This post explains the fundamentals of network firewall logs, why they matter alongside endpoint telemetry, and how to collect them into Elastic Security using Elastic Agent and integrations. It also describes how to begin visual exploration of ingested firewall data on the Elastic Security Network page to spot anomalies and prepare for automated detection in a follow-up post. #Elastic #PaloAlto
Keypoints
- Network firewalls are critical gatekeepers that log north-south and east-west traffic and enforce security policies across on-prem and cloud environments.
- Firewall logs contain key fields — timestamp, source/destination IPs and ports, protocol, action/rule IDs, traffic volume, NAT info, application info, and interface info — that form the “ground truth” for network investigations.
- Analyzing fields like traffic volume, destination ports, and NAT mappings helps detect data exfiltration, lateral movement, brute-force attempts, and DoS or scanning activity.
- Elastic supports collecting firewall logs via Elastic Agent (syslog), Logstash, or direct ingestion from cloud storage (e.g., S3, Azure Blob) and enriches logs with geolocation, host mapping, and threat intel.
- Elastic Integrations provide tailored parsers for many firewall vendors, including Palo Alto, Fortinet FortiGate, Check Point, Cisco ASA, AWS Network Firewall, Azure Firewall, and GCP Firewall.
- The Elastic Security Network Page offers interactive maps, drill-down widgets, focused tabs (Flows, DNS, HTTP, TLS), and Timeline integration to visually explore, pivot, and investigate network activity.
- Part 2 will cover moving from exploration to automated detection using Elastic Security detection rules to find reconnaissance, C2, and exfiltration, and to correlate network data with endpoint telemetry.
MITRE Techniques
- [T1046] Network Service Discovery – Port or ping sweeps show up in firewall logs as one source touching many destination ports or hosts in a short window; ‘unusual ICMP patterns might signal a ping sweep or a denial-of-service (DoS) attempt.’
- [T1110] Brute Force – Repeated connections from one source IP to an authentication service (SSH, RDP) can indicate brute-force activity; ‘Source IPs help identify malicious external origins or internal systems attempting brute-force attacks.’
- [T1021] Remote Services – Logs record remote-service use (e.g., RDP) that can enable lateral movement, together with the policy rule that allowed it; ‘it might permit one system to use RDP to connect to another while blocking similar access from other systems.’
- [T1498] Network Denial of Service – Protocol and traffic-volume fields surface DoS activity; ‘unusual ICMP patterns might signal a ping sweep or a denial-of-service (DoS) attempt.’
- [T1041] Exfiltration Over C2 Channel – Traffic volume (bytes sent and received per session) is the primary indicator of data exfiltration or beaconing; ‘These fields are primary indicators for data exfiltration. Sudden spikes in volume or large transfers to an external destination are often the “early warning” for data theft or malware beaconing.’
- [T1071] Application Layer Protocol – Application and protocol fields help identify C2 channels and application-level malicious traffic; ‘Next-Generation Firewalls (NGFWs) go beyond ports to identify the actual application (e.g., Skype, BitTorrent, or HTTP).’
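The key fields listed in the Keypoints and the per-technique detection ideas above are easier to see in code than in prose. The following is an added example, not code from the Elastic post or from the Elastic integrations: it normalises a few constructed key=value firewall syslog lines (loosely modelled on FortiGate's traffic-log format) into ECS-style field names and then runs three simple detections over them, a port sweep (T1046), repeated connections to an authentication service (T1110) and a large internal-to-external transfer (T1041). The thresholds, the window sizes, the `INTERNAL_NETS` list and the sample lines are all assumptions made for illustration.

```python
"""Added example: ECS-style normalisation of constructed firewall syslog
lines plus three threshold detections (T1046, T1110, T1041).
Line format, thresholds and sample data are assumptions, not Elastic's."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. 198.51.100.x / 203.0.113.x are RFC 5737 documentation
# ranges standing in for external hosts; 10.0.1.x is the internal network.
SAMPLE_LOGS = """\
date=2024-05-01 time=12:00:01 srcip=198.51.100.23 srcport=40001 dstip=10.0.1.5 dstport=21 proto=6 action="deny" policyid=7 sentbyte=60 rcvdbyte=0 app="FTP"
date=2024-05-01 time=12:00:02 srcip=198.51.100.23 srcport=40002 dstip=10.0.1.5 dstport=22 proto=6 action="deny" policyid=7 sentbyte=60 rcvdbyte=0 app="SSH"
date=2024-05-01 time=12:00:03 srcip=198.51.100.23 srcport=40003 dstip=10.0.1.5 dstport=23 proto=6 action="deny" policyid=7 sentbyte=60 rcvdbyte=0 app="Telnet"
date=2024-05-01 time=12:00:04 srcip=198.51.100.23 srcport=40004 dstip=10.0.1.5 dstport=80 proto=6 action="accept" policyid=3 sentbyte=512 rcvdbyte=2048 app="HTTP"
date=2024-05-01 time=12:00:05 srcip=198.51.100.23 srcport=40005 dstip=10.0.1.5 dstport=443 proto=6 action="accept" policyid=3 sentbyte=512 rcvdbyte=4096 app="HTTPS"
date=2024-05-01 time=12:05:00 srcip=198.51.100.77 srcport=50001 dstip=10.0.1.5 dstport=22 proto=6 action="accept" policyid=12 sentbyte=2100 rcvdbyte=1800 app="SSH"
date=2024-05-01 time=12:05:06 srcip=198.51.100.77 srcport=50002 dstip=10.0.1.5 dstport=22 proto=6 action="accept" policyid=12 sentbyte=2100 rcvdbyte=1800 app="SSH"
date=2024-05-01 time=12:05:12 srcip=198.51.100.77 srcport=50003 dstip=10.0.1.5 dstport=22 proto=6 action="accept" policyid=12 sentbyte=2100 rcvdbyte=1800 app="SSH"
date=2024-05-01 time=12:05:18 srcip=198.51.100.77 srcport=50004 dstip=10.0.1.5 dstport=22 proto=6 action="accept" policyid=12 sentbyte=2100 rcvdbyte=1800 app="SSH"
date=2024-05-01 time=12:05:24 srcip=198.51.100.77 srcport=50005 dstip=10.0.1.5 dstport=22 proto=6 action="accept" policyid=12 sentbyte=2100 rcvdbyte=1800 app="SSH"
date=2024-05-01 time=12:10:00 srcip=10.0.1.8 srcport=51234 dstip=203.0.113.10 dstport=443 proto=6 action="accept" policyid=5 sentbyte=1500 rcvdbyte=90000 app="HTTPS"
date=2024-05-01 time=12:12:30 srcip=10.0.1.5 srcport=51300 dstip=203.0.113.9 dstport=443 proto=6 action="accept" policyid=5 sentbyte=734003200 rcvdbyte=4096 app="HTTPS"
"""

PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}
# Explicit RFC 1918 list: ipaddress.is_private would also match the RFC 5737
# documentation ranges that play the "external" role in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_kv(line):
    """Split a key=value syslog line; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}


def to_ecs(line):
    """Map vendor keys to the ECS field names the page lists as 'ground truth'."""
    kv = parse_kv(line)
    return {
        "@timestamp": datetime.fromisoformat(f"{kv['date']}T{kv['time']}"),
        "source.ip": kv["srcip"],
        "source.port": int(kv["srcport"]),
        "destination.ip": kv["dstip"],
        "destination.port": int(kv["dstport"]),
        "network.transport": PROTO.get(kv["proto"], kv["proto"]),
        "event.action": kv["action"],
        "rule.id": kv["policyid"],
        "source.bytes": int(kv["sentbyte"]),       # bytes the client sent
        "destination.bytes": int(kv["rcvdbyte"]),  # bytes the server sent back
        "network.application": kv.get("app"),
    }


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _in_window(first, later, window_s):
    return (later["@timestamp"] - first["@timestamp"]).total_seconds() <= window_s


def detect_port_scan(events, min_ports=5, window_s=60):
    """T1046: one source touching >= min_ports distinct ports on one host within window_s."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["source.ip"], e["destination.ip"])].append(e)
    hits = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["@timestamp"])
        for i, first in enumerate(evs):  # window starts at each event in turn
            ports = {e["destination.port"] for e in evs[i:] if _in_window(first, e, window_s)}
            if len(ports) >= min_ports:
                hits.append({"technique": "T1046", "source.ip": src, "destination.ip": dst, "ports": sorted(ports)})
                break
    return hits


def detect_brute_force(events, auth_ports=(22, 3389), min_attempts=5, window_s=60):
    """T1110 heuristic: repeated connections from one source to SSH/RDP on one host."""
    by_key = defaultdict(list)
    for e in events:
        if e["destination.port"] in auth_ports:
            by_key[(e["source.ip"], e["destination.ip"], e["destination.port"])].append(e)
    hits = []
    for (src, dst, port), evs in by_key.items():
        evs.sort(key=lambda e: e["@timestamp"])
        for i, first in enumerate(evs):
            n = sum(1 for e in evs[i:] if _in_window(first, e, window_s))
            if n >= min_attempts:
                hits.append({"technique": "T1110", "source.ip": src, "destination.ip": dst, "destination.port": port, "attempts": n})
                break
    return hits


def detect_exfil(events, min_bytes=100 * 1024 * 1024):
    """T1041 heuristic: allowed session where an internal host sends >= min_bytes externally."""
    return [{"technique": "T1041", "source.ip": e["source.ip"], "destination.ip": e["destination.ip"], "source.bytes": e["source.bytes"]}
            for e in events
            if e["event.action"] == "accept" and is_internal(e["source.ip"])
            and not is_internal(e["destination.ip"]) and e["source.bytes"] >= min_bytes]


def run(raw=SAMPLE_LOGS):
    events = [to_ecs(line) for line in raw.splitlines() if line.strip()]
    return detect_port_scan(events) + detect_brute_force(events) + detect_exfil(events)
```

Calling `run()` on the constructed sample returns one hit per technique: the 198.51.100.23 sweep of five ports on 10.0.1.5, the five SSH connections from 198.51.100.77, and the 700 MB upload from 10.0.1.5 to 203.0.113.9. The brute-force check is deliberately labelled a heuristic because a firewall sees connections, not authentication failures; correlating with endpoint or auth logs, as Part 2 of the post promises, is what turns it into a confident alert.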
Indicators of Compromise
The values below are the illustrative examples the post uses to explain each field, not observed indicators: the public IPs come from RFC 5737 documentation ranges and 10.0.1.5 is RFC 1918 space.
- [IP addresses] source and destination identifiers in logs – 198.51.100.23 (external example), 10.0.1.5 (internal example)
- [Ports] targeted service ports observed in destination.port – 22 (SSH), 443 (HTTPS)
- [Protocols] transport layer used to characterise attack types – TCP, ICMP
- [NAT IPs] translated addresses for mapping internal hosts – source.nat.ip, e.g., 192.0.2.10 (example)
- [Application names] NGFW-identified applications seen in network.application – Skype, BitTorrent
- [Rule identifiers] firewall policy metadata behind allow/deny decisions – rule.name or rule.id, e.g., “allow-rdp”, “deny-external-web”
- [DNS domains] DNS queries to review for suspicious lookups – example.com, internal.corp.local
- [TLS details] handshake and SNI/server name indications – mail.example.com, www.example.org
Read more: https://www.elastic.co/security-labs/make-the-most-of-network-firewall-logs-with-elastic