/

cloud.aws.firewall

Document toolbox

cloud.aws.firewall

Owned by Juan Tomás Alonso Nieto (Deactivated), created

Last updated: May 22, 2023

1 min read

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with cloud.aws.firewall identify events generated by AWS Network Firewall.

Valid tags and data tables

The full tag must have 4 levels. The first 3 are fixed as cloud.aws.firewall. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
AWS Network Firewall	`cloud.aws.firewall.alert`	`cloud.aws.firewall.alert`
AWS Network Firewall	`cloud.aws.firewall.netflow`	`cloud.aws.firewall.netflow`

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

cloud.aws.firewall.alert
cloud.aws.firewall.netflow

cloud.aws.firewall.alert

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
ACCID	`str`
REGION	`str`
firewall_name	`str`
availability_zone	`str`
event_timestamp	`str`
event__timestamp	`str`
event__flow_id	`int8`
event__event_type	`str`
event__src_ip	`ip4`
event__src_port	`int4`
event__dest_ip	`ip4`
event__dest_port	`int4`
event__proto	`str`
event__tx_id	`int4`
event__alert__action	`str`
event__alert__signature_id	`int4`
event__alert__rev	`int4`
event__alert__signature	`str`
event__alert__category	`str`
event__alert__severity	`int4`
event__http__hostname	`str`
event__http__url	`str`
event__http__http_user_agent	`str`
event__http__http_method	`str`
event__http__protocol	`str`
event__http__length	`int4`
event__app_proto	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

cloud.aws.firewall.netflow

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
ACCID	`str`
REGION	`str`
firewall_name	`str`
availability_zone	`str`
event_timestamp	`str`
event__timestamp	`str`
event__flow_id	`int8`
event__event_type	`str`
event__src_ip	`ip4`
event__src_port	`int4`
event__dest_ip	`ip4`
event__dest_port	`int4`
event__proto	`str`
event__netflow__pkts	`int4`
event__netflow__bytes	`int4`
event__netflow__start	`str`
event__netflow__end	`str`
event__netflow__age	`int4`
event__netflow__min_ttl	`int4`
event__netflow__max_ttl	`int4`
event__tcp__tcp_flags	`str`
event__tcp__syn	`bool`
event__tcp__ecn	`bool`
event__tcp__cwr	`bool`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓