- Query for WAF rate-limit block counts, grouped by country and client IP
fields @timestamp, @message
| filter @message like /Rate-Limit/ and @message like /BLOCK/
| parse @message '"terminatingRuleId":"*"' as ruleId
| parse @message '"clientIp":"*"' as clientIp
| parse @message '"country":"*"' as country
| stats count(*) as blockCount by clientIp, country
| sort blockCount desc
| limit 100
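
The filter above matches `Rate-Limit` and `BLOCK` anywhere in the raw message, including client-supplied header values. The Python sketch below is an added example, not part of the original note: it runs the same aggregation over constructed log lines and compares it with matching on the `action` and `terminatingRuleId` fields. The rule names, IPs and header value are assumptions made for illustration.

```python
import json
from collections import Counter

def _rec(action, rule_id, ip, country, headers=()):
    """Build one constructed WAF log line with the fields the query parses."""
    return json.dumps({"action": action, "terminatingRuleId": rule_id,
                       "httpRequest": {"clientIp": ip, "country": country,
                                       "headers": list(headers)}})

# Constructed sample records (documentation IP ranges, hypothetical rule names).
SAMPLE_LOGS = [
    _rec("BLOCK", "Rate-Limit-Per-IP", "198.51.100.7", "KR"),
    _rec("BLOCK", "Rate-Limit-Per-IP", "198.51.100.7", "KR"),
    _rec("BLOCK", "Rate-Limit-Per-IP", "203.0.113.9", "US"),
    # Allowed request whose User-Agent happens to contain both keywords.
    _rec("ALLOW", "Default_Action", "192.0.2.44", "JP",
         [{"name": "User-Agent", "value": "Rate-Limit BLOCK probe"}]),
    # Blocked by a different rule: neither approach should count it.
    _rec("BLOCK", "SQLi-Rule", "192.0.2.50", "DE"),
]

def substring_counts(lines, limit=100):
    """Same logic as the query: keyword match on the whole raw message."""
    hits = Counter()
    for line in lines:
        if "Rate-Limit" in line and "BLOCK" in line:
            req = json.loads(line)["httpRequest"]
            hits[(req["clientIp"], req["country"])] += 1
    return hits.most_common(limit)  # sorted by count desc, like sort + limit

def structured_counts(lines, limit=100):
    """Count only records whose own action and terminating rule match."""
    hits = Counter()
    for line in lines:
        rec = json.loads(line)
        if (rec.get("action") == "BLOCK"
                and "Rate-Limit" in rec.get("terminatingRuleId", "")):
            req = rec["httpRequest"]
            hits[(req["clientIp"], req["country"])] += 1
    return hits.most_common(limit)

if __name__ == "__main__":
    print("substring :", substring_counts(SAMPLE_LOGS))
    print("structured:", structured_counts(SAMPLE_LOGS))
```
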