VPC Flow Activity in AWS

You can monitor Amazon Virtual Private Cloud (VPC) traffic on the VPC Flow Logs page for the AWS cloud service. The dynamic graphic shows the accepted and rejected traffic between your networks’ ports and IP addresses, including the flow of the traffic, and any traffic that has warnings. The flow information is auto-populated from Amazon AWS VPC flow log sources.

Ensure that you have the correct AWS credential information on the configuration page, so that the traffic is properly grouped by VPC. If the credentials are incorrect, missing, or don't correspond to the flow data, the traffic goes to a VPC that is labeled as Unknown. For more information about configuring your credentials, see Manually setting up Amazon AWS cross-account access by using the AWS IAM service.

The overview VPC display shows disks that represent the VPC nodes. One disk represents each VPC, and another unlabeled disk represents the internet. The traffic between the VPC nodes is tracked for a specific timeframe, which you can select in the filters. By default, the last 5 minutes is selected.

Figure 1. VPC overview page
VPC overview page with one VPC that is connected to the internet.

On the VPC overview display, the outer border of the disk indicates the percentage of total nodes that are owned by that VPC. The inner arc of the circle helps you understand the ratio of successful to rejected traffic in a particular VPC. If a public or unresolvable IP is detected in more than one VPC, it is counted in each VPC.
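The following added example, which is not QRadar Cloud Visibility code, shows the kind of per-VPC summary that the display represents: accepted and rejected flow counts, the nodes seen in each VPC, and the Unknown bucket for traffic that cannot be matched to a VPC. The records are constructed samples in the default AWS VPC flow log format, and `ENI_TO_VPC` is a hypothetical interface-to-VPC lookup that stands in for whatever mapping the configured credentials make possible.

```python
from collections import defaultdict

# Constructed sample records, default (version 2) VPC flow log format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE = """\
2 123456789012 eni-aaa 10.0.1.5 10.0.1.9 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-aaa 198.51.100.7 10.0.1.5 40000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-bbb 10.1.0.4 198.51.100.7 51000 443 6 8 640 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-bbb - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-zzz 10.9.0.2 10.9.0.3 50000 3306 6 2 120 1700000000 1700000060 REJECT OK
"""

# Hypothetical lookup (assumption): which VPC owns each network interface.
# eni-zzz is deliberately absent, as it would be with missing credentials.
ENI_TO_VPC = {"eni-aaa": "vpc-1111", "eni-bbb": "vpc-2222"}


def summarize(text, eni_to_vpc):
    """Group flow records by VPC; unmapped interfaces fall under 'Unknown'."""
    stats = defaultdict(lambda: {"nodes": set(), "ACCEPT": 0, "REJECT": 0})
    for line in text.splitlines():
        f = line.split()
        # NODATA/SKIPDATA records carry no addresses or action, so skip them.
        if len(f) != 14 or f[13] != "OK" or f[12] not in ("ACCEPT", "REJECT"):
            continue
        s = stats[eni_to_vpc.get(f[2], "Unknown")]
        s["nodes"].update((f[3], f[4]))  # source and destination addresses
        s[f[12]] += 1
    return dict(stats)


def reject_ratio(s):
    """Share of a VPC's flows that were rejected (0.0 when it has none)."""
    total = s["ACCEPT"] + s["REJECT"]
    return s["REJECT"] / total if total else 0.0


def nodes_in_multiple_vpcs(stats):
    """Addresses seen in more than one VPC; each VPC counts them separately."""
    seen = defaultdict(set)
    for vpc, s in stats.items():
        for ip in s["nodes"]:
            seen[ip].add(vpc)
    return {ip: sorted(v) for ip, v in seen.items() if len(v) > 1}
```

A VPC with a high reject ratio, or a sizeable Unknown bucket, is the first thing to check in this summary: the former points at blocked traffic worth investigating, the latter at credentials that do not match the flow data.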

Figure 2. VPC flow log example
Filters that can be applied to a VPC and the graphic that shows the traffic as it moves between IP addresses.

When you have only one VPC, QRadar Cloud Visibility automatically drills down into the details of the VPC after the data loads. Otherwise, you can click a VPC disk to drill down to a particular VPC. From an individual VPC, click Back to return to the overview mode. You cannot click the disk that represents the internet.

Clicking a connection between two nodes within a VPC opens a Flow list page in QRadar, where you can monitor and investigate the flow in real time by filtering the data, or conduct advanced searches to filter the displayed flows.