AWSNetworkFirewallFlow

AWSNetworkFirewallFlow Schema #

Table description #

| TableSection | TableType | TableSectionName | Description |
|---|---|---|---|
| Usx | Regular | Microsoft Sentinel | AWS Network Firewall flow logs, ingested through the Microsoft Sentinel AWS Network Firewall data connector. The table supports near-real-time analysis of flows that passed through the firewall's stateful engine and correlation with other security data sources such as detection alerts, firewall alert events, network traffic logs, and more. |

Table retention #

| HotDays | ColdDays | TotalInteractiveDays |
|---|---|---|
| 14 | 16 | 30 |

Schema #

| Name | Description | Type |
|---|---|---|
| _BilledSize | The size of the record in bytes (standard Log Analytics column). | Double |
| _IsBillable | Whether ingestion of the record is billed ("true"/"false"; standard Log Analytics column). | String |
| Ack | Whether the ACK flag was observed in the TCP flow (true/false). | Boolean |
| AppProto | The application-layer protocol detected by the stateful engine (e.g., http, tls, dns). | String |
| AvailabilityZone | The AWS Availability Zone of the firewall endpoint that processed the flow. | String |
| DestIp | The destination IP address of the flow. | String |
| DestPort | The destination port of the flow. Stored as a string; cast it (for example with toint()) before numeric comparison or sorting. | String |
| Ecn | Whether the ECN flag was observed in the TCP flow (true/false). | Boolean |
| EventTimestamp | The time of the event as a Unix epoch timestamp in seconds, stored as a string. | String |
| EventType | The event type recorded by the stateful engine (netflow for flow-log records). | String |
| Fin | Whether the FIN flag was observed in the TCP flow (true/false). | Boolean |
| FirewallName | The name of the AWS Network Firewall that produced the record. | String |
| FlowId | The identifier of the flow this record describes. The same identifier appears in the firewall's alert-log records, so it can be used to join flow records with alerts raised on the same flow. | String |
| NetFlowAge | The duration of the flow in seconds, stored as a string. | String |
| NetFlowBytes | The total number of bytes transferred in the flow, stored as a string. | String |
| NetFlowEnd | The time the flow ended. | DateTime |
| NetFlowMaxttl | The maximum IP Time-to-Live (TTL) observed in the flow, stored as a string. | String |
| NetFlowMinttl | The minimum IP Time-to-Live (TTL) observed in the flow, stored as a string. | String |
| NetFlowPkts | The number of packets in the flow, stored as a string. | String |
| NetFlowStart | The time the flow started. | DateTime |
| Proto | The transport protocol of the flow (e.g., TCP, UDP, ICMP). | String |
| Psh | Whether the PSH flag was observed in the TCP flow (true/false). | Boolean |
| Rst | Whether the RST flag was observed in the TCP flow (true/false). | Boolean |
| SourceSystem | The agent or pipeline that collected the record (standard Log Analytics column). | String |
| SrcIp | The source IP address of the flow. | String |
| SrcPort | The source port of the flow. Stored as a string; cast before numeric comparison. | String |
| Syn | Whether the SYN flag was observed in the TCP flow (true/false). | Boolean |
| TCPFlags | The accumulated TCP flags of the flow as a hexadecimal string; the individual Boolean flag columns (Syn, Fin, Psh, Ack, Rst, Ecn) are the decoded form. | String |
| TenantId | The Log Analytics workspace ID of the workspace the data connector ingests into. | String |
| TimeGenerated | The timestamp assigned to the record in the workspace; queries, analytics rules and retention are based on this column. | DateTime |
| Timestamp | The time at which the firewall captured the event. | DateTime |
| Type | The name of the table (AWSNetworkFirewallFlow). | String |
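The following KQL hunting query is an added example that is not part of the original page or of the Microsoft Sentinel connector; it shows how the columns above are used in practice, in particular that the numeric-looking columns (NetFlowBytes, NetFlowPkts, NetFlowAge, DestPort, EventTimestamp) are strings and must be cast before they are compared, summed or sorted. The 24-hour window, the private address ranges, the byte and duration thresholds, and the assumption that flow-log records carry EventType netflow are illustrative choices, not values stated on the page.

```kql
// Added example, not from the original page. Assumptions: flow-log records
// carry EventType "netflow"; the time window, private ranges and thresholds
// are illustrative and should be tuned for the environment.
let PrivateRanges = dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]);
AWSNetworkFirewallFlow
| where TimeGenerated > ago(24h)
| where EventType == "netflow"
// Numeric-looking columns are stored as strings in this table; cast before
// comparing or summing, otherwise "9" compares greater than "10".
| extend DestPortNum = toint(DestPort),
         FlowBytes   = tolong(NetFlowBytes),
         FlowPkts    = tolong(NetFlowPkts),
         FlowAgeSec  = toint(NetFlowAge),
         // EventTimestamp is epoch seconds held as a string.
         EventTime   = unixtime_seconds_todatetime(tolong(EventTimestamp))
// Keep only flows whose destination lies outside RFC 1918 space (leaving the VPC).
| where not(ipv4_is_in_any_range(DestIp, PrivateRanges))
// Long-lived or very large outbound flows: candidate tunnels, bulk exfiltration,
// or command-and-control sessions that are held open.
| where FlowAgeSec >= 3600 or FlowBytes >= 100000000
| summarize Flows      = count(),
            TotalBytes = sum(FlowBytes),
            TotalPkts  = sum(FlowPkts),
            MaxAgeSec  = max(FlowAgeSec),
            FirstSeen  = min(NetFlowStart),
            LastEvent  = max(EventTime),
            DestPorts  = make_set(DestPortNum, 20),
            // FlowIds allow a pivot into the firewall's alert records for the same flows.
            FlowIds    = make_set(FlowId, 20)
       by FirewallName, AvailabilityZone, SrcIp, DestIp, Proto, AppProto
| order by TotalBytes desc
```

Because every threshold here is applied after the casts, a record whose NetFlowBytes or NetFlowAge is empty or non-numeric yields null and is silently excluded; if such records exist in the workspace, add an explicit `where isnotnull(FlowBytes)` check, or count them separately so the gap is visible.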

Schema changes #

| Date | Action |
|---|---|
| 2026-01-02 | Table added to tracking |