Hello,
We are collecting AWS WAF logs and I'm trying to set up an alert that triggers if a single IP address is blocked more than 25k times within 3 hours. I know that the count can be used in the Trigger's section, but I can't seem to figure out how to query the number of blocks per distinct IP as the foundation. Any ideas?
This is what I have so far. The IP address field is data.aws.httpRequest.clientIP
{
"size": 0,
"query": {
"bool": {
"must": [
{
"match": {
"data.aws.action": {
"query": "BLOCK",
"operator": "OR",
"prefix_length": 0,
"max_expansions": 50,
"fuzzy_transpositions": true,
"lenient": false,
"zero_terms_query": "NONE",
"auto_generate_synonyms_phrase_query": true,
"boost": 1
}
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"from": "{{period_end}}||-3h",
"to": "{{period_end}}",
"include_lower": true,
"include_upper": true,
"format": "epoch_millis",
"boost": 1
}
}
}
],
"adjust_pure_negative": true,
"boost": 1
}
},
"aggregations": {
"by_ip": {
"terms": {
"field": "data.aws.httpRequest.clientIP"
}
}
}
}
Any help would be greatly appreciated!
Tony