Vercel WAF¶
About¶
Vercel's Web Application Firewall (WAF) is a customizable security tool that protects web applications from various online threats and attacks, acting as an additional layer of defense alongside Vercel's platform-wide firewall. It provides granular control over application traffic, allowing users to define rules based on various parameters like IP address, geolocation, and user agent. The WAF offers features like managed rulesets, rate limiting, and instant rule deployment, ensuring comprehensive protection and operational transparency.
Product Details¶
Vendor URL: Vercel
Product Type: WAF
Product Tier: Tier III
Integration Method: Webhook
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: VERCEL_WAF
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| deploymentId | metadata.product_deployment_id |
| environment | additional.fields |
| ExceptionType | security_result.action_details |
| executionRegion | target.location.name |
| host | principal.hostname |
| id | metadata.product_log_id |
| ja4Digest | additional.fields |
| level | security_result.severity |
| message | security_result.description |
| path | observer.file.full_path |
| projectId | target.cloud.project.id |
| projectName | target.cloud.project.name |
| proxy.cacheId | additional.fields |
| proxy.clientIp | target.ip |
| proxy.errorCode | additional.fields |
| proxy.host | target.hostname |
| proxy.method | network.http.method |
| proxy.path | target.file.full_path |
| proxy.pathType | target.resource.attribute.labels |
| proxy.pathTypeVariant | target.resource.attribute.labels |
| proxy.referer | network.http.referral_url |
| proxy.referer | target.url |
| proxy.region | additional.fields |
| proxy.scheme | additional.fields |
| proxy.userAgent | network.http.user_agent |
| proxy.vercelCache | additional.fields |
| proxy.vercelId | target.user.userid |
| proxy.wafAction | additional.fields |
| proxy.wafRule | security_result.rule_name |
| reason | security_result.action_details |
| requestId | additional.fields |
| source | principal.asset.hostname |
| statusCode | network.http.response_code |
| type | metadata.product_event_type |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| generic | GENERIC_EVENT |
| https | NETWORK_HTTP |
| user | USER_UNCATEGORIZED |
Log Sample¶
{"deploymentId":"dpl_ABCD123EmUmSbR6tQ3aSY3P7rmZuZ","environment":"production","executionRegion":"pdx1","host":"www.example.org","id":"40378938010174844800533956700000","level":"info","message":"[static] / status=200","path":"src/middleware","projectId":"prj_ABCD1234aRZoCEOJMZ3LNaNftXFVE","projectName":"example-org","proxy":{"clientIp":"10.247.189.107","host":"www.example.org","lambdaRegion":"pdx1","method":"GET","path":"/_next/static/media/1234567891234567-s.p.woff2","pathType":"middleware","referer":"https://www.example.org/Patients-and-Visitors/Medical-Records","region":"pdx1","scheme":"https","statusCode":200,"timestamp":1748448005331,"userAgent":["Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Mobile/15E148 Safari/604.1"],"vercelCache":"MISS"},"requestId":"fsbpv-1748448005331-d8c3b3f681de","source":"edge","statusCode":200,"timestamp":1748448005339,"type":"middleware-invocation"}
Sample Parsing¶
additional.fields["environment"] = "production"
additional.fields["proxy_region"] = "pdx1"
additional.fields["proxy_scheme"] = "https"
additional.fields["proxy_timestamp"] = "1748448005331"
additional.fields["proxy_vercelCache"] = "MISS"
additional.fields["requestId"] = "fsbpv-1748448005331-d8c3b3f681de"
metadata.event_type = "NETWORK_HTTP"
metadata.product_deployment_id = "dpl_ABCD123EmUmSbR6tQ3aSY3P7rmZuZ"
metadata.product_event_type = "middleware-invocation"
metadata.product_log_id = "40378938010174844800533956700000"
metadata.product_name = "VERCEL_WAF"
metadata.vendor_name = "VERCEL_WAF"
network.application_protocol = "HTTPS"
network.http.method = "GET"
network.http.referral_url = "https://www.example.org/Patients-and-Visitors/Medical-Records"
network.http.response_code = 200
network.http.user_agent = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Mobile/15E148 Safari/604.1"
observer.file.full_path = "src/middleware"
principal.asset.hostname = "edge"
principal.hostname = "www.example.org"
security_result.description = "[static] / status=200"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "info"
target.asset.hostname = "www.example.org"
target.asset.ip = "10.247.189.107"
target.cloud.project.id = "prj_ABCD1234aRZoCEOJMZ3LNaNftXFVE"
target.cloud.project.name = "example-org"
target.file.full_path = "/_next/static/media/1234567891234567-s.p.woff2"
target.hostname = "www.example.org"
target.ip = "10.247.189.107"
target.location.name = "pdx1"
target.resource.attribute.labels.key = "pathType"
target.resource.attribute.labels.value = "middleware"
target.url = "https://www.example.org/Patients-and-Visitors/Medical-Records"