opensearch-project
diff --git a/‎server/adaptors/integrations/__data__/repository/.DS_Store
6 KB b/‎server/adaptors/integrations/__data__/repository/.DS_Store
6 KB
diff --git a/‎server/adaptors/integrations/__data__/repository/amazon_networkfirewall/.DS_Store
6 KB b/‎server/adaptors/integrations/__data__/repository/amazon_networkfirewall/.DS_Store
6 KB
diff --git a/‎server/adaptors/integrations/__data__/repository/amazon_networkfirewall/amazon_networkfirewall-1.0.0.json
Lines changed: 103 additions & 0 deletions b/‎server/adaptors/integrations/__data__/repository/amazon_networkfirewall/amazon_networkfirewall-1.0.0.json
Lines changed: 103 additions & 0 deletions
diff --git a/‎server/adaptors/integrations/__data__/repository/amazon_networkfirewall/assets/amazon_networkfirewall-1.0.0.ndjson
Lines changed: 49 additions & 0 deletions b/‎server/adaptors/integrations/__data__/repository/amazon_networkfirewall/assets/amazon_networkfirewall-1.0.0.ndjson
Lines changed: 49 additions & 0 deletions
diff --git a/‎server/adaptors/integrations/__data__/repository/amazon_networkfirewall/assets/create_mv-1.0.0.sql
Lines changed: 38 additions & 0 deletions b/‎server/adaptors/integrations/__data__/repository/amazon_networkfirewall/assets/create_mv-1.0.0.sql
Lines changed: 38 additions & 0 deletions
diff --git a/‎server/adaptors/integrations/__data__/repository/amazon_networkfirewall/assets/create_mv_aggregated-1.0.0 copy.sql
Lines changed: 76 additions & 0 deletions b/‎server/adaptors/integrations/__data__/repository/amazon_networkfirewall/assets/create_mv_aggregated-1.0.0 copy.sql
Lines changed: 76 additions & 0 deletions
diff --git a/‎server/adaptors/integrations/__data__/repository/amazon_networkfirewall/assets/create_skipping_index-1.0.0.sql
Lines changed: 14 additions & 0 deletions b/‎server/adaptors/integrations/__data__/repository/amazon_networkfirewall/assets/create_skipping_index-1.0.0.sql
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,103 @@
+{
+    "name": "amazon_networkfirewall",
+    "version": "1.0.0",
+    "displayName": "Amazon Network Firewall",
+    "description": "Monitor flow logs and alerts from AWS Network Firewall.",
+    "license": "Apache-2.0",
+    "type": "logs_amazon_networkfirewall",
+    "labels": ["Observability", "Logs", "AWS", "Cloud", "S3 Glue"],
+    "author": "OpenSearch",
+    "sourceUrl": "https://github.com/opensearch-project/opensearch-catalog/releases/tag/amazon_vpc_flow_1.1.0",
+    "workflows": [
+      {
+        "name": "queries",
+        "label": "Queries (recommended)",
+        "description": "Tables and pre-written queries for quickly getting insights on your data.",
+        "enabled_by_default": true
+      },
+      {
+        "name": "dashboards",
+        "label": "Dashboards & Visualizations",
+        "description": "Dashboards and indices that enable you to easily visualize important metrics.",
+        "enabled_by_default": false
+      }
+    ],
+    "statics": {
+      "logo": {
+        "annotation": "AWS Network Firewall Logo",
+        "path": "logo.svg"
+      },
+      "gallery": [
+        {
+          "annotation": "AWS Network Firewall Dashboard",
+          "path": "dashboard.png"
+        },
+        {
+          "annotation": "AWS Network Firewall Dashboard",
+          "path": "dashboard1.png"
+        },
+        {
+          "annotation": "AWS Network Firewall Dashboard",
+          "path": "dashboard2.png"
+        },
+        {
+          "annotation": "AWS Network Firewall Dashboard",
+          "path": "dashboard3.png"
+        }
+      ]
+    },
+    "components": [
+      {
+        "name": "amazon_networkfirewall",
+        "version": "1.0.0"
+      },
+      {
+        "name": "cloud",
+        "version": "1.0.0"
+      },      
+      {
+        "name": "logs_amazon_networkfirewall",
+        "version": "1.0.0"
+      }
+    ],
+    "assets": [
+      {
+        "name": "amazon_networkfirewall",
+        "version": "1.0.0",
+        "extension": "ndjson",
+        "type": "savedObjectBundle",
+        "workflows": ["dashboards"]
+      },
+      {
+        "name": "example_queries",
+        "version": "1.0.0",
+        "extension": "ndjson",
+        "type": "savedObjectBundle",
+        "workflows": ["queries"]
+      },
+      {
+        "name": "create_table",
+        "version": "1.0.0",
+        "extension": "sql",
+        "type": "query"
+      },      
+      {
+        "name": "create_skipping_index",
+        "version": "1.0.0",
+        "extension": "sql",
+        "type": "query",
+        "workflows": ["queries"]
+      },
+      {
+        "name": "create_mv",
+        "version": "1.0.0",
+        "extension": "sql",
+        "type": "query",
+        "workflows": ["dashboards"]
+      }
+    ],
+    "sampleData": {
+      "path": "sample.json"
+    }
+  }
+  
@@ -0,0 +1,38 @@
+CREATE MATERIALIZED VIEW {table_name}__mview AS
+SELECT
+  /* General log info */
+  firewall_name AS `aws.networkfirewall.firewall_name`,
+  /* General event info */
+  CAST( event.timestamp AS TIMESTAMP) AS `aws.networkfirewall.event.timestamp`,
+  event.src_ip AS `aws.networkfirewall.event.src_ip`,
+  event.src_port AS `aws.networkfirewall.event.src_port`,
+  event.dest_ip AS `aws.networkfirewall.event.dest_ip`,
+  event.dest_port AS `aws.networkfirewall.event.dest_port`,
+  event.proto AS `aws.networkfirewall.event.proto`,
+  event.app_proto AS `aws.networkfirewall.event.app_proto`,
+  /* TCP Events info */
+  event.tcp.tcp_flags AS `aws.networkfirewall.event.tcp.tcp_flags`,
+  event.tcp.syn AS `aws.networkfirewall.event.tcp.syn`,
+  event.tcp.ack AS `aws.networkfirewall.event.tcp.ack`,
+  /* Alert events info */
+  event.alert.action AS `aws.networkfirewall.event.alert.action`,
+  event.alert.signature_id AS `aws.networkfirewall.event.alert.signature_id`,
+  event.alert.signature AS `aws.networkfirewall.event.alert.signature`,
+  /* HTTP events info */
+  event.http.hostname AS `aws.networkfirewall.event.http.hostname`,
+  event.http.url AS `aws.networkfirewall.event.http.url`,
+  event.http.http_user_agent AS `aws.networkfirewall.event.http.http_user_agent`,
+  /* TLS Events info */ 
+  event.tls.sni AS `aws.networkfirewall.event.tls.sni`,
+  /* Netflow Events info */
+  event.netflow.pkts AS `aws.networkfirewall.event.netflow.pkts`,
+  event.netflow.bytes AS `aws.networkfirewall.event.netflow.bytes`,
+  event.netflow.age AS `aws.networkfirewall.event.netflow.age`  
+FROM
+  {table_name}
+WITH (
+  auto_refresh = true,
+  refresh_interval = '15 Minute',
+  checkpoint_location = '{s3_checkpoint_location}',
+  watermark_delay = '1 Minute'
+)
@@ -0,0 +1,76 @@
+CREATE MATERIALIZED VIEW {table_name}__mview AS
+SELECT
+  TUMBLE(`@timestamp`, '5 Minute').start AS `aws.networkfirewall.event.timestamp`,
+  firewall_name AS `aws.networkfirewall.firewall_name`,
+  event_src_ip AS `aws.networkfirewall.event.src_ip`,
+  event_src_port AS `aws.networkfirewall.event.src_port`,
+  event_dest_ip AS `aws.networkfirewall.event.dest_ip`,
+  event_dest_port AS `aws.networkfirewall.event.dest_port`,
+  event_proto AS `aws.networkfirewall.event.proto`,
+  event_app_proto AS `aws.networkfirewall.event.app_proto`,
+  event_tcp_tcp_flags AS `aws.networkfirewall.event.tcp.tcp_flags`,
+  event_tcp_syn AS `aws.networkfirewall.event.tcp.syn`,
+  event_tcp_ack AS `aws.networkfirewall.event.tcp.ack`,
+  event_alert_action AS `aws.networkfirewall.event.alert.action`,
+  event_alert_signature_id AS `aws.networkfirewall.event.alert.signature_id`,
+  event_alert_signature AS `aws.networkfirewall.event.alert.signature`,
+  event_http_hostname AS `aws.networkfirewall.event.http.hostname`,
+  event_http_url AS `aws.networkfirewall.event.http.url`,
+  event_http_http_user_agent AS `aws.networkfirewall.event.http.http_user_agent`,
+  event_tls_sni AS `aws.networkfirewall.event.tls.sni`,
+  /* Aggregations */  
+  SUM(CAST(event_netflow_bytes AS BIGINT)) AS `aws.networkfirewall.total_bytes`,
+  SUM(CAST(event_netflow_pkts AS BIGINT)) AS `aws.networkfirewall.event.netflow.pkts`,
+  AVG(CAST(event_netflow_age AS DOUBLE)) AS `aws.networkfirewall.event.netflow.age`,
+  COUNT(*) AS `aws.networkfirewall.total_count`
+FROM (
+  SELECT
+    CAST(event.timestamp AS TIMESTAMP) AS `@timestamp`,
+    firewall_name AS `firewall_name`,
+    event.src_ip AS `event_src_ip`,
+    event.src_port AS `event_src_port`,
+    event.dest_ip AS `event_dest_ip`,
+    event.dest_port AS `event_dest_port`,
+    event.proto AS `event_proto`,
+    event.app_proto AS `event_app_proto`,
+    event.tcp.tcp_flags AS `event_tcp_tcp_flags`,
+    event.tcp.syn AS `event_tcp_syn`,
+    event.tcp.ack AS `event_tcp_ack`,
+    event.alert.action AS `event_alert_action`,
+    event.alert.signature_id AS `event_alert_signature_id`,
+    event.alert.signature AS `event_alert_signature`,
+    event.http.hostname AS `event_http_hostname`,
+    event.http.url AS `event_http_url`,
+    event.http.http_user_agent AS `event_http_http_user_agent`,
+    event.tls.sni AS `event_tls_sni`,
+    event.netflow.pkts AS `event_netflow_pkts`,
+    event.netflow.bytes AS `event_netflow_bytes`,
+    event.netflow.age AS `event_netflow_age`
+  FROM
+    {table_name}
+)
+GROUP BY
+  TUMBLE(`@timestamp`, '5 Minute'),
+  firewall_name,
+  event_src_ip,
+  event_src_port,
+  event_dest_ip,
+  event_dest_port,
+  event_proto,
+  event_app_proto,
+  event_tcp_tcp_flags,
+  event_tcp_syn,
+  event_tcp_ack,
+  event_alert_action,
+  event_alert_signature_id,
+  event_alert_signature,
+  event_http_hostname,
+  event_http_url,
+  event_http_http_user_agent,
+  event_tls_sni
+WITH (
+  auto_refresh = true,
+  refresh_interval = '15 Minute',
+  watermark_delay = '1 Minute',
+  checkpoint_location = '{s3_checkpoint_location}'
+);
@@ -0,0 +1,14 @@
+CREATE SKIPPING INDEX ON {table_name} (
+    `event.src_ip` BLOOM_FILTER,
+    `event.dest_ip` BLOOM_FILTER,
+    `event.proto` VALUE_SET,    
+    `event.alert.severity` VALUE_SET,
+    `event.event_type` VALUE_SET,
+    `firewall_name` VALUE_SET,
+    `availability_zone` VALUE_SET
+) WITH (
+    auto_refresh = true,
+    refresh_interval = '15 Minutes',
+    checkpoint_location = '{s3_checkpoint_location}',
+    watermark_delay = '1 Minute'
+)