diff --git a/docs/integrations/cloud-security-monitoring-analytics/aws-waf.md b/docs/integrations/cloud-security-monitoring-analytics/aws-waf.md
index e7f91e4e8f..11a5df2ae3 100644
--- a/docs/integrations/cloud-security-monitoring-analytics/aws-waf.md
+++ b/docs/integrations/cloud-security-monitoring-analytics/aws-waf.md
@@ -11,6 +11,62 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
AWS WAF (web application firewall) data is a rich source of security findings, as it allows you to monitor the HTTP and HTTPS requests that are forwarded to CloudFront and let you control overall access to your content. Each dashboard within this application takes a different lens on AWS WAF data, from traffic patterns to threat intelligence, allowing you to truly identify the needles in the haystack that drives critical security concerns within your AWS infrastructure.
+## Sample log messages
+
+```json
+{
+ "timestamp": 1687891200000,
+ "formatVersion": 1,
+ "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/ExampleWebACL/abc12345-1234-1234-1234-abc123456789",
+ "terminatingRuleId": "ExampleRuleGroup",
+ "terminatingRuleType": "GROUP",
+ "action": "BLOCK",
+ "terminatingRuleMatchDetails": [],
+ "httpSourceName": "ALB",
+ "httpSourceId": "123456789012-app/ExampleALB/abc123",
+ "ruleGroupList": [
+ {
+ "ruleGroupId": "arn:aws:wafv2:us-east-1:123456789012:regional/rulegroup/ExampleRuleGroup/abc12345",
+ "terminatingRule": {
+ "ruleId": "ExampleRule",
+ "action": "BLOCK",
+ "ruleMatchDetails": []
+ },
+ "nonTerminatingMatchingRules": [],
+ "excludedRules": null
+ }
+ ],
+ "rateBasedRuleList": [],
+ "nonTerminatingMatchingRules": [],
+ "requestHeadersInserted": null,
+ "responseCodeSent": null,
+ "httpRequest": {
+ "clientIp": "198.51.100.42",
+ "country": "US",
+ "headers": [
+ { "name": "Host", "value": "example.com" },
+ { "name": "User-Agent", "value": "Mozilla/5.0" }
+ ],
+ "uri": "/login",
+ "args": "",
+ "httpVersion": "HTTP/1.1",
+ "httpMethod": "POST",
+ "requestId": "abc123def456"
+ }
+}
+```
+
+## Sample queries
+
+```sumo title="Blocked Traffic by Client IP"
+_sourceCategory=aws/waf BLOCK
+| json field=_raw "httpRequest", "action" nodrop
+| json field=httpRequest "clientIp", "httpMethod", "uri" nodrop
+| where action="BLOCK"
+| count by clientip, httpMethod, uri
+| sort _count
+```
+
## Collecting logs for AWS WAF Security Analytics
To configure Collection for AWS WAF App, follow the instructions from [Collecting Logs for the AWS WAF App](/docs/integrations/amazon-aws/waf#collecting-logs-for-the-aws-waf-app).
@@ -84,3 +140,29 @@ See details of allowed and blocked AWS WAF traffic that matches the built-in Sum
**Threat Breakdown by Sources.** Donut chart showing the ratios of connections broken down by source categories.
**Traffic by Malicious IPs.** Table showing details of connections keyed off of remote IP address.
+
+## Create monitors for AWS WAF Security Analytics app
+
+import CreateMonitors from '../../reuse/apps/create-monitors.md';
+
+
+
+### AWS WAF Security Analytics alerts
+
+| Name | Description | Alert Condition | Recover Condition |
+|:--|:--|:--|:--|
+| `AWS WAF - Allowed Traffic from Malicious IP` | This alert is triggered when AWS WAF allows traffic from an IP address that matches a known malicious source in the CrowdStrike threat intelligence feed, indicating a potential security gap in WAF rules. | Count > 0 | Count < = 0 |
+| `AWS WAF - High Volume of Blocked Requests from Single IP` | This alert is triggered when a single source IP generates more than 5 blocked requests within a 5-minute window, indicating active scanning, brute-force, or a persistent attack. | Count > 0 | Count < = 0 |
+| `AWS WAF - High Volume of Blocked Requests to Single URI` | This alert is triggered when a single URI receives more than 5 blocked requests within a 5-minute window, indicating targeted exploitation attempts such as vulnerability probing against a specific endpoint. | Count > 0 | Count < = 0 |
+
+## Upgrade/Downgrade the AWS WAF Security Analytics app (Optional)
+
+import AppUpdate from '../../reuse/apps/app-update.md';
+
+
+
+## Uninstalling the AWS WAF Security Analytics app (Optional)
+
+import AppUninstall from '../../reuse/apps/app-uninstall.md';
+
+