Amazon Virtual Private Clouds (VPCs) are used in hybrid cloud enterprise environments to host workloads securely, and customers need to enable their SOC to identify potential threats within these components of their infrastructure. The RSA NetWitness Platform supports ingest of many third-party sources, including Amazon CloudTrail, GuardDuty, and now VPC Flow Logs.
The RSA NetWitness Platform has reporting content that Analysts can leverage to assess VPC security and overall health. In https://community.rsa.com/docs/DOC-97451 we illustrate the out-of-the-box reporting content that gives an analyst quick visibility into potential operational issues, such as the highest and lowest accepted/rejected connection counts and the traffic patterns on each VPC.
VPC Flow Logs is an AWS monitoring feature that captures information about the IP traffic going to and from network interfaces in your VPC. Each record describes a flow by its metadata (addresses, ports, protocol, packet and byte counts, and whether the security groups and network ACLs accepted or rejected it); packet payloads are not captured, so the data supports traffic analysis rather than content inspection. Flow log data can be published to Amazon CloudWatch Logs and Amazon S3. After you've created a flow log, you can retrieve and view its data in the chosen destination.
- Amazon VPC Flow Logs: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
- Amazon CloudWatch: https://aws.amazon.com/cloudwatch/
Flow logs from Amazon VPCs can be published to CloudWatch Logs. The RSA NetWitness Platform AWS VPC plugin uses the CloudWatch Logs API to collect them.
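As an added example (not RSA plugin code and not taken from the linked document), the following Python parses VPC Flow Log records in the default format described in the AWS user guide, the same text lines a collector would read back from CloudWatch Logs, and summarises them per network interface: accepted versus rejected connections, the source addresses generating the most rejects, and the NODATA/SKIPDATA records that carry no flow and must not be counted. The sample records, the interface IDs and the account number in it are constructed for the example.

```python
"""Parse AWS VPC Flow Log records (default format) and summarise them the way an
analyst would when looking for accepted/rejected connection outliers.

The records in SAMPLE_LOG are constructed for this example; they are not real data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Field order of the default (version 2) flow log format, per the AWS user guide.
DEFAULT_FIELDS = (
    "version account_id interface_id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log_status"
).split()


@dataclass
class FlowRecord:
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]   # IANA protocol number, e.g. 6 for TCP
    packets: int
    bytes: int
    start: int                # Unix seconds
    end: int
    action: Optional[str]     # "ACCEPT", "REJECT", or None for NODATA/SKIPDATA
    log_status: str           # "OK", "NODATA" or "SKIPDATA"


def _field(value: str, cast=str):
    """AWS writes '-' for fields that do not apply (e.g. in NODATA records)."""
    return None if value == "-" else cast(value)


def parse_record(line: str) -> FlowRecord:
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(DEFAULT_FIELDS, parts))
    if f["version"] != "2":
        raise ValueError(f"unsupported flow log version {f['version']}")
    return FlowRecord(
        account_id=f["account_id"],
        interface_id=f["interface_id"],
        srcaddr=_field(f["srcaddr"]),
        dstaddr=_field(f["dstaddr"]),
        srcport=_field(f["srcport"], int),
        dstport=_field(f["dstport"], int),
        protocol=_field(f["protocol"], int),
        packets=_field(f["packets"], int) or 0,
        bytes=_field(f["bytes"], int) or 0,
        start=int(f["start"]),
        end=int(f["end"]),
        action=_field(f["action"]),
        log_status=f["log_status"],
    )


def summarise(lines: Iterable[str]) -> dict:
    """Per-interface ACCEPT/REJECT counts, the sources with the most rejects,
    and a tally of records that were skipped because they carry no flow."""
    per_eni = defaultdict(Counter)
    rejected_sources = Counter()
    skipped = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.log_status != "OK":
            skipped[rec.log_status] += 1   # NODATA/SKIPDATA: nothing to count
            continue
        per_eni[rec.interface_id][rec.action] += 1
        if rec.action == "REJECT":
            rejected_sources[rec.srcaddr] += 1
    return {
        "per_interface": {eni: dict(c) for eni, c in per_eni.items()},
        "top_rejected_sources": rejected_sources.most_common(3),
        "skipped": dict(skipped),
    }


# Constructed sample: one interface seeing a few rejected probes from one external
# address, a second interface with normal traffic plus NODATA/SKIPDATA records.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 198.51.100.7 172.31.16.21 51000 22 6 1 40 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 198.51.100.7 172.31.16.21 51001 23 6 1 40 1418530011 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 198.51.100.7 172.31.16.21 51002 3389 6 1 40 1418530012 1418530070 REJECT OK
2 123456789010 eni-abc123de123456789 172.31.16.21 172.31.16.139 443 49152 6 10 1500 1418530020 1418530080 ACCEPT OK
2 123456789010 eni-abc123de123456789 - - - - - - - 1431280876 1431280934 - NODATA
2 123456789010 eni-abc123de123456789 - - - - - - - 1431280876 1431280934 - SKIPDATA
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE_LOG.splitlines()), indent=2))
```

Two points worth keeping when adapting this to a real feed: records carry a `log_status` field precisely because a flow log can miss data (NODATA when no traffic occurred in the window, SKIPDATA when AWS could not capture it), and treating those as zero-byte flows would skew any accept/reject ratio; and if a custom flow log format is configured, `DEFAULT_FIELDS` must be replaced with the field list of that format, since the field order is set at flow log creation and is not carried in the records themselves.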