Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

« Previous Version 2 Next »

Purpose

An analyst wants to detect unauthorized access behavior in isolated virtual networks within AWS.  Using the VPC SQS collector to send Flow logs to Devo, the analyst will find any unauthorized IP traffic.  As a result, the analyst will block the intruder, preventing them from disrupting private network services.

Example tables

Table

Description

cloud.aws.vpc.flow

Network traffic in AWS virtual private networks

Authorize It

Devo recommends sending VPC data without using CloudWatch. If you wish to use CloudWatch instead of following these instructions, select the aws_sqs_cloudwatch_vpc service. The parsed logs will be the same.

  1. Authorize SQS Data Access.

  2. Add data to the S3 bucket.

    1. In step 6 of the Amazon instructions, use the ARN of the S3 bucket you created during the authorization process.

Run It

In the Cloud Collector App, create an SQS Collector instance using this parameters template, replacing the values enclosed in < >.

{
  "inputs": {
    "sqs_collector": {
      "id": "<FIVE_UNIQUE_DIGITS>",
      "services": {
        "aws_sqs_vpc": {}
      },
      "credentials": {
              "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>",
              "aws_external_id": "<EXTERNAL_ID>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>"
    }
  }
}

Secure It

Monitor It

Create an inactivity alert to detect interruptions of transfer of data from the source to the SQS queue using the query

from TABLE 
where toktains(hostchain,"collector-") 
select split(hostchain,"-",1) as collector_id

Set the inactivity alert to keep track of the collector_id.

  • No labels