Network traffic analysis has traditionally been crucial for ensuring that an organization has a strong security posture; as organizations have modernized their infrastructure this has remained true. As organizations begin leveraging more and more cloud infrastructure it continues to be vital for them to monitor network traffic.
For this reason QRadar natively supports an integration AWS VPC Flow Logs (here) for detecting threats in AWS environments. Amazon describes VPC Flow Logs as “a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3 (here)”.
Monitoring network traffic allows us to answer questions such as:
- How is network traffic moving through my environment? Where is it going?
- How much data is moving?
- What protocols are being used?
The answers to these questions help us detect potentially malicious activity such as: beaconing, tunneling detection, pivoting and lateral movement, anomalous protocol usage, and data exfiltration.
QRadar is able to ingest these VPC Flow Logs from an S3 bucket in AWS via our S3 protocol and into our native flow pipeline. The VPC Flow Logs can be then be seen in QRadar’s “Network Activity Tab”.
The ingestion process can be broken down into a few simple steps:
- VPC Flow Logs publish VPC Flow Logs to a S3 bucket
- S3 bucket publishes notifications for new log files to SQS
- QRadar pulls notifications from SQS
- QRadar pulls VPC Flow Logs from S3 via the S3 Protocol
- QRadar converts VPC Flow Logs to IPFIX
- VPC Flow Logs are sent directly to a Flow Processor
- VPC Flow Logs are visible in the Network Activity Tab
- QRadar deletes message in SQS
The information provided by VPC Flow Logs includes: AWS Account ID, AWS Action, AWS Log Status, Interface name, and much more. See below for an example of the valuable information provided by the VPC Flow Logs to QRadar that can be seen in the network activity tab.
Once the VPC Flow Logs are in QRadar, a team can leverage the QRadar analytics engine and visualization tools to gain actionable insights from the VPC Flow Logs data. Some examples of potential visualizations can be seen below. More to come on these (stay tuned)!
Are you looking at network traffic? If your environment spans AWS, I totally recommend bringing in those VPC Flow Logs from your environments into QRadar and taking a look!
What are you detecting using VPC Flow Logs? Let me know!