Network & Infrastructure Security

Network Logging & Threat Detection


Without visibility, you can't detect attacks. Cloud network logging and threat detection services provide the foundation for security operations and incident response.

Essential Network Logs

Log Types by Provider

Log type       | AWS                          | Azure                                 | GCP
---------------|------------------------------|---------------------------------------|---------------------
Network flow   | VPC Flow Logs                | NSG Flow Logs / VNet Flow Logs        | VPC Flow Logs
DNS queries    | Route 53 Resolver Query Logs | DNS Analytics (Log Analytics)         | Cloud DNS Logs
API activity   | CloudTrail                   | Activity Log                          | Cloud Audit Logs
Load balancer  | ALB/NLB Access Logs          | Application Gateway Logs              | Load Balancer Logs
WAF            | WAF Logs                     | WAF Logs                              | Cloud Armor Logs

AWS VPC Flow Logs Analysis

# Enable flow logs for the whole VPC, ALL traffic (accepted and rejected), to S3.
# --max-aggregation-interval 60 gives 1-minute records instead of the 10-minute
# default, which matters when you need to time-bound an incident.
aws ec2 create-flow-logs \
    --resource-type VPC \
    --resource-ids vpc-12345678 \
    --traffic-type ALL \
    --log-destination-type s3 \
    --log-destination arn:aws:s3:::flow-logs-bucket \
    --max-aggregation-interval 60 \
    --log-format '${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${vpc-id} ${subnet-id} ${instance-id} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr}'

The custom --log-format is positional: whatever reads the logs (the Athena table below, a SIEM parser) must declare the columns in exactly this order. ${start} and ${end} are Unix epoch seconds, and ${pkt-srcaddr}/${pkt-dstaddr} carry the original packet addresses when traffic passes through a NAT gateway or load balancer, which is what you want when tracing a connection back to its real source.

Flow log analysis queries (Athena, assuming a table named vpc_flow_logs over the S3 destination with the columns above; add a predicate on your partition column so each query does not scan the whole bucket):

-- Find rejected traffic (potential attacks). 'start' is a bigint of epoch
-- seconds, so it must be converted before being compared with a timestamp.
SELECT srcaddr, dstaddr, dstport, COUNT(*) AS count
FROM vpc_flow_logs
WHERE action = 'REJECT'
  AND from_unixtime(start) > date_add('hour', -24, now())
GROUP BY srcaddr, dstaddr, dstport
ORDER BY count DESC
LIMIT 100;

-- Unusual outbound traffic (possible data exfiltration): accepted bytes to
-- destinations outside RFC 1918 space. Note that LIKE '172.16.%' would only
-- exclude 172.16.0.0/16; the regex covers the whole 172.16.0.0/12 block.
SELECT srcaddr, dstaddr, SUM(bytes) AS total_bytes
FROM vpc_flow_logs
WHERE action = 'ACCEPT'
  AND NOT regexp_like(dstaddr, '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)')
  AND from_unixtime(start) > date_add('hour', -24, now())
GROUP BY srcaddr, dstaddr
HAVING SUM(bytes) > 1000000000  -- > 1 GB
ORDER BY total_bytes DESC;

Cloud-Native Threat Detection

AWS GuardDuty

GuardDuty analyzes CloudTrail, VPC Flow Logs and DNS logs (plus optional sources such as S3 data events and EKS audit logs) using threat intelligence feeds and anomaly detection. It is regional, so enable it in every region you use, or let a delegated administrator account auto-enable it across the organization:

# Enable GuardDuty in this region (prints the detector ID used below)
aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES

# Enable S3 and EKS protection. --data-sources is deprecated; --features replaces it
aws guardduty update-detector \
    --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
    --features '[{"Name":"S3_DATA_EVENTS","Status":"ENABLED"},{"Name":"EKS_AUDIT_LOGS","Status":"ENABLED"}]'

GuardDuty finding types (the part of the type name before the colon is the ThreatPurpose, which is what you route on):

  • Reconnaissance: port scanning, API enumeration (e.g. Recon:EC2/Portscan, Recon:EC2/PortProbeUnprotectedPort)
  • Instance compromise: cryptocurrency mining, command-and-control traffic (e.g. CryptoCurrency:EC2/BitcoinTool.B!DNS, Backdoor:EC2/C&CActivity.B!DNS)
  • Account compromise: unusual API calls, credential abuse (e.g. UnauthorizedAccess:IAMUser/MaliciousIPCaller, UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS)
  • Data exfiltration: unusual S3 access patterns (e.g. Exfiltration:S3/AnomalousBehavior)

Microsoft Defender for Cloud (Azure)

Defender plans are enabled per resource type; the "Standard" tier turns the plan on, "Free" leaves only the baseline posture assessment. Check the current state with az security pricing list.

# Enable Defender for Cloud plans
az security pricing create \
    --name VirtualMachines \
    --tier Standard

az security pricing create \
    --name StorageAccounts \
    --tier Standard

az security pricing create \
    --name KeyVaults \
    --tier Standard

GCP Security Command Center

# Security Command Center Premium/Enterprise is activated per organization in the
# console; once it is active, turn on asset discovery
gcloud scc settings update \
    --organization=123456789 \
    --enable-asset-discovery

# View findings
gcloud scc findings list \
    --organization=123456789 \
    --source=- \
    --filter="state=\"ACTIVE\""

SIEM Integration

Centralized Log Collection

┌──────────────────────────────────────────────────────────┐
│                       Log Sources                        │
├──────────────────────────────────────────────────────────┤
│  CloudTrail │ VPC Flow │ GuardDuty │ WAF │ CloudWatch    │
└──────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────┐
│                      SIEM Platform                       │
│  (Splunk, Elastic, Sumo Logic, Google SecOps, Sentinel)  │
├──────────────────────────────────────────────────────────┤
│  - Correlation rules                                     │
│  - Alerting                                              │
│  - Investigation                                         │
│  - Reporting                                             │
└──────────────────────────────────────────────────────────┘

AWS Security Hub

Aggregate findings from GuardDuty, Inspector, Macie, IAM Access Analyzer and partner products into one finding format (ASFF). Security Hub is regional, so enable it where your workloads run, or centralize through a delegated administrator account:

# Enable Security Hub
aws securityhub enable-security-hub

# Enable standards. Standards ARNs are regional ("standards/" form); the
# region-less "ruleset/" ARN exists only for CIS v1.2.0
aws securityhub batch-enable-standards \
    --standards-subscription-requests '[
        {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/3.0.0"},
        {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}
    ]'

Network Security Monitoring Patterns

Baseline Establishment

Before detecting anomalies, establish what normal looks like. The numbers below are illustrative; derive your own per workload from at least two weeks of history, since a backup server's normal outbound volume is another host's exfiltration.

Metric           | Normal range             | Alert threshold
-----------------|--------------------------|------------------------------------------------
Outbound traffic | ~10 GB/day per host      | > 50 GB/day, or well above the host's own baseline
Failed logins    | < 10/hour                | > 100/hour
Rejected flows   | < 1% of flows            | > 5% of flows
DNS queries      | Known domains            | Unknown or newly seen domains and TLDs
API calls        | Business hours           | Off-hours spikes (e.g. bursts at 03:00)
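The table's static thresholds work until the first host whose normal traffic exceeds them. The following is an added example (not the course's own code) of deriving the threshold from each host's own history, using the median plus a multiple of the median absolute deviation so that one noisy day does not move the baseline, while still applying the table's 50 GB/day ceiling to everyone. The per-host history, today's totals and the constants K and MIN_DELTA are constructed for the example.

```python
"""Baseline-driven thresholds for the 'Outbound traffic' row of the table above.

Added example, not the course's code. A host's alert threshold is derived from
its own last 14 days (median + K * MAD, a robust statistic that one bad day
does not skew) and combined with the table's static 50 GB/day ceiling. The
per-host history and today's totals below are constructed values.
"""
from statistics import median

GB = 1_000_000_000
HARD_CEILING = 50 * GB   # the table's static threshold still applies to every host
K = 5                    # MAD multiplier; 1.4826 * MAD ~ 1 sigma, so K=5 is ~3.4 sigma
MIN_DELTA = 1 * GB       # never alert on a bump smaller than this (quiet hosts are noisy in %)

# Constructed daily outbound totals (GB) per instance, oldest first.
HISTORY = {
    "i-backup": [38, 41, 40, 39, 42, 40, 41, 39, 40, 42, 38, 40, 41, 39],
    "i-web":    [2.1, 1.9, 2.0, 2.2, 1.8, 2.0, 2.1, 1.9, 2.0, 2.0, 2.2, 1.9, 2.1, 2.0],
    "i-batch":  [5, 6, 5, 7, 5, 6, 6, 5, 7, 6, 5, 6, 5, 6],
}
TODAY = {"i-backup": 44, "i-web": 6, "i-batch": 80}   # constructed, GB


def baseline(history):
    """(median, MAD) of a list of daily totals."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad


def evaluate(history, today):
    """Return (status, reason, adaptive_threshold) for one host-day.
    The hard ceiling is checked first: it fires regardless of history."""
    med, mad = baseline(history)
    adaptive = med + max(K * mad, MIN_DELTA)
    if today > HARD_CEILING:
        return "alert", "hard ceiling", adaptive
    if today > adaptive:
        return "alert", "baseline deviation", adaptive
    return "ok", "", adaptive


def evaluate_all(history=HISTORY, today=TODAY):
    """Status per host, with the adaptive threshold in GB. The same logic works
    for failed logins or rejected-flow ratios by swapping the units and ceiling."""
    out = {}
    for host, days in history.items():
        status, reason, thr = evaluate([d * GB for d in days], today[host] * GB)
        out[host] = (status, reason, round(thr / GB, 1))
    return out


if __name__ == "__main__":
    for host, result in evaluate_all().items():
        print(host, result)
```

Run as written, the backup host stays "ok" at 44 GB (its baseline puts the threshold at 45 GB, while the table's fixed "normal 10 GB/day" would have flagged it every day), the web host alerts at 6 GB because its threshold is only 3 GB, and the batch host trips the hard ceiling at 80 GB no matter what its history says.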

Detection Rules

Suspicious SSH activity (CloudWatch Logs Insights over the flow log group; the field names srcAddr, dstAddr, dstPort, action and bytes are the ones Logs Insights auto-discovers for default-format flow logs delivered to CloudWatch Logs, while a custom format needs a parse step on @message):

# Sources with more than 100 rejected connections to port 22
fields @timestamp, srcAddr, dstPort, action
| filter dstPort = 22 and action = "REJECT"
| stats count(*) as attempts by srcAddr
| filter attempts > 100
| sort attempts desc

Data exfiltration pattern (large accepted transfers to destinations outside RFC 1918 space; flagging a destination as "new" additionally needs a comparison against the baseline of known destinations):

# Flows over 100 MB, summed per source/destination pair, more than 1 GB in total
fields @timestamp, srcAddr, dstAddr, bytes
| filter action = "ACCEPT" and bytes > 100000000
| filter dstAddr not like /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
| stats sum(bytes) as total_bytes by srcAddr, dstAddr
| filter total_bytes > 1000000000
| sort total_bytes desc
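Both the Athena queries in the flow-log section and the two Logs Insights rules above implement the same three detections, so here is one added example (not the course's own code) that runs them offline over constructed flow-log records in the custom --log-format from the create-flow-logs call: a parser that drops NODATA rows, a correct RFC 1918 check (the place where LIKE '172.16.%' goes wrong), and the reject-count, SSH brute-force and outbound-volume rules. The sample records, the fixed NOW and the account/ENI/instance identifiers in them are all made up for the example.

```python
"""Flow-log detections run offline over constructed VPC Flow Log records.

Added example, not the course's code. Implements the same logic as the Athena
queries and Logs Insights rules above, assuming the custom --log-format from
the create-flow-logs call: 21 space-separated fields, 'start'/'end' in epoch
seconds. Sample records and the fixed NOW are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Field order must match the --log-format string exactly.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status vpc-id subnet-id "
          "instance-id tcp-flags type pkt-srcaddr pkt-dstaddr").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

NOW = 1_700_000_000        # fixed "now" (epoch seconds) so results are deterministic
WINDOW = 24 * 3600

# Explicit RFC 1918 + link-local list. ipaddress.is_private is deliberately not used:
# it also treats documentation ranges such as 198.51.100.0/24 and 203.0.113.0/24 as private.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse(line):
    """One flow-log record -> dict. NODATA/SKIPDATA rows carry '-' in most fields
    and must not be counted, so they are dropped before the int conversion."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    for f in INT_FIELDS:
        rec[f] = int(rec[f])
    return rec


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def rejected_flows(records, now=NOW):
    """The REJECT query: rejected flows per (src, dst, dstport) in the last 24h, highest first."""
    counts = defaultdict(int)
    for r in records:
        if r["action"] == "REJECT" and r["start"] > now - WINDOW:
            counts[(r["srcaddr"], r["dstaddr"], r["dstport"])] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


def ssh_bruteforce(records, threshold=100, now=NOW):
    """The Logs Insights SSH rule: sources with more than `threshold` rejected flows to port 22."""
    per_src = defaultdict(int)
    for r in records:
        if r["dstport"] == 22 and r["action"] == "REJECT" and r["start"] > now - WINDOW:
            per_src[r["srcaddr"]] += 1
    return {s: n for s, n in per_src.items() if n > threshold}


def outbound_volume(records, threshold_bytes=1_000_000_000, now=NOW):
    """The exfiltration query: accepted bytes per (src, dst) to non-private destinations."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT" and r["start"] > now - WINDOW and not is_private(r["dstaddr"]):
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return {k: v for k, v in totals.items() if v > threshold_bytes}


def _rec(src, dst, dstport, action, nbytes, start, packets=10, status="OK"):
    """Build one constructed record in FIELDS order (ids are made up)."""
    return " ".join(map(str, [3, "123456789012", "eni-0a1b2c3d4e5f60718", src, dst, 54321,
                              dstport, 6, packets, nbytes, start, start + 60, action, status,
                              "vpc-0a1b2c3d", "subnet-0a1b2c3d", "i-0123456789abcdef0",
                              2, "IPv4", src, dst]))


SAMPLE = [
    # 203.0.113.9 hammering SSH on 10.0.1.5: 150 rejected SYNs inside the window
    *[_rec("203.0.113.9", "10.0.1.5", 22, "REJECT", 44, NOW - 3600 + i, packets=1)
      for i in range(150)],
    # a single rejected RDP probe, below any threshold
    _rec("198.51.100.7", "10.0.1.5", 3389, "REJECT", 44, NOW - 7200, packets=1),
    # 10.0.1.5 pushing 1.2 GB to an external host over 443 in three flows
    *[_rec("10.0.1.5", "198.51.100.200", 443, "ACCEPT", 400_000_000, NOW - 1800 + i)
      for i in range(3)],
    # 10.0.2.8 pushing 2 GB to 172.20.0.4: inside 172.16.0.0/12, so internal;
    # a LIKE '172.16.%' filter would wrongly report it as exfiltration
    _rec("10.0.2.8", "172.20.0.4", 443, "ACCEPT", 2_000_000_000, NOW - 600),
    # 5 GB outbound flow from three days ago: outside the 24h window
    _rec("10.0.3.3", "203.0.113.50", 443, "ACCEPT", 5_000_000_000, NOW - 3 * 86400),
    # NODATA placeholder row, as the flow log service emits when nothing was captured
    _rec("-", "-", "-", "-", "-", NOW - 60, packets="-", status="NODATA"),
]


def run(lines=SAMPLE):
    records = [r for r in map(parse, lines) if r]
    return {"parsed": len(records),
            "rejected_top": rejected_flows(records)[:3],
            "ssh_bruteforce": ssh_bruteforce(records),
            "exfil": outbound_volume(records)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(run())
```

Of the 157 constructed lines, 156 parse (the NODATA row is dropped); the SSH rule names 203.0.113.9 with 150 attempts, and the exfiltration rule reports only the 1.2 GB pair to 198.51.100.200: the 2 GB to 172.20.0.4 is internal and the 5 GB flow is outside the window.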

Incident Response Readiness

Network Security Runbook

Scenario            | Detection               | Response
--------------------|-------------------------|------------------------------------------------------------
Port scan detected  | GuardDuty / flow logs   | Block source IP via NACL or WAF IP set; NACLs hold only a small number of rules, so expire blocks and fix the exposed port
Unusual outbound    | Flow log analysis       | Isolate instance (quarantine security group), investigate
API abuse           | CloudTrail anomaly      | Revoke credentials, audit
DDoS attack         | WAF / Shield alerts     | Engage the Shield Response Team (SRT, Shield Advanced), adjust rules
Data exfiltration   | S3 / flow logs          | Revoke access, forensics
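The runbook is only useful if a finding can be turned into its row automatically. Below is an added example (not the course's code) that takes a GuardDuty finding as EventBridge delivers it, maps the ThreatPurpose prefix of the finding type to the table above, bands the severity the way GuardDuty does, and for a port probe produces the NACL deny commands of the first row. The two events are constructed samples whose field names follow GuardDuty's finding schema; the RUNBOOK mapping, the rule numbering and the placeholder NACL id are this example's own conventions.

```python
"""From a GuardDuty finding to a runbook row.

Added example, not the course's code. Reads a GuardDuty finding as delivered by
EventBridge (constructed below, field names per GuardDuty's finding schema),
maps its ThreatPurpose (the part before ':') to the runbook table, bands the
severity as GuardDuty does, and for a port probe emits NACL deny commands. The
RUNBOOK mapping, rule numbering and placeholder NACL id are example conventions.
"""
import json

PORT_PROBE_EVENT = json.dumps({   # constructed sample event
    "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 5,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {
            "action": {"actionType": "PORT_PROBE",
                       "portProbeAction": {"blocked": False, "portProbeDetails": [
                           {"localPortDetails": {"port": 22, "portName": "SSH"},
                            "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}},
                           {"localPortDetails": {"port": 3389, "portName": "RDP"},
                            "remoteIpDetails": {"ipAddressV4": "203.0.113.77"}}]}},
            "count": 37},
    },
})
UNMAPPED_EVENT = json.dumps({   # constructed: a finding type with no runbook row
    "detail": {"type": "Trojan:EC2/DNSDataExfiltration", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0fedcba9876543210"}},
               "service": {"action": {"actionType": "DNS_REQUEST"}}},
})

# ThreatPurpose -> (runbook scenario, response), following the table above.
RUNBOOK = {
    "Recon":              ("Port scan detected", "block source IP via NACL"),
    "CryptoCurrency":     ("Unusual outbound",   "isolate instance, investigate"),
    "Backdoor":           ("Unusual outbound",   "isolate instance, investigate"),
    "UnauthorizedAccess": ("API abuse",          "revoke credentials, audit"),
    "Exfiltration":       ("Data exfiltration",  "revoke access, forensics"),
}


def severity_label(score):
    """GuardDuty bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def nacl_deny(ip, rule_number, acl_id="<subnet-nacl-id>"):
    """CLI call that denies one IP on ingress. NACL rules are evaluated lowest
    number first, so deny rules need lower numbers than the subnet's allow rules.
    The NACL id is not in the finding; it must be looked up from the instance's
    subnet (placeholder here)."""
    return ("aws ec2 create-network-acl-entry "
            f"--network-acl-id {acl_id} --ingress --rule-number {rule_number} "
            f"--protocol -1 --rule-action deny --cidr-block {ip}/32")


def plan_response(event_json):
    d = json.loads(event_json)["detail"]
    purpose = d["type"].split(":", 1)[0]
    scenario, action = RUNBOOK.get(purpose, ("Unmapped finding", "triage manually"))
    probes = d["service"]["action"].get("portProbeAction", {}).get("portProbeDetails", [])
    plan = {
        "type": d["type"],
        "severity": severity_label(d["severity"]),
        "scenario": scenario,
        "action": action,
        "instance": d["resource"].get("instanceDetails", {}).get("instanceId"),
        "remote_ips": sorted({p["remoteIpDetails"]["ipAddressV4"] for p in probes}),
        "commands": [],
    }
    if purpose == "Recon":
        # One deny rule per probing IP. A NACL holds few rules (20 by default), so this
        # is a short-term block; the durable fix is closing the exposed port.
        for n, ip in enumerate(plan["remote_ips"], start=1):
            plan["commands"].append(nacl_deny(ip, rule_number=n))
    return plan


if __name__ == "__main__":
    print(json.dumps(plan_response(PORT_PROBE_EVENT), indent=2))
```

The unmapped event shows the failure mode worth handling: a ThreatPurpose the runbook does not cover (here Trojan) must land in a manual-triage bucket rather than silently matching nothing, and its severity band still gets computed so the triage queue can be prioritized.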

Next module: Container and Kubernetes security for cloud-native workloads.
