[Integrations] Add integration of WAF log (#1685)
* Add integration of WAF log

Co-authored-by: Sean Kao <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>

* Modify the mv creation options

Co-authored-by: Sean Kao <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>

* Correct the checkpoint location placeholder

Co-authored-by: Sean Kao <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>

* Correct the auto refresh config boolean

Co-authored-by: Sean Kao <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>

---------

Signed-off-by: Ryan Liang <[email protected]>
Co-authored-by: Sean Kao <[email protected]>
RyanL1997 and seankao-az authored Apr 15, 2024
1 parent 61255b7 commit acc9c8e
Showing 3 changed files with 187 additions and 2 deletions.
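--- /dev/null
+++ b/<dir not shown on page>/create_mv.sql
@@ -0,0 +1,28 @@
+CREATE MATERIALIZED VIEW {table_name}_mview AS
+SELECT
+CAST(FROM_UNIXTIME(`timestamp`/ 1000) AS TIMESTAMP) AS `@timestamp`,
+formatVersion AS `aws.waf.formatVersion`,
+webaclId AS `aws.waf.webaclId`,
+terminatingRuleId AS `aws.waf.terminatingRuleId`,
+terminatingRuleType AS `aws.waf.terminatingRuleType`,
+action AS `aws.waf.action`,
+httpSourceName AS `aws.waf.httpSourceName`,
+httpSourceId AS `aws.waf.httpSourceId`,
+ruleGroupList AS `aws.waf.ruleGroupList`,
+rateBasedRuleList AS `aws.waf.rateBasedRuleList`,
+nonTerminatingMatchingRules AS `aws.waf.nonTerminatingMatchingRules`,
+requestHeadersInserted AS `aws.waf.requestHeadersInserted`,
+responseCodeSent AS `aws.waf.responseCodeSent`,
+httpRequest AS `aws.waf.httpRequest`,
+labels AS `aws.waf.labels`,
+captchaResponse AS `aws.waf.captchaResponse`,
+challengeResponse AS `aws.waf.challengeResponse`,
+ja3Fingerprint AS `aws.waf.ja3Fingerprint`
+FROM
+{table_name}
+WITH (
+auto_refresh = true,
+checkpoint_location = '{s3_checkpoint_location}',
+watermark_delay = '1 Minute',
+extra_options = '{ "{table_name}": { "maxFilesPerTrigger": "10" }}'
+);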
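Review bot: `{table_name}` and `{s3_checkpoint_location}` are spliced into this statement as raw text — `{table_name}` as an identifier on the CREATE and FROM lines and again inside the single-quoted `extra_options` literal, `{s3_checkpoint_location}` inside the quoted `checkpoint_location` literal — so a value containing a quote, brace or whitespace would alter the statement rather than fail as a bad parameter, and identifiers cannot be bound as placeholders anyway. Whatever renders this template presumably validates these values, but nothing in the file states that contract; a header comment such as `-- {table_name} must be a plain identifier and {s3_checkpoint_location} a quote-free path; both are substituted verbatim before execution` would make it visible to the next maintainer. The same applies to `{s3_bucket_location}` in the CREATE EXTERNAL TABLE file of this commit. Separately, the view projects every top-level column of that table except `terminatingRuleMatchDetails`; if the omission is deliberate, a one-line comment saying why would save the reader from re-deriving it.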
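--- /dev/null
+++ b/<dir not shown on page>/create_table.sql
@@ -0,0 +1,128 @@
+CREATE EXTERNAL TABLE {table_name} (
+`timestamp` bigint,
+`formatVersion` int,
+`webaclId` string,
+`terminatingRuleId` string,
+`terminatingRuleType` string,
+`action` string,
+`terminatingRuleMatchDetails` array <
+struct <
+conditionType: string,
+sensitivityLevel: string,
+location: string,
+matchedData: array < string >
+>
+>,
+`httpSourceName` string,
+`httpSourceId` string,
+`ruleGroupList` array <
+struct <
+ruleGroupId: string,
+terminatingRule: struct <
+ruleId: string,
+action: string,
+ruleMatchDetails: array <
+struct <
+conditionType: string,
+sensitivityLevel: string,
+location: string,
+matchedData: array < string >
+>
+>
+>,
+nonTerminatingMatchingRules: array <
+struct <
+ruleId: string,
+action: string,
+overriddenAction: string,
+ruleMatchDetails: array <
+struct <
+conditionType: string,
+sensitivityLevel: string,
+location: string,
+matchedData: array < string >
+>
+>,
+challengeResponse: struct <
+responseCode: string,
+solveTimestamp: string
+>,
+captchaResponse: struct <
+responseCode: string,
+solveTimestamp: string
+>
+>
+>,
+excludedRules: string
+>
+>,
+`rateBasedRuleList` array <
+struct <
+rateBasedRuleId: string,
+limitKey: string,
+maxRateAllowed: int
+>
+>,
+`nonTerminatingMatchingRules` array <
+struct <
+ruleId: string,
+action: string,
+ruleMatchDetails: array <
+struct <
+conditionType: string,
+sensitivityLevel: string,
+location: string,
+matchedData: array < string >
+>
+>,
+challengeResponse: struct <
+responseCode: string,
+solveTimestamp: string
+>,
+captchaResponse: struct <
+responseCode: string,
+solveTimestamp: string
+>
+>
+>,
+`requestHeadersInserted` array <
+struct <
+name: string,
+value: string
+>
+>,
+`responseCodeSent` string,
+`httpRequest` struct <
+clientIp: string,
+country: string,
+headers: array <
+struct <
+name: string,
+value: string
+>
+>,
+uri: string,
+args: string,
+httpVersion: string,
+httpMethod: string,
+requestId: string
+>,
+`labels` array <
+struct <
+name: string
+>
+>,
+`captchaResponse` struct <
+responseCode: string,
+solveTimestamp: string,
+failureReason: string
+>,
+`challengeResponse` struct <
+responseCode: string,
+solveTimestamp: string,
+failureReason: string
+>,
+`ja3Fingerprint` string
+)
+USING json
+LOCATION '{s3_bucket_location}'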
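Review bot: The statement ends without a terminating semicolon after `LOCATION '{s3_bucket_location}'`, while the materialized-view file in this commit closes its statement with `);`; the two query assets should agree, so either add the `;` here or drop it there. The `timestamp` column would also benefit from a unit comment, since the view converts it with `/ 1000` before casting to TIMESTAMP: `timestamp bigint, -- epoch milliseconds; the materialized view divides by 1000`. The `conditionType`/`sensitivityLevel`/`location`/`matchedData` struct is spelled out four times (under `terminatingRuleMatchDetails`, both `ruleMatchDetails` inside `ruleGroupList`, and the top-level `nonTerminatingMatchingRules`); that repetition is unavoidable in DDL, but a comment above the first occurrence noting that all four must be kept identical when the schema changes would reduce drift.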
Expand Up @@ -5,9 +5,23 @@
"description": "Analyze AWS WAF web ACL traffic.",
"license": "Apache-2.0",
"type": "logs_waf",
"labels": ["Observability", "Logs", "AWS", "Cloud"],
"labels": ["Observability", "Logs", "AWS", "Cloud", "Flint S3"],
"author": "OpenSearch",
"sourceUrl": "https://github.com/opensearch-project/dashboards-observability/tree/main/server/adaptors/integrations/__data__/repository/aws_waf/info",
"workflows": [
{
"name": "queries",
"label": "Queries (recommended)",
"description": "Tables and pre-written queries for quickly getting insights on your data.",
"enabled_by_default": true
},
{
"name": "dashboards",
"label": "Dashboards & Visualizations",
"description": "Dashboards and indices that enable you to easily visualize important metrics.",
"enabled_by_default": false
}
],
"statics": {
"logo": {
"annotation": "AWS WAF Logo",
Expand Down Expand Up @@ -43,7 +57,22 @@
"name": "aws_waf",
"version": "1.0.0",
"extension": "ndjson",
"type": "savedObjectBundle"
"type": "savedObjectBundle",
"workflows": ["dashboards"]
},
{
"name": "create_table",
"version": "1.0.0",
"extension": "sql",
"type": "query"
},
{
"name": "create_mv",
"version": "1.0.0",
"extension": "sql",
"type": "query",
"workflows": ["dashboards"]

}
],
"sampleData": {
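Review bot: The added `create_mv` asset object carries a stray blank line between `"workflows": ["dashboards"]` and its closing `}`; drop it so the entry is formatted like the `aws_waf` and `create_table` entries beside it. `create_table` is also the only asset in this list without a `"workflows"` key; if an absent key means the table is created under every workflow while the view is dashboards-only, that is presumably the intent, but it is worth confirming against how the workflow filter treats a missing key, since the "queries" workflow description is the only hint in this file.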