Connect this data source on your own, using the Hunters platform.
Overview
AWS Network Firewall is a managed network security service that helps protect your VPCs by enabling customizable firewall rules to control both inbound and outbound traffic. It supports stateful and stateless inspection, intrusion prevention, domain filtering, and threat intelligence integration. Designed for scalability and high availability, it provides centralized control over traffic filtering across multiple VPCs without the need to manage physical appliances.
Supported data types
AWS Network Firewall Flow Logs
Table name: aws_network_firewall_flow_logs
AWS Network Firewall flow logs capture detailed information about allowed and denied traffic passing through the firewall. These logs include metadata such as source and destination IPs, ports, protocols, and actions taken, providing visibility into network activity for monitoring, compliance, and threat detection. Flow logs can be exported to Amazon S3, CloudWatch Logs, or Kinesis for storage and analysis.
AWS Network Firewall Alert Logs
Table name: aws_network_firewall_alert_logs
AWS Network Firewall alert logs record events where traffic matches a rule configured with an alert action, indicating potentially suspicious or policy-violating activity. These logs provide detailed information such as matched rule IDs, source and destination IPs, ports, protocols, and timestamps. Alert logs help security teams monitor threats in real time and investigate incidents without dropping traffic, and can be streamed to Amazon S3, CloudWatch Logs, or Kinesis for centralized analysis and response.
Send data to Hunters
To connect AWS Network Firewall logs:
Follow this guide to export AWS Network Firewall logs to an S3 bucket.
Once the export is complete and the logs are being collected in S3, follow the steps in this section.
Expected format
AWS Network Firewall Flow Logs
{
  "firewall_name": "net-firewall-prod-poc-firewall",
  "availability_zone": "us-east-1c",
  "event_timestamp": "1736172301",
  "event": {
    "tcp": {
      "tcp_flags": "1b",
      "syn": true,
      "fin": true,
      "psh": true,
      "ack": true
    },
    "app_proto": "unknown",
    "src_ip": "1.1.1.1",
    "src_port": 123,
    "netflow": {
      "pkts": 1,
      "bytes": 1234,
      "start": "2025-01-06T13:59:10.196843+0000",
      "end": "2025-01-06T13:59:10.531812+0000",
      "age": 0,
      "min_ttl": 125,
      "max_ttl": 125
    },
    "event_type": "netflow",
    "flow_id": 1234567,
    "dest_ip": "1.1.1.1",
    "proto": "TCP",
    "dest_port": 111,
    "timestamp": "2025-01-06T14:05:01.693519+0000"
  }
}
AWS Network Firewall Alert Logs
{
  "firewall_name": "net-firewall-prod-poc-firewall",
  "availability_zone": "us-east-1c",
  "event_timestamp": "1736139611",
  "event": {
    "src_ip": "1.1.1.1",
    "src_port": 3130,
    "event_type": "alert",
    "alert": {
      "severity": 3,
      "signature_id": 2,
      "rev": 0,
      "signature": "aws:alert_strict action",
      "action": "allowed",
      "category": ""
    },
    "flow_id": 12345678,
    "dest_ip": "1.1.1.1",
    "proto": "TCP",
    "verdict": {
      "action": "alert"
    },
    "dest_port": 12,
    "pkt_src": "geneve encapsulation",
    "timestamp": "2025-01-06T05:00:11.704739+0000",
    "direction": "to_server"
  }
}
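To check exported records against the two formats above before connecting the bucket, the Python below is an added example (not Hunters or AWS code) that routes a log line to its table by event_type, converts event_timestamp to UTC, decodes tcp_flags, and marks alerts whose traffic was still allowed. The normalize function, its output field names, and the reading of tcp_flags as the hex TCP flag byte are assumptions made for this example; the sample lines are constructed from the records shown on this page.

```python
import json
from datetime import datetime, timezone
# Table names from the "Supported data types" section of this page.
TABLES = {"netflow": "aws_network_firewall_flow_logs",
          "alert": "aws_network_firewall_alert_logs"}
# Standard TCP header flag bits; assumes tcp_flags is that byte in hex.
TCP_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
            "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80}

# Constructed sample lines: trimmed copies of the two records shown above.
FLOW_LINE = json.dumps({"firewall_name": "net-firewall-prod-poc-firewall",
    "event_timestamp": "1736172301", "event": {"event_type": "netflow",
    "tcp": {"tcp_flags": "1b", "syn": True, "fin": True, "psh": True, "ack": True},
    "src_ip": "1.1.1.1", "src_port": 123, "dest_ip": "1.1.1.1",
    "dest_port": 111, "proto": "TCP"}})
ALERT_LINE = json.dumps({"firewall_name": "net-firewall-prod-poc-firewall",
    "event_timestamp": "1736139611", "event": {"event_type": "alert",
    "alert": {"severity": 3, "signature_id": 2,
              "signature": "aws:alert_strict action", "action": "allowed"},
    "src_ip": "1.1.1.1", "src_port": 3130, "dest_ip": "1.1.1.1",
    "dest_port": 12, "proto": "TCP", "verdict": {"action": "alert"}}})

def normalize(line):
    """Flatten one log line. ValueError: bad JSON or unknown event_type;
    KeyError: a required field is missing."""
    rec = json.loads(line)
    ev = rec["event"]
    table = TABLES.get(ev.get("event_type"))
    if table is None:
        raise ValueError(f"unexpected event_type: {ev.get('event_type')!r}")
    out = {"table": table, "firewall": rec["firewall_name"],
           # event_timestamp is epoch seconds carried as a string.
           "time": datetime.fromtimestamp(int(rec["event_timestamp"]), tz=timezone.utc),
           "src": (ev["src_ip"], ev["src_port"]),
           "dst": (ev["dest_ip"], ev["dest_port"]), "proto": ev["proto"]}
    if "tcp" in ev:
        mask = int(ev["tcp"]["tcp_flags"], 16)
        out["tcp_flags"] = sorted(n for n, b in TCP_BITS.items() if mask & b)
        # Cross-check the hex mask against the record's boolean flag fields.
        named = sorted(n for n in TCP_BITS if ev["tcp"].get(n))
        out["flags_consistent"] = named == out["tcp_flags"]
    if "alert" in ev:
        a = ev["alert"]
        out.update(signature=a["signature"], signature_id=a["signature_id"],
                   severity=a["severity"],
                   # True when the rule alerted but the traffic still passed.
                   passed_through=a["action"] == "allowed")
    return out
```

In the flow sample, tcp_flags "1b" decodes to FIN, SYN, PSH and ACK, the same four flags the record carries as booleans, and event_timestamp agrees to the second with event.timestamp in both samples.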