I am curious if anybody is ingesting AWS WAF logs into InsightIDR? If so, how are you ingesting them and how successful has it been?

Hi @banderson,

Anecdotally, we've had some customers successfully configure a Custom Log event source for AWS WAF logs using the S3 bucket collection method.

Using this method, the collector can read new events being written to the bucket and ingest the logs in their native JSON format. Once configured, you can leverage Dashboards and Custom Alerts to help visualize and monitor these events.


These logs would go under Raw Logs, so would any detection rules be applied in this case? Is there a way we can configure it to apply all Network Sensor rules to this custom log event source?

@bimodh_jo_mathew all Raw Logs have no pre-built detections associated with them.

And to your second question, unfortunately the only method to generate our Network Sensor rules is to deploy our Network Sensor.