
Quick Start Security for AWS WAF


Out-of-the-Box Security For AWS WAF Includes:

Dashboards - 1

Get an immediate visualization of your AWS WAF log data: actions taken, terminating rules, source countries and IPs, and requested URIs.

AWS WAF Insights

Alerts - 11

Stay on top of key AWS WAF security and performance signals. Keep everyone informed through integrations with Slack, PagerDuty and more.

Potential Cross Site Scripting (XSS) Attack

This alert triggers when the terminating rule recorded in the log is a cross-site scripting (XSS) rule. Cross-site scripting is an injection attack in which malicious scripts are injected into otherwise benign and trusted websites.

Impact: An attacker can use XSS to deliver a malicious script to an unsuspecting user. The user's browser has no way to know that the script should not be trusted and executes it. Because the script appears to come from a trusted origin, it can access any cookies, session tokens, or other sensitive information the browser holds for that site.

Mitigation: Validate the requests intercepted by the WAF. If they look suspicious, investigate further by examining the source IPs, requested URLs, and matched request components.

MITRE Tactic: TA0001 MITRE Technique: T1190

Potential Information Disclosure

This alert triggers when a successful HTTP GET request targets a URL ending in one of a set of file extensions that can carry information which should not be exposed directly to the internet. The following file extensions are detected by this alert:

Configuration files: .env, .config, .ini, .conf
Backup files: .bak, .old, .zip
Log files: .log, .txt, .log.txt
Source code files: .java, .py, .rb
Database dump files: .sql, .dump
Backup scripts: .sh, .bat, .ps1
Private keys and certificates: .pem, .key, .p12, .crt

Please note: this alert may require tuning based on how the web application is used (i.e. if it legitimately serves any of the extensions above; .txt in particular will match robots.txt on most sites). File extensions can be added or removed, and match conditions can be tuned to a lower or higher rate of occurrence to match the operation of the web application.

Impact: Information disclosure can have severe consequences for an organization and can result in a data or privacy breach.

Mitigation: Validate the requests intercepted by the WAF. If they look suspicious, investigate further by examining the source IPs, requested URLs, and whether the origin actually served the file.

MITRE Tactic: TA0001 MITRE Technique: T1190

Potential Brute Force on Login URLs

This alert triggers when a possible brute force attack is performed against a login page. Brute force attacks on login pages systematically try many combinations of usernames and passwords until a login succeeds. The technique relies on the assumption that weak or commonly used credentials can be guessed through exhaustive trial and error.

Impact: The impact depends on the success of the attack and the sensitivity of the targeted system, and can include account compromise, privilege escalation, data breach, resource exhaustion, and a weakened security posture.

Mitigation: Validate the requests intercepted by the WAF. If they look suspicious, investigate further by examining the source IPs, requested URLs, and the rate of POSTs to the login path.

MITRE Tactic: TA0006 MITRE Technique: T1110

Potential Remote File Inclusion (RFI) Attack

This alert triggers when the terminating rule recorded in the log is a Remote File Inclusion (RFI) rule. RFI attacks exploit vulnerabilities in web applications to include and execute files fetched from an external server. Attackers manipulate input parameters or file inclusion mechanisms to trick the application into loading malicious files hosted on a server they control.

Impact: Attackers can execute arbitrary code, gain unauthorized access to sensitive data, compromise the entire system, or launch further attacks. RFI attacks can disrupt the targeted application, lead to data breaches, and cause reputational damage.

Mitigation: Validate the requests intercepted by the WAF. If they look suspicious, investigate further by examining the source IPs, requested URLs, and the remote host named in the request parameters.

MITRE Tactic: TA0001 MITRE Technique: T1190

Potential SQL Injection Attack

This alert triggers when the terminating rule recorded in the log is a SQL injection rule.

Impact: SQL injection allows attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, disclose all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

Mitigation: Validate the requests intercepted by the WAF. If they look suspicious, investigate further by examining the source IPs, requested URLs, and the query arguments or body that matched.

MITRE Tactic: TA0001 MITRE Technique: T1190

Potential Local File Inclusion (LFI) Attack

This alert triggers when the terminating rule recorded in the log is a Local File Inclusion (LFI) rule. LFI is a web application vulnerability that lets an attacker include, and in some cases execute, files already present on the server. It occurs when the application does not properly validate or sanitize user input, allowing the attacker to manipulate file paths and read sensitive files.

Impact: LFI attacks can lead to unauthorized disclosure of sensitive information, remote code execution, or compromise of the server's integrity.

Mitigation: Validate the requests intercepted by the WAF. If they look suspicious, investigate further by examining the source IPs, requested URLs, and any path traversal sequences in the request.

MITRE Tactic: TA0001 MITRE Technique: T1190

Potential Code/Command Injection Attack

This alert triggers when the terminating rule recorded in the log is a command injection or code injection rule. Code injection is the general term for attacks that inject code which the application then interprets or executes; it exploits poor handling of untrusted data. Command injection aims at executing arbitrary commands on the host operating system through a vulnerable application.

Impact: In command injection, the attacker abuses functionality the application already has for running system commands, so no new code needs to be injected. In code injection, the attacker introduces their own code into the program, which the application then runs.

Mitigation: Validate the requests intercepted by the WAF. If they look suspicious, investigate further by examining the source IPs, requested URLs, and the injected payload.

MITRE Tactic: TA0001 MITRE Technique: T1190

Potential Remote Code Execution (RCE) Attack

This alert triggers when the terminating rule recorded in the log is a Remote Code Execution (RCE) rule.

Impact: Threat actors can gain initial access to a network by exploiting an RCE vulnerability in a web application.

Mitigation: Validate the requests intercepted by the WAF. If they look suspicious, investigate further by examining the source IPs, requested URLs, and the payload that matched.

MITRE Tactic: TA0001 MITRE Technique: T1190

High Volume of Bot Requests

This alert triggers on a high volume of bot requests. A bot is an autonomous program on a network that interacts with computer systems or users, imitating or replacing a human user's behavior and performing repetitive tasks. Bots fall into two categories:

1. Good bots: bots that are useful to the businesses they interact with, e.g. search engine crawlers such as Googlebot and Bingbot, or bots operated by social media platforms such as Facebook.
2. Bad bots: bots designed to perform malicious actions that ultimately harm businesses, e.g. credential stuffing bots, third-party scraping bots, spam bots, etc.

Impact: Threat actors can send a high volume of bot requests to web servers either to disrupt the normal operation of a business or to extract confidential information.

Mitigation: Check the nature of the bot. If it does not belong to the good bot category, investigate it further.

MITRE Tactic: TA0042 MITRE Technique: T1583

Potential Common Vulnerability Exploitation Attack

This alert triggers when the terminating rule recorded in the log is a known-vulnerability (CVE-based) exploit rule.

Impact: Threat actors can gain initial access to a network by exploiting known vulnerabilities in a web application.

Mitigation: Investigate further based on the CVE named in the log, including whether the targeted application is actually running the affected version.

MITRE Tactic: TA0001 MITRE Technique: T1190
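The alerts above all reduce to a few checks over the JSON records AWS WAF writes: inspect the terminating rule of a BLOCK, inspect the path of an allowed GET, count POSTs to a login path per source, and notice when records stop arriving. The following is an added example illustrating those checks together (the rule-based alerts, Potential Information Disclosure, Potential Brute Force on Login URLs and the later No Logs alert); it is not Coralogix's alert logic and not code from this page. The sample log lines are constructed, the rule-name patterns assume the naming used by AWS managed rule groups (custom rule names must be added), the login paths and the 5-requests-per-60-seconds threshold are assumptions, and "successful GET" is approximated by action == ALLOW because WAF logs do not carry the origin's status code.

```python
import json
import re
from collections import defaultdict

# Constructed sample events (not real traffic). Layout follows the AWS WAF log schema:
# epoch-millisecond timestamp, terminatingRuleId/Type, action, ruleGroupList, httpRequest.
SAMPLE_LOGS = [
    '{"timestamp":1700000000000,"terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"CrossSiteScripting_QUERYARGUMENTS","action":"BLOCK"}}],"httpRequest":{"clientIp":"203.0.113.10","uri":"/search","args":"q=<script>alert(1)</script>","httpMethod":"GET"}}',
    '{"timestamp":1700000001000,"terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":{"ruleId":"SQLi_QUERYARGUMENTS","action":"BLOCK"}}],"httpRequest":{"clientIp":"203.0.113.10","uri":"/item","args":"id=1%27%20OR%201%3D1","httpMethod":"GET"}}',
    '{"timestamp":1700000002000,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[],"httpRequest":{"clientIp":"198.51.100.7","uri":"/.env","args":"","httpMethod":"GET"}}',
    '{"timestamp":1700000003000,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[],"httpRequest":{"clientIp":"198.51.100.7","uri":"/robots.txt","args":"","httpMethod":"GET"}}',
] + [
    # ten POSTs to /login from one client within 20 seconds (constructed)
    '{"timestamp":%d,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[],"httpRequest":{"clientIp":"192.0.2.55","uri":"/login","args":"","httpMethod":"POST"}}'
    % (1700000010000 + i * 2000)
    for i in range(10)
]

# Alert name -> pattern on the terminating rule name. Assumption: rule names follow the
# AWS managed rule group scheme (CrossSiteScripting_*, SQLi_*, GenericRFI_*, GenericLFI_*,
# Log4JRCE, ...); add your own custom rule names here.
RULE_CATEGORIES = [
    ("Potential Cross Site Scripting (XSS) Attack", re.compile(r"CrossSiteScripting|XSS")),
    ("Potential SQL Injection Attack", re.compile(r"SQLi")),
    ("Potential Remote File Inclusion (RFI) Attack", re.compile(r"RFI")),
    ("Potential Local File Inclusion (LFI) Attack", re.compile(r"LFI")),
    ("Potential Remote Code Execution (RCE) Attack", re.compile(r"RCE")),
]
SENSITIVE_EXTENSIONS = (".env", ".config", ".ini", ".conf", ".bak", ".old", ".zip",
                        ".log", ".txt", ".java", ".py", ".rb", ".sql", ".dump",
                        ".sh", ".bat", ".ps1", ".pem", ".key", ".p12", ".crt")
LOGIN_PATHS = ("/login", "/signin", "/wp-login.php")  # assumption: tune per application
BRUTE_FORCE_THRESHOLD = 5        # assumption: 5 POSTs to one login path from one IP ...
BRUTE_FORCE_WINDOW_MS = 60_000   # ... inside any 60-second window


def parse(lines):
    return [json.loads(line) for line in lines]


def terminating_rule_name(event):
    """Name of the rule that ended evaluation. For a managed rule group the web ACL only
    records the group name in terminatingRuleId; the specific rule sits in ruleGroupList."""
    if event.get("terminatingRuleType") == "MANAGED_RULE_GROUP":
        for group in event.get("ruleGroupList", []):
            rule = group.get("terminatingRule")
            if rule:
                return rule.get("ruleId", "")
    return event.get("terminatingRuleId", "")


def classify_terminating_rule(event):
    """Map a blocked request to one of the rule-based alerts, or None if no rule matched."""
    if event.get("action") != "BLOCK":
        return None
    name = terminating_rule_name(event)
    for alert, pattern in RULE_CATEGORIES:
        if pattern.search(name):
            return alert
    return None


def is_information_disclosure(event):
    """Allowed GET whose path ends in a sensitive extension. 'Successful' is approximated by
    action == ALLOW; confirm against origin access logs before treating it as a leak."""
    req = event.get("httpRequest", {})
    if event.get("action") != "ALLOW" or req.get("httpMethod") != "GET":
        return False
    return req.get("uri", "").lower().endswith(SENSITIVE_EXTENSIONS)


def brute_force_sources(events):
    """(clientIp, uri) pairs with >= threshold POSTs to a login path in one sliding window."""
    by_key = defaultdict(list)
    for e in events:
        req = e.get("httpRequest", {})
        uri = req.get("uri", "").lower()
        if req.get("httpMethod") == "POST" and uri in LOGIN_PATHS:
            by_key[(req.get("clientIp"), uri)].append(e["timestamp"])
    offenders = set()
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BRUTE_FORCE_WINDOW_MS:
                start += 1          # slide the window forward
            if end - start + 1 >= BRUTE_FORCE_THRESHOLD:
                offenders.add(key)
                break
    return offenders


def logging_gap(events, now_ms, max_silence_ms=4 * 3600 * 1000):
    """True when no record has arrived within the silence window (the No Logs alert)."""
    latest = max((e["timestamp"] for e in events), default=None)
    return latest is None or now_ms - latest > max_silence_ms


def run(lines):
    """Return (alert name, client IP, URI) tuples for every alert raised on the input."""
    events = parse(lines)
    alerts = []
    for e in events:
        req = e.get("httpRequest", {})
        category = classify_terminating_rule(e)
        if category:
            alerts.append((category, req.get("clientIp"), req.get("uri")))
        if is_information_disclosure(e):
            alerts.append(("Potential Information Disclosure", req.get("clientIp"), req.get("uri")))
    for ip, uri in sorted(brute_force_sources(events)):
        alerts.append(("Potential Brute Force on Login URLs", ip, uri))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

Running it on the constructed input raises five alerts: XSS and SQLi from the two blocked requests, two information-disclosure hits, and one brute-force source. One of the disclosure hits is /robots.txt, which is exactly the tuning note above in practice: either drop .txt from the extension list or exclude well-known paths before shipping the rule.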

No Logs From AWS WAF

This alert triggers if no AWS WAF logs have arrived in the customer account in the last 4 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic adversaries use as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations. A silent log stream can also mean a misconfigured logging destination or a broken delivery pipeline, which blinds every other alert on this page.

Mitigation: Address the logging gap to restore comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005 MITRE Technique: T1562

Documentation

Learn more about Coralogix's out-of-the-box integration with AWS WAF in our documentation.
