View Amazon Athena queries - Security Automations for AWS WAF

View Amazon Athena queries

If you selected Yes - Amazon Athena log parser for the Activate HTTP Flood Protection or Activate Scanner & Probe Protection template parameters, this solution creates and runs Athena queries against CloudFront or ALB access logs (ScannersProbesLogParser) or AWS WAF logs (HTTPFloodLogParser), parses the output, and updates AWS WAF accordingly.

To improve performance and keep costs low, the solution partitions logs based on timestamps in the file names. The solution dynamically generates Athena queries to use partition keys (year, month, day, and hour). By default, queries run every five minutes. You can configure their run schedules by changing the value of the Athena Query Run Time Schedule (Minute) template parameter. Each query run scans the last four to five hours of data by default. You can configure the amount of data that a query scans by changing the value of the WAF Block Period template parameter. The solution also places queries in separate workgroups to manage query access and costs.

Note

Verify that Athena is configured to access the AWS Glue Data Catalog. This solution creates the access logs data catalog in AWS Glue and configures an Athena query to process the data. If Athena isn't configured correctly, the query doesn't run. For more information, refer to Upgrading to the latest AWS Glue Data Catalog step-by-step.

Use the following procedures to view these queries:

View WAF log queries

  1. Sign in to the Amazon Athena console.

  2. Choose Launch query editor.

  3. Select the database for this solution.

  4. Select WAFLogAthenaQueryWorkGroup from the dropdown list.

    Note

    This workgroup exists only if you selected Yes - Amazon Athena log parser for the Activate HTTP Flood Protection template parameter.

  5. Choose Switch to switch the workgroup.

    Screenshot: Athena query editor showing no queries.

  6. Select the History tab.

  7. Select and open SELECT queries from the list.

View application access log queries

  1. Sign in to the Amazon Athena console.

  2. Select the Workgroup tab.

  3. Select WAFAppAccessLogAthenaQueryWorkGroup from the list.

    Note

    This workgroup exists only if you selected Yes - Amazon Athena log parser for the Activate Scanner & Probe Protection template parameter.

  4. Choose Switch workgroup.

  5. Select the Recent queries tab.

  6. Select and open SELECT queries from the list.

View Athena add-partition queries

  1. Sign in to the Amazon Athena console.

  2. Select the Workgroup tab.

  3. Select WAFAddPartitionAthenaQueryWorkGroup from the list.

    Note

    This workgroup exists only if you selected Yes - Amazon Athena log parser for the Activate HTTP Flood Protection and/or Activate Scanner & Probe Protection template parameter.

  4. Select Switch workgroup.

  5. Select the History tab.

  6. Select and open ALTER TABLE queries from the list. These queries run every hour to add a new hourly partition to the Athena table.
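As an added example (not code from the Security Automations for AWS WAF solution), the following Python shows how the hourly partition scheme described above and the hourly ALTER TABLE queries fit together: it computes the (year, month, day, hour) partitions that cover one WAF Block Period, emits a SELECT restricted to those partitions, and emits the ADD PARTITION statement for the next hour. The table name, the httprequest.clientip column, and the S3 layout are assumptions.

```python
# Added example, not code from the Security Automations for AWS WAF solution.
# The table name, partition-key names, S3 layout and the clientip column are
# assumptions for illustration.
from datetime import datetime, timedelta, timezone

TABLE = "waf_logs"                           # assumed table name
S3_PREFIX = "s3://example-log-bucket/waf/"   # constructed, assumed S3 layout


def partitions_for_window(end, block_period_minutes):
    """(year, month, day, hour) tuples that cover the last block_period_minutes
    up to `end`. Partitions are hourly, so a 240-minute window touches four or
    five of them; datetime arithmetic handles day, month and year rollovers."""
    end_hour = end.replace(minute=0, second=0, microsecond=0)
    hours = -(-block_period_minutes // 60)   # whole hours of history, rounded up
    start = end_hour - timedelta(hours=hours)
    return [(t.year, t.month, t.day, t.hour)
            for t in (start + timedelta(hours=i) for i in range(hours + 1))]


def partition_predicate(partitions):
    """OR-ed equality terms: with separate key columns, a window that crosses
    midnight cannot be written as a simple range on each column."""
    return " OR ".join(f"(year = {y} AND month = {m} AND day = {d} AND hour = {h})"
                       for y, m, d, h in partitions)


def build_scan_query(end, block_period_minutes, threshold):
    """SELECT counting requests per client IP inside the block period; the
    partition predicate keeps Athena from scanning older hours."""
    where = partition_predicate(partitions_for_window(end, block_period_minutes))
    return (f"SELECT httprequest.clientip AS client_ip, COUNT(*) AS requests\n"
            f"FROM {TABLE}\nWHERE {where}\n"
            f"GROUP BY httprequest.clientip\nHAVING COUNT(*) >= {threshold}")


def build_add_partition_query(hour):
    """ALTER TABLE statement run once per hour to register the next partition."""
    y, m, d, h = hour.year, hour.month, hour.day, hour.hour
    return (f"ALTER TABLE {TABLE} ADD IF NOT EXISTS "
            f"PARTITION (year={y}, month={m}, day={d}, hour={h}) "
            f"LOCATION '{S3_PREFIX}year={y}/month={m:02d}/day={d:02d}/hour={h:02d}/'")


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 0, 30, tzinfo=timezone.utc)  # constructed sample time
    print(build_scan_query(now, 240, 2000))
    print(build_add_partition_query(now + timedelta(hours=1)))
```

The sample time sits just after a year boundary, so the generated predicate spans partitions in both 2023 and 2024, which is the case a naive per-column range filter gets wrong.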