Cloud | CloudWatch Metric Streams + IAM

AWS WAF Integration

Monitor web ACL request metrics, rule match counts, and blocked request analytics across your AWS WAF deployments. Get AI-powered anomaly detection for threat patterns before they impact application availability.

Setup

How It Works

01. Enable WAF Metric Logging

Ensure your Web ACLs have CloudWatch metrics enabled. Each rule group and managed rule within the ACL automatically publishes request counts to the AWS/WAFV2 namespace.

02. Deploy CloudWatch Metric Streams

Run the TigerOps CloudFormation stack to create a Metric Stream for the AWS/WAFV2 namespace. All Web ACL request and block metrics begin flowing to TigerOps immediately.

03. Configure Threat Spike Alerts

Set alert thresholds on blocked request rates, SQL injection matches, and XSS matches. TigerOps fires alerts when attack patterns deviate from historical baselines.

04. Correlate with Application Errors

TigerOps links WAF block spikes with application error rate increases, helping distinguish legitimate traffic drops from ongoing attacks targeting your APIs.

Capabilities

What You Get Out of the Box

Web ACL Request Metrics

Total allowed, blocked, and counted requests per Web ACL. Track request volume trends and detect sudden traffic spikes that indicate scraping or DDoS activity.

Rule Match Analytics

Per-rule and per-rule-group match counts including AWS Managed Rules, custom rules, and rate-based rules. Understand which rules are firing most frequently.

Blocked Request Trends

Historical blocked request rates by rule type including SQLi, XSS, IP reputation, and geo-match blocks. Build security dashboards showing attack surface over time.

Rate Limit Trigger Monitoring

Track when rate-based rules trigger and by how much. Correlate rate limit activations with specific IP ranges, user agents, or URI paths from WAF full logs.

Multi-Region WAF Coverage

Aggregate Web ACL metrics from all AWS regions plus CloudFront-associated global WAFs into a single TigerOps dashboard for unified security posture visibility.

AI Anomalous Request Detection

TigerOps AI establishes request pattern baselines per ACL and alerts on anomalous spikes in specific rule categories, reducing false positives from normal traffic variance.

Configuration

CloudFormation Stack for WAF Metric Streams

Deploy the TigerOps CloudFormation stack to start streaming WAF metrics and blocked request analytics.

tigerops-waf-streams.yaml
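# TigerOps CloudFormation — WAF Metric Streams
# TigerOpsApiKey has no default, so pass it at deploy time
# (TIGEROPS_API_KEY is an assumed environment variable name):
# aws cloudformation deploy \
#   --template-file tigerops-waf-streams.yaml \
#   --stack-name tigerops-waf \
#   --capabilities CAPABILITY_IAM \
#   --parameter-overrides TigerOpsApiKey="$TIGEROPS_API_KEY"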

Parameters:
  TigerOpsApiKey:
    Type: String
    NoEcho: true

Resources:
  # Regional WAF stream (deploy in each region)
  TigerOpsWAFRegionalStream:
    Type: AWS::CloudWatch::MetricStream
    Properties:
      Name: tigerops-waf-regional-stream
      FirehoseArn: !GetAtt TigerOpsDeliveryStream.Arn
      RoleArn: !GetAtt MetricStreamRole.Arn
      OutputFormat: opentelemetry0.7
      IncludeFilters:
        - Namespace: AWS/WAFV2
        - Namespace: AWS/WAF

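  # MetricStreamRole is referenced above but not defined on the original page.
  # Assumed definition: CloudWatch Metric Streams may write only to this delivery stream.
  MetricStreamRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: streams.metrics.cloudwatch.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: tigerops-metric-stream-to-firehose
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - firehose:PutRecord
                  - firehose:PutRecordBatch
                Resource: !GetAtt TigerOpsDeliveryStream.Arn

  # Note: For CloudFront WAF, also deploy this stack in us-east-1
  # Firehose HTTP endpoint destinations also require an S3Configuration (backup
  # bucket) and a delivery role; neither is shown on this page.
  TigerOpsDeliveryStream: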
    Type: AWS::KinesisFirehose::DeliveryStream
    Properties:
      HttpEndpointDestinationConfiguration:
        EndpointConfiguration:
          Url: https://ingest.atatus.net/api/v1/cloudwatch
          AccessKey: !Ref TigerOpsApiKey
        RequestConfiguration:
          CommonAttributes:
            - AttributeName: service
              AttributeValue: waf
            - AttributeName: region
              AttributeValue: !Ref AWS::Region
        RetryOptions:
          DurationInSeconds: 60

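# Enable WAF full logging for request log analysis. The destination here is a
# Firehose delivery stream, whose name must start with "aws-waf-logs-".
# RedactedFields=[] redacts nothing, so all request headers (including
# Authorization and Cookie) appear in the logs.
# The shorthand value must be a single shell argument with no spaces:
# aws wafv2 put-logging-configuration \
#   --logging-configuration \
#     'ResourceArn=<WEB_ACL_ARN>,LogDestinationConfigs=<FIREHOSE_ARN>,RedactedFields=[]'

FAQ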

Common Questions

Does TigerOps support both WAFv1 and WAFv2?

TigerOps supports WAFv2 (AWS WAFV2) via CloudWatch Metric Streams from the AWS/WAFV2 namespace. Legacy WAFv1 metrics from the AWS/WAF namespace are also supported for accounts still using classic WAF resources.

Can TigerOps ingest WAF full request logs for deeper analysis?

Yes. In addition to CloudWatch metrics, TigerOps can ingest WAF full logs delivered to S3 or Kinesis Firehose. This enables IP-level blocked request analysis, URI path matching, and user agent breakdown beyond what CloudWatch metrics alone provide.
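The breakdown that full logs make possible (blocked requests per client IP, URI path, user agent, and rate-based rule triggers) can be sketched as follows. This is an added example, not TigerOps code: it uses AWS WAF log field names, the sample records are constructed, and the rule name `login-rate-limit` is hypothetical.

```python
import json
from collections import Counter

def _rec(action, rule, rtype, ip, uri, ua):
    """Build one constructed record using AWS WAF log field names."""
    return json.dumps({
        "timestamp": 1700000000000, "action": action,
        "terminatingRuleId": rule, "terminatingRuleType": rtype,
        "httpRequest": {"clientIp": ip, "uri": uri, "httpMethod": "GET",
                        "headers": [{"name": "User-Agent", "value": ua}]}})

SQLI, RATE = "AWS-AWSManagedRulesSQLiRuleSet", "login-rate-limit"  # RATE is hypothetical
# Constructed sample input; the last entry simulates a truncated log line.
SAMPLE = [
    _rec("BLOCK", SQLI, "MANAGED_RULE_GROUP", "198.51.100.7", "/api/search", "curl/8.4.0"),
    _rec("BLOCK", RATE, "RATE_BASED", "203.0.113.9", "/login", "python-requests/2.31.0"),
    _rec("BLOCK", RATE, "RATE_BASED", "203.0.113.9", "/login", "python-requests/2.31.0"),
    _rec("ALLOW", "Default_Action", "REGULAR", "192.0.2.10", "/", "Mozilla/5.0"),
    _rec("BLOCK", SQLI, "MANAGED_RULE_GROUP", "203.0.113.9", "/api/search", "curl/8.4.0"),
    '{"action": "BLOCK", "httpRequest"',
]

def blocked_breakdown(lines):
    """Count BLOCK records per client IP, URI, user agent and terminating rule."""
    keys = ("ip", "uri", "user_agent", "rule", "rate_limited_ip")
    stats = {k: Counter() for k in keys}
    skipped = 0
    for line in lines:
        try:
            rec = json.loads(line)
            req = rec["httpRequest"]
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # truncated or non-WAF line: count it, keep going
            continue
        if rec.get("action") != "BLOCK":
            continue
        ip = req.get("clientIp", "-")
        # Headers are a list of {"name", "value"} pairs; names vary in case.
        ua = next((h.get("value", "-") for h in req.get("headers", [])
                   if h.get("name", "").lower() == "user-agent"), "-")
        stats["ip"][ip] += 1
        stats["uri"][req.get("uri", "-")] += 1
        stats["user_agent"][ua] += 1
        stats["rule"][rec.get("terminatingRuleId", "-")] += 1
        if rec.get("terminatingRuleType") == "RATE_BASED":
            stats["rate_limited_ip"][ip] += 1  # which clients trip rate limits
    return stats, skipped

if __name__ == "__main__":
    stats, skipped = blocked_breakdown(SAMPLE)
    for key, counter in stats.items():
        print(key, counter.most_common(3))
    print("skipped lines:", skipped)
```

The `skipped` count is worth alerting on by itself: a rise in unparseable lines usually means a delivery or format problem that would otherwise hide blocked traffic from the breakdown.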

How do I monitor WAF rules associated with CloudFront?

CloudFront-associated Web ACLs are global (us-east-1) resources. TigerOps includes a global WAF Metric Stream in the us-east-1 region that captures all CloudFront ACL metrics alongside your regional WAF deployments.

Can TigerOps alert when my WAF switches a rule from Count to Block mode?

Yes. TigerOps monitors WAF rule configuration changes via AWS CloudTrail events. When a rule group action changes, TigerOps creates an annotation on your metrics timeline so you can correlate block rate changes with rule configuration updates.

Does TigerOps track AWS Managed Rule false positives?

Yes. TigerOps allows you to define expected block rate ranges per managed rule group. When a rule group fires at a rate significantly above the expected baseline, TigerOps flags it as a potential false positive spike for review.
