Configure AWS WAF for Arctic Wolf monitoring
You can configure Amazon Web Services (AWS)® Web Application Firewall (WAF)® for Arctic Wolf® monitoring.
WAF logs contain detailed information about the traffic that your web access control list (ACL) analyzes. This information includes the web request timestamp, source, destination, and the action for the matching rule. Arctic Wolf analyzes the web ACL log entries whose action is Block, so that analysis is prioritized for high-risk web requests.
Note: By default, Arctic Wolf does not alert on WAF events until you indicate that you are ready to receive alerts. As a result, you can make frequent changes to your WAF rules without receiving alerts. When you have configured a stable ruleset, contact your Concierge Security® Team (CST) to enable alerts.
These resources are required:
- An AWS WAF subscription
- An active web ACL
These actions are required:
- If you would like to use, or are currently using, Amazon Kinesis Data Firehose or Amazon CloudWatch as the WAF log destination, contact your CST for further instructions.
- Complete these steps with the same account that you use to manage the web ACL:
Configure web ACL logging
Enable web ACL logging
Tip: For information from Amazon about web ACL logging, see https://docs.aws.amazon.com/waf/latest/developerguide/logging.html.
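After logging is enabled, the Block records described above can be summarized by terminating rule and client IP to judge whether the ruleset is stable before you ask the CST to enable alerts. This Python example is added here and is not Arctic Wolf or AWS code; the sample records are constructed, the field names (`timestamp`, `action`, `terminatingRuleId`, `httpRequest.clientIp`) follow the AWS WAF log format, and it assumes one JSON record per line.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records (not real traffic). Field names follow the AWS WAF
# log format; the last line is deliberately truncated to show malformed input.
SAMPLE_LOG = """\
{"timestamp": 1700000000000, "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet", "action": "BLOCK", "httpRequest": {"clientIp": "198.51.100.7", "uri": "/login", "httpMethod": "POST"}}
{"timestamp": 1700000001000, "terminatingRuleId": "Default_Action", "action": "ALLOW", "httpRequest": {"clientIp": "203.0.113.20", "uri": "/index.html", "httpMethod": "GET"}}
{"timestamp": 1700000002000, "terminatingRuleId": "rate-limit-login", "action": "BLOCK", "httpRequest": {"clientIp": "198.51.100.7", "uri": "/login", "httpMethod": "POST"}}
{"timestamp": 1700000004000, "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet", "action": "BLOCK", "httpRequest": {"clientIp": "192.0.2.44", "uri": "/search", "httpMethod": "GET"}}
{"timestamp": 1700000005000, "action": "BLO
"""


def parse_records(text):
    """Yield one dict per line, skipping blank or malformed lines."""
    for line in text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            yield record


def iso_utc(epoch_ms):
    """Convert the log's millisecond epoch timestamp to an ISO 8601 UTC string."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).isoformat()


def summarize_blocks(text):
    """Count Block records by terminating rule and by client IP."""
    blocks = [r for r in parse_records(text) if r.get("action") == "BLOCK"]
    stamps = [r["timestamp"] for r in blocks if isinstance(r.get("timestamp"), int)]
    return {
        "blocked": len(blocks),
        "by_rule": Counter(r.get("terminatingRuleId", "unknown") for r in blocks),
        "by_ip": Counter((r.get("httpRequest") or {}).get("clientIp", "unknown") for r in blocks),
        "first": iso_utc(min(stamps)) if stamps else None,
        "last": iso_utc(max(stamps)) if stamps else None,
    }


if __name__ == "__main__":
    summary = summarize_blocks(SAMPLE_LOG)
    print(summary["blocked"], "blocked between", summary["first"], "and", summary["last"])
    for rule, count in summary["by_rule"].most_common():
        print(f"  {count:4d}  {rule}")
```

A single rule or client IP that dominates the counts after a rule change is a sign that the ruleset is still producing noise and needs tuning.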