get_waf_sampled_requests

Retrieve sampled web requests from AWS WAF Web ACLs to analyze traffic patterns and identify potential security threats for monitoring and troubleshooting purposes.

Instructions

Retrieves sampled requests from a Web ACL.

Input Schema

TableJSON Schema

Name	Required	Description
`web_acl_arn`	Yes	The ARN of the Web ACL.
`rule_metric_name`	Yes	The metric name of the rule to sample.
`scope`	No	The scope (default: REGIONAL).
`time_window_seconds`	No	Time window in seconds (e.g., 3600 for 1 hour).

Implementation Reference

src/index.ts:2022-2051 (handler)

Handler function that executes the AWS WAFv2 GetSampledRequestsCommand to retrieve sampled requests from a specified Web ACL rule.

if (name === "get_waf_sampled_requests") {
    const aclArn = (args as any)?.web_acl_arn;
    const metricName = (args as any)?.rule_metric_name;
    const scope = (args as any)?.scope || "REGIONAL";
    const timeWindow = (args as any)?.time_window_seconds || 3600;

    // WAFv2 Sampled Requests requires a time window
    const endTime = new Date();
    const startTime = new Date(endTime.getTime() - timeWindow * 1000);

    const command = new GetSampledRequestsCommand({
        WebAclArn: aclArn,
        RuleMetricName: metricName,
        Scope: scope,
        TimeWindow: { StartTime: startTime, EndTime: endTime },
        MaxItems: 100
    });
    const response = await wafv2Client.send(command);

    const requests = response.SampledRequests?.map(r => ({
        ClientIP: r.Request?.ClientIP,
        Country: r.Request?.Country,
        URI: r.Request?.URI,
        Method: r.Request?.Method,
        Headers: r.Request?.Headers,
        Action: r.Action,
        Timestamp: r.Timestamp
    })) || [];
    return { content: [{ type: "text", text: JSON.stringify(requests, null, 2) }] };
}

src/index.ts:621-646 (registration)

Tool registration in the ListTools response, including name, description, and input schema definition.

    name: "get_waf_sampled_requests",
    description: "Retrieves sampled requests from a Web ACL.",
    inputSchema: {
        type: "object",
        properties: {
            web_acl_arn: {
                type: "string",
                description: "The ARN of the Web ACL."
            },
            rule_metric_name: {
                type: "string",
                description: "The metric name of the rule to sample."
            },
            scope: {
                type: "string",
                enum: ["CLOUDFRONT", "REGIONAL"],
                description: "The scope (default: REGIONAL)."
            },
            time_window_seconds: {
                type: "number",
                description: "Time window in seconds (e.g., 3600 for 1 hour)."
            }
        },
        required: ["web_acl_arn", "rule_metric_name"]
    }
},

src/index.ts:621-646 (schema)

Input schema for validating tool arguments: web_acl_arn, rule_metric_name (required), scope, time_window_seconds.

    name: "get_waf_sampled_requests",
    description: "Retrieves sampled requests from a Web ACL.",
    inputSchema: {
        type: "object",
        properties: {
            web_acl_arn: {
                type: "string",
                description: "The ARN of the Web ACL."
            },
            rule_metric_name: {
                type: "string",
                description: "The metric name of the rule to sample."
            },
            scope: {
                type: "string",
                enum: ["CLOUDFRONT", "REGIONAL"],
                description: "The scope (default: REGIONAL)."
            },
            time_window_seconds: {
                type: "number",
                description: "Time window in seconds (e.g., 3600 for 1 hour)."
            }
        },
        required: ["web_acl_arn", "rule_metric_name"]
    }
},

AWS MCP Server