Splunk Lantern

Web application firewall data

Web application firewalls (WAFs) operate on layer 7 of the OSI model, and their primary focus is on securing HTTP/HTTPS traffic, preventing web application-specific attacks such as SQL injection, cross-site scripting (XSS), and OWASP Top 10 vulnerabilities.

WAF data refers to the information generated, collected, or analyzed by a web application firewall, a security solution designed to protect web applications from cyber threats. It is generated by both on-premises solutions (for example, ModSecurity) and cloud-based WAF services (for example, AWS WAF, Azure Application Gateway, Cloudflare, or Akamai). WAF data includes logs, metrics, and insights related to the detection, filtering, and mitigation of malicious traffic targeting web applications. It helps identify and analyze attack patterns for proactive mitigation, and it supports adherence to regulatory frameworks like PCI DSS, GDPR, or HIPAA. WAF data is vital for detecting and mitigating threats such as SQL injection, cross-site scripting (XSS), distributed denial-of-service (DDoS) attacks, and other application-layer attacks.

WAF data is accessed through dashboards, REST APIs, or syslog integrations. It can be integrated with SIEM (Security Information and Event Management) tools like Splunk Enterprise Security for advanced analysis. WAF data must be securely stored and transmitted, because it contains sensitive information about threats, application traffic, and user activity.

Web application firewall data typically includes:

  • Traffic inspection logs: Logs of incoming and outgoing HTTP/HTTPS requests analyzed by the WAF
  • Attack detection data: Data identifying malicious activities detected by the WAF
  • Rule match logs: Data about WAF rules triggered by incoming traffic
  • IP reputation data: Information about the reputation of IP addresses interacting with the web application
  • Bot traffic data: Data about automated traffic, including good and bad bots
  • DDoS mitigation data: Information about distributed denial-of-service (DDoS) attacks and mitigation actions
  • Geo-blocking data: Data about traffic filtered based on geographic origin
  • Policy enforcement data: Data related to security policies configured in the WAF
  • SSL/TLS data: Data about encrypted traffic and SSL/TLS protocol usage
  • False positive/false negative data: Data about potential misclassifications of traffic by the WAF
  • Session and cookie data: Data about user sessions and cookies inspected by the WAF
  • Performance metrics: Data about the operational performance of the WAF
  • Threat intelligence data: Data sourced from external feeds to enhance WAF protection
  • Compliance and reporting data: Data used for audits and compliance reporting

The Splunk Common Information Model (CIM) add-on contains a Web data model with fields that describe web server and/or proxy server data in a security or operational context.
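As an added illustration (not code from Splunk Lantern or any Splunk add-on), the block below normalizes a batch of WAF log lines in the AWS WAF JSON shape onto CIM Web data model field names and then summarizes blocked requests per matched rule, which is the "rule match log" view described above. The sample lines are constructed, the field mapping is an assumption rather than a shipped add-on's, and the `signature` name for the rule id is borrowed from the Intrusion Detection model because the Web model has no rule field.

```python
import json
from collections import Counter

# Constructed sample lines in the shape of AWS WAF web ACL logs (not real traffic);
# the last line is deliberately malformed to exercise the error path.
SAMPLE_LINES = [json.dumps(r) for r in [
    {"action": "BLOCK", "terminatingRuleId": "SQLi_QUERYARGUMENTS",
     "httpRequest": {"clientIp": "198.51.100.7", "country": "US", "httpMethod": "GET",
                     "uri": "/login", "args": "user=a'--",
                     "headers": [{"name": "Host", "value": "shop.example.com"},
                                 {"name": "User-Agent", "value": "curl/8.0"}]}},
    {"action": "ALLOW", "terminatingRuleId": "Default_Action",
     "httpRequest": {"clientIp": "203.0.113.9", "country": "DE", "httpMethod": "GET",
                     "uri": "/", "args": "", "headers": [{"name": "Host", "value": "shop.example.com"}]}},
    {"action": "BLOCK", "terminatingRuleId": "SQLi_QUERYARGUMENTS",
     "httpRequest": {"clientIp": "198.51.100.7", "country": "US", "httpMethod": "GET",
                     "uri": "/search", "args": "q=1%20OR%201%3D1",
                     "headers": [{"name": "Host", "value": "shop.example.com"}]}},
]] + ["{not json"]

def to_cim_web(record):
    """Map one AWS WAF record onto Splunk CIM Web field names (assumed mapping, not an add-on's)."""
    req = record.get("httpRequest") or {}
    headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}  # case-insensitive lookup
    return {
        "action": "blocked" if record.get("action") == "BLOCK" else "allowed",
        "src": req.get("clientIp"),
        "dest": headers.get("host"),
        "http_method": req.get("httpMethod"),
        "http_user_agent": headers.get("user-agent"),
        "uri_path": req.get("uri"),
        "uri_query": req.get("args"),
        "vendor_product": "AWS WAF",
        # CIM Web has no rule-id field; "signature" borrows the Intrusion Detection model's name.
        "signature": record.get("terminatingRuleId"),
    }

def normalize(lines):
    """Parse raw lines; a malformed line is skipped rather than allowed to abort the batch."""
    events = []
    for line in lines:
        try:
            events.append(to_cim_web(json.loads(line)))
        except (json.JSONDecodeError, TypeError, KeyError):
            continue
    return events

def blocked_by_rule(events):
    """Blocked requests per terminating rule: the 'rule match log' view of the data."""
    return Counter(e["signature"] for e in events if e["action"] == "blocked")
```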

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: 

Use cases for the Splunk platform