What Changed
Two new ASIM WebSession parsers have been added for AWS Web Application Firewall (WAF):
- ASimWebSessionAWSWAF – parameter-less normalization parser
- vimWebSessionAWSWAF – filtering/parameterized parser
Both parsers normalize logs from the AWSWAF table into the ASIM WebSession schema v0.2.7. The top-level umbrella parsers ASimWebSession (bumped to v0.5.7) and imWebSession (bumped to v0.6.5) have been updated to include the new AWS WAF source.
Parser Impact
Schema: WebSession v0.2.7 – source table: AWSWAF
Key field mappings:
| AWSWAF source field | ASIM normalized field | Notes |
|---|---|---|
| Action (via lookup) | DvcAction, EventResult, EventSeverity | ALLOW->Allow/Success; BLOCK/CAPTCHA/CHALLENGE->Deny/Failure |
| Action | DvcOriginalAction | Raw action value preserved |
| HttpRequest.clientIp | SrcIpAddr, Src | |
| HttpRequest.country | SrcGeoCountry | |
| HttpRequest.uri, host, scheme, args | Url | Reconstructed full URL |
| HttpRequest.httpMethod | HttpRequestMethod | |
| HttpRequest.httpVersion | HttpVersion | |
| HttpRequest.headers | HttpHost, HttpUserAgent, HttpReferrer, HttpCookie, HttpRequestXff | Extracted via mv-apply on host/user-agent/referer/cookie/X-Forwarded-For |
| TerminatingRuleId | RuleName, Rule | The WAF rule that terminated evaluation |
| ResponseCodeSent | EventResultDetails, HttpStatusCode | Only populated when a custom block response is configured on the web ACL; otherwise AWS WAF does not log a response code |
| HttpSourceId | DstDvcId | |
| WebAclId | Dvc, DvcId | Falls back to AWS/WAF if empty |
Destination resolution: The parser parses the destination host robustly – it strips the square brackets from bracketed IPv6 addresses, splits host:port patterns, distinguishes valid IP addresses from IP-shaped strings that are not valid addresses, and populates DstIpAddr, DstHostname, DstFQDN, and DstDomain accordingly.
AdditionalFields (pack=true): HttpSourceName, TerminatingRuleType, TerminatingRuleMatchDetails, RuleGroupList, RateBasedRuleList, Labels, Ja3Fingerprint (JA3).
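To make the mapping table and the destination-resolution rules above concrete, here is an added Python model of the same logic (illustration only, not the KQL of the parser itself). The record shape is a constructed AWSWAF-style row, the Action lookup mirrors the table, and DstPortNumber and the scheme field are assumptions for the sake of the example.

```python
import ipaddress

# Constructed sample shaped like an AWSWAF table row (not real log data).
SAMPLE = {
    "Action": "BLOCK",
    "HttpRequest": {
        "clientIp": "203.0.113.9", "uri": "/login", "args": "user=admin",
        "httpMethod": "POST", "httpVersion": "HTTP/1.1", "scheme": "https",
        "headers": [{"name": "Host", "value": "[2001:db8::1]:8443"},
                    {"name": "User-Agent", "value": "curl/8.0"}],
    },
    "TerminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet",
    "WebAclId": "",  # empty -> Dvc/DvcId fall back to AWS/WAF
}

# Mirrors the Action lookup in the mapping table above.
ACTION_LOOKUP = {"ALLOW": ("Allow", "Success"), "BLOCK": ("Deny", "Failure"),
                 "CAPTCHA": ("Deny", "Failure"), "CHALLENGE": ("Deny", "Failure")}

def resolve_destination(host_header):
    """Strip IPv6 brackets, split host:port, and keep only real IPs as DstIpAddr."""
    host, port = host_header, None
    if host.startswith("[") and "]" in host:        # bracketed IPv6, optional :port
        host, _, rest = host[1:].partition("]")
        port = int(rest[1:]) if rest[1:].isdigit() else None
    elif host.count(":") == 1:                      # hostname:port or IPv4:port
        host, _, p = host.rpartition(":")
        port = int(p) if p.isdigit() else None
    dst = {"DstPortNumber": port}                   # DstPortNumber: assumed field
    try:
        ipaddress.ip_address(host)                  # "999.1.1.1" is IP-shaped but invalid
        dst["DstIpAddr"] = host
    except ValueError:                              # treat as a hostname instead
        name, _, domain = host.partition(".")
        dst.update(DstHostname=name, DstDomain=domain, DstFQDN=host)
    return dst

def normalize(rec):
    """Project one WAF record onto the ASIM WebSession fields listed above."""
    req = rec["HttpRequest"]
    hdr = {h["name"].lower(): h["value"] for h in req["headers"]}  # like mv-apply
    action, result = ACTION_LOOKUP.get(rec["Action"], ("", ""))
    query = f"?{req['args']}" if req.get("args") else ""
    out = {"DvcAction": action, "EventResult": result, "DvcOriginalAction": rec["Action"],
           "SrcIpAddr": req["clientIp"], "HttpRequestMethod": req["httpMethod"],
           "HttpVersion": req["httpVersion"], "HttpHost": hdr.get("host"),
           "HttpUserAgent": hdr.get("user-agent"), "RuleName": rec["TerminatingRuleId"],
           "DvcId": rec["WebAclId"] or "AWS/WAF",
           "Url": f"{req['scheme']}://{hdr.get('host', '')}{req['uri']}{query}"}
    out.update(resolve_destination(hdr.get("host", "")))
    return out
```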
Gap closed: Before this parser, AWSWAF data was not reachable by any imWebSession-based detection or hunting query. Existing source-agnostic rules (e.g., threat-intelligence matching against imWebSession, anomalous URL patterns) now cover AWS WAF traffic without modification.
MITRE Coverage
No MITRE techniques are encoded in the parser YAML. However, WAF normalization into imWebSession unlocks coverage for web-based initial access and exploitation techniques (e.g., T1190 – Exploit Public-Facing Application) via existing unified detections.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/AWSWAF.json
Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json
Parsers/ASimWebSession/ARM/ASimWebSessionAWSWAF/ASimWebSessionAWSWAF.json
Parsers/ASimWebSession/ARM/ASimWebSessionAWSWAF/README.md
Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json
Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json
Parsers/ASimWebSession/ARM/vimWebSessionAWSWAF/README.md
Parsers/ASimWebSession/ARM/vimWebSessionAWSWAF/vimWebSessionAWSWAF.json
Parsers/ASimWebSession/CHANGELOG/ASimWebSession.md
Parsers/ASimWebSession/CHANGELOG/ASimWebSessionAWSWAF.md
Parsers/ASimWebSession/CHANGELOG/imWebSession.md
Parsers/ASimWebSession/CHANGELOG/vimWebSessionAWSWAF.md
Parsers/ASimWebSession/Parsers/ASimWebSession.yaml
Parsers/ASimWebSession/Parsers/ASimWebSessionAWSWAF.yaml
Parsers/ASimWebSession/Parsers/imWebSession.yaml
Parsers/ASimWebSession/Parsers/vimWebSessionAWSWAF.yaml
Parsers/ASimWebSession/Tests/AWS_WAF_ASimWebSession_DataTest.csv
Parsers/ASimWebSession/Tests/AWS_WAF_ASimWebSession_SchemaTest.csv
Parsers/ASimWebSession/Tests/AWS_WAF_vimWebSession_DataTest.csv
Parsers/ASimWebSession/Tests/AWS_WAF_vimWebSession_SchemaTest.csv
Sample Data/ASIM/AWS_WAF_WebSession_IngestedLogs.csv