Introduction
The tags beginning with cloud.aws.firewall identify events generated by AWS Network Firewall.
Valid tags and data tables
The full tag must have 4 levels. The first 3 are fixed as cloud.aws.firewall. The fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
AWS Network Firewall | | |
For more information, read About Devo tags.
Table structure
These are the fields displayed in these tables:
cloud.aws.firewall.alert
Field | Type | Extra fields |
---|---|---|
eventdate | | |
hostname | | |
ACCID | | |
REGION | | |
firewall_name | | |
availability_zone | | |
event_timestamp | | |
event__timestamp | | |
event__flow_id | | |
event__event_type | | |
event__src_ip | | |
event__src_port | | |
event__dest_ip | | |
event__dest_port | | |
event__proto | | |
event__tx_id | | |
event__alert__action | | |
event__alert__signature_id | | |
event__alert__rev | | |
event__alert__signature | | |
event__alert__category | | |
event__alert__severity | | |
event__http__hostname | | |
event__http__url | | |
event__http__http_user_agent | | |
event__http__http_method | | |
event__http__protocol | | |
event__http__length | | |
event__app_proto | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
cloud.aws.firewall.netflow
Field | Type | Extra fields |
---|---|---|
eventdate | | |
hostname | | |
ACCID | | |
REGION | | |
firewall_name | | |
availability_zone | | |
event_timestamp | | |
event__timestamp | | |
event__flow_id | | |
event__event_type | | |
event__src_ip | | |
event__src_port | | |
event__dest_ip | | |
event__dest_port | | |
event__proto | | |
event__netflow__pkts | | |
event__netflow__bytes | | |
event__netflow__start | | |
event__netflow__end | | |
event__netflow__age | | |
event__netflow__min_ttl | | |
event__netflow__max_ttl | | |
event__tcp__tcp_flags | | |
event__tcp__syn | | |
event__tcp__ecn | | |
event__tcp__cwr | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |