AWS Network Firewall
The AWS Network Firewall application provides visibility into traffic flows and alerts generated by AWS Network Firewall.
Log types
The AWS Network Firewall application uses logs generated by the AWS Network firewall. It leverages the Netflow and Alert logs.
Prerequisites
Before you begin, you must:
- Enable logging from the AWS Network Firewall to an Amazon S3 bucket as described in the AWS Network Firewall documentation.
- Confirm that logs are being delivered to the S3 bucket.
- Grant Sumo Logic Access to the Amazon S3 Bucket.
Collecting logs for AWS Network Firewall
This section has instructions for collecting logs for the Sumo Logic App for AWS Network Firewall Logs.
Enable S3 Ingestion
Follow steps to create Amazon S3 Source.
The following is an example of a path expression that supports ingesting alerts.
Sample log messages
This section provides an example of AWS Network Firewall Alert and Netflow log messages.
{
"firewall_name": "example-firewall",
"availability_zone": "us-west-1b",
"event_timestamp": "1604597216",
"event": {
"timestamp": "2020-11-05T17:26:56.075365+0000",
"flow_id": 1552126922778600,
"event_type": "alert",
"src_ip": "10.0.0.227",
"src_port": 55188,
"dest_ip": "13.227.75.102",
"dest_port": 80,
"proto": "TCP",
"tx_id": 0,
"alert": {
"action": "allowed",
"signature_id": 5,
"rev": 0,
"signature": "Malicious User Agent",
"category": "",
"severity": 1
},
"http": {
"hostname": "www.somehackerurl.com",
"url": "/",
"http_user_agent": "hacker-tool-user-agent",
"http_method": "GET",
"protocol": "HTTP/1.1",
"length": 0
},
"app_proto": "http"
}
}
{
"firewall_name": "example-firewall",
"availability_zone": "us-west-1b",
"event_timestamp": "1604598416",
"event": {
"timestamp": "2020-11-05T17:46:56.003583+0000",
"flow_id": 554650891867171,
"event_type": "netflow",
"src_ip": "209.115.181.113",
"src_port": 123,
"dest_ip": "10.0.0.227",
"dest_port": 60642,
"proto": "UDP",
"app_proto": "ntp",
"netflow": {
"pkts": 1,
"bytes": 90,
"start": "2020-11-05T17:41:54.611363+0000",
"end": "2020-11-05T17:41:54.675362+0000",
"age": 0,
"min_ttl": 43,
" max_ttl": 238
}
}
}
Sample queries
This section provides a sample from the Traffic By Application panel on the AWS Network Firewall - Netflow Overview dashboard.
_sourceCategory=aws/vanta/*
| json "firewall_name", "availability_zone", "event" nodrop
| json field=event "event_type", "src_ip", "src_port", "dest_ip", "dest_port", "proto", "app_proto", "netflow" nodrop
| json field=netflow "bytes", "pkts" nodrop
| where event_type="netflow"
| timeslice 15m
| count _timeslice, app_proto
| transpose row _timeslice column app_proto
Installing the AWS Network Firewall App
This section provides instructions for installing the Sumo Logic App for AWS Network Firewall.
To install the app:
- Select App Catalog.
- In the 🔎 Search Apps field, run a search for your desired app, then select it.
- Click Install App.
note
Sometimes this button says Add Integration.
- On the next configuration page, under Select Data Source for your App, complete the following fields:
- Data Source. Select one of the following options:
- Choose Source Category and select a source category from the list; or
- Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. For example,
_sourceCategory=MyCategory.
- Folder Name. You can retain the existing name or enter a custom name of your choice for the app.
- All Folders (optional). The default location is the Personal folder in your Library. If desired, you can choose a different location and/or click New Folder to add it to a new folder.
- Data Source. Select one of the following options:
- Click Next.
- Look for the dialog confirming that your app was installed successfully.
Post-installation
Once your app is installed, it will appear in your Personal folder or the folder that you specified. From here, you can share it with other users in your organization. Dashboard panels will automatically start to fill with data matching the time range query received since you created the panel. Results won't be available immediately, but within about 20 minutes, you'll see completed graphs and maps.
Viewing AWS Network Firewall Dashboards
This section offers descriptions and examples for each of the pre-configured app dashboards.
Template variables provide dynamic dashboards that can rescope data on the fly. As you apply variables to troubleshoot through your dashboard, you view dynamic changes to the data for a quicker resolution to the root cause. You can use template variables to drill down and examine the data on a granular level. For more information, see Filter with template variables.
Netflow Overview
The AWS Network Firewall - Netflow Overview provides visibility into network flows traversing across the firewall. This includes visibility into traffic by application, protocol, traffic over time, and top connections.
Use this dashboard to:
- Monitor traffic types and rates traveling through the firewall
- Gain visibility into common protocols and hosts in use behind the firewall.
IDS Overview
The AWS Network Firewall - IDS Overview provides visibility into alerts generated by the firewall rules. This includes geolocation information on top destinations, alerts over time, correlation with Sumo Logic threat intelligence data, and top systems blocked.
Use this dashboard to:
- Gain visibility into alerts generated by the AWS Network Firewall including location information from top destinations.
- Gain visibility into traffic from malicious IPs determined by correlating AWS Network Firewall data with Sumo Logic threat intelligence data.
