Web Application Firewall (WAF) Logs
Location
WAF console or logs (AWS WAF, Azure WAF, Cloudflare, Akamai, Imperva, F5 ASM, ModSecurity)
Description
Web Application Firewall logs recording HTTP request inspection results including blocked and monitored requests, matched attack signatures (SQLi, XSS, RCE, LFI), request headers, payloads, GeoIP data, and bot classification.
Forensic Value
WAF logs capture the actual attack payloads used in web application exploitation attempts, including SQL injection queries, XSS payloads, command injection strings, and path traversal sequences. Blocked request logs reveal attack techniques the adversary attempted unsuccessfully. JA3/JA3S TLS fingerprints in WAF logs identify specific attacker tools and C2 frameworks. Bot classification distinguishes automated scanning from targeted manual exploitation. Rate limiting and GeoIP logs provide additional attacker profiling data.
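
Example (added here, not part of the original entry): a per-source triage pass over WAF records that groups by client IP, separates blocked from monitored matches, uses the bot label to split automated from possibly manual activity, and links addresses that share a JA3 fingerprint. The field names and the sample records are a constructed, simplified schema and must be mapped to the actual vendor log format.

```python
import json
from collections import defaultdict

# Constructed sample records, one JSON object per line. The field names are a
# simplified, hypothetical schema; map them to your WAF vendor's real fields.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","client_ip":"198.51.100.7","country":"NL","action":"BLOCK","rule":"SQLi","ja3":"ja3-sample-a","bot":"scanner"}
{"ts":"2024-05-01T10:00:02Z","client_ip":"198.51.100.7","country":"NL","action":"BLOCK","rule":"LFI","ja3":"ja3-sample-a","bot":"scanner"}
{"ts":"2024-05-01T10:04:10Z","client_ip":"203.0.113.20","country":"BR","action":"COUNT","rule":"XSS","ja3":"ja3-sample-b","bot":null}
{"ts":"2024-05-01T10:05:30Z","client_ip":"203.0.113.20","country":"BR","action":"BLOCK","rule":"SQLi","ja3":"ja3-sample-b","bot":null}
{"ts":"2024-05-01T10:06:00Z","client_ip":"192.0.2.44","country":"US","action":"BLOCK","rule":"RCE","ja3":"ja3-sample-a","bot":"scanner"}
this line is truncated {"ts":
"""


def profile_sources(lines):
    """Summarise WAF records per client IP; returns (profiles, skipped_count)."""
    profiles = defaultdict(lambda: {"blocked": 0, "monitored": 0, "rules": set(),
                                    "ja3": set(), "countries": set(), "bot": set()})
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ip, action = rec["client_ip"], rec["action"].upper()
        except (json.JSONDecodeError, KeyError, AttributeError, TypeError):
            skipped += 1  # count damaged records instead of silently losing evidence
            continue
        p = profiles[ip]
        p["blocked" if action == "BLOCK" else "monitored"] += 1  # assumption: non-BLOCK = monitor mode
        for key, field in (("rules", "rule"), ("ja3", "ja3"),
                           ("countries", "country"), ("bot", "bot")):
            if rec.get(field):
                p[key].add(rec[field])
    return dict(profiles), skipped


def triage(profiles):
    """Label each source and link IPs that share a TLS fingerprint."""
    by_ja3 = defaultdict(set)
    for ip, p in profiles.items():
        for fp in p["ja3"]:
            by_ja3[fp].add(ip)
    return {ip: {"kind": "automated" if p["bot"] else "manual-candidate",
                 "signatures": sorted(p["rules"]),
                 "monitored_hits": p["monitored"],
                 "same_ja3_ips": sorted(set().union(*(by_ja3[f] for f in p["ja3"])) - {ip})}
            for ip, p in profiles.items()}
```

Sources with a non-zero `monitored_hits` count deserve the first look, since those requests matched a signature but were not stopped by the WAF.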