Web Application Firewall (WAF) Logs
Location
WAF console or logs (AWS WAF, Azure WAF, Cloudflare, Akamai, Imperva, F5 ASM, ModSecurity)
Description
Web Application Firewall logs recording HTTP request inspection results including blocked and monitored requests, matched attack signatures (SQLi, XSS, RCE, LFI), request headers, payloads, GeoIP data, and bot classification.
Forensic Value
WAF logs capture the actual attack payloads used in web application exploitation attempts, including SQL injection queries, XSS payloads, command injection strings, and path traversal sequences. Blocked request logs reveal attack techniques the adversary attempted unsuccessfully. JA3/JA3S TLS fingerprints in WAF logs identify specific attacker tools and C2 frameworks. Bot classification distinguishes automated scanning from targeted manual exploitation. Rate limiting and GeoIP logs provide additional attacker profiling data.
Tools Required
Collection Commands
ModSecurity
grep -A 20 "^--[A-Za-z0-9]*-H--" /var/log/modsec_audit.log | grep -B 5 -A 15 "id \"9" > modsec_critical_alerts.txt
AWS CLI
aws wafv2 get-sampled-requests --web-acl-arn <arn> --rule-metric-name <rule> --scope REGIONAL --time-window StartTime=2024-01-01T00:00:00Z,EndTime=2024-01-31T23:59:59Z --max-items 500 > waf_samples.json
get-sampled-requests returns only a sample of requests, and only from a time window inside the previous three hours, so set StartTime/EndTime accordingly; a full request history is available only if WAF logging to CloudWatch Logs, S3 or Kinesis Data Firehose was enabled before the incident.
Splunk
index=waf earliest=-7d action=blocked | stats count by rule_id, src_ip, attack_type | sort -count | head 50
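As an added example (not part of the original page), the following Python parser reads the ModSecurity 2.x serial audit log that the grep command above filters and extracts what the Forensic Value section describes: the client IP, the request line, each matched CRS rule with the payload fragment from its data field, and whether the transaction was intercepted or only logged. Rule ids are mapped to attack families by their OWASP CRS 3.x rule-file prefix (942 = SQLi, 941 = XSS, 930 = LFI, 932 = RCE), and attack_summary() produces the same per-source, per-attack-type tally as the Splunk search. The audit-log sample embedded in the block is constructed, its transaction ids, unique ids, addresses and hostnames are illustrative, and the boundary regex also tolerates the libmodsecurity 3.x serial boundary style as an assumption about that format.

```python
import re
from collections import Counter, defaultdict

# Constructed ModSecurity 2.x serial audit log (not real traffic): the first
# transaction is an intercepted SQLi attempt, the second an XSS attempt logged
# in DetectionOnly mode. Ids, IPs and hostnames are illustrative only.
SAMPLE_AUDIT_LOG = """\
--5c4a3b2d-A--
[15/Jan/2024:10:21:33 +0000] ZaUHnX8AAQEAAFq0AbcAAAAA 203.0.113.10 51234 198.51.100.5 443
--5c4a3b2d-B--
GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1
Host: www.example.com
User-Agent: constructed-scanner/1.0
--5c4a3b2d-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:id: 1' OR 1=1--"] [severity "CRITICAL"] [tag "attack-sqli"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--5c4a3b2d-Z--
--9e1f0a77-A--
[15/Jan/2024:10:22:05 +0000] ZaUHvX8AAQEAAFq0AbkAAAAB 198.51.100.77 40210 198.51.100.5 443
--9e1f0a77-B--
GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (constructed)
--9e1f0a77-H--
Message: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:q: <script>alert(1)</script>"] [severity "CRITICAL"] [tag "attack-xss"]
Engine-Mode: "DETECTION_ONLY"
--9e1f0a77-Z--
"""

# Section boundary: "--<id>-<letter>--" in 2.x; 3.x serial logs use extra dashes (assumed).
BOUNDARY_RE = re.compile(r"^-+([A-Za-z0-9]+)-+([A-Z])-+$")
# Bracketed fields of a section-H "Message:" line that matter for triage.
FIELD_RE = re.compile(r'\[(id|msg|data|severity) "((?:[^"\\]|\\.)*)"\]')

# OWASP CRS 3.x rule-file prefixes (first three digits of the rule id) -> attack family.
CRS_FAMILIES = {
    "913": "scanner-detection", "920": "protocol-enforcement", "921": "protocol-attack",
    "930": "lfi", "931": "rfi", "932": "rce", "933": "php-injection",
    "941": "xss", "942": "sqli", "943": "session-fixation", "949": "anomaly-blocking",
}


def split_transactions(text):
    """Group audit-log lines as transaction id -> section letter -> lines."""
    transactions = defaultdict(lambda: defaultdict(list))
    current = None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        if current is not None:
            tx_id, section = current
            transactions[tx_id][section].append(line)
    return transactions


def parse_transaction(tx_id, sections):
    """Extract the forensic essentials of one transaction from sections A, B and H."""
    # Section A: "[timestamp] unique_id client_ip client_port server_ip server_port"
    a_line = next((l for l in sections.get("A", []) if l.strip()), "")
    a_fields = a_line.split("]", 1)[1].split() if "]" in a_line else []
    client_ip = a_fields[1] if len(a_fields) > 1 else None
    # Section B: the request line comes first, followed by the request headers.
    request_line = next((l for l in sections.get("B", []) if l.strip()), "")
    matches, blocked = [], False
    for line in sections.get("H", []):
        if line.startswith("Action: Intercepted"):
            blocked = True  # the request was denied, not merely logged
        elif line.startswith("Message:"):
            fields = dict(FIELD_RE.findall(line))
            if "id" in fields:
                matches.append({
                    "rule_id": fields["id"],
                    "family": CRS_FAMILIES.get(fields["id"][:3], "other"),
                    "msg": fields.get("msg", ""),
                    "data": fields.get("data", ""),  # carries the matched payload fragment
                    "severity": fields.get("severity", ""),
                })
    return {"tx_id": tx_id, "client_ip": client_ip, "request_line": request_line,
            "blocked": blocked, "matches": matches}


def parse_audit_log(text):
    return [parse_transaction(tx, secs) for tx, secs in split_transactions(text).items()]


def attack_summary(transactions):
    """Tally (client_ip, attack family, action), like the Splunk stats search.
    The 949xxx anomaly-evaluation rule is the verdict, not an attack class, so it is skipped."""
    counts = Counter()
    for tx in transactions:
        action = "blocked" if tx["blocked"] else "logged"
        for m in tx["matches"]:
            if m["family"] != "anomaly-blocking":
                counts[(tx["client_ip"], m["family"], action)] += 1
    return counts


if __name__ == "__main__":
    txs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for tx in txs:
        print(tx["tx_id"], tx["client_ip"], "BLOCKED" if tx["blocked"] else "logged", tx["request_line"])
        for m in tx["matches"]:
            print("   ", m["rule_id"], m["family"], "|", m["data"])
    for (ip, family, action), n in attack_summary(txs).most_common():
        print(f"{n:>4} {ip:<16} {family:<10} {action}")
```

To run it against a real file, replace SAMPLE_AUDIT_LOG with the contents of /var/log/modsec_audit.log; the "logged" versus "blocked" split is the distinction the Forensic Value section draws between attempts the WAF stopped and attempts that only triggered a signature.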