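/* Reference: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html */
/*
 * LogScale parser for AWS WAF web ACL logs.
 * Input: one JSON log record per event. Output: the raw record under the
 * "Vendor." prefix plus ECS-style normalized fields (event.*, source.*,
 * http.*, network.*, url.*, rule.*).
 */
// #region PREPARSE
/************************************************************
 ****** Parse timestamp and log headers
 ****** Extract message field for parsing
 ****** Parse structured data
 ************************************************************/
// Every JSON key lands under "Vendor."; empty values are skipped and JSON
// nulls are discarded, so any Vendor.* field referenced below may be absent.
parseJson(prefix="Vendor.", excludeEmpty="true", handleNull="discard")
// WAF records carry an epoch-milliseconds timestamp.
| parseTimestamp(field=Vendor.timestamp, format="milliseconds")
// #endregion

// #region METADATA
/************************************************************
 ****** Static Metadata Definitions
 ************************************************************/
| Parser.version := "1.1.2"
| Vendor := "aws"
| event.module := "waf"
| ecs.version := "8.17.0"
| Cps.version := "1.0.0"
// #endregion

// #region NORMALIZATION
/************************************************************
 ****** Parse unstructured data (i.e. message field)
 ****** Normalize fields to data model
 ************************************************************/
| array:append(array="event.category[]", values=["web"])
| array:append(array="event.type[]", values=["access"])
| event.action := Vendor.action
| event.kind := "event"
// Map the WAF verdict onto event.type. The "* => *" default keeps events
// with any other action (or no action) instead of dropping them.
| event.action match {
    "ALLOW" => array:append(array="event.type[]", values=["allowed"]);
    "BLOCK" => array:append(array="event.type[]", values=["denied"]);
    * => *;
  }
// *** source fields
| source.ip := Vendor.httpRequest.clientIp
| source.geo.country_iso_code := Vendor.httpRequest.country
// *** http fields
| http.request.id := Vendor.httpRequest.requestId
| http.request.method := Vendor.httpRequest.httpMethod
// Split e.g. "HTTP/1.1" into network.protocol ("HTTP") and http.version ("1.1").
// The named capture groups were missing their names in the previous revision
// ("(?\S+)"), which is not valid regex syntax; network.protocol is the name the
// lower() step below relies on, http.version is the ECS field for the second
// group. NOTE(review): this is a filter-style match, so an event whose
// httpVersion is absent or does not match "<proto>/<version>" is dropped here.
| Vendor.httpRequest.httpVersion = /^(?<network.protocol>\S+)\/(?<http.version>\S+)/
// *** network fields
| network.protocol := lower(network.protocol)
// Only plain "http" is given a transport; all other values pass through unchanged.
| case { network.protocol = "http" | network.transport := "tcp"; *}
// *** url fields
| url.query := Vendor.httpRequest.args
| url.path := Vendor.httpRequest.uri
// *** rule fields
| rule.id := Vendor.terminatingRuleId
| rule.ruleset := Vendor.terminatingRuleType
// #endregion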