Network Telemetry onboarding

Enabling network telemetry allows us to analyze the IP/DNS traffic going through your AWS VPC to help uncover infected hosts, emerging threats, and targeted attacks.

This requires configuring AWS to send network telemetry events for analysis to Data Theorem.
Events from AWS VPC flow logs and AWS Route 53 resolver query logs are supported.

Please contact support@datatheorem.com before starting the onboarding process.

You will need:

  • a custom identifier given by Data Theorem

  • administrative privileges in your AWS account

  • at least one of the integrations enabled (AWS VPC Flow Logs and/or AWS Route 53 Resolver Query Logs)

AWS VPC Flow Logs

  • Go to the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  • In the left-hand sidebar, go to Your VPCs

  • Select the checkbox for the relevant VPCs and then choose Actions, Create flow log.

  • Set the Name; we recommend Data Theorem network telemetry

  • For Filter, choose All

  • For Maximum aggregation interval, choose 10 minutes

  • For Destination, choose Send to an Amazon S3 bucket

  • For S3 bucket ARN, set the custom identifier given by Data Theorem

  • For Log record format, choose Custom format and select the following fields:

    • version

    • start

    • pkt-srcaddr

    • srcaddr

    • dstaddr

    • pkt-dstaddr

    • srcport

    • dstport

    • protocol

    • bytes

    • instance-id

    • action

    • tcp-flags

    • The final format preview should look like ${version} ${start} ${pkt-srcaddr} ${srcaddr} ${dstaddr} ${pkt-dstaddr} ${srcport} ${dstport} ${protocol} ${bytes} ${instance-id} ${action} ${tcp-flags}

  • Click on Create flow log
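As an added example (not part of Data Theorem's documentation or tooling), the Python below parses records written in the custom format selected above and runs two defender-side checks over them: a count of REJECT records per instance, and a list of flows whose packet-level addresses (pkt-srcaddr / pkt-dstaddr) differ from the interface-level ones, which is how traffic that passed through a NAT or transit gateway shows up. The field order is taken from the format preview above; the assumption that files delivered to S3 start with a header line naming the fields, the "-" placeholder for unavailable values, and all sample addresses and instance IDs are constructed for this example.

```python
"""Parser and two simple checks for VPC flow log records in the custom format
selected during onboarding. Sample data below is constructed, not real."""
from collections import Counter
from typing import Dict, List, Optional, Union

# Field order exactly as selected under "Log record format".
FLOW_LOG_FORMAT = (
    "${version} ${start} ${pkt-srcaddr} ${srcaddr} ${dstaddr} ${pkt-dstaddr} "
    "${srcport} ${dstport} ${protocol} ${bytes} ${instance-id} ${action} ${tcp-flags}"
)
FIELDS = [token.strip("${}") for token in FLOW_LOG_FORMAT.split()]
INT_FIELDS = {"version", "start", "srcport", "dstport", "protocol", "bytes", "tcp-flags"}

Record = Dict[str, Optional[Union[int, str]]]


def parse_flow_log_line(line: str) -> Record:
    """Split one space-separated record into a dict keyed by field name.
    "-" (AWS's marker for an unavailable value) becomes None; numeric
    fields are converted to int. Raises ValueError on a malformed line."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record: Record = {}
    for name, raw in zip(FIELDS, parts):
        if raw == "-":
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(raw)
        else:
            record[name] = raw
    return record


def parse_flow_log(text: str) -> List[Record]:
    """Parse a whole log file. Blank lines are skipped, as is a header line
    that just names the fields (assumed to be present in files delivered to S3)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.split() == FIELDS:
            continue
        records.append(parse_flow_log_line(line))
    return records


def reject_counts_by_instance(records: List[Record]) -> Dict[str, int]:
    """Number of REJECT records per instance; records without an instance-id
    (for example traffic to a gateway ENI) are grouped under "unknown"."""
    counts: Counter = Counter()
    for r in records:
        if r["action"] == "REJECT":
            counts[r["instance-id"] or "unknown"] += 1
    return dict(counts)


def _differs(a: Optional[str], b: Optional[str]) -> bool:
    # Only treat two addresses as different when both were actually logged.
    return a is not None and b is not None and a != b


def translated_flows(records: List[Record]) -> List[Record]:
    """Records where the packet-level address differs from the interface-level
    address, i.e. the flow was address-translated on its way through the VPC."""
    return [
        r for r in records
        if _differs(r["pkt-srcaddr"], r["srcaddr"]) or _differs(r["pkt-dstaddr"], r["dstaddr"])
    ]


# Constructed sample file: header line followed by five records.
SAMPLE_LOG = """\
version start pkt-srcaddr srcaddr dstaddr pkt-dstaddr srcport dstport protocol bytes instance-id action tcp-flags
2 1700000000 10.0.1.23 10.0.1.23 203.0.113.9 203.0.113.9 49152 443 6 5200 i-0abc123 ACCEPT 19
2 1700000000 10.0.1.23 10.0.1.23 198.51.100.7 198.51.100.7 49153 22 6 120 i-0abc123 REJECT 2
2 1700000060 10.0.2.44 10.0.2.44 198.51.100.7 198.51.100.7 49200 22 6 120 i-0def456 REJECT 2
2 1700000060 10.0.1.23 10.0.1.23 198.51.100.7 198.51.100.7 49201 3389 6 120 i-0abc123 REJECT 2
2 1700000120 192.168.5.10 10.0.0.5 10.0.1.23 10.0.1.23 33000 80 6 900 - ACCEPT 3
"""

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("parsed records:", len(recs))
    print("REJECTs per instance:", reject_counts_by_instance(recs))
    for r in translated_flows(recs):
        print("translated flow:", r["pkt-srcaddr"], "->", r["srcaddr"], "to", r["dstaddr"])
```

Because the parser is driven by FLOW_LOG_FORMAT, changing the field selection in the console only requires updating that one string; a record with the wrong number of fields (for example one written before the format was changed) raises instead of being silently misread.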

AWS Route 53 Resolver Query Logs

  • Go to the Amazon Route 53 console at https://console.aws.amazon.com/route53

  • In the left-hand sidebar, go to Resolver / Query logging

  • Choose Configure query logging

  • In the Query logging configuration name section, set the Name; we recommend Data Theorem network telemetry

  • In the Query logs destination section, select S3 bucket

  • For Amazon S3 bucket, set the custom identifier given by Data Theorem

  • In the VPCs to log queries for section, add all the relevant VPCs

  • Click on Configure query logging