Filtering the VPC flow log visualization
Use filters to show you where potential security risks exist in your network traffic. The available filters to use depend on whether you are on the VPC overview page or the page that represents a single VPC. Only the nodes that represent the traffic for a particular VPC are shown if you are on the page that represents a single VPC.
Before you begin
Ensure that you have the correct credential and role information on the AWS Configuration page so that the traffic is properly grouped by VPC. If the credentials are incorrect, missing, or don't correspond to the flow data, the traffic goes to a VPC that is labeled as Unknown. For more information about configuring your credentials, see Configuring cloud service providers to communicate with QRadar Cloud Visibility.
- On the VPC Flow Logs page, click the filter icon to open the sidebar.
- Select a time period (Last 5 minutes, Last 60 minutes, Last 24 hours, Last 7 days, or Last 30 days).
The default time is Last 5 minutes. For some environments, the Last 30 days might not be effective if too much traffic is displayed.
- Select the type of traffic to visualize.
  Traffic type: Description
  Accepted: Shows the traffic that is allowed to access your environment.
  Warning: Shows which VPC logs might not be set up properly. For more information, see VPC flow logs (https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html).
  Rejected: Shows the traffic that is blocked from accessing your environment.
- Select an application to visualize. The app displays the applications that initiated the traffic. For example, if the DataTransferWindows app is in the list, data leakage might be occurring from within the VPC to the outside. Tip: If you have a huge list of applications, you can select and deselect all the applications in the list at once to save time and effort.
- Select the traffic flow protocol to visualize. Tip: If you have a huge list of protocols, you can select and deselect all the protocols in the list at once to save time and effort.
- Select the node display options for network interfaces and IP addresses: display nodes either by IPs only or by IPs and ports. Displaying by IPs and ports separates traffic by service, for example FTP from HTTP traffic.
- Sort the network nodes to display the network interfaces in different ways. The Default order option sorts the nodes by known VPCs first, then by unknown internal IP addresses, and then by external IP addresses. All other sorting orders sort the nodes according to the selected traffic flow type, from the highest number of traffic flows to the lowest. The number of traffic flows is indicated in parentheses. If you sort by bytes, the nodes are sorted according to the number of bytes, from the highest number to the lowest.
The following table shows the different node display options and what the information can reveal about your network.
  Sorted by option: What it can reveal
  Default order: General network overview
  Number of bytes: Potential denial of service (DoS) or high network usage. If the IP addresses in these areas are not expected, someone might be using your resources.
  Unique outgoing flows: Potential data leaks
  Unique incoming flows: Potential denial of service (DoS)
  Total outgoing bytes: Potential data leaks
  Total incoming bytes: Potential denial of service (DoS) or high network usage. If the IP addresses in these areas are not expected, someone might be using your resources.
  Unique outgoing rejected flows: Incorrect security credentials, potential data leaks
  Unique incoming rejected flows: Potential attack
  Total outgoing rejected bytes: Potential data leaks
  Total incoming rejected bytes: Potential buffer overflow
  Unique outgoing unlogged flows: Incorrect configuration
  Unique incoming unlogged flows: Incorrect configuration
  Total outgoing unlogged flows: Incorrect configuration
  Total incoming unlogged flows: Incorrect configuration
  Unique outgoing accepted flows: Potential data leaks
  Unique incoming accepted flows: Potential denial of service (DoS) or high network usage. If the IP addresses in these areas are not expected, someone might be using your resources.
  Total outgoing accepted bytes: Potential data leaks
  Total incoming accepted bytes: Potential denial of service (DoS) or high network usage. If the IP addresses in these areas are not expected, someone might be using your resources.
- Select and clear each network interface or IP individually, or click Deselect all, Select default, or Select all. On the page that represents a single VPC, click Deselect all or Select related nodes. To change the number of VPC nodes that display on the page, click Select top 10 or Select bottom 10. The number of nodes changes incrementally by 10 at a time, and the link name reflects the displayed number.
If flows don't appear as expected, make sure that the flows are properly set up. See step 8 in Creating and editing VPC Flow log sources.
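To make the sort options in the table above concrete, here is an added Python example (not part of the QRadar Cloud Visibility app or its documentation) that parses a few constructed version-2 VPC flow log records, builds per-IP counters named after the table's options, and orders the nodes from highest to lowest the way the sidebar does. It assumes that a "unique flow" is a distinct (source, destination, destination port, protocol) tuple and that NODATA/SKIPDATA records are dropped; the app's grouping of nodes by known VPC is not modeled.

```python
from collections import defaultdict

# Constructed sample records in the default VPC flow log format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Addresses use documentation ranges.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.9 49152 443 6 20 15000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.9 49153 443 6 30 42000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.7 49154 22 6 5 400 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40000 22 6 5 400 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40001 3389 6 5 400 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.6 10.0.1.5 51000 80 6 10 800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ACTION_NAME = {"ACCEPT": "accepted", "REJECT": "rejected"}

def parse(text):
    """Split each line into named fields. NODATA/SKIPDATA records carry no
    addresses or byte counts, so they are left out of the traffic metrics."""
    records = []
    for line in text.splitlines():
        rec = dict(zip(FIELDS, line.split()))
        if rec.get("log_status") == "OK" and rec["action"] in ACTION_NAME:
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records

def node_metrics(records):
    """Per-IP counters named like the sidebar's sort options (assumed definition:
    a flow is a distinct src/dst/dstport/protocol tuple; bytes are summed)."""
    metrics = defaultdict(lambda: defaultdict(int))
    seen = defaultdict(set)
    for r in records:
        key = (r["srcaddr"], r["dstaddr"], r["dstport"], r["protocol"])
        act = ACTION_NAME[r["action"]]
        for node, way in ((r["srcaddr"], "outgoing"), (r["dstaddr"], "incoming")):
            metrics[node][f"total {way} bytes"] += r["bytes"]
            metrics[node][f"total {way} {act} bytes"] += r["bytes"]
            for name in (f"unique {way} flows", f"unique {way} {act} flows"):
                if key not in seen[node, name]:   # count each flow once per option
                    seen[node, name].add(key)
                    metrics[node][name] += 1
    return metrics

def sort_nodes(metrics, option):
    """Nodes from highest to lowest for one option; the value is the '(n)' shown."""
    return sorted(((n, c.get(option, 0)) for n, c in metrics.items()),
                  key=lambda item: (-item[1], item[0]))
```

Sorting the constructed sample by "unique incoming rejected flows" puts 10.0.1.5 first, because two distinct external connection attempts to it were rejected.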