IBM QRadar

QRadar integration with Amazon VPC Flow Logs

By Patrick Routh posted Wed June 19, 2019 09:38 AM

  
  • Updated QRadar AWS S3 Protocol adds support for VPC Flow Logs
  • Monitor network traffic in AWS environments to better protect cloud resources
  • Quickly detect threats and anomalous traffic patterns in AWS

 

What is Amazon Virtual Private Cloud (VPC)?

 

Amazon VPC is a service that allows customers to create separate virtual networks within AWS to launch and manage resources. In order to maintain control and order, businesses will often isolate cloud resources into subnetworks based on geographic region, team arrangement, or specific internal schema to fit their enterprise needs.

 

Network Traffic Analysis in the Cloud

 

Today’s cloud environments are global in reach and dynamic in nature, with ephemeral virtual machines and tiered-storage resources continuously being accessed and updated. This variability and unpredictability make it difficult for SecOps and IT teams to implement effective security monitoring and incident response in the cloud. Network traffic data sources are integral to security teams’ ability to gain real-time, granular visibility across a cloud infrastructure.

 

Types of Data in VPC Flow Logs

 

  • Where a connection originated (such as the source IP)
  • Where a connection ended (such as the destination IP)
  • Protocol used to send the data
  • Port numbers used for requests
  • Success or failure of the data flow
  • Traffic rejected due to Security Group and/or Network Access Control List rules
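As an added example (not code from this post or from QRadar), the following Python parses records in the default VPC Flow Log format, covering the fields listed above, and summarises the traffic that Security Groups or NACLs rejected; the account id, interface id and addresses in the sample are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Default (version 2) VPC Flow Log field order, as documented by AWS.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records; the account id, interface id and addresses
# are placeholders, not data from a real AWS account.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 50122 22 6 12 960 1560000000 1560000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 50123 3389 6 8 640 1560000000 1560000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.31 44310 443 6 30 4200 1560000000 1560000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 41000 53 17 2 180 1560000000 1560000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1560000000 1560000060 - NODATA
"""

def _num(value: str) -> Optional[int]:
    """NODATA/SKIPDATA rows carry '-' where numbers would be."""
    return None if value == "-" else int(value)

@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    dstport: Optional[int]
    protocol: Optional[int]  # IANA number: 6 = TCP, 17 = UDP
    action: str              # ACCEPT or REJECT ('-' when no data)
    log_status: str          # OK, NODATA or SKIPDATA

def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one space-separated record; None if the field count is wrong."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return FlowRecord(rec["srcaddr"], rec["dstaddr"], _num(rec["dstport"]),
                      _num(rec["protocol"]), rec["action"], rec["log_status"])

def reject_summary(text: str) -> Counter:
    """Count REJECT records (Security Group / NACL denies) per (source, dst port)."""
    counts: Counter = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec.log_status == "OK" and rec.action == "REJECT":
            counts[(rec.srcaddr, rec.dstport)] += 1
    return counts
```

Rows with log_status NODATA or SKIPDATA carry no traffic fields and are excluded from the summary rather than counted as denies.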

 

Value of AWS VPC Flow Logs

 

AWS VPC Flow Logs provide a single source of information for monitoring traffic across parts of the network. Inbound network connections from external IP addresses, traffic produced by traditional services on the internal network, and connections between microservices are all visible in VPC Flow Logs. VPC Flow Logs offer a centralized, comprehensive way to monitor an AWS network, which makes them an especially useful source of information for Security and DevOps teams focused on efficiency and across-the-board visibility.


QRadar Flows
QRadar will ingest VPC Flow Logs from AWS environments with the updated S3 Protocol. These logs will be treated as flows traveling through QRadar's Flow Pipeline and will count against the customer's flows-per-minute (FPM) license entitlement. Customers will be able to see this data in the Network Activity tab.

VPC Flows visualization tool
Coming soon is a VPC Flow Visualization tool in QRadar Cloud Visibility!


Additional Resources

VPC Flows in AWS

Working with Flows in AWS

Publishing VPC Flow logs to S3

Amazon VPC Flow Logs Documentation

 

Contact

Patrick Routh

Offering Manager – QRadar Cloud Security

 
