Web application firewalls bypasses collection and testing tools

How to test, evaluate, compare, and bypass web application and API security solutions like WAF, NGWAF, RASP, and WAAP

How To Analyze AWS WAF Logs to Find Attackers

AWS WAF monitors your application’s activity to block attacks before they happen. It does this by analyzing the type of requests and responses that your application makes.

WAF analyzes log files to find attack patterns, which is useful if you want to keep track of the ongoing security threats and their impact on your AWS account. However, not all log files contain attack patterns; some may hide more harmful information instead. Here are some things you should know when analyzing WAF logs to find attackers.

How does AWS WAF Works?

AWS WAF uses log files to analyze application activity. It generates attack patterns that you can use to keep track of the ongoing security threats and their impact on your AWS account.

When AWS WAF launches, it analyzes your app’s logs for attack patterns and blocks malicious requests before they reach your servers. When an attacker tries to make a request that is blocked, AWS WAF sends them a response containing information about the attack such as the time it was blocked, who made it, what type of request and what IP address was used.

WAF won’t launch if you haven’t enabled it yet; so if you have not yet set up a WAF policy, do so now!

Find Attack Patterns in WAF Logs

You will find attack patterns in WAF’s log files. These patterns represent the average behavior of your application’s requests and responses in an anomalous way. If you notice such a pattern, then it is likely that you are being targeted by an attacker.

When looking at your WAF logs, take note of the following:

  • The log file name
  • The time when the attack was detected
  • The location where the response was sent from
  • The state of the request
  • The type of request that is being made

Know the Meaning of Attacker Words in WAF Logs

The words attacker and attacks are used in the WAF logs to denote different things. The word attacker refers to hosts that attempt to connect and sends a request, while the word attack refers to an attack pattern that is logged by WAF.

An attacker might be a malicious agent attempting to send requests, or it could be a legitimate user connecting from an IP address outside of your network. While this may seem like a small difference between these two terms, it’s actually quite important.

Find More Harmful Information in WAF Logs

When you find an attack pattern in your WAF logs, it may be difficult to identify the attacker. So, you should also look at other types of logs that are captured by your WAF logs like security alerts and access patterns.

These other types of logs can help reveal additional information about the attack that was blocked by your WAF. For example, if an unknown IP address is blocked from accessing your application or if a particular user is blocked from accessing it, you can use this information to analyze the attacker’s identity and formulate a plan for how to make changes to your application so they don’t continue their attacks.

You should also consider using AWS CloudWatch Logs to help identify attackers without having to rely on WAF’s log files. If a potential attacker tries one or more failed requests repeatedly and then abandons their attempts after a few minutes, they might be trying to manipulate your application into giving them unauthorized access over its API. This would lead you to suspect that they are trying something nefarious on your website or application which is why you should also be monitoring CloudWatch Logs for suspicious activity related to your website or application’s APIs as well as any other system-related activities like instance creation, termination, etc.


AWS WAF is a common and important service for many companies. However, it can be difficult to pinpoint the root cause of an attack in a timely manner. The goal of this post is to provide a guide on how to use AWS WAF logs to find attackers.