/
VPC Virtual Private Cloud SQS collector
Document toolboxDocument toolbox

VPC Virtual Private Cloud SQS collector

Owned by Laszlo Frazer, created
Last updated: Feb 27, 2025
[ 1 Purpose ] [ 2 Example tables ] [ 3 Authorize It ] [ 4 Run It ] [ 5 Secure It ] [ 6 Monitor It ]

Purpose

An analyst wants to detect unauthorized access behavior in isolated virtual networks within AWS.  Using the VPC SQS collector to send Flow logs to Devo, the analyst will find any unauthorized IP traffic.  As a result, the analyst will block the intruder, preventing them from disrupting private network services.

Example tables

Table

Description

Table

Description

cloud.aws.vpc.flow

Network traffic in AWS virtual private networks

netstat.netflow.all

Union of network traffic from various sources

Authorize It

Devo recommends sending VPC data without using CloudWatch. If you wish to use CloudWatch instead of following these instructions, select the aws_sqs_cloudwatch_vpc service. The parsed logs will be the same.

  1. Authorize SQS Data Access.

  2. Add data to the S3 bucket.

    1. Select the VPC.

    2. Create flow log.

      image-20250129-211320.png

    3. Name the Flow “Devo.”

    4. Devo recommends Filter All so that wrongly rejected and wrongly accepted traffic can be analyzed.

    5. Select Send to an Amazon S3 bucket.

      image-20250129-211336.png

       

    6. Use the ARN of the S3 bucket you created during the authorization process.

image-20250122-184413.png

g. Keeping the defaults for the other settings, create the flow.

Run It

In the Cloud Collector App, create an SQS Collector instance using this parameters template, replacing the values enclosed in < >.

{ "inputs": { "sqs_collector": { "id": "<FIVE_UNIQUE_DIGITS>", "services": { "aws_sqs_vpc": {} }, "credentials": { "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>", "aws_external_id": "<EXTERNAL_ID>" }, "region": "<REGION>", "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>" } } }

Secure It

Devo Exchange includes an alert pack for Netflow data, including VPC Flow by using netstat.netflow.all as data source.

Unencrypted traffic

/* Traffic on port 80 is typically unencrypted HTTP connections, which could be intercepted by a threat that has access to the VPC. */ from cloud.aws.vpc.flow where eq(dstport,"80") group by dstaddr, action
image-20250122-191901.png

Interface disabled

/* Yesterday, an unauthorized entity turned off some interfaces within the private cloud, disabling services. Determine which interfaces need to be reenabled. */ from cloud.aws.vpc.flow group by interface_id select max(end_date) as last_seen where today()-1d<last_seen<today()//yesterday
image-20250123-172754.png

Malicious source IP accepted

/* Find all the connections made by a known compromised source IP in order to check if the destination IPs were also comprimised. */ from cloud.aws.vpc.flow where srcaddr = 193.34.212.75 //known indicator of compromise //, not eq(action,"REJECT") //hide successful rejections
image-20250129-211415.png

Port scan

/* If a source IP contacts an unusually large number of ports, it may indicate malicious reconnaissance. */ from cloud.aws.vpc.flow group by srcaddr select length(collectdistinct(dstport)) as number_of_ports
image-20250122-191520.png

Monitor It

Create an inactivity alert to detect interruptions of transfer of data from the source to the SQS queue using the query

from cloud.aws.vpc.flow where toktains(hostchain,"collector-") select split(hostchain,"-",1) as collector_id

Set the inactivity alert to keep track of the collector_id and accountId.