curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

feat(threat-hunting): Excessive AWS WAF Blocked Events

This commit is contained in:
Ming Di Leom 2025-06-30 08:52:58 +00:00
parent 1bde8ee4c6
commit 1df78c65c5
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
source/threat-hunting/index.md
View File

@ -654,6 +654,30 @@ index="proxy" url IN ("*/ests/2.1/content/*", "*/shared/1.0/content/*", "*/offic
| dedup visited_link, user
```
## Excessive AWS WAF Blocked Events
Description: Track source IP with >=100 blocked events for the past hour.
Caveats: Requires custom patch to [Splunk_TA_aws](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_aws) and [Splunk_SA_CIM](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_SA_CIM)
SPL:
```spl
| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Web WHERE index="aws" source="aws:firehose:waf" Web.action="block" BY Web.src, Web.url_domain, _time span=1s
| rename "Web.*" as "*"
| eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S %z")
| stats earliest(Time) AS first_occur, sum(count) AS event_count BY src, url_domain
| where event_count>=100
```sample 20 events from each IP```
| join type=inner max=20 src
[| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Web WHERE index="aws" source="aws:firehose:waf" Web.action="block" NOT Web.uri_path IN ("/", "/favicon.ico") BY Web.src, Web.uri_path
| rename "Web.*" as "*"
| table uri_path, src]
| mvcombine uri_path
| rename uri_path AS sample_20_paths, url_domain AS Domain, src AS source_ip
| iplocation source_ip
| sort -event_count
| table first_occur, Domain, source_ip, Country, sample_20_paths, event_count
```
## Excessive Account Lockout
Description: Track regular accounts that have been locked out >=10 for the past hour.