The purpose of this add-on is to add value to your AWS Web Application Firewall (WAF) logs. It does so by making the logs CIM compliant, adding the tags the Enterprise Security data models expect, and shipping other knowledge objects that make the data easy to search and visualize. The add-on also includes a concise guide to getting AWS WAF logs into Splunk with AWS Kinesis Firehose (see the README for details).

+Built for Splunk Enterprise 6.x.x and higher
+Built around the JSON format emitted by AWS Kinesis Firehose

SOURCETYPE

This add-on assumes you are using the sourcetype "aws:waf". If you need a different sourcetype, copy default/nf into local/nf and change the sourcetype stanza. A source-based stanza also works if needed.

DATA FORMAT AND INGESTION PATH

This add-on requires the data to be in the JSON format produced by Kinesis Firehose. It was only tested with AWS Kinesis Firehose delivering to Splunk over HEC, which is the best-practice path. In theory you could have WAF stream to Firehose, have Firehose write JSON to an S3 bucket or SQS, and use the AWS Add-on to pull from there; as long as the events arrive in exactly the same format, there is no reason this add-on wouldn't work. I'd still recommend HEC over S3/SQS because it is more efficient and scales better.

If you want to save on license at the cost of operational awareness, you can trim out the default-allowed WAF events. Note that dropping events is an index-time operation: the filtering stanzas must live on the indexers (or the heavy forwarder) that receive the HEC traffic, not only on the search head.

If you want to map ruleGroupId to a human-readable rule name, use a lookup table driven by an automatic lookup. The lookup is a search-time knowledge object, so the search head is the only place it has to be installed:

$SPLUNK_HOME/etc/apps/TA-aws_waf/lookups/aws_waf_rule_lookup.csv
$SPLUNK_HOME/etc/apps/TA-aws_waf/local/nf
LOOKUP-aws_waf_rule_lookup = aws_waf_rule_lookup "vendor_rule" OUTPUTNEW rule

INSTALLATION AND CONFIGURATION

Search Head: Add-on Always Required (Knowledge Objects)
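The following configuration is an added worked example, not the add-on's own files, showing both the automatic rule-name lookup and an index-time filter that drops default-action ALLOW events. Assumptions, labelled in the comments: the page names the configuration file only as local/nf, and this example assumes it is props.conf because LOOKUP- and TRANSFORMS- settings belong there; the stanza names aws_waf_null_default_allow and TRANSFORMS-drop_waf_default_allow are hypothetical; the CSV rows are constructed sample data; the vendor_rule field is assumed to be populated by the add-on's own extractions; and the filter keys on the terminatingRuleId Default_Action / action ALLOW pair that AWS's sample WAF log records carry for default-action events.

```ini
# lookups/aws_waf_rule_lookup.csv (constructed sample rows; first column is the
# key the LOOKUP- line matches on, second column is the field it adds)
#   vendor_rule,rule
#   AWSManagedRulesCommonRuleSet,AWS Managed Common Rule Set
#   Default_Action,Default action (no rule matched)

# local/props.conf (assumed file name; the page lists the path only as local/nf)
[aws:waf]
# Search-time automatic lookup: for every aws:waf event, look up vendor_rule
# in the CSV and add "rule". OUTPUTNEW only sets "rule" when the event does
# not already carry one, so an explicit extraction is never overwritten.
LOOKUP-aws_waf_rule_lookup = aws_waf_rule_lookup "vendor_rule" OUTPUTNEW rule
# Index-time filter (hypothetical setting name). Runs only on the instance that
# parses the data, i.e. the indexer or heavy forwarder receiving HEC.
TRANSFORMS-drop_waf_default_allow = aws_waf_null_default_allow

# local/transforms.conf
# Lookup definition backing the LOOKUP- line above (assumed to match the CSV
# shipped in the add-on's lookups directory).
[aws_waf_rule_lookup]
filename = aws_waf_rule_lookup.csv

# Hypothetical nullQueue stanza: events matching both lookaheads are discarded
# before indexing, so they consume no license. The two lookaheads make the
# match independent of key order in the Firehose JSON; anything that is not a
# default-action ALLOW (blocks, counts, rule-group allows) is kept.
[aws_waf_null_default_allow]
REGEX = ^(?=.*"terminatingRuleId"\s*:\s*"Default_Action")(?=.*"action"\s*:\s*"ALLOW")
DEST_KEY = queue
FORMAT = nullQueue
```

After deploying and restarting the parsing tier, verify the filter with a search over newly arrived data such as `sourcetype=aws:waf terminatingRuleId=Default_Action action=ALLOW | stats count`, which should return 0, and confirm the lookup with `sourcetype=aws:waf | stats count by vendor_rule, rule`. Keep in mind that the trimmed events are gone for good: if you later need to prove that a request was allowed by the default action, that evidence will not be in Splunk.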