feat(threat-hunting): Excessive AWS WAF Blocked Events

source/threat-hunting/index.md

@@ -654,6 +654,30 @@ index="proxy" url IN ("*/ests/2.1/content/*", "*/shared/1.0/content/*", "*/offic
 | dedup visited_link, user
 ```
 
+## Excessive AWS WAF Blocked Events
+
+Description: Track source IP with >=100 blocked events for the past hour.
+Caveats: Requires custom patch to [Splunk_TA_aws](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_aws) and [Splunk_SA_CIM](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_SA_CIM)
+SPL:
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Web WHERE index="aws" source="aws:firehose:waf" Web.action="block" BY Web.src, Web.url_domain, _time span=1s
+| rename "Web.*" as "*"
+| eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S %z")
+| stats earliest(Time) AS first_occur, sum(count) AS event_count BY src, url_domain
+| where event_count>=100
+```sample 20 events from each IP```
+| join type=inner max=20 src
+  [| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Web WHERE index="aws" source="aws:firehose:waf" Web.action="block" NOT Web.uri_path IN ("/", "/favicon.ico") BY Web.src, Web.uri_path
+  | rename "Web.*" as "*"
+  | table uri_path, src]
+| mvcombine uri_path
+| rename uri_path AS sample_20_paths, url_domain AS Domain, src AS source_ip
+| iplocation source_ip
+| sort -event_count
+| table first_occur, Domain, source_ip, Country, sample_20_paths, event_count
+```
+
 ## Excessive Account Lockout
 
 Description: Track regular accounts that have been locked out >=10 for the past hour.