autobotAI

Multi-Account WAF Log Analysis with autobotAI

Overview

autobotAI enables automated analysis and response to AWS WAF findings across hundreds of AWS accounts through intelligent workflows, working with your existing centralized logging infrastructure.

Architecture


How autobotAI Works with Centralized Logging

What You Provide

  • Centralized logging infrastructure (Amazon Security Lake, SIEM, or S3)
  • WAF logs aggregated from multiple accounts
  • Existing visualization tools (QuickSight, Grafana, SIEM dashboards)

What autobotAI Does

  • Queries your centralized log data
  • Applies intelligent filtering to generate high-fidelity findings
  • Automates response actions based on findings
  • Enriches data with threat intelligence and context

Configuration Steps

Step 1: Set Up Centralized Logging (Customer Responsibility)

Choose your centralized logging platform:

  • Amazon Security Lake: Native AWS multi-account log aggregation
  • SIEM Platform: Splunk, QRadar, Elasticsearch, etc.
  • S3 Data Lake: Custom aggregation with AWS Glue/Athena

Configure WAF logs from all accounts to flow into this central repository.

Step 2: Deploy autobotAI with Access to Log Data

  1. Deploy autobotAI workspace (SaaS or self-hosted)
  2. Configure permissions to query your log repository:
    • For Security Lake: Read access to Security Lake data
    • For SIEM: API access credentials
    • For S3: Cross-account role with S3 read permissions
  3. No data duplication—autobotAI queries data where it lives

Step 3: Build Custom Analysis Workflows

Create autobotAI workflows that:

  • Query WAF logs with specific filters (high-severity attacks, specific IPs, patterns)
  • Apply ML/AI-based analysis to reduce noise
  • Generate high-fidelity findings (confirmed threats, not all events)
  • Enrich with threat intelligence from MISP, VirusTotal, etc.

Step 4: Automate Response Actions

Based on high-fidelity findings, autobotAI can:

  • Create tickets in Jira/ServiceNow with context
  • Send alerts to Slack/Teams with drill-down links
  • Execute remediation (update WAF rules, block IPs via Security Groups)
  • Escalate critical threats to SOC team
  • Update threat intelligence platforms

Step 5: Visualization Options

autobotAI supports two approaches for visualizing filtered data:

Option A: Export to Existing Visualization Tools

  • autobotAI workflows generate filtered, high-fidelity datasets
  • Export to QuickSight, Grafana, Kibana, or SIEM dashboards
  • Customer builds visualizations in their preferred tool

Option B: Agentic Interactive Analysis

  • Use autobotAI's agentic chat interface
  • Ask questions: "Show me top attacking IPs this week"
  • Agent queries data and generates charts/graphs in chat
  • Interactive drill-down through conversation

Example Workflow: Detecting Sophisticated Attacks

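Added example (not autobotAI's own code): a Python sketch of the Step 3 filtering and the cross-account correlation listed under Benefits, run over a constructed sample of AWS WAF log records in the documented WAF log JSON layout. It derives the owning account from the web ACL ARN, keeps only BLOCK events, and emits a high-fidelity finding only for a client IP blocked in at least two distinct accounts; the threshold, the finding fields and the sample account IDs and IPs are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample of AWS WAF log records (one JSON object per line) in the
# documented WAF log layout; the account IDs, ARNs and IPs are placeholders.
SAMPLE_WAF_LOGS = """
{"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/app-a/ID-A","action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"QUERY_STRING","matchedData":["1","OR","1=1"]}],"httpRequest":{"clientIp":"203.0.113.7","country":"NL","uri":"/login"}}
{"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/app-a/ID-A","action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"BODY","matchedData":["UNION","SELECT"]}],"httpRequest":{"clientIp":"203.0.113.7","country":"NL","uri":"/search"}}
{"webaclId":"arn:aws:wafv2:eu-west-1:444455556666:regional/webacl/app-b/ID-B","action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleMatchDetails":[{"conditionType":"XSS","location":"QUERY_STRING","matchedData":["<script>"]}],"httpRequest":{"clientIp":"203.0.113.7","country":"NL","uri":"/comment"}}
{"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/app-a/ID-A","action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleMatchDetails":[],"httpRequest":{"clientIp":"198.51.100.9","country":"US","uri":"/"}}
{"webaclId":"arn:aws:wafv2:eu-west-1:444455556666:regional/webacl/app-b/ID-B","action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleMatchDetails":[],"httpRequest":{"clientIp":"192.0.2.5","country":"DE","uri":"/health"}}
"""

def parse_waf_record(line):
    """Keep only the needed fields; the owning account is field 5 of the web ACL ARN."""
    rec = json.loads(line)
    return {
        "account": rec["webaclId"].split(":")[4],
        "client_ip": rec["httpRequest"]["clientIp"],
        "action": rec["action"],
        "conditions": {m["conditionType"] for m in rec.get("terminatingRuleMatchDetails", [])},
    }

def correlate_blocks(lines, min_accounts=2):
    """Aggregate BLOCK events per client IP; a finding is emitted only when the
    same IP was blocked in at least `min_accounts` accounts (assumed threshold)."""
    by_ip = defaultdict(lambda: {"accounts": set(), "blocks": 0, "conditions": set()})
    for line in filter(str.strip, lines):
        r = parse_waf_record(line)
        if r["action"] != "BLOCK":
            continue  # ALLOW/COUNT events never contribute to a finding
        agg = by_ip[r["client_ip"]]
        agg["accounts"].add(r["account"])
        agg["blocks"] += 1
        agg["conditions"] |= r["conditions"]
    findings = []
    for ip, agg in by_ip.items():
        if len(agg["accounts"]) >= min_accounts:  # single-account noise is dropped
            findings.append({
                "client_ip": ip,
                "accounts": sorted(agg["accounts"]),
                "blocks": agg["blocks"],
                "conditions": sorted(agg["conditions"]),
                # a matched attack signature (SQLi, XSS, ...) raises severity
                "severity": "HIGH" if agg["conditions"] else "MEDIUM",
            })
    return sorted(findings, key=lambda f: (-f["blocks"], f["client_ip"]))

if __name__ == "__main__":
    print(json.dumps(correlate_blocks(SAMPLE_WAF_LOGS.splitlines()), indent=2))
```

In a real deployment the `lines` input would come from an Athena or Security Lake query rather than an inline sample, and each finding would feed the Step 4 actions (ticket, alert, rule update).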

Benefits

  • No Data Duplication: autobotAI doesn't store logs; it queries your existing infrastructure
  • High-Fidelity Alerts: Reduces thousands of WAF events to actionable findings
  • Automated Response: Immediate action on confirmed threats
  • Flexible Visualization: Use your existing dashboards or agentic chat
  • Cross-Account Intelligence: Correlate attacks across entire AWS organization

For WAF analytics, use:

  • Amazon Security Lake dashboards
  • Your SIEM platform (Splunk, QRadar, Elastic)
  • AWS QuickSight with autobotAI-filtered data
  • Custom Grafana/Kibana dashboards