Intelligent Threat Detection: Organisation Transforms AWS WAF Monitoring with Serverless Anomaly Detection
The organisation faced a critical challenge: its AWS WAF rate limit rule generated excessive false alarms during normal traffic fluctuations. The security team experienced significant alert fatigue, making it difficult to distinguish legitimate traffic spikes from actual distributed denial-of-service (DDoS) attacks. When Amazon Web Services (AWS) deprecated Amazon Lookout for Metrics, Trenkwalder’s planned anomaly detection solution was no longer viable. Working with their AWS Partner, Trenkwalder implemented a serverless monitoring system using AWS Lambda, Amazon DynamoDB, and Amazon CloudWatch with three detection modes: rapid 10-minute detection, high-confidence 30-minute validation, and a hybrid approach with intelligent alert suppression.

At a Glance
- Industry: Human Resources (HR) Services and Staffing
- Engagement Type: Cloud Infrastructure & Modernization, Cloud Operations & Managed Services
Challenge
The existing AWS WAF rate limit rule configuration created a significant operational burden. The system generated excessive false alarms during normal traffic fluctuations, leading to alert fatigue that threatened the organisation's security posture. Security analysts struggled to distinguish legitimate traffic spikes from actual DDoS attacks requiring immediate response.
Our Solution
allOps designed a serverless monitoring architecture that addresses the limitations of traditional threshold-based alerting. The solution uses Amazon CloudWatch for metrics collection, AWS Lambda for intelligent processing, and Amazon DynamoDB for state management.
The architecture implements three detection options: rapid 10-minute detection for immediate awareness, high-confidence 30-minute validation to reduce false positives, and a hybrid approach combining both with intelligent alert suppression.
AWS Lambda functions process CloudWatch metrics from AWS WAF, evaluating current traffic patterns against historical baselines. Amazon DynamoDB stores incident data for custom tracking, enabling identification of repeating patterns across incidents.
Amazon EventBridge orchestrates the workflow, triggering Lambda functions at appropriate intervals. Amazon Simple Notification Service (Amazon SNS) delivers alerts while Amazon Simple Email Service (Amazon SES) provides detailed incident reports. Intelligent alert suppression prevents notification storms during extended attacks.
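The following is an added, illustrative example of the detection and suppression logic described above; it is not allOps' or Trenkwalder's code. It assumes the Lambda function receives a series of per-minute counts of requests matched by the WAF rate limit rule (in the real design, a CloudWatch metric), scores a 10-minute and a 30-minute window against a historical baseline, and uses a cooldown to suppress repeat notifications during an extended attack. The baseline and the three traffic scenarios are constructed sample data, and the in-memory dictionary stands in for the DynamoDB state table.

```python
"""Illustrative WAF anomaly detector with two windows and alert suppression.

Added example, not the project's own code. Assumes per-minute match counts
from the WAF rate limit rule; the suppression state that would live in
DynamoDB is replaced by an in-memory dict.
"""
from statistics import mean, pstdev

# Constructed baseline: 60 minutes of ordinary per-minute match counts.
PATTERN = [15, 30, 20, 12, 28, 22, 18, 25, 14, 26]
BASELINE = PATTERN * 6


def window_score(recent, baseline):
    """z-score of the mean of `recent` against the baseline distribution."""
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1.0  # guard against a perfectly flat baseline
    return (mean(recent) - mu) / sigma


def evaluate(series, baseline=BASELINE, rapid_minutes=10, confirm_minutes=30,
             threshold=3.0):
    """Hybrid mode: a 10-minute window gives early warning, a 30-minute window
    gives high-confidence validation. Both use the same z-score threshold."""
    rapid = window_score(series[-rapid_minutes:], baseline)
    confirmed = window_score(series[-confirm_minutes:], baseline)
    return {
        "rapid_anomaly": rapid >= threshold,
        "confirmed_anomaly": confirmed >= threshold,
        "rapid_score": round(rapid, 2),
        "confirmed_score": round(confirmed, 2),
    }


class AlertSuppressor:
    """Suppress repeat notifications while an incident is already open."""

    def __init__(self, cooldown_minutes=30):
        self.cooldown = cooldown_minutes
        # rule_name -> minute of the last notification (DynamoDB stand-in)
        self.state = {}

    def should_notify(self, rule_name, anomaly, now_minute):
        if not anomaly:
            # Traffic is back to normal: close the incident so the next
            # anomaly alerts immediately instead of waiting out the cooldown.
            self.state.pop(rule_name, None)
            return False
        last = self.state.get(rule_name)
        if last is not None and now_minute - last < self.cooldown:
            return False  # still inside the cooldown: suppress
        self.state[rule_name] = now_minute
        return True


def simulate_notifications(anomaly_flags, cooldown_minutes=30):
    """Run one evaluation per minute; return how many notifications were sent."""
    suppressor = AlertSuppressor(cooldown_minutes)
    return sum(
        suppressor.should_notify("RateLimitRule", flag, minute)
        for minute, flag in enumerate(anomaly_flags)
    )


# Constructed scenarios: the baseline followed by different traffic shapes.
SUSTAINED_ATTACK = BASELINE + [120, 140, 160, 150, 155, 170, 165, 160, 175, 180]
SHORT_BURST = BASELINE + [150, 150, 150]
SINGLE_BLIP = BASELINE + [90]

if __name__ == "__main__":
    for name, series in [("sustained attack", SUSTAINED_ATTACK),
                         ("short burst", SHORT_BURST),
                         ("single blip", SINGLE_BLIP)]:
        print(name, evaluate(series))
    # 60 minutes of continuous anomaly sends 2 notifications with a
    # 30-minute cooldown rather than 60.
    print("notifications sent:", simulate_notifications([True] * 60))
```

The sustained attack trips both windows, the three-minute burst trips only the rapid window (early awareness without a confirmed incident), and the one-minute blip trips neither, which is the false-positive class the original threshold rule kept raising. The cooldown in the suppressor is what prevents a notification storm: an hour-long attack produces two messages instead of sixty, and clearing the state once traffic normalises means a new incident is reported without delay.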
For forensic analysis, the architecture stores logs in Amazon Simple Storage Service (Amazon S3) and CloudWatch Logs, with Amazon Athena enabling ad-hoc querying. AWS Cloud Development Kit (AWS CDK) ensures consistent, repeatable deployments.
Results
The enhanced alarming system transformed the organisation's security operations. Intelligent detection logic dramatically reduced false positives, allowing the security team to focus on genuine threats. Alert fatigue decreased significantly, improving team morale and response effectiveness.
The three-tier detection approach provides operational flexibility: rapid detection during business-critical periods and high-confidence validation for routine monitoring.
The serverless architecture achieved cost objectives with expenses scaling directly with usage. Pay-per-invocation Lambda pricing and on-demand DynamoDB ensure monitoring costs remain proportional to traffic volumes.
- Reduced false positives
- Three-tier detection strategy
- Significant reduction in alert fatigue
- Improved incident response quality
- Serverless, fully managed architecture
About allOps Solutions
allOps Solutions is a cloud-native engineering company specializing in designing, building, and operating secure, scalable solutions on Amazon Web Services (AWS). With a strong focus on automation, serverless architectures, and security-by-design principles, allOps helps customers modernize legacy systems, improve operational resilience, and reduce complexity through infrastructure as code and event-driven architectures. Deep AWS expertise, combined with real-world production experience, enables allOps to deliver pragmatic solutions that balance performance, cost efficiency, and operational excellence—while empowering customer teams to operate with confidence at scale.