{"name":"upgrade-insecure-requests","value":"1"},{"name":"user-agent","value":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"},{"name":"X-Amzn-Trace-Id","value":"Root=1-111111aaaaa1111111"},{"name":"X-Forwarded-For","value":"10.2.173.13"},{"name":"X-Forwarded-Port","value":"443"},{"name":"X-Forwarded-Proto","value":"https"},{"name":"Content-Length","value":"0"},{"name":"Connection","value":"Keep-Alive"}],"uri":"/First_API_Gateway/pets","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"111111aaaa1aaa1"}}
Table 1. Highlighted fields in the Amazon AWS WAF sample event
QRadar field name    Highlighted values in the event payload
Event ID             ALLOW
Event Category       For this DSM, the value in QRadar is always AmazonAWSWAF.
Timestamp            1613576332142
Src IP               10.2.173.13

Sample 2: The following sample event message shows that Amazon AWS WAF blocked traffic to the underlying resource.

{"timestamp":16135764421213,"formatVersion":1,"webaclId":"webaclId","terminatingRuleId":"First_Rule","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[],"httpSourceName":"APIGW","httpSourceId":"11111111111111:1111111111:First_API_Gateway","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"requestHeadersInserted":null,"responseCodeSent":null,"httpRequest":{"clientIp":"10.2.173.14","country":"country","headers":[{"name":"accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"},{"name":"accept-encoding","value":"gzip, deflate, br"},{"name":"accept-language","value":"en-US,en;q=0.9"},{"name":"cache-control","value":"max-age=0"},{"name":"Host","value":"1111111111.execute-api.region.amazonaws.com"},{"name":"sec-fetch-dest","value":"document"},{"name":"sec-fetch-mode","value":"navigate"},{"name":"sec-fetch-site","value":"none"},{"name":"sec-fetch-user","value":"?1"},{"name":"upgrade-insecure-requests","value":"1"},{"name":"user-agent","value":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"},{"name":"X-Amzn-Trace-Id","value":"Root=1-111111aaaaa1111111"},{"name":"X-Forwarded-For","value":"10.2.173.13"},{"name":"X-Forwarded-Port","value":"443"},{"name":"X-Forwarded-Proto","value":"https"},{"name":"Content-Length","value":"0"},{"name":"Connection","value":"Keep-Alive"}],"uri":"/First_API_Gateway/pets","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"111111aaaa1aaa1"}}
Table 2. Highlighted values in the Amazon AWS WAF sample event
QRadar field name    Highlighted values in the event payload
Event ID             BLOCK
Event Category       For this DSM, the value in QRadar is always AmazonAWSWAF.
Timestamp            16135764421213
Src IP               10.2.173.14
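As an added example that is not part of this IBM page, the following Python parses a WAF record in the format shown above, applies the carriage return/line feed cleanup that the Important note describes, and maps the record onto the QRadar fields that Tables 1 and 2 highlight. The record is constructed in the page's shape with the same kinds of placeholder values; the function and field names are the example's own.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the page's AWS WAF record, deliberately
# containing the carriage return / line feed characters the page warns about.
SAMPLE_RAW = (
    '{"timestamp":1613576332142,"formatVersion":1,"webaclId":"webaclId",\r\n'
    '"terminatingRuleId":"First_Rule","terminatingRuleType":"REGULAR",\r\n'
    '"action":"BLOCK","httpSourceName":"APIGW",\r\n'
    '"httpRequest":{"clientIp":"10.2.173.14","country":"country",\r\n'
    '"headers":[{"name":"Host","value":"1111111111.execute-api.region.amazonaws.com"},\r\n'
    '{"name":"X-Forwarded-For","value":"10.2.173.13"}],\r\n'
    '"uri":"/First_API_Gateway/pets","httpMethod":"GET"}}'
)

EVENT_CATEGORY = "AmazonAWSWAF"  # constant for this DSM, as the tables state


def normalize(raw: str) -> str:
    """Strip CR/LF so the record is a single line, as the page's note requires."""
    return raw.replace("\r", "").replace("\n", "")


def header(record: dict, name: str):
    """Return one request header value by name (header names are case-insensitive)."""
    for h in record.get("httpRequest", {}).get("headers", []):
        if h.get("name", "").lower() == name.lower():
            return h.get("value")
    return None


def to_qradar_fields(raw: str) -> dict:
    """Map a WAF record onto the QRadar fields listed in Tables 1 and 2."""
    rec = json.loads(normalize(raw))
    ts_ms = rec["timestamp"]  # epoch milliseconds; converted exactly, no float math
    ts = datetime.fromtimestamp(ts_ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ts_ms % 1000)
    return {
        "event_id": rec["action"],                  # ALLOW or BLOCK
        "event_category": EVENT_CATEGORY,
        "timestamp": ts_ms,
        "timestamp_utc": ts.isoformat(),
        "src_ip": rec["httpRequest"]["clientIp"],   # Src IP comes from clientIp
        "x_forwarded_for": header(rec, "x-forwarded-for"),
        "uri": rec["httpRequest"].get("uri"),
    }
```

Src IP is taken from httpRequest.clientIp exactly as the tables do; X-Forwarded-For is exposed separately because, as Sample 2 shows, the two values can differ.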