November 07, 2017 / by jburks / In guides /

Analytics with AWS VPC Flow Logs

To provide better support for network security, we’re introducing Flow Logs monitoring for the Amazon Virtual Private Cloud.

What are VPC Flow Logs?

VPC Flow Logs is a feature that enables you to capture information on the IP traffic moving to and from network interfaces in your VPC. Records are aggregated per network interface over a capture window; packet payloads are not captured, so Flow Logs tell you who talked to whom and how much, not what was said.

The information captured includes details on:

  • Whether traffic was allowed or denied by the security group and network ACL rules in effect

  • Source and destination IP addresses

  • Source and destination ports

  • IANA protocol number

  • Packet and byte counts

  • Start and end time of the capture window in which the flow was observed

  • Action (ACCEPT or REJECT) and log status (OK, or NODATA/SKIPDATA when no traffic was recorded for the window)

Why are Flow Logs important?

By logging all traffic at the interface level, root cause analysis (RCA) can reveal malicious traffic moving around your network, including attempts that a security group or network ACL already rejected. Flow Logs also help system analysts establish traffic baselines and spot anomalies: each record carries the capture window and the bytes and packets transferred per flow, so unexpected volumes, new destinations, or chatty hosts stand out quickly. Note that Flow Logs do not measure latency or round-trip time; those require application or host-level instrumentation.

How We Help
  • Customized dashboards for real-time traffic flows

  • Enrichment of captured traffic data with a layer of in-built threat intelligence

  • Customized heat maps, widgets, reports, and notification features based on threshold values of network parameters

  • Easy-to-implement use cases, as per security, business, and user requirements

Use Cases
Monitor AWS infrastructure via Virtual Private Cloud flow logs

Incoming traffic from known malicious sources

A chart or a widget that gives a clear view of the known malicious sources from an external threat feed in the last 24 hours.

Threat heatmap

A geographic representation of different types of malicious activity encountered within the VPC infrastructure in the last 24 hours and the countries they are originating from.

Top 10 hosts sending outbound traffic

View outbound network activity for the top 10 source IP addresses, over the last 24 hours.

Inbound network activity

View the overall inbound network activity, broken down by source host IP address, over the last 24 hours.
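The following is an added example, not code from the original post or from the product it describes. It parses records in the default (version 2) VPC Flow Log format listed under "What are VPC Flow Logs?" and builds three of the summaries from the use cases above: inbound flows from a threat feed, top hosts by outbound bytes, and inbound bytes per source. The VPC CIDR, the threat feed contents, and the log lines are all constructed for the example (documentation IP ranges); substitute your own VPC ranges and feed.

```python
"""Parse VPC Flow Log records (default version-2 format) and summarise them
for the use cases above. Sample data, VPC CIDR and threat feed are constructed
for this example."""
from collections import Counter, namedtuple
import ipaddress

# Field order of the default (version 2) flow log record, space separated.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
FlowRecord = namedtuple("FlowRecord", FIELDS)

# Assumption: the VPC's address space (hypothetical value for this example).
VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed stand-in for an external threat feed (documentation-range IPs).
THREAT_FEED = {"203.0.113.7", "198.51.100.23"}

# Constructed sample records: two internal hosts talking out, two external
# sources probing in (one rejected, one accepted), plus a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 203.0.113.50 49152 443 6 12 3400 1510000000 1510000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 198.51.100.8 49153 443 6 30 20000 1510000000 1510000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.11 203.0.113.50 49154 80 6 8 1200 1510000000 1510000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.10 51000 22 6 6 360 1510000000 1510000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.11 51001 3389 6 4 240 1510000000 1510000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.10 40000 443 6 40 52000 1510000000 1510000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.0.2.9 10.0.1.10 40100 443 6 10 9000 1510000000 1510000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1510000000 1510000060 - NODATA
"""


def parse_record(line):
    """Return a FlowRecord, or None for NODATA/SKIPDATA records, whose
    traffic fields are '-' and carry nothing to analyse."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("not a version-2 flow log record: %r" % line)
    rec = FlowRecord(*parts)
    if rec.log_status != "OK":
        return None
    return rec._replace(**{f: int(getattr(rec, f)) for f in INT_FIELDS})


def parse_log(text):
    """Parse a block of newline-separated records, dropping empty lines
    and records without traffic data."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            if rec is not None:
                records.append(rec)
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPC_CIDRS)


def inbound_from_threat_feed(records, feed=THREAT_FEED):
    """Count inbound flows whose source is on the feed, keyed by
    (srcaddr, action). ACCEPTed hits are the ones to chase first: a REJECT
    means a security group or network ACL already stopped that flow."""
    return Counter((r.srcaddr, r.action) for r in records
                   if r.srcaddr in feed and is_internal(r.dstaddr))


def top_outbound_hosts(records, n=10):
    """Bytes sent by internal hosts to addresses outside the VPC, largest first."""
    total = Counter()
    for r in records:
        if is_internal(r.srcaddr) and not is_internal(r.dstaddr):
            total[r.srcaddr] += r.bytes
    return total.most_common(n)


def inbound_by_source(records):
    """Bytes received from each external source address (ACCEPT and REJECT)."""
    total = Counter()
    for r in records:
        if not is_internal(r.srcaddr) and is_internal(r.dstaddr):
            total[r.srcaddr] += r.bytes
    return dict(total)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("threat feed hits:", dict(inbound_from_threat_feed(recs)))
    print("top outbound hosts:", top_outbound_hosts(recs))
    print("inbound bytes by source:", inbound_by_source(recs))
```

On the sample data the feed lookup reports two rejected SSH/RDP probes from 203.0.113.7 and one accepted HTTPS flow from 198.51.100.23; the accepted one is the finding worth an incident ticket. In production, swap `SAMPLE_LOG` for records read from the CloudWatch Logs group or S3 prefix your flow logs are delivered to, and remember that a custom log format changes the field order assumed in `FIELDS`.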