Generative AI for AWS WAF Log Analysis
Explore how Bedrock GenAI simplifies AWS WAF traffic management, streamlining log processing and enhancing security for web applications
chethan
Amazon Employee
Published Dec 19, 2024
Generative AI is a type of artificial intelligence technology that can produce various types of content, including text, imagery, and audio, in response to prompts.
Amazon Bedrock is a fully managed service that offers a choice of high-performing foundation models (FMs) from leading AI companies. Using Amazon Bedrock, you can easily experiment with and evaluate top FMs for your use case, privately customize them with your data using techniques such as fine-tuning.
In this post, we explore the use of Amazon Bedrock to translate a natural language question into an analysis of WAF logs. For this task, I have selected the Anthropic Claude 3 Haiku model to act as a SQL developer and provide a summary of the logs.
The primary objective is to demonstrate how advanced AI models can be leveraged to interpret human language queries and transform them into actionable SQL queries. This approach can significantly streamline the process of analyzing complex log data, making it more accessible to users who may not have extensive SQL expertise.
Instructions for the Agent: In this scenario, the AI model will take on the role of a SQL developer. It will be responsible for creating queries based on the natural language input provided. The agent should focus on interpreting the user's request, formulating appropriate SQL queries, and presenting the results in a clear and concise manner.
Define a Lambda function to handle the action group and to customize how the API response is returned to the agent. You use the variables from the input event to implement your functions and return a response to the agent. For more information, see here.
Note: For your agent to use a Lambda function, you must attach a resource-based policy to the function to provide permissions for the agent.
The following is an example of how the Lambda function can be defined in Python to run the query to Athena.
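The post does not reproduce its Lambda code, so the following is an added example (not the author's own) of such a handler: it takes the agent-generated SQL from the action group event, refuses anything that is not a single read-only statement, runs it through Athena and returns the rows in the response shape Bedrock Agents expects. It assumes the action group passes the SQL as a parameter named `query`, and that `ATHENA_DATABASE` and `ATHENA_OUTPUT` are set in the function's environment; the sample event and the table name `waf_logs` are constructed for illustration.

```python
import json
import os
import re
import time

# Constructed sample event (not from the post); the SQL is assumed to arrive as a parameter named "query".
SAMPLE_EVENT = {"messageVersion": "1.0", "actionGroup": "waf-log-query", "apiPath": "/query",
                "httpMethod": "POST", "parameters": [{"name": "query", "type": "string", "value":
                "SELECT httprequest.clientip AS ip, count(*) AS hits FROM waf_logs "
                "GROUP BY 1 ORDER BY 2 DESC LIMIT 10"}]}

def is_read_only(sql):
    """Accept a single SELECT/WITH statement; pair this check with a read-only Lambda role."""
    return ";" not in sql.strip().rstrip(";") and re.match(r"\s*(SELECT|WITH)\b", sql, re.I) is not None

def rows_from_results(result_set):
    """Flatten Athena's nested ResultSet into dicts; the first row carries the column names."""
    rows = result_set["ResultSet"]["Rows"]
    header = [c.get("VarCharValue", "") for c in rows[0]["Data"]]
    return [dict(zip(header, [c.get("VarCharValue") for c in r["Data"]])) for r in rows[1:]]

def agent_response(event, status, body):
    """Build the response shape Bedrock Agents expects back from an action group Lambda."""
    return {"messageVersion": "1.0",
            "response": {"actionGroup": event["actionGroup"], "apiPath": event["apiPath"],
                         "httpMethod": event["httpMethod"], "httpStatusCode": status,
                         "responseBody": {"application/json": {"body": json.dumps(body)}}}}

def run_athena_query(athena, sql):
    """Start the query in the configured database, poll to completion, return flattened rows."""
    qid = athena.start_query_execution(
        QueryString=sql, QueryExecutionContext={"Database": os.environ["ATHENA_DATABASE"]},
        ResultConfiguration={"OutputLocation": os.environ["ATHENA_OUTPUT"]})["QueryExecutionId"]
    state = "RUNNING"
    while state in ("QUEUED", "RUNNING"):
        time.sleep(1)
        state = athena.get_query_execution(QueryExecutionId=qid)["QueryExecution"]["Status"]["State"]
    if state != "SUCCEEDED":
        raise RuntimeError(f"Athena query {state}")
    return rows_from_results(athena.get_query_results(QueryExecutionId=qid, MaxResults=100))

def lambda_handler(event, context, athena=None):
    sql = next((p["value"] for p in event.get("parameters", []) if p["name"] == "query"), "")
    if not is_read_only(sql):
        return agent_response(event, 400, {"error": "only a single SELECT statement is allowed"})
    if athena is None:
        import boto3  # imported lazily so the helpers above can be exercised without AWS access
        athena = boto3.client("athena")
    return agent_response(event, 200, {"rows": run_athena_query(athena, sql)})
```

Because the model writes the SQL, the statement filter and a read-only IAM role for the function are what keep a misbehaving or manipulated prompt from turning into writes against the log tables.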
The orchestration strategy can be customized for advanced use cases, using the provided sample examples as a starting point.
Now that we've set up the necessary components, we can start asking the agent questions. To do this, use Test Agent in the Amazon Bedrock console.
Check the logs for the last 2 hours and see if there are any sudden spikes in incoming traffic from multiple sources. Compare this with normal traffic patterns and, based on that, would you classify it as DDoS? Answer in one sentence.
The query above runs through the logs and lists the top talkers by number of requests.
I'm running a server which accepts 50K rps (requests per second). Based on the traffic volume received in the last 10 days, including the spiked traffic, would you recommend adding additional resources to serve customer requests?
Which gives us the following results:
These are just a couple of examples of how to analyze WAF logs. You can create and expand upon a variety of prompts to extract the specific information you are looking for from your WAF logs. By tailoring your queries and exploring different aspects of the log data, you can uncover valuable insights about your web application's security posture, potential threats, and areas for improvement.
With Bedrock GenAI, you can efficiently process and analyze not only AWS WAF logs but also other important log sources. These include VPC flow logs, ALB access logs, CloudFront logs, and more. By leveraging this comprehensive solution, you can gain valuable insights into your network traffic and security posture across multiple AWS services.
You can enhance this functionality further by experimenting with different foundation models available on Amazon Bedrock. These models provide a range of capabilities that can be tailored to your specific needs, allowing for more sophisticated traffic analysis and decision-making processes.
Additionally, you can take advantage of retrieval augmented generation (RAG) by incorporating knowledge bases into your setup. This approach allows you to provide your own data sources, enriching the AI's understanding and improving its performance in managing WAF traffic. By leveraging RAG, you can create a more customized and effective solution for your specific use case.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.