# Building a Real-Time AWS WAF Log Analytics Dashboard with OpenSearch

This blog will walk you through an end-to-end log analytics pipeline using **AWS WAF**, **Kinesis Firehose**, **S3**, **Logstash**, and **OpenSearch Dashboards**. The goal is to analyze and visualize traffic patterns, in particular the unwanted requests that WAF blocks in front of an EC2-hosted NGINX server.

## 🧩 Architecture Overview

Here’s the flow of data across our components:

1. **NGINX** application on an EC2 instance in a **public subnet**.
    
2. A **Load Balancer** is attached to the EC2 instance.
    
3. **AWS WAF** rules are applied to block access from certain sources.
    
4. WAF logs are sent to **Amazon Kinesis Data Firehose**.
    
5. Firehose delivers logs to an **S3 Bucket**.
    
6. **Logstash** reads from S3 and parses logs.
    
7. Logs are indexed into **OpenSearch servers**.
    
8. Visualized through **OpenSearch Dashboards**.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747716079426/4bbac428-ec4c-4895-a7a5-3859407d5509.png align="center")

## 🏗️ Step 1: Deploy NGINX on EC2

Spin up an EC2 instance in a **public subnet** and install NGINX:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747719785591/40c96e75-66af-4176-afec-5402a97bad13.png align="center")

```bash
sudo apt-get update -y
sudo apt-get install nginx -y 
sudo systemctl enable nginx
sudo systemctl start nginx
sudo systemctl status nginx
```

Ensure the EC2 is behind an **Application Load Balancer (ALB)**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747720304888/3c878072-752d-45f5-89bf-32e6b43addc6.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747720350971/8686c47e-8f47-42dd-a086-718b4da36576.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747720405800/3b62dbcb-206e-401f-8184-26e37ba2db56.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747720518949/03217a05-8e60-4b6a-9ccd-a6c25b812fd6.png align="center")

## Step 2: Protect with AWS WAF

Attach AWS WAF to your ALB. Create custom rules to filter traffic (e.g., block by source IP, User-Agent, or geographic origin).

Enable **logging** in WAF and configure **Kinesis Data Firehose** as the log destination.

### 🧾 Step-by-Step Instructions

#### **1\. Create an AWS WAF Web ACL**

1. Go to the **AWS WAF & Shield** service in the AWS Console.
    
2. Click **“Create web ACL”**.
    
3. Provide a **name** and **description** (e.g., `nginx-web-acl`).
    
4. Select **Region** (e.g., `us-east-1`) and **Resource type** as **“Regional resources”**.
    
5. Choose **Associated AWS resource type**: select **Application Load Balancer**.
    
6. Choose the ALB that routes traffic to your NGINX EC2 instance.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747720959248/a3d81922-8c26-4044-a4dd-2a23b7bb7b09.png align="center")
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747720996792/e1eba011-1136-4fa1-ab42-ed9c3756a022.png align="center")

#### **2\. Add WAF Rules**

You can use managed rules or define custom ones. Examples:

##### ➤ **Block Local IP Range (Simulate External Access Block)**

To simulate blocking local system traffic, add a custom rule to block a specific IP:

1. Under **“Add rules”**, click **Add my own rules and rule groups**.
    
2. Create a rule:
    
    * Rule name: `BlockLocalIP`
        
    * Type: **IP set**
        
    * Create a new IP set with your **local public IP**.
        
    * Set action to **Block**.
        
3. Add the rule to the Web ACL.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747721050318/054f0eb4-aaf2-4dac-9f5e-7cf5e38121dc.png align="center")
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747721083148/791b8d47-898d-474a-9bde-2ac02b8051a4.png align="center")

#### **3\. Configure Logging to Kinesis Data Firehose**

WAF logs can be sent to **Amazon Kinesis Data Firehose**, which forwards them to **S3**.

1. On the left nav, go to **Logging and metrics** under WAF.

2. Click **“Enable logging”**.

3. Select your **Web ACL**.

4. Choose the **Kinesis Firehose delivery stream** that delivers to your S3 bucket (`waf-logs-stream`). Note that WAF only offers delivery streams whose names start with `aws-waf-logs-`, so name the stream accordingly when you create it.

5. Optionally, add filters or redactions.

6. Save changes.

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747721298863/2487cd79-53f9-4175-827f-df64d67d6f7c.png align="center")

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747721369014/739ee873-2b61-4425-abce-9b6f364c464b.png align="center")

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747721385928/4db69dd4-9c0a-42e3-85d2-9573c27e9008.png align="center")

#### **4\. Verify Logs Are Flowing**

1. Send traffic through your Load Balancer (via browser or `curl`).

2. In the **S3 bucket**, JSON log files arrive via Firehose.

    * Each log event contains request metadata such as `action`, `terminatingRuleId`, `webaclId` and an `httpRequest` object with `clientIp`, `country`, `uri`, `httpMethod` and the request `headers`.

3. These logs will be picked up later by **Logstash** and placed in your pipeline.

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747721485057/dfe056b5-6213-4d3c-8e63-9a08200d5f5b.png align="center")

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747721518439/1485627a-b37d-4050-9581-5c68db330cb3.png align="center")

## **🐳 Step 3: Deploy OpenSearch and Logstash with Docker**

Create a Docker network:

```bash
docker network create opensearch-net
```

🔍 **Run OpenSearch:**

```bash
docker run -d --name opensearch-node1 \
  --network opensearch-net \
  -p 9200:9200 -p 9600:9600 \
  -e "discovery.type=single-node" \
  -e "OPENSEARCH_INITIAL_ADMIN_PASSWORD=Redhat@123" \
  opensearchproject/opensearch:latest
```

📊 **OpenSearch Dashboards:**

```bash
docker run -d --name opensearch-dashboards \
  --network opensearch-net \
  -p 5601:5601 \
  -e OPENSEARCH_HOSTS='["https://opensearch-node1:9200"]' \
  -e OPENSEARCH_USERNAME='admin' \
  -e OPENSEARCH_PASSWORD='Redhat@123' \
  opensearchproject/opensearch-dashboards:latest
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747721955952/4140b7dc-e061-4550-adf7-6fc197ab2971.png align="center")

## 📥 Step 5: Logstash to Process WAF Logs

Use the official image with the OpenSearch plugin:

```bash
docker run -d --name logstash-01 \
  --network opensearch-net \
  -v /home/neetesh/cloudkeeper-workspace/waf-promethuses-02/logstash-pipeline:/usr/share/logstash/pipeline \
  -v /tmp/logstash-s3:/tmp/logstash-s3 \
  opensearchproject/logstash-oss-with-opensearch-output-plugin:latest
```

### 🔧 Logstash Pipeline Configuration

```ruby
input {
  s3 {
    bucket => "poc-s3-bucket-00000001"
    prefix => ""                        # Adjust if you want to limit the path
    region => "us-east-1"               # Replace with your bucket's region
    codec => "json"                     # WAF log files hold one JSON object per line
    sincedb_path => "/tmp/logstash-s3.sincedb"
    temporary_directory => "/tmp/logstash-s3"
    # Placeholders only. On EC2, prefer an instance role with s3:GetObject /
    # s3:ListBucket on this bucket and leave these two settings out entirely.
    access_key_id => "ACCESS_KEY_ID"
    secret_access_key => "SECRET_ACCESS_KEY"
  }
}

filter {
  if "_jsonparsefailure" in [tags] {
    drop { }
  }

  # WAF records the request time as epoch milliseconds in [timestamp].
  # Use it for @timestamp so the dashboards show event time, not ingest time.
  if [timestamp] {
    date {
      match => ["timestamp", "UNIX_MS"]
      target => "@timestamp"
    }
  }

  # [action] (ALLOW / BLOCK / CAPTCHA) is already a top-level field in the
  # WAF record. Re-adding it with add_field would turn it into an array,
  # so it is used as-is.

  if [terminatingRuleId] {
    mutate { add_field => { "terminating_rule" => "%{[terminatingRuleId]}" } }
  }

  if [httpRequest][clientIp] {
    mutate { add_field => { "client_ip" => "%{[httpRequest][clientIp]}" } }
  }

  if [httpRequest][country] {
    mutate { add_field => { "country" => "%{[httpRequest][country]}" } }
  }

  if [httpRequest][httpMethod] {
    mutate { add_field => { "http_method" => "%{[httpRequest][httpMethod]}" } }
  }

  if [httpRequest][uri] {
    mutate { add_field => { "uri" => "%{[httpRequest][uri]}" } }
  }

  if [httpRequest][httpVersion] {
    mutate { add_field => { "http_version" => "%{[httpRequest][httpVersion]}" } }
  }

  # Headers arrive as a list of {name, value} objects; pull out the two
  # the dashboards use. Names are compared case-insensitively because WAF
  # logs them as the client sent them.
  if [httpRequest][headers] {
    ruby {
      code => '
        begin
          headers = event.get("[httpRequest][headers]")
          headers.each do |h|
            if h["name"].downcase == "user-agent"
              event.set("user_agent", h["value"])
            elsif h["name"].downcase == "host"
              event.set("host_header", h["value"])
            end
          end
        rescue => e
          event.tag("_header_parse_failure")
        end
      '
    }
  }
}

output {
  opensearch {
    hosts => ["https://opensearch-node1:9200"]
    user => "admin"
    password => "Redhat@123"
    ssl => true
    # Lab setting only: the demo container ships a self-signed certificate.
    # Point ssl_certificate_authorities at your CA and set this to true in production.
    ssl_certificate_verification => false
    index => "aws-waf-logs-test-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}
```
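The Logstash filter above and the earlier "Verify Logs Are Flowing" step come down to the same parsing job: read the JSON records Firehose wrote to S3, pull out `action`, `terminatingRuleId`, `httpRequest.clientIp` and the `User-Agent` / `Host` headers, and count what was blocked. The Python script below does that job stand-alone, which is useful for checking a downloaded log file before Logstash ever sees it. It is an added example, not code from the post: the three records are constructed (documentation IP ranges, the AWS example account id, a made-up web ACL id), and on top of what the Logstash config shows it tolerates objects written back-to-back without a newline and a truncated trailing record, skipping the latter the way the pipeline drops `_jsonparsefailure` events.

```python
import json
from collections import Counter
from datetime import datetime, timezone


def _record(ts, action, rule, ip, country, method, uri, version, headers):
    """Build a constructed record in the AWS WAF log layout (sample data, not real traffic)."""
    return {
        "timestamp": ts, "formatVersion": 1, "action": action,
        "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/nginx-web-acl/EXAMPLE-ID",
        "terminatingRuleId": rule, "terminatingRuleType": "REGULAR",
        "httpRequest": {"clientIp": ip, "country": country, "httpMethod": method,
                        "uri": uri, "httpVersion": version, "headers": headers},
    }


# Constructed sample: two requests blocked by the post's BlockLocalIP rule and one allowed.
SAMPLE_RECORDS = [
    _record(1747721400000, "BLOCK", "BlockLocalIP", "203.0.113.10", "US", "GET", "/admin", "HTTP/1.1",
            [{"name": "Host", "value": "alb.example.com"}, {"name": "User-Agent", "value": "curl/8.5.0"}]),
    _record(1747721405000, "BLOCK", "BlockLocalIP", "203.0.113.10", "US", "POST", "/", "HTTP/1.1",
            [{"name": "host", "value": "alb.example.com"}, {"name": "user-agent", "value": "curl/8.5.0"}]),
    _record(1747721410000, "ALLOW", "Default_Action", "198.51.100.7", "DE", "GET", "/", "HTTP/2.0",
            [{"name": "Host", "value": "alb.example.com"}, {"name": "User-Agent", "value": "Mozilla/5.0"}]),
]

# Constructed file body: record 0 on its own line, records 1 and 2 written
# back-to-back with no newline between them, then a truncated record.
SAMPLE_FILE = (
    json.dumps(SAMPLE_RECORDS[0]) + "\n"
    + json.dumps(SAMPLE_RECORDS[1]) + json.dumps(SAMPLE_RECORDS[2]) + "\n"
    + '{"timestamp": 1747721415000, "action": "BLO'
)


def iter_records(text):
    """Yield every JSON object in a delivered log file.

    raw_decode reads objects whether or not a newline separates them; a
    line that does not parse is skipped, which is what dropping
    _jsonparsefailure events achieves in the Logstash pipeline.
    """
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while pos < end:
        while pos < end and text[pos].isspace():   # skip newlines between objects
            pos += 1
        if pos >= end:
            break
        try:
            obj, pos = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            newline = text.find("\n", pos)
            if newline == -1:
                break                                # truncated tail: nothing more to read
            pos = newline + 1
            continue
        if isinstance(obj, dict):
            yield obj


def flatten(record):
    """Produce the flat fields the Logstash filter adds (client_ip, user_agent, ...)."""
    req = record.get("httpRequest", {})
    event = {
        "action": record.get("action"),
        "terminating_rule": record.get("terminatingRuleId"),
        "client_ip": req.get("clientIp"),
        "country": req.get("country"),
        "http_method": req.get("httpMethod"),
        "uri": req.get("uri"),
        "http_version": req.get("httpVersion"),
        "user_agent": None,
        "host_header": None,
    }
    if "timestamp" in record:   # WAF writes the request time as epoch milliseconds
        event["@timestamp"] = datetime.fromtimestamp(
            record["timestamp"] / 1000, tz=timezone.utc).isoformat()
    for header in req.get("headers", []):   # header names are logged as the client sent them
        name = header.get("name", "").lower()
        if name == "user-agent":
            event["user_agent"] = header.get("value")
        elif name == "host":
            event["host_header"] = header.get("value")
    return event


def blocked_by_ip(events):
    """Count BLOCK decisions per source IP: the 'Top IP Addresses' view in numbers."""
    return Counter(e["client_ip"] for e in events if e["action"] == "BLOCK")


def summarise_file(text):
    """Parse a whole delivered file and return (flattened events, blocked-per-IP counter)."""
    events = [flatten(r) for r in iter_records(text)]
    return events, blocked_by_ip(events)


if __name__ == "__main__":
    parsed, blocked = summarise_file(SAMPLE_FILE)
    print(f"{len(parsed)} records parsed; blocked per IP: {dict(blocked)}")
```

Run it against a real object with `summarise_file(open("path/to/delivered-file").read())`; if the count of parsed records is lower than the number of `{"timestamp"` occurrences in the file, Logstash will be silently dropping the same records.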

## 📈 Step 6: Visualize Logs in OpenSearch Dashboards

Navigate to [`http://localhost:5601`](http://localhost:5601) and log in with:

* **Username:** `admin`
    
* **Password:** `Redhat@123`
    

Create an index pattern: `aws-waf-logs-test-*`

You can now create rich visualizations such as:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747722151075/96aae3c3-23e1-483b-9e21-33e0b119fe61.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747722189418/8b239835-0fa7-4bd0-a5a4-16d54bba8f0e.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747722223067/d12caf61-8952-42d8-a93b-792550364465.png align="center")

## 📦 Full OpenSearch Dashboard: JSON Import Snippets

You can import a ready-made dashboard with these visualizations by saving the snippets below as a `.ndjson` file and importing it through **Dashboards Management → Saved objects → Import** (**Stack Management** in older versions). The objects reference each other by `id`, so import the whole file rather than individual lines.

### 📁 Included Visualizations

Your exported dashboard includes:

| Title | Type | Description |
| --- | --- | --- |
| **WAF Actions** | Pie Chart | Visual breakdown of `ALLOW`, `BLOCK`, `CAPTCHA` actions. |
| **Total HTTP Requests** | Metric | Count of total requests received. |
| **Blocked HTTP Requests** | Metric | Requests specifically marked as `BLOCK`. |
| **HTTP Versions Breakdown** | Pie Chart | Shows HTTP protocol versions like 1.1 vs 2.0. |
| **HTTP Methods** | Pie Chart | GET, POST, etc. |
| **Top Hosts** | Pie Chart | Popular host headers seen in WAF logs. |
| **Top Countries** | Pie Chart | Countries from which requests originated. |
| **Top IP Addresses** | Pie Chart | Most frequent source IPs. |
| **Top User Agents** | Pie Chart | Devices or clients initiating traffic. |
| **Top Web ACLs** | Table | Lists WAF WebACLs that matched requests. |
| **Unique IP Address Count** | Metric | Unique source IPs seen. |
| **Number of Requests per Country** | Bar Chart | Comparative view of traffic volume per country. |

```json
{"attributes":{"buildNum":8430,"defaultIndex":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d"},"id":"3.0.0","migrationVersion":{"config":"7.9.0"},"references":[],"type":"config","updated_at":"2025-05-14T11:19:38.632Z","version":"WzIsMV0="}
{"attributes":{"fields":"[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"action\"}}},{\"count\":0,\"name\":\"captchaResponse.failureReason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"captchaResponse.failureReason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"captchaResponse.failureReason\"}}},{\"count\":0,\"name\":\"captchaResponse.responseCode\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"client_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client_ip\"}}},{\"count\":0,\"name\":\"country\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"country.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"country\"}}},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.original\"}}},{\"count\":0,\"name\":\"formatVersion\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.name\"}}},{\"count\":0,\"name\":\"host_header\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"host_header.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host_header\"}}},{\"count\":0,\"name\":\"httpRequest.clientIp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.clientIp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.clientIp\"}}},{\"count\":0,\"name\":\"httpRequest.country\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.country.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.country\"}}},{\"count\":0,\"name\":\"httpRequest.headers.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.headers.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.headers.name\"}}},{\"count\":0,\"name\":\"httpRequest.headers.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.headers.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.headers.value\"}}},{\"count\":0,\"name\":\"httpRequest.httpMethod\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.httpMethod.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.httpMethod\"}}},{\"count\":0,\"name\":\"httpRequest.httpVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.httpVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.httpVersion\"}}},{\"count\":0,\"name\":\"httpRequest.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"httpRequest.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"httpRequest.uri\"}}},{\"count\":0,\"name\":\"http_method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"http_method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http_method\"}}},{\"count\":0,\"name\":\"http_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"http_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http_version\"}}},{\"count\":0,\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"count\":0,\"name\":\"nonTerminatingMatchingRules.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"nonTerminatingMatchingRules.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"nonTerminatingMatchingRules.action\"}}},{\"count\":0,\"name\":\"nonTerminatingMatchingRules.ruleId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"nonTerminatingMatchingRules.ruleId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"nonTerminatingMatchingRules.ruleId\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.customValues.key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.customValues.key.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.customValues.key\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.customValues.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.customValues.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.customValues.name\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.customValues.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.customValues.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.customValues.value\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.evaluationWindowSec\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.evaluationWindowSec.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.evaluationWindowSec\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.limitKey\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.limitKey.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.limitKey\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.maxRateAllowed\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rateBasedRuleList.rateBasedRuleId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.rateBasedRuleId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.rateBasedRuleId\"}}},{\"count\":0,\"name\":\"rateBasedRuleList.rateBasedRuleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rateBasedRuleList.rateBasedRuleName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rateBasedRuleList.rateBasedRuleName\"}}},{\"count\":0,\"name\":\"terminatingRuleId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"terminatingRuleId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"terminatingRuleId\"}}},{\"count\":0,\"name\":\"terminatingRuleType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"terminatingRuleType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"terminatingRuleType\"}}},{\"count\":0,\"name\":\"terminating_rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"terminating_rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"terminating_rule\"}}},{\"count\":0,\"name\":\"timestamp\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"uri\"}}},{\"count\":0,\"name\":\"user_agent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"user_agent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user_agent\"}}},{\"count\":0,\"name\":\"webaclId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"webaclId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"webaclId\"}}}]","timeFieldName":"@timestamp","title":"aws-waf-logs-*"},"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2025-05-14T11:19:34.933Z","version":"WzEsMV0="}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"WAF Actions (ALLOW vs BLOCK vs CAPTCHA)","uiStateJSON":"{\"vis\":{\"colors\":{\"BLOCK\":\"#ef9988\"}}}","version":1,"visState":"{\"title\":\"WAF Actions (ALLOW vs BLOCK vs CAPTCHA)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"action.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"row\":true,\"type\":\"pie\"}}"},"id":"99127f00-30b7-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T12:15:02.158Z","version":"WzEzLDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Total HTTP Requests","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Total HTTP Requests\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Total HTTP Requests\"},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"63e0d4c0-30b8-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T11:41:35.628Z","version":"WzYsMV0="}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"action.keyword\",\"negate\":false,\"params\":{\"query\":\"BLOCK\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"action.keyword\":\"BLOCK\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Blocked HTTP Requests","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Blocked HTTP Requests\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Blocked Requests\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"\",\"language\":\"kuery\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"7132d620-30bb-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T12:03:30.357Z","version":"WzgsMV0="}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP Versions Breakdown","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP Versions Breakdown\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"http_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"7119bbf0-30d3-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T14:55:14.223Z","version":"WzE4LDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP Methods","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP Methods\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"http_method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true}}"},"id":"1f420b20-30d3-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T14:53:01.512Z","version":"WzE1LDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top Hosts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top Hosts\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"host_header.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"49df5b20-30d4-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T15:01:22.321Z","version":"WzI3LDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top Countries","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top Countries\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"country.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"0824e100-30d4-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T15:05:39.905Z","version":"WzMwLDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top IP Addresses","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top IP Addresses\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"client_ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"e4418fe0-30d3-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T15:05:50.998Z","version":"WzMxLDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top User Agents","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top User Agents\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"user_agent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"26b45d80-30d4-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T15:00:35.246Z","version":"WzI1LDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top Web ACLs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top Web ACLs\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"webaclId.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"c6952af0-30d4-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T15:05:19.523Z","version":"WzI5LDFd"}
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"674ecf5a-ed50-411f-8178-d0c28c2f0acd\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"674ecf5a-ed50-411f-8178-d0c28c2f0acd\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"9a2fb88c-a482-4adc-9ab9-1693caca9e07\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9a2fb88c-a482-4adc-9ab9-1693caca9e07\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"02404d24-4e9f-4120-bc80-5931a1e8fe7c\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"02404d24-4e9f-4120-bc80-5931a1e8fe7c\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"681f6ea4-757a-4fbd-b74d-20698edf01dd\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"681f6ea4-757a-4fbd-b74d-20698edf01dd\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1c3d4763-f99f-4945-a32f-c6553518f059\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"1c3d4763-f99f-4945-a32f-c6553518f059\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"9ce23390-217d-4d1d-a9df-0d9a2d858966\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"9ce23390-217d-4d1d-a9df-0d9a2d858966\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"d9b7d60d-e78b-473c-9493-4ed9cdeb824f\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"d9b7d60d-e78b-473c-9493-4ed9cdeb824f\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a7e493f6-23df-4c6d-b95a-d45fe9735d57\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"a7e493f6-23df-4c6d-b95a-d45fe9735d57\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"60758b57-6454-4bd0-a723-091816c4ed24\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"60758b57-6454-4bd0-a723-091816c4ed24\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"26cb5b48-4840-4a02-92f5-f783e6053c98\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"26cb5b48-4840-4a02-92f5-f783e6053c98\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"61169e8e-a911-47dd-8f4f-abab036fa0a7\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"61169e8e-a911-47dd-8f4f-abab036fa0a7\",\"version\":\"3.0.0\",\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"WAF-Monitorings","version":1},"id":"7d2643d0-30bc-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"99127f00-30b7-11f0-9eb5-8f6a0d106a1d","name":"panel_0","type":"visualization"},{"id":"63e0d4c0-30b8-11f0-9eb5-8f6a0d106a1d","name":"panel_1","type":"visualization"},{"id":"7132d620-30bb-11f0-9eb5-8f6a0d106a1d","name":"panel_2","type":"visualization"},{"id":"7119bbf0-30d3-11f0-9eb5-8f6a0d106a1d","name":"panel_3","type":"visualization"},{"id":"1f420b20-30d3-11f0-9eb5-8f6a0d106a1d","name":"panel_4","type":"visualization"},{"id":"49df5b20-30d4-11f0-9eb5-8f6a0d106a1d","name":"panel_5","type":"visualization"},{"id":"0824e100-30d4-11f0-9eb5-8f6a0d106a1d","name":"panel_6","type":"visualization"},{"id":"e4418fe0-30d3-11f0-9eb5-8f6a0d106a1d","name":"panel_7","type":"visualization"},{"id":"26b45d80-30d4-11f0-9eb5-8f6a0d106a1d","name":"panel_8","type":"visualization"},{"id":"c6952af0-30d4-11f0-9eb5-8f6a0d106a1d","name":"panel_9","type":"visualization"},{"id":"63e0d4c0-30b8-11f0-9eb5-8f6a0d106a1d","name":"panel_10","type":"visualization"}],"type":"dashboard","updated_at":"2025-05-15T06:06:12.962Z","version":"WzM2LDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Unique IP Address Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Unique IP Address Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"params\":{\"field\":\"client_ip.keyword\",\"customLabel\":\"Unique Client IPs\"},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"8e9c5c50-30d3-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T14:56:03.733Z","version":"WzE5LDFd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Number of Requests per Country","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Number of Requests per Country\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Total Requests\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"country.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Total Requests\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Total Requests\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"397b01f0-30d7-11f0-9eb5-8f6a0d106a1d","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"50aec450-30b5-11f0-9eb5-8f6a0d106a1d","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2025-05-14T15:22:22.388Z","version":"WzM0LDFd"}
{"exportedCount":15,"missingRefCount":0,"missingReferences":[]}
```

### 🛠️ How to Import the Dashboard

1. Navigate to **OpenSearch Dashboards** → **Dashboards Management** → **Saved Objects**.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747897938665/d1acf6db-441c-4441-bc07-abbfcc87bed3.png align="center")
    
2. Click **Import** and upload the export saved as an `.ndjson` file (one saved object per line; a line that has been wrapped by an editor or a copy-paste will make the import fail).
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747898004708/6e897ecc-9ad5-49ce-a1df-8501590e7642.png align="center")
    
3. Confirm and overwrite if prompted. The visualizations reference the index pattern by id (`50aec450-30b5-11f0-9eb5-8f6a0d106a1d` in the `references` arrays above); if the WAF index pattern on your cluster has a different id, the importer flags an index-pattern conflict and asks which of your patterns to map it to, so pick the one that covers your WAF index.
    
4. Navigate to **Dashboards** → **WAF-Monitorings**.
    

Once imported, the dashboard shows whatever WAF logs the index pattern holds for the selected time range, historical or fresh. It is near real-time rather than instant: Firehose buffers records before it writes an object to S3, and Logstash polls the bucket, so expect a delay of minutes between a request hitting the web ACL and its row appearing here. Note also that the **Blocked HTTP Requests** panel filters on `action.keyword: BLOCK`, which is the web ACL's terminating action; rules you leave in Count mode do not change that field, so their matches are not counted as blocks.
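
Before uploading an export like the one above, it is worth checking it offline: that every line is still one valid JSON object (a long line wrapped by a blog renderer or an editor is the usual failure), that every `references` entry points at an object that is actually in the file, and that the index-pattern references carry the id your own cluster uses. The following script is an added example written for this post, not code from the original post or from OpenSearch Dashboards; the miniature export it runs on is constructed, and the ids in it (`vis-1`, `dash-1`, `idx-old`, `idx-new`) are placeholders rather than the ids in the export above.

```python
"""Pre-import checks for an OpenSearch Dashboards saved-objects export (NDJSON).

Added example, not part of the original post. It parses an export such as the
one the post ships, names the first line that is not valid JSON, lists references
that nothing in the file satisfies, and re-points index-pattern references at the
id used on the target cluster.
"""
import json

# Constructed miniature export in the same shape as a real one. The ids are
# placeholders (assumption), not the ids from the post's export.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"id": "vis-1", "type": "visualization",
                "attributes": {"title": "Blocked HTTP Requests"},
                "references": [{"id": "idx-old",
                                "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
                                "type": "index-pattern"}]}),
    json.dumps({"id": "dash-1", "type": "dashboard",
                "attributes": {"title": "WAF-Monitorings"},
                "references": [{"id": "vis-1", "name": "panel_0", "type": "visualization"},
                               {"id": "vis-gone", "name": "panel_1", "type": "visualization"}]}),
    json.dumps({"exportedCount": 2, "missingRefCount": 0, "missingReferences": []}),
])


def parse_export(text):
    """Return (objects, summary). Raise ValueError naming the first bad line."""
    objects, summary = [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not valid JSON ({exc.msg}); "
                             "a saved object may have been wrapped across lines") from exc
        if "exportedCount" in obj:
            summary = obj          # trailing summary line written by the exporter
        else:
            objects.append(obj)
    if summary is not None and summary["exportedCount"] != len(objects):
        raise ValueError(f"summary says {summary['exportedCount']} objects, "
                         f"file has {len(objects)}")
    return objects, summary


def find_missing_references(objects):
    """(source id, ref type, ref id) for each reference not satisfied in the file.

    Index-pattern references are skipped on purpose: exports normally omit the
    pattern itself, and the importer lets you map it on the target cluster
    (or use remap_index_pattern below).
    """
    present = {(o["type"], o["id"]) for o in objects}
    missing = []
    for o in objects:
        for ref in o.get("references", []):
            if ref["type"] == "index-pattern":
                continue
            if (ref["type"], ref["id"]) not in present:
                missing.append((o["id"], ref["type"], ref["id"]))
    return missing


def remap_index_pattern(objects, new_id):
    """Point every index-pattern reference at new_id; return how many changed.

    new_id is the id of the pattern on your cluster (it appears in the browser
    URL when you open the pattern under Dashboards Management). Only the
    references array needs touching: searchSourceJSON carries an indexRefName
    that resolves through references, not the id itself.
    """
    changed = 0
    for o in objects:
        for ref in o.get("references", []):
            if ref["type"] == "index-pattern" and ref["id"] != new_id:
                ref["id"] = new_id
                changed += 1
    return changed


def to_ndjson(objects, summary=None):
    """Serialise back to the one-object-per-line form the importer expects."""
    lines = [json.dumps(o, separators=(",", ":")) for o in objects]
    if summary is not None:
        lines.append(json.dumps(summary, separators=(",", ":")))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    objs, summ = parse_export(SAMPLE_EXPORT)
    print("unsatisfied references:", find_missing_references(objs))
    print("index-pattern refs remapped:", remap_index_pattern(objs, "idx-new"))
    print(to_ndjson(objs, summ))
```

The remapped file can then be imported through the UI as in the steps above, or without the UI via the saved-objects API, for example `curl -X POST 'https://<dashboards-host>/api/saved_objects/_import?overwrite=true' -H 'osd-xsrf: true' -u <user>:<password> -F file=@waf-dashboard.ndjson` (host and credentials are placeholders). An unsatisfied `visualization` reference means the dashboard will import with an empty panel, so export again with the related objects included rather than importing as-is.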

## ✅ Conclusion

This blog walked you through building a log analysis pipeline using AWS WAF, Firehose, S3, Logstash, and OpenSearch. With this setup you can see every request the web ACL evaluated, allowed or blocked, broken down by source IP, country, user agent, method and host, and spot unwanted traffic within minutes of it arriving rather than after the fact, which is what lets you tune the WAF rules and improve the application's security posture.
