AWS Security Lake — VPC Flow Data via Security Lake

Query’s integration with AWS VPC Flow Log via Security Lake data allows analysts to do the following:

  • Retrieve details about network connections originating from and going to AWS resources (IP address, port, VPC resource ID).
  • Determine if network connections were ALLOWED or DENIED

For example, the analyst could obtain the following context:

  • Searching by an IP Address,  i.e. IP Address equals, the response would contain whether that network traffic was ALLOWED or BLOCKED, as well as the source and destination port.

To integrate AWS VPC Flow Logs, see integration documentation here.

The integration will normalize data pulled from Security Lake into Query’s OCSF based QDM (Query Data Model) which then enables cross-platform joins, compounding the analyst’s ability to investigate. Query normalizes Security Lake data into QDM User and Device objects, and IP Address information. Analysts can see key network attributes like IP address, VPC identification, allowed/blocked traffic, and port information in the QDM user object.

Using these following integrations, users of Query Federated Search can search for observables within these schemas to locate and pivot from Domains, Hostnames, IP Addresses, and Usernames. With Query Federated Search, all results are normalized, deduplicated, correlated, collated and enriched such that an entity-based search would surface similar data points across all of your onboarded resources. As an example, an Analyst investigating EDR findings could query by an AWS Cloud-hosted server with an EDR sensor by its IP Address and surface all related VPC Flow Logs.