identifying attacker IP in WAF overview.

Hello,

let me try to decompress your questions.

We can see both the access logs for allowed and blocked requests in the overview section Here I assume you are referring to the Sampled Requests? If so they are not real-time data and only contain a limited set of samples from the last 3 hours. https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-testing-view-sample.html

is there a way to view the top 5 or top 10 offending IP addresses in real-time? Yes but to my knowledge not out of the box. You will first need to sent the logs to either S3 or CloudWatch Logs. If you send your logs to S3 (lower cost) you can then use AWS Athena to query the logs. To do so you will need to create a table as instructed here: https://docs.aws.amazon.com/athena/latest/ug/waf-logs.html you could then have a query to filter the offending IPs. This could be automated with a Lambda to run the top IPs query frequently. Another option would be to send the logs to CloudWatch logs and perform the analysis with Contributor Insights -> https://aws.amazon.com/blogs/mt/analyzing-aws-waf-logs-in-amazon-cloudwatch-logs/

what is the best approach to identify the attacker using WAF? I personally have Sampled Requests enabled for a quick overview, then Logs sent to S3 and an Athena table ready to be queried. I run SQL queries against the table to identify what is getting blocked or if a suspicious pattern is being allowed. But I know there are more sophisticated ways to do it like the example here: https://aws.amazon.com/blogs/security/automatically-updating-aws-waf-rule-in-real-time-using-amazon-eventbridge/

Hope it helps you a bit. Thanks.