From 1df78c65c5704a310df407d345b5be22f77cbf10 Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Mon, 30 Jun 2025 08:52:58 +0000
Subject: [PATCH] feat(threat-hunting): Excessive AWS WAF Blocked Events

---
 source/threat-hunting/index.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md
index f9745c1..26e70f1 100644
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@@ -654,6 +654,30 @@ index="proxy" url IN ("*/ests/2.1/content/*", "*/shared/1.0/content/*", "*/offic
 | dedup visited_link, user
 ```
 
+## Excessive AWS WAF Blocked Events
+
+Description: Track source IP with >=100 blocked events for the past hour.
+Caveats: Requires custom patch to [Splunk_TA_aws](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_aws) and [Splunk_SA_CIM](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_SA_CIM)
+SPL:
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Web WHERE index="aws" source="aws:firehose:waf" Web.action="block" BY Web.src, Web.url_domain, _time span=1s
+| rename "Web.*" as "*"
+| eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S %z")
+| stats earliest(Time) AS first_occur, sum(count) AS event_count BY src, url_domain
+| where event_count>=100
+```sample 20 events from each IP```
+| join type=inner max=20 src
+ [| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Web WHERE index="aws" source="aws:firehose:waf" Web.action="block" NOT Web.uri_path IN ("/", "/favicon.ico") BY Web.src, Web.uri_path
+ | rename "Web.*" as "*"
+ | table uri_path, src]
+| mvcombine uri_path
+| rename uri_path AS sample_20_paths, url_domain AS Domain, src AS source_ip
+| iplocation source_ip
+| sort -event_count
+| table first_occur, Domain, source_ip, Country, sample_20_paths, event_count
+```
+
 ## Excessive Account Lockout
 
 Description: Track regular accounts that have been locked out >=10 for the past hour.
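Review bot: The inner join against a subsearch that excludes `/` and `/favicon.ico` drops every source IP whose blocked requests hit only those two paths, so a client with >=100 blocks on the site root passes the `where event_count>=100` filter but never reaches the final `table`. Using `| join type=left max=20 src` keeps those rows with an empty `sample_20_paths` instead of silently filtering a source that met the threshold. The subsearch also has no row limit of its own, so on a busy WAF it may hit the default subsearch result cap and the path samples for some IPs would be truncated or missing; that is worth a sentence on the Caveats line, e.g. `Sample paths come from a subsearch and are subject to subsearch result limits.`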