This document explains how to ingest AWS Network Firewall logs to Google Security Operations. AWS Network Firewall is a managed service that provides protection to your VPC against malicious traffic. By sending Network Firewall logs to Google SecOps, you can improve your monitoring, analysis, and threat detection.
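Before you begin
Ensure you have the following prerequisites:
- Google SecOps instance
- Privileged access to AWS

How to configure logging for AWS Network Firewall
1. Sign in to the AWS Management Console.
2. Open the Amazon VPC console.
3. In the navigation pane, select Firewalls.
4. Select the name of the firewall that you want to edit.
5. Select the Firewall details tab.
6. In the Logging section, click Edit.
7. Select the log types: Flow, Alert and TLS.
8. For each selected log type, choose S3 for the destination type.
   Note: In order to change the destination for an existing log type, you must first disable logging for the policy. Then, edit the policy and specify the new destination(s) for the log type.
9. Click Save.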
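To confirm the result of the logging steps above, the following added example (not part of the original page) audits the JSON returned by `aws network-firewall describe-logging-configuration` for the three log types and for an S3 destination that matches the feed's S3 URI. The sample response, firewall name and account ID are constructed, and the function names are hypothetical.

```python
import json
from urllib.parse import urlparse

REQUIRED_LOG_TYPES = ("ALERT", "FLOW", "TLS")  # the three log types selected above

# Constructed sample response: FLOW goes to S3, ALERT to CloudWatch, TLS is not enabled.
SAMPLE_RESPONSE = json.dumps({
    "FirewallArn": "arn:aws:network-firewall:us-east-1:111122223333:firewall/example-fw",
    "LoggingConfiguration": {"LogDestinationConfigs": [
        {"LogType": "FLOW", "LogDestinationType": "S3",
         "LogDestination": {"bucketName": "your-log-bucket-name", "prefix": "flow"}},
        {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
         "LogDestination": {"logGroup": "example-alert-group"}},
    ]},
})


def bucket_from_uri(s3_uri):
    """Extract the bucket name from an s3://bucket/ URI as entered in the feed."""
    parsed = urlparse(s3_uri)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError(f"not an S3 URI: {s3_uri!r}")
    return parsed.netloc


def audit_logging(response_json, s3_uri):
    """Return a list of findings; an empty list means all three types reach the bucket."""
    expected = bucket_from_uri(s3_uri)
    body = json.loads(response_json)
    configs = (body.get("LoggingConfiguration") or {}).get("LogDestinationConfigs") or []
    findings = []
    for log_type in REQUIRED_LOG_TYPES:
        dests = [c for c in configs if c.get("LogType") == log_type]
        if not dests:
            findings.append(f"{log_type}: logging not enabled")
            continue
        buckets = [c.get("LogDestination", {}).get("bucketName")
                   for c in dests if c.get("LogDestinationType") == "S3"]
        if not buckets:
            kinds = ", ".join(sorted(c.get("LogDestinationType", "?") for c in dests))
            findings.append(f"{log_type}: no S3 destination (found {kinds})")
        elif expected not in buckets:
            findings.append(f"{log_type}: S3 bucket {buckets[0]} does not match the feed's S3 URI")
    return findings


if __name__ == "__main__":
    for finding in audit_logging(SAMPLE_RESPONSE, "s3://your-log-bucket-name/"):
        print(finding)
```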
Set up feeds
There are two different entry points to set up feeds in the Google SecOps platform:
- SIEM Settings > Feeds > Add New
- Content Hub > Content Packs > Get Started
How to set up the AWS Network Firewall feed
1. Click the Amazon Cloud Platform pack.
2. Locate the AWS Network Firewall log type.
3. Specify the values in the following fields:
   - Source Type: Amazon SQS V2
   - Queue Name: The SQS queue name to read from.
   - S3 URI: The bucket URI, in the form s3://your-log-bucket-name/. Replace your-log-bucket-name with the actual name of your S3 bucket.
   - Source deletion options: Select the deletion option according to your ingestion preferences.
     Note: If you select the Delete transferred files or Delete transferred files and empty directories option, make sure that you granted appropriate permissions to the service account.
   - Maximum File Age: Include only files modified within this number of days. Default is 180 days.
   - SQS Queue Access Key ID: An account access key that is a 20-character alphanumeric string.
   - SQS Queue Secret Access Key: An account access key that is a 40-character alphanumeric string.
   Advanced options
   - Feed Name: A prepopulated value that identifies the feed.
   - Asset Namespace: Namespace associated with the feed.
   - Ingestion Labels: Labels applied to all events from this feed.
4. Click Create feed.

Note: The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
| --- | --- | --- |
| availability_zone | target.resource.attribute.cloud.availability_zone | Directly mapped from the availability_zone field. |
| event.app_proto | network.application_protocol | Directly mapped from the event.app_proto field, converted to uppercase if not one of the specified values (ikev2, tftp, failed, snmp, tls, ftp). HTTP2 is replaced with HTTP. |
| event.dest_ip | target.ip | Directly mapped from the event.dest_ip field. |
| event.dest_port | target.port | Directly mapped from the event.dest_port field, converted to integer. |
| | | Directly mapped from the event.tcp.tcp_flags field. |
| event_timestamp | metadata.event_timestamp.seconds | Directly mapped from the event_timestamp field, parsed as a timestamp. |
| event_timestamp | timestamp.seconds | Directly mapped from the event_timestamp field, parsed as a timestamp. |
| firewall_name | metadata.product_event_type | Directly mapped from the firewall_name field. Set to "NETWORK_CONNECTION" if both event.src_ip and event.dest_ip are present, otherwise set to "GENERIC_EVENT". Hardcoded to "AWS Network Firewall". Hardcoded to "AWS". |
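The mapping rules in the table can be spot-checked against parsed events with a small reference implementation. This is an added example, not Google's parser: it assumes a record with a nested `event` object and an epoch-seconds `event_timestamp`, uses a constructed sample record, leaves the listed `app_proto` exceptions unchanged (the literal reading of the table), and writes the event type to `metadata.event_type`, a field name the table above does not spell out.

```python
# Values the table exempts from upper-casing; read literally, they are left unchanged.
KEEP_AS_IS = {"ikev2", "tftp", "failed", "snmp", "tls", "ftp"}

# Constructed sample record; layout assumed from the field names in the table.
SAMPLE = {
    "firewall_name": "example-fw",
    "availability_zone": "us-east-1a",
    "event_timestamp": "1700000000",  # assumed to be epoch seconds
    "event": {"app_proto": "http2", "src_ip": "10.0.1.5",
              "dest_ip": "203.0.113.10", "dest_port": "443"},
}


def map_app_proto(value):
    """Apply the event.app_proto rule: upper-case unless exempt, then HTTP2 -> HTTP."""
    if value in KEEP_AS_IS:
        return value
    upper = value.upper()
    return "HTTP" if upper == "HTTP2" else upper


def to_udm(record):
    """Return a flat dict keyed by UDM path (a simplification of a real UDM event)."""
    event = record.get("event", {})
    udm = {}
    if "availability_zone" in record:
        udm["target.resource.attribute.cloud.availability_zone"] = record["availability_zone"]
    if event.get("app_proto"):
        udm["network.application_protocol"] = map_app_proto(event["app_proto"])
    if event.get("dest_ip"):
        udm["target.ip"] = event["dest_ip"]
    if event.get("dest_port") is not None:
        udm["target.port"] = int(event["dest_port"])  # "converted to integer"
    if record.get("event_timestamp"):
        udm["metadata.event_timestamp.seconds"] = int(record["event_timestamp"])
    if "firewall_name" in record:
        udm["metadata.product_event_type"] = record["firewall_name"]
    # Event type rule from the last table row (target field name is an assumption).
    both_ips = bool(event.get("src_ip") and event.get("dest_ip"))
    udm["metadata.event_type"] = "NETWORK_CONNECTION" if both_ips else "GENERIC_EVENT"
    return udm


if __name__ == "__main__":
    for path, value in to_udm(SAMPLE).items():
        print(f"{path} = {value!r}")
```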
Last updated 2025-08-29 UTC.