

# Customize Amazon CloudWatch alerts for AWS Network Firewall
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall"></a>

*Jason Owens, Amazon Web Services*

## Summary
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-summary"></a>

This pattern helps you customize the Amazon CloudWatch alerts that AWS Network Firewall generates. You can use predefined rules or create custom rules that determine the message, metadata, and severity of each alert. You can then act on these alerts or automate responses through other AWS services, such as Amazon EventBridge.

In this pattern, you write Suricata-compatible firewall rules. [Suricata](https://suricata.io/) is an open-source threat detection engine, and Network Firewall uses its rule syntax for stateful rule groups. You first create simple rules and test them to confirm that the CloudWatch alerts are generated and logged. After the rules pass that test, you modify them to define custom messages, metadata, and severities, and then test again to confirm the updates.

## Prerequisites and limitations
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-prereqs"></a>

**Prerequisites**
+ An active AWS account.
+ AWS Command Line Interface (AWS CLI) installed and configured on your Linux, macOS, or Windows workstation. For more information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
+ AWS Network Firewall deployed and configured to send alert logs to CloudWatch Logs. For more information, see [Logging network traffic from AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html).
+ An Amazon Elastic Compute Cloud (Amazon EC2) instance in a private subnet of a virtual private cloud (VPC) that is protected by Network Firewall.

**Product versions**
+ For version 1 of AWS CLI, use 1.18.180 or later. For version 2 of AWS CLI, use 2.1.2 or later.
+ The classification.config file from Suricata version 5.0.2. For a copy of this configuration file, see the [Additional information](#customize-amazon-cloudwatch-alerts-for-aws-network-firewall-additional) section.

## Architecture
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-architecture"></a>

![An EC2 instance request generates alert in Network Firewall, which forwards alert to CloudWatch](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/da6087a9-e942-4cfe-85e3-3b08de6f3ba5/images/778d85cd-bc87-4ed0-a161-d35eb5daa694.png)


The architecture diagram shows the following workflow:

1. An Amazon EC2 instance in a private subnet makes a request by using either [curl](https://curl.se/) or [Wget](https://www.gnu.org/software/wget/).

1. Network Firewall processes the traffic and generates an alert.

1. Network Firewall sends the logged alerts to CloudWatch Logs.

## Tools
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-tools"></a>

**AWS services**
+ [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) helps you monitor the metrics of your AWS resources and the applications you run on AWS in real time.
+ [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) helps you centralize the logs from all your systems, applications, and AWS services so you can monitor them and archive them securely.
+ [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) is an open-source tool that helps you interact with AWS services through commands in your command-line shell.
+ [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) is a stateful, managed, network firewall and intrusion detection and prevention service for virtual private clouds (VPCs) in the AWS Cloud. 

**Other tools**
+ [curl](https://curl.se/) is an open-source command line tool and library.
+ [GNU Wget](https://www.gnu.org/software/wget/) is a free command line tool.

## Epics
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-epics"></a>

### Create the firewall rules and rule group
<a name="create-the-firewall-rules-and-rule-group"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create rules. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS systems administrator, Network administrator | 
| Create the rule group. | In the AWS CLI, enter the following command. This creates a stateful rule group named `custom` from the rules file with a capacity of 10. The capacity is the maximum number of rules the group can hold and can't be changed after the group is created, so size it for the rules you plan to add.<pre>❯ aws network-firewall create-rule-group \<br />        --rule-group-name custom --type STATEFUL \<br />        --capacity 10 --rules file://custom.rules \<br />        --tags Key=environment,Value=development</pre><br />The following is an example output. Make note of the `RuleGroupArn`, which you need in a later step.<pre>{<br />    "UpdateToken": "4f998d72-973c-490a-bed2-fc3460547e23",<br />    "RuleGroupResponse": {<br />        "RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",<br />        "RuleGroupName": "custom",<br />        "RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",<br />        "Type": "STATEFUL",<br />        "Capacity": 10,<br />        "RuleGroupStatus": "ACTIVE",<br />        "Tags": [<br />            {<br />                "Key": "environment",<br />                "Value": "development"<br />            }<br />        ]<br />    }<br />}</pre> | AWS systems administrator | 
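As an added example (not the page's own `custom.rules`), the following shows the two versions of the rule file that this pattern walks through. The domain, the `sid` values, and the metadata values are assumptions. Version 1 is the simple rule you create first; version 2 is the customized rule you switch to in the update epic, keeping the same `sid` and incrementing `rev`. Because both rules inspect the HTTP `Host` header, generate the test alert from the EC2 instance with a plain-HTTP request such as `curl -s http://example.com/`; an HTTPS request would need a `tls.sni` match instead.

```text
# custom.rules, version 1 (constructed example; domain and sid are assumptions)
# No priority keyword: the alert inherits the classification's priority
# (not-suspicious = 3) as its severity, and the classification's description
# ("Not Suspicious Traffic") as its category.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"test rule"; flow:to_server,established; http.host; content:"example.com"; classtype:not-suspicious; sid:1000001; rev:1;)

# custom.rules, version 2 (replaces version 1 in the update epic)
# Same match, but a custom message, metadata for downstream automation, and an
# explicit priority that overrides the classification's value of 1.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CUSTOM egress to example.com from private subnet"; flow:to_server,established; http.host; content:"example.com"; classtype:policy-violation; priority:2; metadata:team soc, ticket SEC-1; sid:1000001; rev:2;)
```

Keep only one version in the file at a time: duplicate `sid` values are rejected when the rule group is created or updated. With `--capacity 10`, the group holds at most ten such rules.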

### Update the firewall policy
<a name="update-the-firewall-policy"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Get the ARN of the firewall policy. | In the AWS CLI, enter the following command. This returns the Amazon Resource Name (ARN) of the firewall policy. Record the ARN for use later in this pattern.<pre>❯ aws network-firewall describe-firewall \<br />    --firewall-name aws-network-firewall-anfw \<br />    --query 'Firewall.FirewallPolicyArn'</pre><br />The following is an example ARN that is returned by this command.<pre>"arn:aws:network-firewall:us-east-2:1234567890:firewall-policy/firewall-policy-anfw"</pre> | AWS systems administrator | 
| Update the firewall policy. | In a text editor, copy and paste the following code. Replace `<RuleGroupArn>` with the value you recorded in the previous epic. Save the file as `firewall-policy-anfw.json`.<pre>{<br />    "StatelessDefaultActions": [<br />        "aws:forward_to_sfe"<br />    ],<br />    "StatelessFragmentDefaultActions": [<br />        "aws:forward_to_sfe"<br />    ],<br />    "StatefulRuleGroupReferences": [<br />        {<br />            "ResourceArn": "<RuleGroupArn>"<br />        }<br />    ]<br />}</pre><br />The `--firewall-policy` argument replaces the entire policy, not just the stateful rule group references. If your policy already references other rule groups or sets other default actions, include them in the JSON file as well; otherwise they are removed.<br /><br />Enter the following commands in the AWS CLI. The update command requires an [update token](https://docs.aws.amazon.com/cli/latest/reference/network-firewall/update-firewall-policy.html), which confirms that the policy hasn't changed since you last retrieved it.<pre>UPDATETOKEN=$(aws network-firewall describe-firewall-policy \<br />    --firewall-policy-name firewall-policy-anfw \<br />    --output text --query UpdateToken)<br /><br />aws network-firewall update-firewall-policy \<br />    --update-token "$UPDATETOKEN" \<br />    --firewall-policy-name firewall-policy-anfw \<br />    --firewall-policy file://firewall-policy-anfw.json</pre> | AWS systems administrator | 
| Confirm the policy updates. | (Optional) To confirm that the rule group reference was added and to view the policy format, enter the following command in the AWS CLI.<pre>❯ aws network-firewall describe-firewall-policy \<br />  --firewall-policy-name firewall-policy-anfw \<br />  --query FirewallPolicy</pre><br />The following is an example output.<pre>{<br />    "StatelessDefaultActions": [<br />        "aws:forward_to_sfe"<br />    ],<br />    "StatelessFragmentDefaultActions": [<br />        "aws:forward_to_sfe"<br />    ],<br />    "StatefulRuleGroupReferences": [<br />        {<br />            "ResourceArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom"<br />        }<br />    ]<br />}</pre> | AWS systems administrator | 

### Test alert functionality
<a name="test-alert-functionality"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Generate alerts for testing. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS systems administrator | 
| Validate that the alerts are logged. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS systems administrator | 

### Update the firewall rules and rule group
<a name="update-the-firewall-rules-and-rule-group"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Update the firewall rules. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS systems administrator | 
| Update the rule group. | In the AWS CLI, run the following commands, using the ARN of your rule group (the `RuleGroupArn` you recorded when you created it). The first command gets an update token; the second replaces the rule group's rules with the contents of the updated `custom.rules` file.<pre>❯ UPDATETOKEN=$(aws network-firewall describe-rule-group \<br />    --rule-group-arn arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom \<br />    --output text --query UpdateToken)</pre><pre>❯ aws network-firewall update-rule-group \<br />    --rule-group-arn arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom \<br />    --rules file://custom.rules \<br />    --update-token "$UPDATETOKEN"</pre><br />The following is an example output.<pre>{<br />    "UpdateToken": "7536939f-6a1d-414c-96d1-bb28110996ed",<br />    "RuleGroupResponse": {<br />        "RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",<br />        "RuleGroupName": "custom",<br />        "RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",<br />        "Type": "STATEFUL",<br />        "Capacity": 10,<br />        "RuleGroupStatus": "ACTIVE",<br />        "Tags": [<br />            {<br />                "Key": "environment",<br />                "Value": "development"<br />            }<br />        ]<br />    }<br />}</pre> | AWS systems administrator | 

### Test the updated alert functionality
<a name="test-the-updated-alert-functionality"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Generate an alert for testing. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS systems administrator | 
| Validate the alert changed. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS systems administrator | 
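The two validation tasks in this pattern (confirm that an alert was logged, then confirm that its message, category, and severity changed after the rule update) can be checked programmatically once the log lines are exported from CloudWatch Logs. The following is an added example, not code from the AWS pattern. The records are constructed to resemble Network Firewall alert logs, which wrap the Suricata EVE alert JSON in an `event` field; the firewall name, addresses, `sid`, signature text, and the severity-to-response mapping are assumptions.

```python
"""Parse Network Firewall alert records from CloudWatch Logs and report what
changed for a given sid after a rule group update.

Added example, not code from the AWS pattern. All log records below are
constructed; the firewall name, IP addresses, sid and signature text are
assumptions.
"""
import json
from typing import Dict, Iterable, List, Optional, Tuple


def _record(ts: str, rev: int, signature: str, category: str, severity: int) -> str:
    """Build one constructed alert log line in the Network Firewall alert format."""
    return json.dumps({
        "firewall_name": "aws-network-firewall-anfw",
        "availability_zone": "us-east-2a",
        "event_timestamp": "1607279936",
        "event": {
            "timestamp": ts, "flow_id": 1, "event_type": "alert",
            "src_ip": "10.0.1.12", "src_port": 43210,
            "dest_ip": "93.184.216.34", "dest_port": 80, "proto": "TCP",
            "app_proto": "http",
            "alert": {"action": "allowed", "signature_id": 1000001, "rev": rev,
                      "signature": signature, "category": category,
                      "severity": severity},
        },
    })


# Constructed sample: the alert before the rule update, a non-alert record, a
# truncated line (as from a cut-off export), and the alert after the update.
SAMPLE_LOG_LINES = [
    _record("2020-12-06T18:38:56.000000+0000", 1, "test rule",
            "Not Suspicious Traffic", 3),
    '{"firewall_name": "aws-network-firewall-anfw", "event": {"event_type": "netflow"}}',
    '{"truncated": ',
    _record("2020-12-06T18:45:10.000000+0000", 2, "CUSTOM egress to example.com",
            "Potential Corporate Privacy Violation", 2),
]


def parse_alert_records(lines: Iterable[str]) -> List[dict]:
    """Flatten alert records; skip malformed lines and non-alert event types."""
    alerts: List[dict] = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev = rec.get("event", {})
        if ev.get("event_type") != "alert" or "alert" not in ev:
            continue
        a = ev["alert"]
        alerts.append({
            "firewall": rec.get("firewall_name"),
            "timestamp": ev.get("timestamp"),
            "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
            "dst": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
            "sid": a.get("signature_id"), "rev": a.get("rev"),
            "signature": a.get("signature"), "category": a.get("category"),
            "severity": a.get("severity"), "action": a.get("action"),
        })
    return alerts


def latest_for_sid(alerts: List[dict], sid: int) -> Optional[dict]:
    """Most recent alert for a sid (timestamps share one ISO format, so they sort as strings)."""
    matches = [a for a in alerts if a["sid"] == sid]
    return max(matches, key=lambda a: a["timestamp"]) if matches else None


def alert_changes(before: dict, after: dict) -> Dict[str, Tuple]:
    """Fields that differ between two alerts for the same sid: {field: (old, new)}."""
    fields = ("rev", "signature", "category", "severity")
    return {k: (before[k], after[k]) for k in fields if before[k] != after[k]}


def response_tier(alert: dict) -> str:
    """Map Suricata severity (1 is highest) to a response tier; the mapping is an assumption."""
    if alert["severity"] == 1:
        return "page"
    if alert["severity"] == 2:
        return "ticket"
    return "log-only"


if __name__ == "__main__":
    found = parse_alert_records(SAMPLE_LOG_LINES)
    print(alert_changes(found[0], found[1]))
    print(response_tier(latest_for_sid(found, 1000001)))
```

To pull the same fields straight from the log group, a CloudWatch Logs Insights query such as `fields event.timestamp, event.alert.signature, event.alert.category, event.alert.severity | filter event.alert.signature_id = 1000001` returns one row per alert for the sid, which is enough to eyeball the before and after values during the two test epics.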

## Related resources
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-resources"></a>

**References**
+ [Send alerts from AWS Network Firewall to a Slack channel](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/send-alerts-from-aws-network-firewall-to-a-slack-channel.html) (AWS Prescriptive Guidance)
+ [Scaling threat prevention on AWS with Suricata](https://aws.amazon.com/blogs/opensource/scaling-threat-prevention-on-aws-with-suricata/) (AWS blog post)
+ [Deployment models for AWS Network Firewall](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/) (AWS blog post)
+ [Suricata meta keywords](https://suricata.readthedocs.io/en/suricata-6.0.1/rules/meta.html) (Suricata documentation)

**Tutorials and videos**
+ [AWS Network Firewall workshop](https://networkfirewall.workshop.aws/)

## Additional information
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-additional"></a>

The following is the classification configuration file from Suricata 5.0.2. Firewall rules reference these classifications through the `classtype` keyword: the short description becomes the alert's category, and the priority becomes the alert's severity in the CloudWatch Logs record unless the rule sets an explicit `priority`.

```
# config classification:shortname,short description,priority
 
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
 
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
 
# Update
config classification: targeted-activity,Targeted Malicious Activity was Detected,1
config classification: exploit-kit,Exploit Kit Activity Detected,1
config classification: external-ip-check,Device Retrieving External IP Address Detected,2
config classification: domain-c2,Domain Observed Used for C2 Detected,1
config classification: pup-activity,Possibly Unwanted Program Detected,2
config classification: credential-theft,Successful Credential Theft Detected,1
config classification: social-engineering,Possible Social Engineering Attempted,2
config classification: coin-mining,Crypto Currency Mining Activity Detected,2
config classification: command-and-control,Malware Command and Control Activity Detected,1
```
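Before creating or updating the rule group, it helps to check the rule file against this classification list, since an unknown `classtype` or a missing `sid` surfaces only as a failed API call, and the effective priority (explicit `priority` keyword, else the classification's value, else 3) is what Network Firewall reports as the alert severity. The following is an added example that does this check, not code from the AWS pattern. It embeds a constructed subset of the classification file above and a constructed rule file; the domain, `sid` values, and metadata values are assumptions.

```python
"""Validate a Suricata-compatible rule file for AWS Network Firewall against
classification.config and report each rule's effective severity.

Added example, not code from the AWS pattern. The rules and the
classification subset are constructed samples; sids, the domain and the
metadata values are assumptions.
"""
import re
from typing import Dict, List

# Constructed subset of the Suricata 5.0.2 classification.config on this page,
# including two entries whose priority field carries a stray leading space.
CLASSIFICATION_CONFIG = """
# config classification:shortname,short description,priority
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: trojan-activity,A Network Trojan was detected, 1
"""

# Constructed sample rule file (assumption: this is not the page's custom.rules).
SAMPLE_RULES = r'''
# simple rule: no priority keyword, so severity comes from the classification
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"test rule"; flow:to_server,established; http.host; content:"example.com"; classtype:not-suspicious; sid:1000001; rev:1;)
# customized rule: explicit priority overrides the classification's priority
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CUSTOM egress to example.com"; flow:to_server,established; http.host; content:"example.com"; classtype:policy-violation; priority:2; metadata:team soc, ticket SEC-1; sid:1000002; rev:1;)
# broken rule: unknown classtype and no sid
alert tcp $HOME_NET any -> any 4444 (msg:"bad rule"; classtype:no-such-class;)
'''

CLASS_RE = re.compile(r"^config classification:\s*([^,]+),([^,]+),\s*(\d+)\s*$")
# keyword; or keyword:value; where a quoted value may contain escaped characters
OPTION_RE = re.compile(r'\s*([\w.]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_classifications(text: str) -> Dict[str, dict]:
    """Map classtype shortname -> {'description', 'priority'}; comments and blanks skipped."""
    classes: Dict[str, dict] = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            name, desc, prio = m.groups()
            classes[name.strip()] = {"description": desc.strip(), "priority": int(prio)}
    return classes


def parse_rule_options(rule: str) -> Dict[str, List[str]]:
    """Return the rule's options as {keyword: [values]}; keywords without a value map to ''."""
    _, _, body = rule.partition("(")
    body = body.rstrip().rstrip(")")
    opts: Dict[str, List[str]] = {}
    for m in OPTION_RE.finditer(body):
        key, val = m.group(1), m.group(2)
        opts.setdefault(key, []).append("" if val is None else val.strip().strip('"'))
    return opts


def effective_priority(opts: Dict[str, List[str]], classes: Dict[str, dict]) -> int:
    """Suricata semantics: explicit priority wins, else the classtype's priority, else 3."""
    if "priority" in opts:
        return int(opts["priority"][0])
    classtype = opts.get("classtype", [None])[0]
    return classes[classtype]["priority"] if classtype in classes else 3


def validate_rules(text: str, classes: Dict[str, dict]) -> List[dict]:
    """One entry per rule with the fields that reach the CloudWatch alert, plus problems."""
    report: List[dict] = []
    seen_sids = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_rule_options(line)
        classtype = opts.get("classtype", [None])[0]
        sid = opts.get("sid", [None])[0]
        problems: List[str] = []
        if classtype is None:
            problems.append("no classtype")
        elif classtype not in classes:
            problems.append(f"unknown classtype {classtype!r}")
        if sid is None:
            problems.append("no sid")
        elif sid in seen_sids:
            problems.append(f"duplicate sid {sid}")
        seen_sids.add(sid)
        report.append({
            "sid": sid,
            "msg": opts.get("msg", [""])[0],
            "category": classes.get(classtype, {}).get("description"),
            "severity": effective_priority(opts, classes),
            "metadata": opts.get("metadata", [""])[0],
            "problems": problems,
        })
    return report


if __name__ == "__main__":
    for entry in validate_rules(SAMPLE_RULES, parse_classifications(CLASSIFICATION_CONFIG)):
        print(entry)
```

Run it against the real `custom.rules` and the full classification file before each `create-rule-group` or `update-rule-group` call; a non-empty `problems` list is a reason not to push the file.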