[FEATURE] WAF log type support #573
This was referenced Sep 26, 2023
riysaxen-amzn pushed a commit to riysaxen-amzn/security-analytics that referenced this issue on Feb 20, 2024:
…s page. (opensearch-project#572)
* Add a details button to open the findings flyout from the correlations page. opensearch-project#564 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* Add a details button to open the findings flyout from the correlations page. opensearch-project#564 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [FEATURE] Add a details button to open the findings flyout from the correlations page. opensearch-project#564 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* fix tests Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* code review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* code review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [BUG] Wrong field mappings for the cloud trail logs opensearch-project#573 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* code review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
---------
Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
riysaxen-amzn pushed a commit to riysaxen-amzn/security-analytics that referenced this issue on Feb 20, 2024:
* Wrong field mappings for the cloud trail logs opensearch-project#573 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [BUG] Wrong field mappings for the cloud trail logs opensearch-project#573 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* [BUG] Wrong field mappings for the cloud trail logs opensearch-project#573 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* code review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
* code review Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
---------
Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
Is your feature request related to a problem?
This issue discusses the addition of waf log group support in the Security Analytics plugin. This log type will correspond to Web Application Firewall (WAF) use-cases. The role of a WAF (Web Application Firewall) is to monitor and filter HTTP traffic between a web application and the internet. It is tasked with preventing common attacks such as cross-site scripting (XSS), SQL injection (SQLi), etc. This new log type is for users who require out-of-the-box monitoring for the WAF use case from the Security Analytics plugin.
What solution would you like?
Presently, the SA plugin supports the network log group, which has a sub-section, firewall, that groups network-firewall-related rules. A network firewall controls network traffic based on IP addresses, ports, and protocols, whereas a WAF narrows control to HTTP traffic and is tailored to the behavior of web applications. Sigma rules don't have explicit out-of-the-box support for WAF rules. There are some rules in the proxy_generic and webserver_generic categories which, on an initial search, appear to be filterable into a WAF category. So the aim of this discussion is to identify the rules scattered across different categories that fit the WAF criteria.
The intent of this discussion is not to dive deep into the role of the WAFs, but to make sure that the important rules that span WAF attacks relevant to SIEM can be identified from existing SIGMA repo.
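As an added illustration of the triage described above (not code from the Security Analytics project or the Sigma repository), the script below filters Sigma rule texts by logsource category and keeps only those that match on HTTP-request fields, which separates WAF-shaped rules from IP-only proxy rules that belong with the network firewall group. The sample rules, the category set and the request-field set are constructed assumptions.

```python
import re

# Sigma logsource categories the issue names as the likely home of WAF-relevant
# rules (the proxy_generic / webserver_generic rule directories); an assumption.
WAF_SOURCE_CATEGORIES = {"proxy", "webserver"}
# Request-side field names from Sigma's web taxonomy; a WAF inspects exactly these.
HTTP_REQUEST_FIELDS = {"c-uri", "cs-uri-query", "cs-method", "cs-user-agent"}

# Constructed sample rules in Sigma's YAML layout (not rules from the Sigma repository).
SAMPLE_RULES = [
    "title: Path Traversal in Request URI\n"
    "logsource:\n    category: webserver\n"
    "detection:\n    selection:\n        c-uri|contains: '../'\n    condition: selection\n",
    "title: SQL Keywords in Query String\n"
    "logsource:\n    category: proxy\n"
    "detection:\n    selection:\n        cs-uri-query|contains: 'UNION SELECT'\n    condition: selection\n",
    "title: New Service Installed\n"
    "logsource:\n    product: windows\n    service: system\n"
    "detection:\n    selection:\n        EventID: 7045\n    condition: selection\n",
    "title: Proxy Egress to Documentation Range\n"
    "logsource:\n    category: proxy\n"
    "detection:\n    selection:\n        dst_ip|cidr: '203.0.113.0/24'\n    condition: selection\n",
]

def parse_title(rule_text: str) -> str:
    match = re.search(r"^title:\s*(.+)$", rule_text, re.M)
    return match.group(1).strip() if match else "<untitled>"

def parse_logsource(rule_text: str) -> dict:
    """Return the key/value pairs of the top-level `logsource:` block."""
    match = re.search(r"^logsource:\n((?:[ \t]+\S.*\n?)+)", rule_text, re.M)
    fields = {}
    if match:
        for line in match.group(1).splitlines():
            key, _, value = line.strip().partition(":")
            fields[key.strip()] = value.strip()
    return fields

def referenced_fields(rule_text: str) -> set:
    """Field names used inside detection selections, with Sigma modifiers (|contains) stripped."""
    return {m.group(1) for m in re.finditer(r"^ {8,}([\w.\-]+)(?:\|[\w|]+)?:", rule_text, re.M)}

def is_waf_candidate(rule_text: str) -> bool:
    """Candidate = proxy/webserver logsource AND a match on the HTTP request itself."""
    if parse_logsource(rule_text).get("category") not in WAF_SOURCE_CATEGORIES:
        return False
    return bool(referenced_fields(rule_text) & HTTP_REQUEST_FIELDS)

def select_waf_candidates(rule_texts: list) -> list:
    return [parse_title(r) for r in rule_texts if is_waf_candidate(r)]
```

Run against a checkout of the Sigma rules directory, the same filter gives a first-pass shortlist to review by hand before any rule is assigned to the proposed waf log type.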
Major Sigma rules to be added across categories:
What alternatives have you considered?
Sigma rules are not exhaustive for all WAF use-cases, and these can be further improved by introducing more use-cases, such as rules related to AWS WAF, etc.
Do you have any additional context?
Suggestions are welcome from users for more use-cases.