Configure AWS Flow Logs 

Qualys CDR allows you to configure the collection of VPC flow logs in your TotalCloud account for AWS. Flow logs record the network traffic to and from the network interfaces in your VPCs, which enables deeper analysis of your cloud network to identify indicators of compromise such as suspicious communication between your workloads and external hosts.

The new AWS tab allows you to configure flow logs for AWS. Deployments created earlier can be managed on the AWS (Legacy) tab, but new deployments cannot be created there.

Pre-requisites

  • Set up a TotalCloud AWS Connector for the resources for which you want to view Flow Logs in the TotalCloud Inventory. See the TotalCloud AWS connector documentation for the setup steps.
  • Generate a Subscription Token to use when configuring the CFT stack.
  • Enable VPC Flow Logs to publish to an S3 bucket in the AWS account you want to monitor for threats. See the AWS VPC Flow Logs documentation for details.
  • The flow log record format must include the private IP address (srcaddr/dstaddr), the network interface ID (interface-id), and the AWS account ID (account-id). The TotalCloud UI uses these fields to attribute alerts to inventory resources; the AWS default log format includes all of them.
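The following is an added example, not Qualys code, that checks the last prerequisite against a flow log file of the kind S3 delivery writes: it parses records in the AWS default flow log format (the header line, field names and account-id/interface-id/srcaddr/dstaddr fields are the real AWS ones), reports missing fields or records with no private IP to attribute, and summarises accepted and rejected traffic per network interface. The sample records, account number, interface IDs and addresses are constructed for the example.

```python
"""Check that VPC Flow Log records carry the fields TotalCloud CDR needs.

Added example (not Qualys code). The sample below is constructed; the
account number, ENI IDs and addresses are made up.
"""
import ipaddress
from collections import defaultdict

# AWS default flow log format (version 2); the field order is fixed by AWS.
DEFAULT_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport "
                  "dstport protocol packets bytes start end action log-status").split()

# Fields the TotalCloud UI needs to attribute a flow to an inventory resource.
REQUIRED_FIELDS = ("account-id", "interface-id", "srcaddr", "dstaddr")

# Explicit RFC 1918 ranges: Python's ip_address(...).is_private also counts the
# documentation test nets (203.0.113.0/24 etc.), which would be misleading here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one object as written to the S3 bucket, header line included.
SAMPLE_RECORDS = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.9 49152 443 6 12 3480 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.77 10.0.1.25 41234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0b9c8d7e6f5a43210 10.0.2.14 10.0.1.25 55000 3306 6 40 9100 1700000000 1700000060 ACCEPT OK
"""


def parse_records(text):
    """Return (field names, list of record dicts). A leading header line, as
    written by S3 delivery, defines the fields; otherwise the default is assumed."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return list(DEFAULT_FIELDS), []
    first = lines[0].split()
    if first[0] == "version":
        fields, body = first, lines[1:]
    else:
        fields, body = list(DEFAULT_FIELDS), lines
    return fields, [dict(zip(fields, ln.split())) for ln in body]


def missing_fields(fields):
    """Fields from the prerequisite that a custom log format left out."""
    return [f for f in REQUIRED_FIELDS if f not in fields]


def is_rfc1918(addr):
    if addr in ("-", ""):          # AWS writes '-' when a field has no value
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def private_ip(record):
    """The private address the flow can be attributed to (source first), or None."""
    for key in ("srcaddr", "dstaddr"):
        if is_rfc1918(record.get(key, "-")):
            return record[key]
    return None


def summarize(records):
    """Accepted/rejected flow counts and bytes per ENI, skipping NODATA/SKIPDATA."""
    totals = defaultdict(lambda: {"accept": 0, "reject": 0, "bytes": 0})
    for r in records:
        if r.get("log-status") != "OK":
            continue
        t = totals[r["interface-id"]]
        t[r["action"].lower()] += 1
        t["bytes"] += int(r["bytes"])
    return dict(totals)


def audit(text):
    """Problems that would stop the UI from attributing alerts; empty means OK."""
    fields, records = parse_records(text)
    problems = [f"missing field: {f}" for f in missing_fields(fields)]
    for r in records:
        if r.get("log-status") == "OK" and private_ip(r) is None:
            problems.append(f"record without private IP on {r.get('interface-id')}")
    return problems


if __name__ == "__main__":
    print("problems:", audit(SAMPLE_RECORDS))
    print("per-ENI summary:", summarize(parse_records(SAMPLE_RECORDS)[1]))
```

Run it against a decompressed object from the flow log bucket (S3 delivery writes gzip-compressed files, so `gzip -dc` first) to confirm the format before launching the stack; a custom `--log-format` that omits `${interface-id}` or `${account-id}` shows up as a `missing field` entry.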

Generate a Subscription Token

A subscription token is required to authenticate when launching the CFT stack for the Flow Logs configuration. Follow the steps below to generate the required Subscription Token.

Run the Following Command to Generate AuthToken 

curl --location --request POST 'https://<API Gateway URL>/auth' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username=<QualysUsername>' --data-urlencode 'password=<QualysPassword>' --data-urlencode 'token=true'

Run the Following Command to Generate SubscriptionToken 

curl --location --request POST 'https://<API Gateway URL>/qas/subscription-token' --header 'Content-Type: application/json' --header 'Authorization: Bearer <Auth Token>' --data-raw '{ "expiry": 500000}'

Store the generated SubscriptionToken; you need it when launching the stack.

Create a Deployment

Before starting with the Flow Log configuration, you must create an AWS deployment on the TotalCloud UI.

Navigate to TotalCloud > Configure > Threat Scanners > AWS.

  1. Click Create Deployment and provide the following three input values:
    1. Deployment Name - Provide a unique name for the Flow Logs deployment. For identification, start the deployment name with the prefix 'aws-'.
    2. Account ID - Provide the account ID of the AWS account on which Flow Logs are to be deployed.
    3. Region - Select the region in which the threat scanner must be deployed.
  2. Once these values are provided, click Create.

The deployment is listed under the CDR Appliance section of the Threat Scanner tab. The 'Status' column shows the status of your deployment. As you progress through the CDR onboarding steps, the deployment status updates from Pending to Licensed and then Activated.

Configure Flow Logs

Navigate to Configure > Threat Scanners > Configure Flow Logs to get started.

Configure flow logs by providing the details of the S3 buckets to which your VPC Flow Logs are published.

Provide the following input values.

  1. Deployment Name - Provide a unique name for the Flow Logs deployment. For identification, start the deployment name with the prefix 'aws-'.
  2. Account ID - Provide the account ID of the AWS account with which the CDR AMI is to be shared.
  3. Provide the Flow Log storage information:
    1. Bucket ARN
    2. Region/Zone
    3. Flow Log Bucket Encryption Key ARN (the KMS key ARN, if the bucket is encrypted with a customer managed key)
  4. Click Add more buckets to configure additional S3 buckets.
  5. Click Save to create your Flow Log configuration.

Launch the Stack

Once your Flow Log configuration is saved on the Threat Scanners tab, you must launch the AWS CloudFormation stack that collects the logs for your inventory.

Navigate to Configure > Threat Scanners and click View Details on the deployment to see the Flow Logs configuration details.

Click Launch Stack to create a CloudFormation stack on the AWS console.

Now provide the necessary inputs.

  1. Stack name.
  2. APIGatewayURL - You can find the Gateway URL for your Qualys POD under Platform Identification.
  3. Select the required AWS regions from the dropdown to receive GuardDuty alerts in TotalCloud.
  4. SubscriptionToken - Provide the subscription token created under Generate a Subscription Token. If the subscription token has expired, generate a new token and update the existing CFT stack with the new token.
  5. The FlowLogsBucket and 

If you provide a value for FlowLogsBucketEncryptionKeyArn, the stack uses that key to read the encrypted bucket contents. If you leave it empty, the placeholder arn:aws:kms:::key is filled in automatically so that the stack can be created and read the bucket contents regardless of whether the bucket is encrypted.

The stack has all the required values populated. Click Create Stack.

Once the stack is created, the Flow Logs findings appear under the CDR findings of the corresponding Inventory resources.

View Flow Logs on the Inventory

Once your Flow Logs configuration is set up for CDR, you can view the findings on the TotalCloud Inventory.

Navigate to TotalCloud > Inventory and open the required resource type (for example, IAM Users).

Click any resource.

Click the Cloud Detection and Response tab on the left side panel. 

Navigate to the Suspicious Communication tab to view the Flow Logs findings with their total count.