Filtering the VPC flow log visualization

Use filters to show where potential security risks exist in your network traffic. The available filters depend on whether you are on the VPC overview page or the page that represents a single VPC. On the page for a single VPC, only the nodes that represent that VPC's traffic are shown.

Before you begin

Ensure that you have the correct credential and role information on the AWS Configuration page so that the traffic is properly grouped by VPC. If the credentials are incorrect, missing, or don't correspond to the flow data, the traffic goes to a VPC that is labeled as Unknown. For more information about configuring your credentials, see Configuring cloud service providers to communicate with QRadar Cloud Visibility.

Procedure

  1. On the VPC Flow Logs page, click the filter icon to open the sidebar.
  2. Select a time period (Last 5 minutes, Last 60 minutes, Last 24 hours, Last 7 days, and Last 30 days).
    The default time is Last 5 minutes. For some environments, the Last 30 days might not be effective if too much traffic is displayed.
  3. Select the type of traffic to visualize.
    Traffic type   Description
    Accepted       Shows the traffic that is allowed to access your environment.
    Warning        Shows which VPC logs might not be set up properly. For more information, see VPC flow logs (https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html).
    Rejected       Shows the traffic that is blocked from accessing your environment.
  4. Select an application to visualize. The app displays the applications that initiated the traffic. For example, if the DataTransferWindows app is in the list, data leakage might be occurring from within the VPC to the outside.
    Tip: If you have a huge list of applications, you can select and deselect all the applications in the list at once to save time and effort.
  5. Select the traffic flow protocol to visualize.
    Tip: If you have a huge list of protocols, you can select and deselect all the protocols in the list at once to save time and effort.
  6. Select how nodes are displayed for network interfaces and IP addresses: by IP address only, or by IP address and port. Displaying ports distinguishes, for example, FTP traffic from HTTP traffic to the same host.
  7. Sort the network nodes to display the network interfaces in different ways. The Default order option sorts the nodes by known VPCs first, then by unknown internal IP addresses, and then by external IP addresses. All other sorting orders sort the nodes according to the selected traffic flow type, from the highest number of traffic flows to the lowest. The number of traffic flows is indicated in parentheses. If you sort by bytes, the nodes are sorted according to the number of bytes, from the highest number to the lowest.

    The following table shows the different node display options and what the information can reveal about your network.

    Sorted by option                 What it can reveal
    Default order                    General network overview
    Number of bytes                  Potential denial of service (DoS) or high network usage. If the IP addresses in these areas are not expected, someone might be using your resources.
    Unique outgoing flows            Potential data leaks
    Unique incoming flows            Potential denial of service (DoS)
    Total outgoing bytes             Potential data leaks
    Total incoming bytes             Potential denial of service (DoS) or high network usage. If the IP addresses in these areas are not expected, someone might be using your resources.
    Unique outgoing rejected flows   Incorrect security credentials, potential data leaks
    Unique incoming rejected flows   Potential attack
    Total outgoing rejected bytes    Potential data leaks
    Total incoming rejected bytes    Potential buffer overflow
    Unique outgoing unlogged flows   Incorrect configuration
    Unique incoming unlogged flows   Incorrect configuration
    Total outgoing unlogged flows    Incorrect configuration
    Total incoming unlogged flows    Incorrect configuration
    Unique outgoing accepted flows   Potential data leaks
    Unique incoming accepted flows   Potential denial of service (DoS) or high network usage. If the IP addresses in these areas are not expected, someone might be using your resources.
    Total outgoing accepted bytes    Potential data leaks
    Total incoming accepted bytes    Potential denial of service (DoS) or high network usage. If the IP addresses in these areas are not expected, someone might be using your resources.
  8. Select and clear each network interface or IP individually, or click Deselect all, Select default, or Select all. On the page that represents a single VPC, click Deselect all or Select related nodes. To change the number of VPC nodes that display on the page, click Select top 10 or Select bottom 10. The number of nodes changes incrementally by 10 at a time, and the link name reflects the displayed number.

Results

If flows don't appear as expected, make sure that the flows are properly set up. See step 8 in Creating and editing VPC Flow log sources.