VXLAN support for Network Interface traffic is a great new feature in QRadar 7.3.2 Patch 3. This feature allows deep visibility into your Azure and AWS environments, with Azure vTap and AWS VPC Traffic Mirroring. Leveraging these integrations allows you to detect and stop advanced threats in the cloud – with unparalleled visibility into the raw traffic going to and from your instances, without the need to deploy additional hardware. This article discusses the steps required to configure Azure vTap and AWS VPC Traffic Mirroring, and then perform threat hunting in your cloud traffic using QRadar.
Azure vTap and VPC Traffic Mirroring are the first native network TAP functionalities available in the public cloud. Each of these solutions makes a deep copy of the inbound and outbound VM network traffic. This traffic can then be mirrored to any QRadar endpoint with flow processing capabilities, such as a Data Gateway or All-In-One console.
This deep visibility allows you to write rules and generate offenses on any traffic coming to or going from your cloud instance. You now have the ability to detect a whole range of previously invisible threat vectors – such as APT beaconing, network scans, port scans, DDoS attacks, large file transfers and more.
Configuring vTap in Azure:
Below is an example deployment making use of a QRadar Data Gateway and leveraging this capability in Azure:
Heading over to the Network Activity screen, you can now see all of the inbound and outbound traffic from your Azure or AWS instance within QRadar. This mirrored traffic can easily be identified by searching for the matching Flow Source/Interface field you specified above. As both Azure vTap and VPC Traffic Mirroring export this traffic using VXLAN, the VXLAN Network Identifier (VNI) is also extracted from each of these flows and appears as a new flow field, “VXLAN Network Identifier”. What's more, you even have access to the traffic payload, which is used to do advanced application determination and can be used in your Custom Flow Properties and rule sets.
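To make that VXLAN field concrete, here is an added example (not part of the original article or of QRadar's own code) that decapsulates a mirrored UDP/4789 payload the way a flow processor would: it checks the VXLAN I flag, pulls out the 24-bit VNI that QRadar surfaces as "VXLAN Network Identifier", and builds a flow tuple from the inner IPv4/TCP packet. The packet bytes are constructed for this example, and the MirroredFlow type and function names are illustrative.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class MirroredFlow:
    vni: int                 # what QRadar surfaces as "VXLAN Network Identifier"
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: Optional[int]
    dst_port: Optional[int]

def parse_vxlan(udp_payload: bytes) -> tuple:
    # 8-byte VXLAN header (RFC 7348): flags, 3 reserved, 24-bit VNI, 1 reserved
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    if not udp_payload[0] & 0x08:  # "I" flag must be set for the VNI to be valid
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(udp_payload[4:7], "big")
    return vni, udp_payload[8:]  # (VNI, inner Ethernet frame)

def parse_inner_frame(frame: bytes, vni: int) -> MirroredFlow:
    # Walk Ethernet -> IPv4 -> TCP/UDP of the decapsulated frame into a flow record
    if len(frame) < 34:
        raise ValueError("inner frame too short for Ethernet + IPv4")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"unsupported inner EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    protocol = ip[9]
    src_ip, dst_ip = (".".join(str(b) for b in ip[i:i + 4]) for i in (12, 16))
    l4 = ip[(ip[0] & 0x0F) * 4:]      # skip the IPv4 header, honouring IHL/options
    sport = dport = None
    if protocol in (6, 17) and len(l4) >= 4:  # TCP/UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", l4[:4])
    return MirroredFlow(vni, src_ip, dst_ip, protocol, sport, dport)

def decode_mirrored_packet(udp_payload: bytes) -> MirroredFlow:
    vni, inner = parse_vxlan(udp_payload)
    return parse_inner_frame(inner, vni)

# Constructed sample: VNI 100 wrapping an IPv4/TCP packet 10.0.1.5:51234 -> 10.0.2.9:443
SAMPLE_VXLAN_PAYLOAD = (
    bytes([0x08, 0, 0, 0, 0x00, 0x00, 0x64, 0])               # VXLAN header, I flag, VNI=100
    + bytes.fromhex("0a0000000002" "0a0000000001" "0800")     # inner Ethernet header
    + bytes.fromhex("45000028000040004006" "0000")            # IPv4 header (checksum zeroed)
    + bytes([10, 0, 1, 5]) + bytes([10, 0, 2, 9])             # src / dst IPv4 addresses
    + struct.pack("!HH", 51234, 443) + bytes(16)              # TCP header: ports + remainder
)
```

Feeding `decode_mirrored_packet` the UDP payload of each captured VXLAN datagram yields the same VNI and 5-tuple you would search on in Network Activity, which is handy for checking that a mirror session is delivering what you expect before writing rules against it.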
You can query, write rules and create offenses with this traffic, and utilise all the usual QRadar functionality. For example, you could write a rule to detect when a user is accessing assets outside of normal working hours, or when your instances are experiencing a DDoS attack.
As an analyst, you now have the power to perform advanced threat hunting in the cloud, securing your applications running in Azure or AWS through the power of deep network analysis.