Mappings: AWS WAF Block Logs
| Input | Value |
|---|---|
| Vendor | AWS |
| Product | WAF |
| Log Format | JSON |
| Event ID Regex Pattern | BLOCK |
| Output | Value |
|---|---|
| Vendor | Amazon AWS |
| Product | Web Application Firewall (WAF) |
| Record Type | NetworkHTTP |
| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| action | action | |
| cloud_provider | None | The static text AWS is populated in this schema field. |
| cloud_service | None | The static text Web Application Firewall is populated in this schema field. |
| dstDevice_hostname | httpRequest.headers.host | |
| dstDevice_ip | httpRequest.headers.host | |
| http_hostname | httpRequest.headers.host | |
| http_method | httpRequest.httpMethod | |
| http_referer | httpRequest.headers.referer | |
| http_url | http_url | |
| http_userAgent | httpRequest.headers.user-agent | |
| normalizedAction | None | The static text deny is populated in this schema field. |
| srcDevice_ip | httpRequest.clientIp | |
| success | None | The static text false is populated in this schema field. |