Use filters to show you where potential security risks exist in your network traffic. The
available filters to use depend on whether you are on the VPC overview page or
the page that represents a single VPC. Only the nodes that represent the traffic for a particular
VPC are shown if you are on the page that represents a single VPC.
Before you begin
Ensure that you have the correct credential and role information on the AWS
Configuration page so that the traffic is properly grouped by VPC. If the credentials are
incorrect, missing, or don't correspond to the flow data, the traffic goes to a VPC that is labeled
as Unknown. For more information about configuring your credentials, see
Configuring cloud service providers to communicate with QRadar Cloud Visibility.
Procedure
- On the VPC Flow Logs page, click the filter icon to open the sidebar.
- Select a time period (Last 5 minutes, Last 60 minutes, Last 24 hours, Last 7 days, or Last 30 days). The default time period is Last 5 minutes. For some environments, Last 30 days might not be effective if too much traffic is displayed.
- Select the type of traffic to visualize.
  Traffic type | Description
  Accepted | Shows the traffic that is allowed to access your environment.
  Warning | Shows which VPC logs might not be set up properly. For more information, see VPC flow logs (https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html).
  Rejected | Shows the traffic that is blocked from accessing your environment.
- Select an application to visualize. The app displays the applications that initiated the traffic. For example, if the DataTransferWindows app is in the list, data leakage might be occurring from within the VPC to the outside.
  Tip: If you have a huge list of applications, you can select and deselect all the applications in the list at once to save time and effort.
- Select the traffic flow protocol to visualize.
  Tip: If you have a huge list of protocols, you can select and deselect all the protocols in the list at once to save time and effort.
- Select how nodes are displayed for network interfaces and IP addresses: by IPs only, or by IPs and ports. Displaying IPs and ports lets you tell apart traffic by service, such as FTP or HTTP traffic.
- Sort the network nodes to display the network interfaces in different ways. The Default order option sorts the nodes by known VPCs first, then by unknown internal IP addresses, and then by external IP addresses. All other sorting orders sort the nodes according to the selected traffic flow type, from the highest number of traffic flows to the lowest. The number of traffic flows is indicated in parentheses. If you sort by bytes, the nodes are sorted according to the number of bytes, from the highest number to the lowest.
  The following table shows the different node display options and what the information can reveal about your network.
  Sorted by option | What it can reveal
  Default order | General network overview
  Number of bytes | Potential denial of service (DoS) or high network usage. If the IP addresses in these areas are not expected, someone might be using your resources.
  Unique outgoing flows | Potential data leaks
  Unique incoming flows | Potential denial of service (DoS)
  Total outgoing bytes | Potential data leaks
  Total incoming bytes | Potential denial of service (DoS) or high network usage. If the IP addresses in these areas are not expected, someone might be using your resources.
  Unique outgoing rejected flows | Incorrect security credentials, potential data leaks
  Unique incoming rejected flows | Potential attack
  Total outgoing rejected bytes | Potential data leaks
  Total incoming rejected bytes | Potential buffer overflow
  Unique outgoing unlogged flows | Incorrect configuration
  Unique incoming unlogged flows | Incorrect configuration
  Total outgoing unlogged flows | Incorrect configuration
  Total incoming unlogged flows | Incorrect configuration
  Unique outgoing accepted flows | Potential data leaks
  Unique incoming accepted flows | Potential denial of service (DoS) or high network usage. If the IP addresses in these areas are not expected, someone might be using your resources.
  Total outgoing accepted bytes | Potential data leaks
  Total incoming accepted bytes | Potential denial of service (DoS) or high network usage. If the IP addresses in these areas are not expected, someone might be using your resources.
- Select and clear each network interface or IP individually, or click Deselect all, Select default, or Select all. On the page that represents a single VPC, click Deselect all or Select related nodes. To change the number of VPC nodes that display on the page, click Select top 10 or Select bottom 10. The number of nodes changes incrementally by 10 at a time, and the link name reflects the displayed number.
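As an added example (not IBM's or QRadar's code), the following Python computes the per-node counters behind the sort options above from constructed AWS VPC flow log lines and orders nodes the way the sort options do. The counter names, the definition of a unique flow as a distinct (source, destination, destination port, protocol) tuple, and treating NODATA/SKIPDATA records as unlogged are assumptions, not QRadar's documented behaviour.

```python
from collections import defaultdict

# Constructed sample lines in the AWS VPC flow log default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 51000 443 6 20 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 51001 443 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.7 51002 22 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40000 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40001 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.10 10.0.1.10 40002 22 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_log(text):
    """Parse default-format lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14:
            continue
        records.append({"src": f[3], "dst": f[4], "dstport": f[6], "proto": f[7],
                        "bytes": int(f[9]) if f[9] != "-" else 0,
                        "action": f[12], "status": f[13]})
    return records

def node_metrics(records):
    """Per-IP counters named after the console's sort options (names assumed).
    A unique flow is assumed to be a distinct (src, dst, dstport, protocol) tuple.
    NODATA/SKIPDATA records carry no addresses, so they are counted as a whole."""
    metrics = defaultdict(lambda: defaultdict(int))
    seen = defaultdict(set)          # (node, direction, action) -> flow tuples
    unlogged = 0
    for r in records:
        if r["status"] != "OK":      # logging gap: likely a configuration issue
            unlogged += 1
            continue
        tag = "accepted" if r["action"] == "ACCEPT" else "rejected"
        key = (r["src"], r["dst"], r["dstport"], r["proto"])
        for node, direction in ((r["src"], "outgoing"), (r["dst"], "incoming")):
            metrics[node][f"total_{direction}_{tag}_bytes"] += r["bytes"]
            if key not in seen[(node, direction, tag)]:
                seen[(node, direction, tag)].add(key)
                metrics[node][f"unique_{direction}_{tag}_flows"] += 1
    return metrics, unlogged

def sort_nodes(metrics, option):
    """Order nodes by one counter, highest first, like the console sort options."""
    return sorted(metrics, key=lambda n: metrics[n].get(option, 0), reverse=True)
```

Sorting by unique incoming rejected flows surfaces the internal host being probed on several ports, while sorting by total outgoing accepted bytes surfaces the host sending the most data out of the VPC.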