Monitoring and Incident Response

Effective WAF operation requires continuous monitoring and well-defined incident response procedures. Real-time visibility into WAF activity helps identify attacks, tune rules, and respond to security incidents promptly. Track allowed and counted requests alongside blocked ones: rules left in Count mode show what would be blocked, and a sudden change in allowed traffic to sensitive paths is often the first sign that a request got past the rules or that a rule was disabled.

Implement comprehensive monitoring dashboards, for example by pulling CloudWatch metrics and sampled requests for the web ACL:

# WAF metrics collection script (AWS WAFv2 via boto3)
import json
import boto3
from datetime import datetime, timedelta, timezone

WEB_ACL_NAME = 'production-waf'
WEB_ACL_ARN = 'arn:aws:wafv2:us-east-1:123456789012:regional/webacl/production-waf'
REGION = 'us-east-1'

def collect_waf_metrics():
    cloudwatch = boto3.client('cloudwatch', region_name=REGION)
    waf = boto3.client('wafv2', region_name=REGION)
    now = datetime.now(timezone.utc)   # CloudWatch and WAF expect UTC timestamps

    # Blocked requests for the whole web ACL over the last hour, in 5-minute buckets.
    # AWS/WAFV2 metrics carry a Rule dimension; the value 'ALL' aggregates every rule.
    blocked_requests = cloudwatch.get_metric_statistics(
        Namespace='AWS/WAFV2',
        MetricName='BlockedRequests',
        Dimensions=[
            {'Name': 'WebACL', 'Value': WEB_ACL_NAME},
            {'Name': 'Region', 'Value': REGION},
            {'Name': 'Rule', 'Value': 'ALL'}
        ],
        StartTime=now - timedelta(hours=1),
        EndTime=now,
        Period=300,
        Statistics=['Sum']
    )

    # Sampled requests that matched the SQLi rule in the last 15 minutes.
    # Sampling must be enabled on the web ACL, RuleMetricName is the rule's
    # metric name, and the window must lie within the previous three hours.
    sampled_requests = waf.get_sampled_requests(
        WebAclArn=WEB_ACL_ARN,
        RuleMetricName='SQLiRule',
        Scope='REGIONAL',
        TimeWindow={
            'StartTime': now - timedelta(minutes=15),
            'EndTime': now
        },
        MaxItems=100
    )

    return {
        'blocked_requests': sorted(blocked_requests['Datapoints'],
                                   key=lambda d: d['Timestamp']),
        'sampled_requests': sampled_requests['SampledRequests']
    }

if __name__ == '__main__':
    print(json.dumps(collect_waf_metrics(), default=str, indent=2))

Create automated response playbooks:

# Incident Response Playbook
name: WAF Security Incident Response
trigger: High severity WAF alert (blocked-request rate or rate-based rule threshold exceeded)

steps:
  - name: Initial Assessment
    actions:
      - Analyze attack pattern and source (terminating rule, client IPs, targeted URIs, user agents)
      - Determine attack severity and potential impact
      - Check if attack is ongoing (compare the current 5-minute window with the baseline)

  - name: Immediate Response
    actions:
      - Block attacking IP addresses via an IP set (confirm first that they are not a shared NAT, CDN or partner egress address)
      - Increase WAF sensitivity temporarily (switch rules from Count to Block, lower rate-based rule limits)
      - Enable additional logging (full request logging, with sensitive headers redacted)

  - name: Investigation
    actions:
      - Review detailed WAF logs
      - Check application logs for compromise indicators (allowed requests with the same sources, payloads or paths as the blocked ones)
      - Analyze attack techniques used

  - name: Remediation
    actions:
      - Update WAF rules to prevent similar attacks (run new rules in Count mode before enforcing them)
      - Patch any identified vulnerabilities; the WAF is a compensating control, not the fix
      - Document lessons learned
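
The Immediate Response and Investigation steps above, worked through on constructed log records, as an added example that is not part of the original page: it parses records in the AWS WAF logging format, counts blocks per client IP and per terminating rule inside a triage window, selects the IPs over a threshold, and builds the argument set for wafv2.update_ip_set() without making any AWS call. The log records, the IP set name, ID and lock token, and the threshold are assumed placeholders.

```python
# Added example (not from the original page): triage AWS WAF log records
# offline and prepare an IP-set update for the "Block attacking IP addresses"
# step. Field names follow the AWS WAF logging format; IP set name, ID and
# lock token are assumed placeholders.
import json
from collections import Counter, defaultdict
from ipaddress import ip_address


def _rec(ts_ms, action, rule, ip, uri):
    """Minimal WAF log record (only the fields this triage uses)."""
    return {"timestamp": ts_ms, "action": action, "terminatingRuleId": rule,
            "httpRequest": {"clientIp": ip, "uri": uri, "httpMethod": "GET"}}


# Constructed sample records (timestamps are epoch milliseconds, as in WAF logs).
SAMPLE_RECORDS = [
    _rec(1700000000000, "BLOCK", "SQLiRule", "203.0.113.7", "/login"),
    _rec(1700000001000, "BLOCK", "SQLiRule", "203.0.113.7", "/search"),
    _rec(1700000002000, "BLOCK", "XSSRule", "203.0.113.7", "/comment"),
    _rec(1700000003000, "ALLOW", "Default_Action", "198.51.100.20", "/"),
    _rec(1700000004000, "BLOCK", "SQLiRule", "198.51.100.20", "/api"),
    _rec(1700000005000, "BLOCK", "XSSRule", "2001:db8::42", "/x"),
    _rec(1700000006000, "BLOCK", "XSSRule", "2001:db8::42", "/y"),
    _rec(1700000007000, "BLOCK", "XSSRule", "2001:db8::42", "/z"),
    # Stale records outside the triage window must not count.
    _rec(1600000000000, "BLOCK", "SQLiRule", "192.0.2.99", "/old"),
    _rec(1600000001000, "BLOCK", "SQLiRule", "192.0.2.99", "/old"),
    _rec(1600000002000, "BLOCK", "SQLiRule", "192.0.2.99", "/old"),
]
# Logs as delivered: one JSON object per line (constructed for this example).
SAMPLE_WAF_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def parse_waf_log(text):
    """Parse newline-delimited WAF log JSON, skipping lines that are not records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "httpRequest" in rec and "action" in rec:
            records.append(rec)
    return records


def triage(records, now_ms, window_ms, min_blocks):
    """Summarize BLOCK actions in [now_ms - window_ms, now_ms] and pick IPs
    that were blocked at least min_blocks times."""
    start = now_ms - window_ms
    blocks_by_ip, blocks_by_rule = Counter(), Counter()
    uris_by_ip = defaultdict(set)
    for rec in records:
        ts = rec.get("timestamp", 0)
        if ts < start or ts > now_ms or rec["action"] != "BLOCK":
            continue
        # clientIp is the connection source unless the web ACL is configured to
        # use a forwarded-IP header; behind a proxy, verify before blocking.
        ip = rec["httpRequest"]["clientIp"]
        blocks_by_ip[ip] += 1
        blocks_by_rule[rec.get("terminatingRuleId", "unknown")] += 1
        uris_by_ip[ip].add(rec["httpRequest"].get("uri", ""))
    candidates = sorted(ip for ip, n in blocks_by_ip.items() if n >= min_blocks)
    return {"blocks_by_ip": dict(blocks_by_ip),
            "blocks_by_rule": dict(blocks_by_rule),
            "uris_by_ip": {ip: sorted(u) for ip, u in uris_by_ip.items()},
            "candidates": candidates}


def to_cidrs(ips):
    """WAF IP sets take CIDR strings: /32 for IPv4, /128 for IPv6."""
    out = []
    for ip in ips:
        addr = ip_address(ip)
        out.append(f"{addr.compressed}/{32 if addr.version == 4 else 128}")
    return out


def build_ip_set_update(name, ip_set_id, scope, lock_token, existing_cidrs, new_ips):
    """Build kwargs for wafv2.update_ip_set(). Addresses replaces the whole set,
    so the existing entries (and the LockToken) come from a prior get_ip_set()."""
    merged = sorted(set(existing_cidrs) | set(to_cidrs(new_ips)))
    return {"Name": name, "Scope": scope, "Id": ip_set_id,
            "LockToken": lock_token, "Addresses": merged}


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_WAF_LOG)
    summary = triage(recs, now_ms=1700000010000, window_ms=15 * 60 * 1000, min_blocks=3)
    print(json.dumps(summary, indent=2))
    # Placeholder IP set identifiers; in practice pass the output to update_ip_set().
    print(build_ip_set_update("blocked-attackers", "00000000-0000-0000-0000-000000000000",
                              "REGIONAL", "lock-token-placeholder",
                              ["192.0.2.0/24"], summary["candidates"]))
```

Two points matter when wiring this to a real web ACL. update_ip_set replaces the entire address list and requires the current LockToken, so always read the set with get_ip_set immediately before writing, or a concurrent change will be lost or rejected. And a single /128 is a weak block for IPv6 sources, which can rotate addresses inside their /64 freely; widening to the /64 is usually the practical choice once the source has been confirmed as hostile.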