mirror of https://gitlab.com/curben/blog
28 lines
1.3 KiB
Markdown
28 lines
1.3 KiB
Markdown
---
|
|
title: Excessive AWS WAF Blocked Events
|
|
layout: page
|
|
date: 2025-07-27
|
|
---
|
|
|
|
Description: Track source IP with >=100 blocked events for the past hour.
|
|
Caveats: Requires custom patch to [Splunk_TA_aws](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_aws) and [Splunk_SA_CIM](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_SA_CIM)
|
|
SPL:
|
|
|
|
```spl
|
|
| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Web WHERE index="aws" source="aws:firehose:waf" Web.action="block" BY Web.src, Web.url_domain, _time span=1s
|
|
| rename "Web.*" as "*"
|
|
| eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S %z")
|
|
| stats earliest(Time) AS first_occur, sum(count) AS event_count BY src, url_domain
|
|
| where event_count>=100
|
|
```sample 20 events from each IP```
|
|
| join type=inner max=20 src
|
|
[| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Web WHERE index="aws" source="aws:firehose:waf" Web.action="block" NOT Web.uri_path IN ("/", "/favicon.ico") BY Web.src, Web.uri_path
|
|
| rename "Web.*" as "*"
|
|
| table uri_path, src]
|
|
| mvcombine uri_path
|
|
| rename uri_path AS sample_20_paths, url_domain AS Domain, src AS source_ip
|
|
| iplocation source_ip
|
|
| sort -event_count
|
|
| table first_occur, Domain, source_ip, Country, sample_20_paths, event_count
|
|
```
|