/

cloud.aws.firewall

Document toolbox

cloud.aws.firewall

Owned by Juan Tomás Alonso Nieto (Deactivated), created

Last updated: May 22, 2023

1 min read

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with cloud.aws.firewall identify events generated by AWS Network Firewall.

Valid tags and data tables

The full tag must have 4 levels. The first 3 are fixed as cloud.aws.firewall. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
AWS Network Firewall	`cloud.aws.firewall.alert`	`cloud.aws.firewall.alert`
AWS Network Firewall	`cloud.aws.firewall.netflow`	`cloud.aws.firewall.netflow`

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

cloud.aws.firewall.alert
cloud.aws.firewall.netflow

cloud.aws.firewall.alert

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
ACCID	`str`
REGION	`str`
firewall_name	`str`
availability_zone	`str`
event_timestamp	`str`
event__timestamp	`str`
event__flow_id	`int8`
event__event_type	`str`
event__src_ip	`ip4`
event__src_port	`int4`
event__dest_ip	`ip4`
event__dest_port	`int4`
event__proto	`str`
event__tx_id	`int4`
event__alert__action	`str`
event__alert__signature_id	`int4`
event__alert__rev	`int4`
event__alert__signature	`str`
event__alert__category	`str`
event__alert__severity	`int4`
event__http__hostname	`str`
event__http__url	`str`
event__http__http_user_agent	`str`
event__http__http_method	`str`
event__http__protocol	`str`
event__http__length	`int4`
event__app_proto	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

cloud.aws.firewall.netflow

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
ACCID	`str`
REGION	`str`
firewall_name	`str`
availability_zone	`str`
event_timestamp	`str`
event__timestamp	`str`
event__flow_id	`int8`
event__event_type	`str`
event__src_ip	`ip4`
event__src_port	`int4`
event__dest_ip	`ip4`
event__dest_port	`int4`
event__proto	`str`
event__netflow__pkts	`int4`
event__netflow__bytes	`int4`
event__netflow__start	`str`
event__netflow__end	`str`
event__netflow__age	`int4`
event__netflow__min_ttl	`int4`
event__netflow__max_ttl	`int4`
event__tcp__tcp_flags	`str`
event__tcp__syn	`bool`
event__tcp__ecn	`bool`
event__tcp__cwr	`bool`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Related content

firewall.f5

More like this

firewall.stormshield

firewall.stormshield

More like this

cloud.aws.cloudflare

cloud.aws.cloudflare

More like this

firewall.velocloud

firewall.velocloud

More like this

firewall.iptables

firewall.iptables

More like this

firewall.arista

firewall.arista

More like this