AWS Web Application Firewall V2 (Via CloudWatch)

AWS WAFv2 (Web Application Firewall Version 2) is a managed AWS service that protects web applications and Application Programming Interfaces (APIs) by monitoring the HTTP and HTTPS requests sent to them and controlling access based on conditions such as forbidden paths, IP addresses, URI strings, payload sizes, headers, country of origin, and more. Users can take advantage of built-in CAPTCHA challenges, Bot Control, AWS Managed Rules (AMRs), and custom rules to protect web apps and APIs built on or fronted by Amazon CloudFront, Amazon API Gateway REST APIs, Amazon ELBv2 Application Load Balancers, AWS AppSync GraphQL APIs, Amazon Cognito User Pools, AWS App Runner services, and AWS Verified Access instances.

Query integrates with Amazon CloudWatch Logs (for AWS WAFv2) to surface details about:

  • IP Addresses (httpRequest.clientIp)
  • Resource IDs (httpSourceId, the identifier of the protected resource, which is typically an ARN, and webaclId, which is always an ARN despite its name)

This allows analysts to quickly search for the full or partial GUIDs and ARNs of protected resources and WAFv2 Web ACLs, the IP address of a connecting client, or the User Agent if it is available.

The following Entities, Events and Objects are supported by Query for those data points. For more information about this terminology, refer to the Normalization and the Query Data Model (QDM) section of the docs or check out our QDM Schema website.

Entities:

  • IP Address (mapped to httpRequest.clientIp in the WAF Log)
  • Resource ID (mapped to httpSourceId and webaclId)

Events:

  • HTTP Activity

Objects:

  • src_endpoint
  • http_request
  • url
  • cloud
For example, the analyst could obtain the following context:

  • Searching for a suspected source IP address of malicious traffic returns any event activity the WAF recorded for that IP address.
  • Searching by an internal AWS resource returns any WAF activity targeting that internal AWS resource.
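As an added illustration of the field mapping described above (this is example code, not Query's own normalization logic), the function below parses one constructed WAFv2 CloudWatch log record and projects it onto the entities and the HTTP Activity objects named on this page; the sub-field names inside src_endpoint, http_request, url and cloud are assumed, and the resource-ID matcher shows the full-or-partial ARN/GUID search the text refers to.

```python
import json

# Constructed sample AWS WAFv2 log record as delivered to CloudWatch Logs
# (not real traffic); the top-level field names follow the AWS WAFv2 log schema.
SAMPLE_WAF_LOG = json.dumps({
    "timestamp": 1700000000000, "formatVersion": 1, "action": "BLOCK",
    "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/"
                "00000000-0000-0000-0000-000000000000",
    "terminatingRuleId": "AWSManagedRulesCommonRuleSet",
    "terminatingRuleType": "MANAGED_RULE_GROUP",
    "httpSourceName": "ALB",
    "httpSourceId": "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                    "loadbalancer/app/example-alb/0123456789abcdef",
    "httpRequest": {
        "clientIp": "203.0.113.10", "country": "US", "httpMethod": "GET",
        "httpVersion": "HTTP/1.1", "uri": "/admin/config", "args": "id=1",
        "requestId": "constructed-request-id-0001",
        "headers": [{"name": "Host", "value": "app.example.com"},
                    {"name": "User-Agent", "value": "curl/8.4.0"}],
    },
})


def _header(req: dict, name: str):
    """WAF logs carry headers as a list of {name, value}; match case-insensitively."""
    for h in req.get("headers", []):
        if h.get("name", "").lower() == name.lower():
            return h.get("value")
    return None


def normalize_waf_event(raw: str) -> dict:
    """Map one WAFv2 log line onto the HTTP Activity objects named on this page.
    Sub-field names (ip, user_agent, path, region, ...) are assumed, not Query's."""
    rec = json.loads(raw)
    req = rec["httpRequest"]
    region = rec["webaclId"].split(":")[3]  # ARN layout: arn:aws:wafv2:REGION:...
    return {
        "class": "HTTP Activity", "action": rec.get("action"),
        "src_endpoint": {"ip": req["clientIp"], "country": req.get("country")},
        "http_request": {"method": req.get("httpMethod"), "version": req.get("httpVersion"),
                         "user_agent": _header(req, "User-Agent"), "uid": req.get("requestId")},
        "url": {"hostname": _header(req, "Host"), "path": req.get("uri"), "query": req.get("args")},
        "cloud": {"provider": "AWS", "region": region},
        # Entities an analyst pivots on: the client IP plus both resource identifiers.
        "entities": {"ip": req["clientIp"], "resource_ids": [rec["httpSourceId"], rec["webaclId"]]},
    }


def matches_resource(event: dict, needle: str) -> bool:
    """True when a full or partial ARN/GUID matches either protected-resource ID."""
    return any(needle in rid for rid in event["entities"]["resource_ids"])
```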

To integrate AWS WAF, see integration documentation here. The integration