
Firewall Log Contents

AWS Network Firewall Logs Overview

Log Components and Fields

  1. firewall_name

    • The name of the firewall associated with the log entry.

  2. availability_zone

    • The Availability Zone where the firewall endpoint generated the log entry.

  3. event_timestamp

    • The time the log was created in epoch seconds (UTC).

  4. event

    • Contains detailed information about the event, including:

      • Human-readable timestamp

      • Event type (e.g., alert, netflow, tls)

      • Network packet details

      • Information on stateful rules (if applicable)


Types of Events in Network Firewall Logs

1. Alert and Flow Events (Suricata EVE Format)

  • Produced by Suricata, the open-source threat detection engine.

  • Alert Logs: Use the EVE output type alert to log detected security events.

  • Flow Logs: Use the EVE output type netflow to log uni-directional network flows (each flow entry logs traffic in a single direction).

Custom Field:

  • If TLS inspection is enabled, the logs include the field "tls_inspected": true. If TLS inspection is not configured, this field is omitted.


2. TLS Events (Dedicated TLS Engine)

  • Generated by a separate stateful TLS inspection engine.

  • Use the EVE output type tls for SSL/TLS events.

TLS Inspection Configuration:

  • These logs only appear if the firewall is configured for TLS inspection. For details, refer to TLS Inspection Configurations.

Custom Fields in TLS Logs:

  1. "tls_error":

    • Reports TLS-related issues, such as Server Name Indication (SNI) mismatches.

    • Example Errors:

      • Client Hello SNI is NULL or mismatches the server certificate subject name.

  2. "revocation_check":

    • Reports failed certificate revocation checks for outbound traffic.

    • Includes:

      • Revocation status

      • Action taken (e.g., DROP)

      • SNI for the revoked certificate


Example Log Entries

1. Example Alert Log Entry (Suricata EVE Format)

{
    "firewall_name": "test-firewall",
    "availability_zone": "us-east-1b",
    "event_timestamp": "1602627001",
    "event": {
        "timestamp": "2020-10-13T22:10:01.006481+0000",
        "flow_id": 1582438383425873,
        "event_type": "alert",
        "src_ip": "203.0.113.4",
        "src_port": 55555,
        "dest_ip": "192.0.2.16",
        "dest_port": 111,
        "proto": "TCP",
        "alert": {
            "action": "allowed",
            "signature_id": 5,
            "rev": 0,
            "signature": "test_tcp",
            "category": "",
            "severity": 1
        }
    }
}

Explanation:

  • This log shows an alert event triggered by Suricata.

  • Source IP: 203.0.113.4 attempted a TCP connection to 192.0.2.16 on port 111.

  • The alert action was "allowed", with a severity level of 1.


2. Example TLS Log Entry (Certificate Revocation Check Failure)

{
    "firewall_name": "egress-fw",
    "availability_zone": "us-east-1d",
    "event_timestamp": 1708361189,
    "event": {
        "src_ip": "10.0.2.53",
        "src_port": "55930",
        "revocation_check": {
            "leaf_cert_fpr": "1234567890EXAMPLE0987654321",
            "status": "REVOKED",
            "action": "DROP"
        },
        "dest_ip": "54.92.160.72",
        "dest_port": "443",
        "timestamp": "2024-02-19T16:46:29.441824Z",
        "sni": "revoked-rsa-dv.ssl.com"
    }
}

Explanation:

  • Source IP: 10.0.2.53 tried to connect to destination IP 54.92.160.72 over port 443 (HTTPS).

  • The certificate revocation check failed with the status "REVOKED", and the connection was dropped.

  • The log includes the SNI value: revoked-rsa-dv.ssl.com.
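As an added example (not part of the original page or of AWS tooling), the parser below normalizes the two entries above into one record shape a hunting query can work with. It copes with the type inconsistencies visible in the samples (event_timestamp as string vs. integer, ports as string vs. integer), classifies the entry as alert, netflow or tls from the keys present, and flags the entries an analyst would want to review. The sample lines are constructed copies of the page's examples; the classification rule for tls_error entries is an assumption, since the page shows no full tls_error entry.

```python
import json
from typing import Any, Optional

# Constructed sample lines mirroring the two entries on this page (not live data).
ALERT_LINE = json.dumps({
    "firewall_name": "test-firewall", "availability_zone": "us-east-1b",
    "event_timestamp": "1602627001",
    "event": {"timestamp": "2020-10-13T22:10:01.006481+0000", "flow_id": 1582438383425873,
              "event_type": "alert", "src_ip": "203.0.113.4", "src_port": 55555,
              "dest_ip": "192.0.2.16", "dest_port": 111, "proto": "TCP",
              "alert": {"action": "allowed", "signature_id": 5, "rev": 0,
                        "signature": "test_tcp", "category": "", "severity": 1}}})
TLS_LINE = json.dumps({
    "firewall_name": "egress-fw", "availability_zone": "us-east-1d",
    "event_timestamp": 1708361189,
    "event": {"src_ip": "10.0.2.53", "src_port": "55930",
              "revocation_check": {"leaf_cert_fpr": "1234567890EXAMPLE0987654321",
                                   "status": "REVOKED", "action": "DROP"},
              "dest_ip": "54.92.160.72", "dest_port": "443",
              "timestamp": "2024-02-19T16:46:29.441824Z", "sni": "revoked-rsa-dv.ssl.com"}})

def normalize(line: str) -> dict[str, Any]:
    """Flatten one log line into a uniform record, coercing the mixed types (str/int) seen above."""
    rec = json.loads(line)
    ev = rec["event"]
    if "alert" in ev:  # Suricata EVE alert: action and signature live under "alert"
        kind, action, detail = "alert", ev["alert"]["action"], ev["alert"]["signature"]
    elif "revocation_check" in ev:  # dedicated TLS engine: revocation result plus SNI
        rc = ev["revocation_check"]
        kind, action, detail = "tls", rc["action"], f"{rc['status']} sni={ev.get('sni')}"
    elif "tls_error" in ev or ev.get("event_type") == "tls":  # assumption: tls_error has no action
        kind, action, detail = "tls", "n/a", str(ev.get("tls_error", ""))
    else:  # netflow (uni-directional flow) or anything unrecognized
        kind, action, detail = ev.get("event_type", "unknown"), "n/a", ""
    return {
        "firewall": rec["firewall_name"], "az": rec["availability_zone"],
        "ts": int(rec["event_timestamp"]),  # epoch seconds, UTC
        "src": f"{ev['src_ip']}:{int(ev['src_port'])}",
        "dst": f"{ev['dest_ip']}:{int(ev['dest_port'])}",
        "kind": kind, "action": action, "detail": detail,
        "tls_inspected": bool(ev.get("tls_inspected", False)),  # field omitted unless TLS inspection is on
    }

def review_reason(r: dict[str, Any]) -> Optional[str]:
    """Return why a normalized record deserves analyst attention, or None if it is routine."""
    if r["kind"] == "tls" and (r["action"] == "DROP" or r["detail"]):
        return f"TLS inspection {r['action']}: {r['detail']}"
    if r["kind"] == "alert" and r["action"] != "allowed":
        return f"Blocked by rule {r['detail']}"
    return None
```

Running normalize over the two samples yields an allowed alert (no review reason) and a dropped TLS connection flagged with its REVOKED status and SNI; the same records can be loaded into Athena or CloudWatch Insights for aggregation by firewall, source and SNI.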
