The Cribl Search Pack for AWS WAF helps security and operations teams quickly understand, search, and visualize their AWS Web Application Firewall (WAF) logs without building dashboards, saved searches, or data pipelines from scratch.
Instead of re-ingesting logs or pushing everything into a SIEM, this pack enables search-in-place directly over data stored in Amazon S3, giving you immediate visibility into web traffic and threats with far less engineering effort.
What this Pack Delivers
The pack includes dashboards and saved searches tailored to the AWS WAF JSON log format, giving you immediate visibility into:
1. Overall WAF Activity
Total requests, allow/block volume, and traffic trends
High-level visibility for baselining and policy evaluation
2. Threat Detection Signals
Most triggered rules and rule groups
Top offending IPs, URIs, and geographies
Spikes that may indicate SQL injection, XSS, and other attack types
3. Operational Observability
Which accounts, apps, and environments generate the most WAF traffic
Data to help tune rules and reduce noise
Context needed for triage, forensics, and policy refinement
Because the pack runs on Cribl Search, you get federated querying across AWS logs in S3 — meaning you can analyze WAF events alongside CloudFront, ALB, VPC Flow Logs, CloudTrail, and more for richer investigation workflows.
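The signals listed above are all derived from fields of the AWS WAF JSON log format. As an added example (not code from the pack or from Cribl), the following Python computes the same allow/block volume, block rate, and top rules, IPs, URIs and countries from a few constructed WAF log lines, and skips a corrupt line of the kind a partially written S3 object can produce. The field names follow the AWS WAF log format; the sample values and the helper names (`_rec`, `parse_waf_lines`, `summarize_waf`) are assumptions made for this example.

```python
import json
from collections import Counter
def _rec(ts, action, rule_id, ip, country, uri, group_rule=None):
    # Constructed WAF log line (AWS WAF JSON field names); managed rule groups nest the rule under ruleGroupList.
    groups = [{"ruleGroupId": group_rule[0], "terminatingRule": {"ruleId": group_rule[1]}}] if group_rule else []
    return json.dumps({"timestamp": ts, "action": action, "terminatingRuleId": rule_id,
                       "ruleGroupList": groups,
                       "httpRequest": {"clientIp": ip, "country": country, "uri": uri}})

SQLI = ("AWS#AWSManagedRulesSQLiRuleSet", "SQLi_QUERYARGUMENTS")
XSS = ("AWS#AWSManagedRulesCommonRuleSet", "CrossSiteScripting_BODY")
# Constructed sample data (not real traffic): one JSON object per line, as WAF delivers them to S3.
SAMPLE_WAF_LINES = [
    _rec(1700000000000, "ALLOW", "Default_Action", "198.51.100.10", "US", "/"),
    _rec(1700000001000, "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet", "203.0.113.5", "RU", "/login", SQLI),
    _rec(1700000002000, "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet", "203.0.113.5", "RU", "/login", SQLI),
    _rec(1700000003000, "BLOCK", "AWS-AWSManagedRulesCommonRuleSet", "203.0.113.7", "CN", "/search", XSS),
    "{not valid json",  # a truncated line, as can happen with a partially written S3 object
]

def parse_waf_lines(lines):
    """Parse newline-delimited WAF JSON, skipping anything that is not a WAF record."""
    records = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # corrupt line: skip it rather than abort the whole object
        if isinstance(obj, dict) and "action" in obj:
            records.append(obj)
    return records

def summarize_waf(records, top_n=5):
    """Compute the dashboard-style signals: volume by action, top rules, IPs, URIs and countries."""
    counts = {k: Counter() for k in ("action", "rule", "clientIp", "uri", "country")}
    for r in records:
        counts["action"][r.get("action", "?")] += 1
        req = r.get("httpRequest", {})
        for field in ("clientIp", "uri", "country"):
            counts[field][req.get(field, "?")] += 1
        # terminatingRuleId is only the group for managed rules; append the nested rule that fired.
        rule = r.get("terminatingRuleId", "?")
        for g in r.get("ruleGroupList", []):
            if g.get("terminatingRule"):
                rule += "/" + g["terminatingRule"].get("ruleId", "?")
        counts["rule"][rule] += 1
    summary = {"total": len(records), "block_rate": counts["action"]["BLOCK"] / max(len(records), 1)}
    summary.update({f"top_{k}": c.most_common(top_n) for k, c in counts.items()})
    return summary
```

Running `summarize_waf(parse_waf_lines(SAMPLE_WAF_LINES))` on the constructed lines reports 4 requests, a block rate of 0.75, and the SQLi managed rule as the most triggered rule; pointing `parse_waf_lines` at a few raw lines pulled from the bucket is a quick way to sanity-check the pack's dashboards.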
Key Benefits
Using this pack, teams can:
Speed up time to value: prebuilt visualizations and queries enable you to go from installation to useful dashboards in minutes.
Better security visibility: correlate blocked and allowed requests with suspicious IPs, user agents, and request patterns to detect abuse earlier.
No ETL or SIEM dependency: there is no need to ETL WAF logs into a separate SIEM or data warehouse just to search them, which avoids heavy engineering work.
Fully customizable: clone dashboards, adapt fields, and extend the pack to support adjacent datasets such as AWS Shield or Amazon Security Lake.
You get control, speed, and flexibility — without having to design everything yourself.
Prerequisites
Before installation, ensure you have:
A running Cribl Search deployment with access to your AWS environment.
AWS WAF logging enabled, sending logs to an Amazon S3 bucket (typically via Kinesis Data Firehose or direct S3 logging configuration).
IAM permissions that allow Cribl Search workers to list and read objects from the S3 bucket that stores your WAF logs.
Having a consistent S3 prefix and partitioning scheme (for example, by date) simplifies dataset configuration and improves query performance.
Installation steps
To install the Cribl Search Pack for AWS WAF:
Open Packs → Dispensary in the Cribl Search UI. Search for “AWS WAF”.
Select the pack from the catalogue and choose Install into your Cribl Search environment.
Open the pack to review its contents: datasets, dashboards, saved searches, and sample data.
Configure a Search Dataset and connect it to your WAF data. For an S3 bucket, follow the Searching AWS S3 instructions.
Update the WAF dataset name to the dataset configured in Cribl Search by updating the macro wafDataset. Use double quotes around the replacement value, for example “myWafDataset”. By default, the macro points at the canned sample data shipped with the pack, using the following expression:
"$vt_lookups" lookupFile="waf_data" | extract type=json
This expression uses the sample dataset, shipped as a lookup table with the pack, to populate the visualizations instead of the actual data sourced from the WAF dataset. You can set the macro wafDataset back to this value at any time to revert to the sample data and test the visualizations and queries.
Using Dashboards and Searches
After the dataset is wired up, open the included dashboards to validate everything against either the bundled sample data or your live S3 logs. You can then:
Drill into time ranges where block rates spike to inspect individual requests and rule hits.
Filter by application, path, or IP range to understand how specific services are being protected and where rules might need tuning.
From there, copy or adapt the saved searches to create alerts, scheduled reports, or custom visualizations that match your threat models and operational SLAs. For threat investigations and operational visibility, this pack gives you a ready-made foundation you can expand as you grow.
Start Searching Your WAF Logs the Smart Way
Get to insight faster. Cut down engineering effort. Analyze threats directly in S3 without re-architecting your pipeline.
Install the Cribl Search Pack for AWS WAF and see how much easier WAF visibility can be.