Amazon Web Services (AWS) released a new threat detection solution, AWS Network Firewall, "a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs)." Integration with AWS Network Firewall allows Alert Logic to capture AWS Network Firewall alerts as log messages and enables a customer to generate incidents via custom correlation rules. As AWS Network Firewall discovers web attacks, the Alert Logic Managed Detection & Response (MDR) platform analyzes, correlates, and proactively surfaces security threats in the Alert Logic console.
Alert Logic provides a set of rules to configure AWS Network Firewall that cover a set of web application attacks. When Alert Logic MDR is integrated with AWS Network Firewall, you can report on, correlate, and generate incidents based on the AWS Network Firewall alerts.
Configuration of AWS Network Firewall
To have AWS Network Firewall evaluate the Alert Logic rules, you must create a new rule group containing the downloaded rules. To begin this process, follow the on-screen instructions in the AWS Management Console.
Note: Alert Logic does not require use of our rules, but you must configure AWS Network Firewall to send log alerts to Amazon S3. Once this is done, configure the collection of alerts via the Application Registry.
While configuring the firewall, you will have the opportunity to add stateful rule groups to the firewall policy. Alert Logic stateful rule groups are what allow Alert Logic to receive and analyze AWS Network Firewall traffic. Alert Logic provides rule strings that configure the firewall's stateful inspection to detect many web attacks.
Creating & Applying Alert Logic Stateful Rule Groups
To configure an Alert Logic stateful rule group for AWS Network Firewall, you must first download our rules from the Alert Logic console at main menu > Configuration > Application Registry > AWS > AWS Network Firewall > Download Rules. Then, within the AWS Management Console, import the downloaded rules as Suricata compatible IPS rules. See full details on configuring your stateful rule groups within our Configure AWS Network Firewall Log Collector documentation.
Note: When configuring your Alert Logic stateful rule group, make sure to select Suricata compatible IPS rules and to set the Actions option to Alert in the AWS Management Console. A rule group configured with a different action will not produce the alert log entries that Alert Logic analysis depends on.
Accessing Incidents Generated from AWS Network Firewall
Once you have successfully integrated Alert Logic and AWS Network Firewall, you will begin receiving incident notifications for security threats. The underlying alerts can be found within the Alert Logic console in our log search functionality at main menu > Investigate > Search > Log Search. Search on message type AWS Network Firewall Alert to see all alerts generated from AWS Network Firewall traffic.
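To show what the alerts logged to S3 by an Alert-action rule group look like once collected, and what a custom correlation rule over them has to do, here is an added example that is not Alert Logic or AWS code. It assumes the alert log records are Suricata EVE-style JSON lines with `event.event_type`, `event.src_ip` and `event.alert.signature_id` fields (reproduced from memory, so treat the layout as an assumption); the sample records and rule IDs are constructed, and the "several distinct rules from one source" threshold is one illustrative correlation, not Alert Logic's own logic.

```python
import json
from collections import defaultdict

def _rec(src, sid, sig):
    # Constructed AWS Network Firewall alert record (not captured data);
    # action "allowed" is what a rule whose action is Alert reports.
    return {"firewall_name": "fw-example", "availability_zone": "us-east-1a",
            "event_timestamp": "1700000000",
            "event": {"event_type": "alert", "src_ip": src, "src_port": 40001,
                      "dest_ip": "10.0.1.5", "dest_port": 80, "proto": "TCP",
                      "alert": {"action": "allowed", "signature_id": sid,
                                "rev": 1, "signature": sig, "severity": 1}}}

# Three alert records, one non-alert flow record, and one damaged line.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec("198.51.100.7", 9000001, "EXAMPLE SQLi in URI"),
    _rec("198.51.100.7", 9000002, "EXAMPLE path traversal"),
    _rec("203.0.113.9", 9000001, "EXAMPLE SQLi in URI"),
    {"firewall_name": "fw-example", "event": {"event_type": "netflow",
                                              "src_ip": "203.0.113.9"}},
]) + "\n{\"truncated\": tru\n"

def parse_alerts(text):
    """Return one flat dict per alert event; skip non-alert or malformed lines."""
    out = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # truncated or non-JSON line in the S3 object
        ev = rec.get("event", {})
        if ev.get("event_type") != "alert" or "alert" not in ev:
            continue
        out.append({"firewall": rec.get("firewall_name"),
                    "src_ip": ev.get("src_ip"), "dest_ip": ev.get("dest_ip"),
                    "dest_port": ev.get("dest_port"),
                    "sid": ev["alert"].get("signature_id"),
                    "signature": ev["alert"].get("signature"),
                    "action": ev["alert"].get("action")})
    return out

def correlate(alerts, min_distinct_sigs=2):
    """Sources that triggered at least min_distinct_sigs different rules."""
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a["src_ip"]].add(a["sid"])
    return {s: sids for s, sids in by_src.items() if len(sids) >= min_distinct_sigs}

if __name__ == "__main__":
    for src, sids in correlate(parse_alerts(SAMPLE_LOG)).items():
        print(f"incident candidate: {src} matched rules {sorted(sids)}")
```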