AWS Network Firewall
The AWS Network Firewall application provides visibility into traffic flows and alerts generated by AWS Network Firewall.
Log types
The AWS Network Firewall application uses logs generated by the AWS Network firewall. It leverages the Netflow and Alert logs.
Prerequisites
Before you begin, you must:
- Enable logging from the AWS Network Firewall to an Amazon S3 bucket as described in the AWS Network Firewall documentation.
- Confirm that logs are being delivered to the S3 bucket.
- Grant Sumo Logic Access to the Amazon S3 Bucket.
Collecting logs for AWS Network Firewall
This section has instructions for collecting logs for the Sumo Logic App for AWS Network Firewall Logs.
Enable S3 Ingestion
Follow steps to create Amazon S3 Source.
The following is an example of a path expression that supports ingesting alerts.
Sample log messages
This section provides an example of AWS Network Firewall Alert and Netflow log messages.
{
"firewall_name": "example-firewall",
"availability_zone": "us-west-1b",
"event_timestamp": "1604597216",
"event": {
"timestamp": "2020-11-05T17:26:56.075365+0000",
"flow_id": 1552126922778600,
"event_type": "alert",
"src_ip": "10.0.0.227",
"src_port": 55188,
"dest_ip": "13.227.75.102",
"dest_port": 80,
"proto": "TCP",
"tx_id": 0,
"alert": {
"action": "allowed",
"signature_id": 5,
"rev": 0,
"signature": "Malicious User Agent",
"category": "",
"severity": 1
},
"http": {
"hostname": "www.somehackerurl.com",
"url": "/",
"http_user_agent": "hacker-tool-user-agent",
"http_method": "GET",
"protocol": "HTTP/1.1",
"length": 0
},
"app_proto": "http"
}
}
{
"firewall_name": "example-firewall",
"availability_zone": "us-west-1b",
"event_timestamp": "1604598416",
"event": {
"timestamp": "2020-11-05T17:46:56.003583+0000",
"flow_id": 554650891867171,
"event_type": "netflow",
"src_ip": "209.115.181.113",
"src_port": 123,
"dest_ip": "10.0.0.227",
"dest_port": 60642,
"proto": "UDP",
"app_proto": "ntp",
"netflow": {
"pkts": 1,
"bytes": 90,
"start": "2020-11-05T17:41:54.611363+0000",
"end": "2020-11-05T17:41:54.675362+0000",
"age": 0,
"min_ttl": 43,
" max_ttl": 238
}
}
}
Sample queries
This section provides a sample from the Traffic By Application panel on the AWS Network Firewall - Netflow Overview dashboard.
_sourceCategory=aws/vanta/*
| json "firewall_name", "availability_zone", "event" nodrop
| json field=event "event_type", "src_ip", "src_port", "dest_ip", "dest_port", "proto", "app_proto", "netflow" nodrop
| json field=netflow "bytes", "pkts" nodrop
| where event_type="netflow"
| timeslice 15m
| count _timeslice, app_proto
| transpose row _timeslice column app_proto
Installing the AWS Network Firewall App
This section provides instructions for installing the Sumo Logic App for AWS Network Firewall.
To install the app, do the following:
Next-Gen App: To install or update the app, you must be an account administrator or a user with Manage Apps, Manage Monitors, Manage Fields, Manage Metric Rules, and Manage Collectors capabilities depending upon the different content types part of the app.
- Select App Catalog.
- In the 🔎 Search Apps field, run a search for your desired app, then select it.
- Click Install App.
note
Sometimes this button says Add Integration.
- Click Next in the Setup Data section.
- In the Configure section of your respective app, complete the following fields.
- Field Name. If you already have collectors and sources set up, select the configured metadata field name (eg _sourcecategory) or specify other custom metadata (eg: _collector) along with its metadata Field Value.
- Click Next. You will be redirected to the Preview & Done section.
Post-installation
Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.
Each panel slowly fills with data matching the time range query received since the panel was created. Results will not immediately be available but will be updated with full graphs and charts over time.
Viewing AWS Network Firewall dashboards
All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.
- You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
- You can use template variables to drill down and examine the data on a granular level. For more information, see Filtering Dashboards with Template Variables.
- Most Next-Gen apps allow you to provide the scope at the installation time and are comprised of a key (
_sourceCategoryby default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.
Netflow Overview
The AWS Network Firewall - Netflow Overview provides visibility into network flows traversing across the firewall. This includes visibility into traffic by application, protocol, traffic over time, and top connections.
Use this dashboard to:
- Monitor traffic types and rates traveling through the firewall
- Gain visibility into common protocols and hosts in use behind the firewall.
IDS Overview
The AWS Network Firewall - IDS Overview provides visibility into alerts generated by the firewall rules. This includes geolocation information on top destinations, alerts over time, correlation with Sumo Logic threat intelligence data, and top systems blocked.
Use this dashboard to:
- Gain visibility into alerts generated by the AWS Network Firewall including location information from top destinations.
- Gain visibility into traffic from malicious IPs determined by correlating AWS Network Firewall data with Sumo Logic threat intelligence data.
