diff --git a/terraform/environments/core-network-services/logging.tf b/terraform/environments/core-network-services/logging.tf
index 1c3c04a1a..367984ab6 100644
--- a/terraform/environments/core-network-services/logging.tf
+++ b/terraform/environments/core-network-services/logging.tf
@@ -26,3 +26,10 @@ resource "aws_route53_resolver_query_log_config_association" "core_logging" {
 resolver_query_log_config_id = each.value.rlq_id
 resource_id = each.value.vpc_id
 }
+
+module "stream_firewall_logs" {
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-data-firehose?ref=cebe39c438390ffb5355827ec9469cfe9b09c22c" # v1.2.1
+ cloudwatch_log_group_names = [module.vpc_inspection["live_data"].fw_cloudwatch_name, aws_cloudwatch_log_group.external_inspection.name]
+ destination_http_endpoint = data.aws_ssm_parameter.cortex_xsiam_endpoint.value
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/terraform/environments/core-network-services/ssm.tf b/terraform/environments/core-network-services/ssm.tf
index 0aa847017..6b579aba6 100644
--- a/terraform/environments/core-network-services/ssm.tf
+++ b/terraform/environments/core-network-services/ssm.tf
@@ -2,3 +2,8 @@ data "aws_ssm_parameter" "core_logging_bucket_arns" {
 provider = aws.modernisation-platform
 name = "core_logging_bucket_arns"
 }
+
+data "aws_ssm_parameter" "cortex_xsiam_endpoint" {
+ provider = aws.modernisation-platform
+ name = "cortex_xsiam_endpoint"
+}
\ No newline at end of file
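Review bot: The `cloudwatch_log_group_names` list names `module.vpc_inspection["live_data"]` explicitly, so firewall logs from any other key of that module are not forwarded to the Cortex XSIAM endpoint; the hunk does not show which keys exist, so this may be intended. If it is, a comment above the module such as `# Streams live_data and external inspection firewall logs to Cortex XSIAM; other inspection VPCs are deliberately excluded` would stop the gap being read as an oversight. If it is not, a `for` expression over `module.vpc_inspection` would keep coverage in step when a VPC is added. The module arguments also show no access key or secret for the endpoint, so it is worth confirming how the pinned module authenticates the delivery stream.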
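Review bot: Nothing on `data "aws_ssm_parameter" "cortex_xsiam_endpoint"` records what the parameter must contain or who maintains it, although its value decides where the firewall logs in logging.tf are delivered. Anyone able to write that parameter in the account behind `aws.modernisation-platform` can redirect the stream, so write access to it deserves the same scrutiny as this code. The data source also copies the value into Terraform state (decrypted if the parameter is a SecureString), which matters if the URL carries a tenant identifier or token. A comment such as `# Cortex XSIAM HTTP endpoint used by module.stream_firewall_logs; read through the aws.modernisation-platform provider` would document the dependency.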