Versions Compared

Version Old Version 6 New Version 7
Changes made by

Laszlo Frazer

Virginia Camuñas Núñez

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel2
outlinefalse
typeflat
separatorbrackets
printabletrue

Purpose

An analyst wants to detect unauthorized access behavior in isolated virtual networks within AWS.  Using the VPC SQS collector to send Flow logs to Devo, the analyst will find any unauthorized IP traffic.  As a result, the analyst will block the intruder, preventing them from disrupting private network services.

...

Authorize It

Devo recommends sending VPC data without using CloudWatch. If you wish to use CloudWatch instead of following these instructions, select the aws_sqs_cloudwatch_vpc service. The parsed logs will be the same.

  1. Authorize SQS Data Access.

  2. Add data to the S3 bucket.

    1. Select the VPC.

    2. Create flow log.

      image-20250122-183716.png

    3. Name the Flow “Devo.”

    4. Devo recommends Filter All so that wrongly rejected and wrongly accepted traffic can be analyzed.

    5. Select Send to an Amazon S3 bucket.

      image-20250122-184143.png

    6. Use the ARN of the S3 bucket you created during the authorization process.

      image-20250122-184413.png

    7. Keeping the defaults for the other settings, create the flow.

Run It

In the Cloud Collector App, create an SQS Collector instance using this parameters template, replacing the values enclosed in < >.

Code Block
{
  "inputs": {
    "sqs_collector": {
      "id": "<FIVE_UNIQUE_DIGITS>",
      "services": {
        "aws_sqs_vpc": {}
      },
      "credentials": {
              "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>",
              "aws_external_id": "<EXTERNAL_ID>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>"
    }
  }
}

Secure It

Devo Exchange includes an alert pack for Netflow data, including VPC Flow by using netstat.netflow.all as data source.

Unencrypted traffic

Code Block
/*
Traffic on port 80 is typically unencrypted 
HTTP connections, which could be intercepted
by a threat that has access to the VPC.
*/
from cloud.aws.vpc.flow
where eq(dstport,"80")
group by dstaddr, action

...

Code Block
/* 
If a source IP contacts an unusually large number of ports, 
it may indicate malicious reconnaissance.
*/
from cloud.aws.vpc.flow
group by srcaddr 
select length(collectdistinct(dstport)) as number_of_ports

...

Monitor It

Create an inactivity alertto detect interruptions of transfer of data from the source to the SQS queue using the query

...