Identifying Denied Flows in the Flow Logs Dashboard

Lesson Overview

In this lesson, we will explore how to identify denied flows using the Flow Logs Dashboard in Kibana. Flow logs are instrumental in troubleshooting network issues, analyzing security policies, and refining access controls. We will cover how flow logs are reported by both the source and destination, how to filter denied flows, and how to interpret the reporter field to determine where the denial occurred. Additionally, we will demonstrate real-world scenarios, including detecting suspicious public IP activity targeting workloads.

Learning Objectives

By the end of this lesson, you will be able to:

  1. Understand how flow logs capture allowed and denied traffic within Kubernetes clusters.

  2. Differentiate between source-reported and destination-reported flow logs.

  3. Use Kibana queries and filters to isolate denied flows across clusters and namespaces.

  4. Analyze volumetric traffic charts to identify traffic being blocked at different points.

  5. Investigate denied flows affecting specific workloads and namespaces.

  6. Detect and analyze suspicious denied flows, including public IP scans targeting workloads.

Key Takeaways

✅ Use the reporter field to determine whether a flow was denied at the source or destination.
✅ Filter denied flows by namespaces, workloads, and public IPs to detect potential threats.
✅ Analyze volumetric charts to understand network behavior and policy impact.
✅ Investigate suspicious denied traffic, such as unauthorized public IP scans.
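As an added example (not part of this lesson, and not Calico's or Kibana's own tooling), the following Python script performs the same triage offline on a few constructed flow log records: it keeps only denied flows, tallies them by the reporter field to show whether the drop happened at the source or the destination, narrows the view to one namespace, and flags public source IPs whose denied flows hit several different ports on a single workload. The field names (action, reporter, source_ip, source_namespace, dest_namespace, dest_name, dest_port, num_flows) and the values src/dst follow the general shape of Calico Enterprise flow logs but are assumptions here; the address ranges treated as cluster-internal are also an assumption.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample flow log records (newline-delimited JSON). The field names
# are assumptions modelled on Calico Enterprise flow logs; verify them against
# the index mapping behind your own Flow Logs Dashboard before reusing this.
SAMPLE_FLOW_LOGS = """\
{"action":"deny","reporter":"dst","source_ip":"198.51.100.23","source_name":"pub-198.51.100.23","source_namespace":"-","dest_name":"frontend-6d7f","dest_namespace":"storefront","dest_port":22,"proto":"tcp","num_flows":40}
{"action":"deny","reporter":"dst","source_ip":"198.51.100.23","source_name":"pub-198.51.100.23","source_namespace":"-","dest_name":"frontend-6d7f","dest_namespace":"storefront","dest_port":3389,"proto":"tcp","num_flows":35}
{"action":"deny","reporter":"src","source_ip":"10.244.1.15","source_name":"worker-5c9b","source_namespace":"batch","dest_name":"warehouse-0","dest_namespace":"analytics","dest_port":5432,"proto":"tcp","num_flows":3}
{"action":"allow","reporter":"src","source_ip":"10.244.1.15","source_name":"worker-5c9b","source_namespace":"batch","dest_name":"api-7b8d","dest_namespace":"storefront","dest_port":8080,"proto":"tcp","num_flows":120}
{"action":"deny","reporter":"dst","source_ip":"10.244.2.9","source_name":"cart-4f2a","source_namespace":"storefront","dest_name":"db-0","dest_namespace":"storefront","dest_port":5432,"proto":"tcp","num_flows":2}
"""

# Assumption: anything outside these ranges is treated as a public source.
# Adjust to your cluster's pod, service and node CIDRs.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_flow_logs(text):
    """Parse newline-delimited JSON flow log records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def denied_flows(records, dest_namespace=None):
    """Return only denied flows, optionally restricted to one destination namespace."""
    out = []
    for r in records:
        if r.get("action") != "deny":
            continue
        if dest_namespace and r.get("dest_namespace") != dest_namespace:
            continue
        out.append(r)
    return out


def denials_by_reporter(records):
    """Count denied flows by where the denial was reported.

    reporter == "src": the policy on the source side dropped the flow before
    it left the source workload (an egress denial).
    reporter == "dst": the flow reached the destination side and was dropped
    there (an ingress denial).
    """
    return Counter(r["reporter"] for r in denied_flows(records))


def is_public(ip):
    """True when the address falls outside the assumed cluster-internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_public_sources(records, min_ports=2):
    """Flag public source IPs whose denied flows touched several distinct ports
    on one workload, a pattern consistent with a scan being blocked at the
    destination. Returns {(source_ip, dest_namespace, dest_name): [ports]}."""
    ports = {}
    for r in denied_flows(records):
        if r.get("reporter") != "dst" or not is_public(r["source_ip"]):
            continue
        key = (r["source_ip"], r["dest_namespace"], r["dest_name"])
        ports.setdefault(key, set()).add(r["dest_port"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_FLOW_LOGS)
    print("denied flows by reporter:", dict(denials_by_reporter(recs)))
    print("denied flows into storefront:", len(denied_flows(recs, "storefront")))
    for (ip, ns, wl), ps in suspicious_public_sources(recs).items():
        print(f"public source {ip} denied at {ns}/{wl} on ports {ps}")
```

In the dashboard itself the first two steps correspond to narrowing the query bar to denied flows and one reporter value (for instance a filter on action being deny and reporter being dst, using the same assumed field names), after which the volumetric chart shows whether the drops cluster at ingress or at egress.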

Conclusion and Next Steps

  • Denied flows provide critical insights into network security and policy enforcement.

  • The Flow Logs Dashboard allows users to filter denied traffic, identify impacted workloads, and investigate security threats.

  • Understanding source vs. destination reporting is key to troubleshooting network issues.

  • Suspicious activity, such as unauthorized access attempts from public IPs, can be detected through denied flow logs.