
Monitor AWS WAF activity with Datadog

Author: Mallory Mooney

Published: June 4, 2024

In Part 2 of this series, we looked at Amazon’s built-in monitoring services for AWS WAF activity and audit logs. In this post, we’ll demonstrate how Datadog complements your WAF’s existing protection and extends its capabilities, offering protection not only at the perimeter but also for the APIs and services within your network. To accomplish this, Datadog offers a turnkey AWS WAF integration that allows you to automatically discover and monitor web ACLs, in addition to collecting web ACL metrics and logs. You can review this information in Datadog Application Security Management (ASM), which leverages Datadog tracing libraries and the Agent to provide insight into which services your web ACLs are protecting. ASM Threat Management takes this visibility a step further by using built-in threat intelligence and a distributed, in-app WAF to automatically identify and stop malicious activity. We’ll also look in more detail at how this extends the capabilities of your existing AWS WAF.

Enable Datadog’s AWS WAF integration

Datadog provides a built-in integration for AWS WAF, which enables you to collect the metrics and logs we discussed in Part 1 of this series. To get started, you will need to first set up Datadog’s Amazon Web Services integration if you haven’t already. The steps in this section walk you through the process of enabling both metric and log collection for all AWS services, including AWS WAF. For metrics, you can configure Datadog to automatically collect data via CloudWatch API polling and Kinesis Firehose streams. Datadog recommends using CloudWatch for collecting the most up-to-date metric data.

You have two options for sending AWS WAF logs, depending on which type you’d like to monitor. Audit logs leverage Kinesis Firehose destinations, while web ACL activity logs use a Forwarder Lambda function. You can check out our documentation for more information about configuring those options.

Once configured, make sure that you enable metric and log collection for AWS WAF by navigating to the AWS integration tile and toggling on each option. For metrics, search for AWS WAF under the “Metric Collection” tab and toggle the options for either WAF Classic or WAFV2.

Enable Datadog's AWS WAF integration

For AWS WAF logs, you can toggle the “Web Application Firewall Logs” option under the “Log Collection” tab. These configurations allow Datadog to automatically collect and provide deeper insights into AWS WAF data. Next, we’ll look at how you can visualize all of this data in one place.

Visualize AWS WAF metrics and logs

Once you configure Datadog’s AWS WAF integration, you can easily visualize service metrics by creating a custom dashboard. The sample dashboard below includes some of the key metrics and logs that we described in Part 1 of this series, such as the total number of allowed and blocked requests and the top sources of network traffic, as well as a stream of web ACL audit logs. It also includes a breakdown of categorized bot activity, which includes whether the activity was verified by AWS WAF.

AWS WAF dashboard

Having a reference point like a dashboard can help you monitor activity at a high level and detect unusual traffic patterns. For example, you can use the anomalies algorithm on the aws.wafv2.blocked_requests metric to discover any changes that deviate from historical trends. The following screenshot shows that the total number of blocked requests that Datadog expected for the selected time period ranged between 14 and 17.

AWS WAF blocked anomalies graph

Apart from highlighting significant spikes, such as the two seen above, anomaly detection can help you monitor trends in WAF activity over a period of time. For example, if the anomaly boundaries increase significantly, you may need to determine if the associated rule is blocking too many requests and needs to be updated.

In addition to monitoring metrics, Datadog enables you to track AWS WAF logs via Datadog Log Management, which provides a cost-effective solution for collecting, storing, and querying logs. Your activity and audit logs serve as the starting point for troubleshooting issues with your configured WAF and web ACLs, but AWS WAF can generate a high volume of them at any given time. This makes it more difficult to query the logs you need during a time-sensitive investigation.

Datadog Observability Pipelines solves this problem by enabling you to extract key metrics from AWS WAF logs before they leave your environment. Extracting metrics from your logs separates the most immediately helpful information from complex log data. Log-based metrics still contain the most pertinent information from your logs, allowing you to troubleshoot effectively, analyze historical trends, and control log volume. Once you extract metrics, you can drop the logs entirely, or retain them with Datadog Flex Logs or the long-term storage solution of your choice. Datadog Flex Logs decouples the cost of log storage from the cost of querying, enabling you to keep AWS WAF logs for the relatively long term while still being able to instantly query them without incurring the typical costs of indexing. This capability is invaluable for conducting in-depth investigations.
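To make the "extract metrics before the logs leave your environment" step concrete, here is an added example (not Datadog's or AWS's code) that reduces raw AWS WAF log records to the counters a dashboard needs: requests per action, blocks per terminating rule, and blocks per client IP. The records are constructed for this example and use the field names of the AWS WAF log format; the values, rule names and IPs are made up.

```python
import json
from collections import Counter

# Constructed sample AWS WAF log records (one JSON object per line), using the
# field names of the AWS WAF log format; the values themselves are made up.
SAMPLE_WAF_LOG_LINES = "\n".join([
    json.dumps({"timestamp": 1717500000000, "action": "BLOCK",
                "terminatingRuleId": "UserAgent_BadBots_HEADER",
                "httpRequest": {"clientIp": "203.0.113.10", "country": "US", "uri": "/login"}}),
    json.dumps({"timestamp": 1717500001000, "action": "BLOCK",
                "terminatingRuleId": "UserAgent_BadBots_HEADER",
                "httpRequest": {"clientIp": "203.0.113.10", "country": "US", "uri": "/admin"}}),
    json.dumps({"timestamp": 1717500002000, "action": "ALLOW",
                "terminatingRuleId": "Default_Action",
                "httpRequest": {"clientIp": "198.51.100.7", "country": "DE", "uri": "/"}}),
    json.dumps({"timestamp": 1717500003000, "action": "BLOCK",
                "terminatingRuleId": "RateLimit_Login",
                "httpRequest": {"clientIp": "192.0.2.55", "country": "BR", "uri": "/login"}}),
    "this line is not JSON",  # simulates a truncated or corrupted record
])


def extract_waf_metrics(raw_lines):
    """Reduce raw WAF log lines to dashboard counters: requests per action,
    blocks per terminating rule, blocks per client IP, plus a count of records
    that could not be parsed (a pipeline should count those, not crash)."""
    by_action = Counter()
    blocks_by_rule = Counter()
    blocks_by_ip = Counter()
    malformed = 0
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        action = rec.get("action", "UNKNOWN")
        by_action[action] += 1
        if action == "BLOCK":
            blocks_by_rule[rec.get("terminatingRuleId", "UNKNOWN")] += 1
            blocks_by_ip[rec.get("httpRequest", {}).get("clientIp", "UNKNOWN")] += 1
    return {"requests_by_action": dict(by_action),
            "blocks_by_rule": dict(blocks_by_rule),
            "blocks_by_client_ip": dict(blocks_by_ip),
            "malformed_records": malformed}


if __name__ == "__main__":
    print(json.dumps(extract_waf_metrics(SAMPLE_WAF_LOG_LINES), indent=2))
```

Once these counters are emitted as metrics, the raw lines can be dropped or routed to cheaper storage without losing the per-rule and per-source breakdown the dashboard above relies on.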

For example, your audit logs capture important information about changes to both WAF and web ACL settings. The following audit log shows that a user attempted to list available web ACLs but did not have the appropriate permissions.

AWS WAF log

These logs also include information about which AWS user attempted the action, and you can review them in context with other activity across your AWS environment by pivoting to Cloud SIEM Investigator. In the following screenshot, you can see that a single user failed to execute list or describe API calls for components of multiple different types of resources, including web ACLs.

AWS WAF Datadog Cloud SIEM identity

These scenarios could indicate that a threat actor has bypassed a WAF and is testing the level of access their user and applied role have in your environment. Cloud SIEM also includes built-in detection rules for AWS WAF, enabling you to instantly know about key activity and audit scenarios, such as when a web ACL rule blocked traffic or when a specific web ACL was modified or deleted.
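The pattern Cloud SIEM Investigator surfaced above, one identity failing list or describe calls across several resource types in a short span, can be expressed as a simple detection. The following is an added example (not a Datadog detection rule) that runs over constructed CloudTrail-style events: the field names (`eventTime`, `eventSource`, `eventName`, `errorCode`, `userIdentity.arn`) are CloudTrail's, while the account ID, identities and times are made up, and the threshold and window are assumptions you would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style events; identities, account ID and times are made up.
SAMPLE_CLOUDTRAIL_EVENTS = [
    {"eventTime": "2024-06-04T10:00:05Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "ListWebACLs", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2024-06-04T10:00:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2024-06-04T10:01:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2024-06-04T10:02:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "ListWebACLs",  # succeeded: no errorCode present
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SecurityAudit"}},
    {"eventTime": "2024-06-04T15:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "errorCode": "AccessDenied",  # hours later, outside the window
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
]

READ_ONLY_PREFIXES = ("List", "Describe", "Get")  # assumed set of enumeration-style calls


def detect_denied_enumeration(events, min_services=3, window=timedelta(minutes=10)):
    """Flag identities whose read-only (List/Describe/Get) calls were denied across
    at least `min_services` distinct AWS services within `window`.
    Returns {identity_arn: sorted list of services} for each flagged identity."""
    denied = defaultdict(list)  # arn -> [(event time, eventSource)]
    for ev in events:
        # CloudTrail records denials as AccessDenied or AccessDeniedException depending on the service
        if ev.get("errorCode") not in ("AccessDenied", "AccessDeniedException"):
            continue
        if not ev.get("eventName", "").startswith(READ_ONLY_PREFIXES):
            continue
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        denied[arn].append((ts, ev["eventSource"]))
    flagged = {}
    for arn, hits in denied.items():
        hits.sort()
        # sliding window anchored at each denial: distinct services denied within `window`
        for i, (t0, _) in enumerate(hits):
            services = {src for t, src in hits[i:] if t - t0 <= window}
            if len(services) >= min_services:
                flagged[arn] = sorted(services)
                break
    return flagged
```

Successful calls and denials spread over hours are ignored, so the single success by the audit role and the late S3 denial do not contribute; only the burst of three denials across WAF, EC2 and IAM trips the detection.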

Next, we’ll look at how Datadog Application Security Management can help you detect and stop malicious activity like this before it passes through the boundaries of your environment.

Monitor web ACL activity in Datadog ASM

In addition to monitoring AWS WAF metrics and logs, you need the ability to view each of the requests that your web ACLs allow or block. Not having that visibility makes it more difficult to act on an issue that your metric or log data surfaces. Datadog ASM provides that necessary context by integrating with AWS WAF. This means that ASM will automatically discover when a web ACL is present in your environment and is managing traffic to your instrumented services. If a web ACL blocks a specific IP address, for example, you will be able to view this information, including relevant WAF metrics and logs, directly in ASM.

Datadog ASM signal for AWS WAF

In the preceding signal, the UserAgent_BadBots_HEADER WAF rule automatically blocked requests from a single IP address, which Datadog ASM’s built-in Threat Intelligence flagged as a scanner. You can review WAF logs and the flagged IP to determine if any further action is required. With this complete context, you have the ability to improve your WAF’s protection capabilities and secure more than just your environment’s perimeter. We’ll look at the importance of extending your WAF’s reach, and how Datadog accomplishes this, next.

Extend your firewall protection with Datadog ASM

Perimeter firewalls like AWS WAF serve as a first line of defense for your environment. They monitor incoming traffic for potentially malicious activity and stop identified threats before they reach your applications and APIs. However, due to the challenges of maintaining these types of WAFs and the gaps in coverage they can leave, it’s important to extend your firewall protection to other layers besides the network’s perimeter. This enables you to build a comprehensive defense-in-depth strategy for your applications.

With the rapidly evolving boundaries of a dynamic cloud environment, scaling perimeter firewalls can be difficult. In these environments, perimeter firewalls require constant tuning to ensure that they only block malicious traffic and do not cause latency—or worse—false positives. As mentioned in Part 1, this process typically requires continually testing how precisely web ACL rules respond to traffic. But in many cases, web ACL configurations are owned by a single team, which can create knowledge gaps for other teams in how to maintain them and interpret their logs.

Apart from the challenges in maintaining perimeter firewalls, simple misconfigurations, which are more common in large-scale environments, can give threat actors easy access. Additionally, application or resource vulnerabilities can grant threat actors direct access to an environment, regardless of the state of its perimeter firewall. That’s why building protection that continually monitors and responds to traffic from the perimeter down to individual services, APIs, and resources is crucial for mitigating gaps in security coverage. This approach allows you to build protection controls that can appropriately respond to a wider range of threats.

In addition to the visibility that Datadog ASM brings to your existing WAFs, it also offers distributed protection capabilities with enhanced application context and business logic. Through Datadog’s tracing libraries, ASM provides granular visibility into application services and APIs. This means that if a threat actor bypasses your WAF and takes advantage of an application vulnerability, ASM will automatically flag the source IP, which you can decide to forward to AWS WAF to block. This context enables you to keep AWS WAF up to date on malicious activity that it may have otherwise overlooked.

Datadog blueprint for AWS WAF

Start monitoring AWS WAF today

In this post, we looked at how Datadog enables you to monitor your AWS WAF metrics and logs. We also discussed how Datadog ASM’s integration with AWS WAF brings complete context to monitoring and preventing malicious activity. To learn more, you can check out our documentation for AWS WAF and Datadog ASM. If you don’t already have a Datadog account, you can sign up for a .