I am curious if anybody is ingesting AWS WAF logs into InsightIDR? If so, how are you ingesting them, and how successful has it been?
Hi @banderson ,
Anecdotally, we've had some customers successfully configure a Custom Log event source for AWS WAF logs using the S3 bucket collection method.
Using this method, the collector can read new events being written to the bucket and ingest the logs in their native JSON format. Once configured, you can leverage Dashboards and Custom Alerts to help visualize and monitor these events.
David
These logs would go under Raw Logs, so would any detection rules be applied in this case? Is there a way to configure it so that all network sensor rules are applied to this custom log event source?
@bimodh_jo_mathew all Raw Logs have no pre-built detections associated with them.
And to your second question, unfortunately the only method to generate our Network Sensor rules is to deploy our Network Sensor.
David
Hello team,
Assuming we need the logs to flow through CloudWatch before landing in Rapid7, what options do we have? I am aware of WAF - CloudWatch - Kinesis Firehose - S3 - Rapid
But in that case, the logs are not parsed properly by Rapid7.
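The S3 collection method above reads the WAF records in their native JSON, and the parsing problem raised in the last post is easiest to diagnose by looking at how the records are laid out inside each S3 object. As an added example (not code from the thread, Rapid7 or AWS), the script below decodes a constructed S3 object body whether the records are newline-delimited or written back-to-back, re-emits them one per line, and counts events by WAF action and terminating rule. Field names follow the AWS WAF log format; the values, the web ACL id and the rule name are made up.

```python
import json
from collections import Counter

# Constructed sample: two WAF records written back-to-back with no newline
# between them, followed by a third on its own line. Values are made up.
SAMPLE_BODY = (
    '{"timestamp":1700000000000,"formatVersion":1,"webaclId":"acl-example",'
    '"terminatingRuleId":"Default_Action","action":"ALLOW",'
    '"httpRequest":{"clientIp":"203.0.113.10","uri":"/index.html"}}'
    '{"timestamp":1700000001000,"formatVersion":1,"webaclId":"acl-example",'
    '"terminatingRuleId":"example-block-rule","action":"BLOCK",'
    '"httpRequest":{"clientIp":"198.51.100.7","uri":"/search"}}\n'
    '{"timestamp":1700000002000,"formatVersion":1,"webaclId":"acl-example",'
    '"terminatingRuleId":"Default_Action","action":"ALLOW",'
    '"httpRequest":{"clientIp":"203.0.113.10","uri":"/about"}}\n'
)


def split_records(body: str) -> list:
    """Decode every JSON object in an S3 object body, whether the records
    are newline-delimited or concatenated with no separator at all."""
    decoder = json.JSONDecoder()
    records, pos = [], 0
    while pos < len(body):
        while pos < len(body) and body[pos].isspace():  # skip separators
            pos += 1
        if pos >= len(body):
            break
        obj, end = decoder.raw_decode(body, pos)  # one object, stop at its end
        records.append(obj)
        pos = end
    return records


def to_ndjson(records: list) -> str:
    """Re-emit records one per line so a line-oriented collector sees one
    complete JSON event per line."""
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records)


def summarize(records: list) -> Counter:
    """Count events by WAF action and the rule that made the decision."""
    return Counter((r.get("action"), r.get("terminatingRuleId")) for r in records)


if __name__ == "__main__":
    recs = split_records(SAMPLE_BODY)
    print(to_ndjson(recs), end="")
    for (action, rule), n in summarize(recs).most_common():
        print(f"{action:5} {rule:25} {n}")
```

Running the same split over a real object pulled from the bucket shows whether the records arrive one per line or concatenated, which is the first thing to check when a JSON collector reports parse failures.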