Posted On: Dec 19, 2019

AWS WAF has added a new log field, terminatingRuleMatchDetails, that allows you to identify the area within a request deemed to be suspicious by SQLi or XSS detection rules.

This new log field can help you in troubleshooting false-positive scenarios, allowing quick identification of problematic areas for whitelisting. It can also help you locate areas within requests that are frequently targeted by malicious actors.

There is no additional configuration required to enable this new field for existing log streams. For new log streams, it is included when you enable logging on your web ACL. Enabling logging for web ACLs is done in two steps. First, create an instance of the Amazon Kinesis Data Firehose from the Amazon Kinesis console. Afterwards, in the WAF & Shield console select the web ACL, go to logging and metrics tab, and select the Firehose instance that you have created.

There is no additional cost to enable logging on AWS WAF (minus Kinesis Firehose and any storage cost). To learn more, please see the AWS WAF developer guide on logging.