4. Check the 20 most recent log entries
   fields @timestamp, @message | sort @timestamp desc | limit 20

5. Top 100 IP addresses
   fields httpRequest.clientIp | stats count(*) as requestCount by httpRequest.clientIp | sort requestCount desc | limit 100

6. Top 100 countries
   fields httpRequest.country | stats count(*) as requestCount by httpRequest.country | sort requestCount desc | limit 100

7. Try clicking through the Visualization tab and the other menus.

8. Top 100 user-agents
   fields @timestamp, @message | parse @message '{"name":"User-Agent","value":"*"}' as userAgent | stats count(*) as requestCount by userAgent | sort requestCount desc | limit 100

9. Top 100 hosts
   fields @timestamp, @message | parse @message '{"name":"Host","value":"*"}' as host | stats count(*) as requestCount by host | sort requestCount desc | limit 100

10. Top 100 terminating rules
    fields terminatingRuleId | stats count(*) as requestCount by terminatingRuleId | sort requestCount desc | limit 100

11. Find patterns that triggered Cross-Site Scripting (XSS) or SQL Injection in the terminatingRule, whether for a custom rule or an AWS Managed Rule Group
    fields @timestamp | parse @message ',"terminatingRuleMatchDetails":[*],' as terminatingRuleMatchData | filter (terminatingRuleMatchData like /XSS/ or terminatingRuleMatchData like /SQL/) | display @timestamp, httpRequest.clientIp, httpRequest.country, terminatingRuleMatchData, httpRequest.requestId | limit 100

12. Entries that are counted by a specific rule in a rule group
    fields @timestamp | filter (@message like 'excludedRules":[{"exclusionType":"EXCLUDED_AS_COUNT","ruleId":"NoUserAgent_HEADER"}]}' and @message like 'terminatingRuleId":"Default_Action"') | parse @message '"ruleId":*}]}' as ruleMatchDetails | display @timestamp, httpRequest.clientIp, httpRequest.country, ruleMatchDetails, httpRequest.requestId | limit 10

13. Checking from Log groups (metric filter patterns)
    https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html#matching-terms-events
    Blocked requests:
    { $.action = "BLOCK" }
    or, requests that were not blocked:
    { $.action != "BLOCK" }

14. Name of the blocking rule
    { $.terminatingRuleId = "AWS-AWSManagedRulesSQLiRuleSet" }

15. Blocked AND (condition) not by that blocking rule
    { ($.action = "BLOCK") && ($.terminatingRuleId != "AWS-AWSManagedRulesSQLiRuleSet") }

16. Blocked AND (condition) the requester's public IP is in China
    { ($.action = "BLOCK") && ($.httpRequest.country = "CN") }

17. Blocked OR (condition) the requester's public IP is in China
    { ($.action = "BLOCK") || ($.httpRequest.country = "CN") }

18. Specifying a client IP
    { $.httpRequest.clientIp = "1.34.148.229" }
    { $.httpRequest.clientIp = "3.7.28.224" }

19. Contributor Insights
    https://aws.amazon.com/ko/blogs/mt/analyzing-aws-waf-logs-in-amazon-cloudwatch-logs/

20. Get the top 10 terminating rule IDs - link
    {
      "AggregateOn": "Count",
      "Contribution": {
        "Filters": [],
        "Keys": [ "$.terminatingRuleId" ]
      },
      "LogFormat": "JSON",
      "LogGroupNames": [ "aws-waf-logs-test" ],
      "Schema": { "Name": "CloudWatchLogRule", "Version": 1 }
    }

21. Top 100 IP addresses blocked by rate-based rules - link
    {
      "Schema": { "Name": "CloudWatchLogRule", "Version": 1 },
      "AggregateOn": "Count",
      "Contribution": {
        "Filters": [
          { "In": [ "RATE_BASED" ], "Match": "$.terminatingRuleType" }
        ],
        "Keys": [ "$.httpRequest.clientIp" ]
      },
      "LogFormat": "JSON",
      "LogGroupNames": [ "aws-waf-logs-test" ]
    }

22. Get the top 10 IP address / URI combinations across all blocked requests (the example given above) - link
    {
      "Schema": { "Name": "CloudWatchLogRule", "Version": 1 },
      "AggregateOn": "Count",
      "Contribution": {
        "Filters": [
          { "Match": "$.action", "In": [ "BLOCK" ] }
        ],
        "Keys": [ "$.httpRequest.clientIp", "$.httpRequest.uri" ]
      },
      "LogFormat": "JSON",
      "LogGroupNames": [ "aws-waf-logs-test" ]
    }

23. Get the top 10 rules within a rule group that blocked or counted - link
    {
      "Schema": { "Name": "CloudWatchLogRule", "Version": 1 },
      "AggregateOn": "Count",
      "Contribution": {
        "Filters": [],
        "Keys": [
          "$.ruleGroupList[1].terminatingRule.ruleId",
          "$.ruleGroupList[1].terminatingRule.action"
        ]
      },
      "LogFormat": "JSON",
      "LogGroupNames": [ "aws-waf-logs-test" ]
    }

24. Logging filter: let's store only the COUNT logs!!
    Filter > change the Condition value to Count, then choose Keep in logs / Drop from logs.
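The Logs Insights aggregations of steps 5 to 12, the metric-filter patterns of steps 13 to 18 and the Contributor Insights rules of steps 20 to 23 all reduce to a few operations over the WAF log JSON: resolve a field path, filter on equality, and count by one or more keys. Checking them offline against a handful of records is a quick way to confirm a query or rule does what you think before pointing it at a real log group. The block below is an added example written for these notes, not code from AWS or from the original workshop. WAF_LOGS is constructed sample data laid out like the WAF log format (IPs, hosts and rule IDs are made up); the helper names (get_path, top_n, header_value, counted_by_rule, match_all, contributor_insights) are my own; the Contributor Insights evaluator implements only the Match/In filter operator that the page's rules use; and it treats list indexes as zero-based, which is an assumption made for the sample data, not a statement about how Contributor Insights resolves ruleGroupList[1].

```python
"""Offline re-implementation of the WAF log queries, filter patterns and
Contributor Insights rules from the notes above, run over constructed records."""
import json
from collections import Counter

# Constructed sample records in the shape of AWS WAF logs delivered to
# CloudWatch Logs. Values are made up; only the field layout is realistic.
WAF_LOGS = [
    {"action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet",
     "terminatingRuleType": "MANAGED_RULE_GROUP",
     "terminatingRuleMatchDetails": [{"conditionType": "SQL_INJECTION", "location": "QUERY_STRING"}],
     "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",
                        "terminatingRule": {"ruleId": "SQLi_QUERYARGUMENTS", "action": "BLOCK"},
                        "excludedRules": None}],
     "httpRequest": {"clientIp": "198.51.100.10", "country": "CN", "uri": "/login",
                     "headers": [{"name": "Host", "value": "shop.example"},
                                 {"name": "User-Agent", "value": "curl/8.0"}]}},
    {"action": "BLOCK", "terminatingRuleId": "RateLimit100", "terminatingRuleType": "RATE_BASED",
     "terminatingRuleMatchDetails": [], "ruleGroupList": [],
     "httpRequest": {"clientIp": "198.51.100.10", "country": "CN", "uri": "/api/items",
                     "headers": [{"name": "Host", "value": "shop.example"},
                                 {"name": "User-Agent", "value": "curl/8.0"}]}},
    # Rule fired in COUNT mode: recorded under excludedRules, request still allowed.
    {"action": "ALLOW", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
     "terminatingRuleMatchDetails": [],
     "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": None,
                        "excludedRules": [{"exclusionType": "EXCLUDED_AS_COUNT",
                                           "ruleId": "NoUserAgent_HEADER"}]}],
     "httpRequest": {"clientIp": "203.0.113.7", "country": "US", "uri": "/",
                     "headers": [{"name": "Host", "value": "shop.example"}]}},
    {"action": "ALLOW", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
     "terminatingRuleMatchDetails": [], "ruleGroupList": [],
     "httpRequest": {"clientIp": "203.0.113.7", "country": "US", "uri": "/",
                     "headers": [{"name": "Host", "value": "shop.example"},
                                 {"name": "User-Agent", "value": "Mozilla/5.0"}]}},
]


def get_path(record, path):
    """Resolve 'httpRequest.clientIp' or '$.ruleGroupList[0].terminatingRule.ruleId'.
    Missing keys, short lists and null intermediates all yield None instead of raising."""
    cur = record
    for part in (path[2:] if path.startswith("$.") else path).split("."):
        name, _, idx = part.partition("[")
        cur = cur.get(name) if isinstance(cur, dict) else None
        if idx and cur is not None:  # list index, assumed zero-based for this sample
            i = int(idx.rstrip("]"))
            cur = cur[i] if isinstance(cur, list) and i < len(cur) else None
        if cur is None:
            return None
    return cur


def top_n(records, path, n=100):
    """stats count(*) as requestCount by <field> | sort requestCount desc | limit n"""
    return Counter(get_path(r, path) for r in records).most_common(n)


def header_value(record, name):
    """Structural equivalent of parse @message '{"name":"<name>","value":"*"}'."""
    for h in get_path(record, "httpRequest.headers") or []:
        if h.get("name") == name:
            return h.get("value")
    return None


def top_headers(records, name, n=100):
    """Steps 8/9: top user-agents or hosts. Requests lacking the header count under None."""
    return Counter(header_value(r, name) for r in records).most_common(n)


def injection_hits(records):
    """Step 11: requests whose terminating rule match details mention XSS or SQL."""
    return [r for r in records
            if any(k in json.dumps(r.get("terminatingRuleMatchDetails", [])) for k in ("XSS", "SQL"))]


def counted_by_rule(records, rule_id):
    """Step 12 done on the parsed JSON rather than raw @message substrings:
    rule_id fired in COUNT mode and nothing else terminated the request."""
    def counted(r):
        return r.get("terminatingRuleId") == "Default_Action" and any(
            ex.get("exclusionType") == "EXCLUDED_AS_COUNT" and ex.get("ruleId") == rule_id
            for g in r.get("ruleGroupList") or [] for ex in g.get("excludedRules") or [])
    return [r for r in records if counted(r)]


def match_all(records, selectors):
    """Metric-filter style AND of equality tests, e.g.
    {"$.action": "BLOCK", "$.httpRequest.country": "CN"} (step 16)."""
    return [r for r in records if all(get_path(r, k) == v for k, v in selectors.items())]


def contributor_insights(rule, records):
    """Evaluate a Contributor Insights rule with AggregateOn=Count: keep records passing
    every Match/In filter, then count by the tuple of Keys (most frequent first)."""
    contrib = rule["Contribution"]
    counts = Counter()
    for r in records:
        if all(get_path(r, f["Match"]) in f["In"] for f in contrib.get("Filters", [])):
            counts[tuple(get_path(r, k) for k in contrib["Keys"])] += 1
    return counts.most_common()


# Step 22's rule, copied from the notes; LogGroupNames is ignored offline.
RULE_BLOCKED_IP_URI = {
    "Schema": {"Name": "CloudWatchLogRule", "Version": 1}, "AggregateOn": "Count",
    "Contribution": {"Filters": [{"Match": "$.action", "In": ["BLOCK"]}],
                     "Keys": ["$.httpRequest.clientIp", "$.httpRequest.uri"]},
    "LogFormat": "JSON", "LogGroupNames": ["aws-waf-logs-test"]}

if __name__ == "__main__":
    print("top IPs:", top_n(WAF_LOGS, "httpRequest.clientIp"))
    print("counted by NoUserAgent_HEADER:", len(counted_by_rule(WAF_LOGS, "NoUserAgent_HEADER")))
    print("blocked IP/URI pairs:", contributor_insights(RULE_BLOCKED_IP_URI, WAF_LOGS))
```

Two points the offline version makes visible. The step 12 query matches literal substrings of @message, so it silently stops matching if the log serialization changes (key order, whitespace, a second excluded rule in the same array); filtering on the parsed excludedRules entries, as counted_by_rule does, is the robust form. And a Contributor Insights key path that resolves to nothing (for instance ruleGroupList[1] on a request that passed through a single rule group) contributes a None key, which is why a top-N over such a key can be dominated by an empty bucket.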