@ncracker
Created September 2, 2021 19:54
id: waf
metric_id: amazon-waf
# Facets: log attributes exposed for filtering and grouping.
facets:
  -
    name: Action
    source: log
    path: system.action
    groups:
      - System
  -
    name: Client IP
    source: log
    path: network.client.ip
    groups:
      - Web Access
  -
    name: Request ID
    source: log
    path: http.request_id
    groups:
      - Web Access
  -
    name: Method
    source: log
    path: http.method
    groups:
      - Web Access
  -
    name: URL Path
    source: log
    path: http.url_details.path
    groups:
      - Web Access
  -
    name: S3 Bucket
    source: log
    path: aws.s3.bucket
    groups:
      - AWS
  -
    name: Source Name
    source: log
    path: httpSourceName
    groups:
      - WAF
  -
    name: Web ACL ID
    source: log
    path: webaclId
    groups:
      - WAF
  -
    name: Source Id
    source: log
    path: httpSourceId
    groups:
      - WAF
pipeline:
  type: pipeline
  name: AWS Web Application Firewall
  enabled: true
  # Only logs tagged with source:waf enter this pipeline.
  filter:
    query: 'source:waf'
  # Each remapper moves a raw AWS WAF log field onto the attribute path
  # that the facets above read from.
  processors:
    -
      type: attribute-remapper
      name: 'Remap the client ip'
      enabled: true
      sources:
        - httpRequest.clientIp
      target: 'network.client.ip'
      preserveSource: false
      overrideOnConflict: false
    -
      type: attribute-remapper
      name: 'Remap httpRequest.uri'
      enabled: true
      sources:
        - httpRequest.uri
      target: 'http.url_details.path'
      preserveSource: false
      overrideOnConflict: false
    -
      type: attribute-remapper
      name: 'Remap httpRequest.httpMethod'
      enabled: true
      sources:
        - httpRequest.httpMethod
      target: 'http.method'
      preserveSource: false
      overrideOnConflict: false
    -
      type: attribute-remapper
      name: 'Remap httpRequest.requestId'
      enabled: true
      sources:
        - httpRequest.requestId
      target: 'http.request_id'
      preserveSource: false
      overrideOnConflict: false
    -
      type: attribute-remapper
      name: 'Remap action'
      enabled: true
      sources:
        - action
      target: 'system.action'
      preserveSource: false
      overrideOnConflict: false