Data Source: AWS CloudWatchLogs VPCflow

Date: 2025-01-23

ID: 38a34fc4-e128-4478-a8f4-7835d51d5135

Author: Bhavin Patel, Splunk

Description

Logs an event when network traffic flow information such as source and destination IPs, ports, protocol, and action (allow/deny) is captured for VPC in AWS.

Details

Property	Value
Source	`aws_cloudwatchlogs_vpcflow`
Sourcetype	`aws:cloudwatchlogs:vpcflow`

Name ▲▼	Technique ▲▼	Type ▲▼
Internal Horizontal Port Scan	Network Service Discovery	TTP
Internal Horizontal Port Scan NMAP Top 20	Network Service Discovery	TTP
Internal Vertical Port Scan	Network Service Discovery	TTP

Supported Apps

Splunk Add-on for AWS (version 8.1.0)

Event Fields

+ Fields

  <span class="pill kill-chain">_raw</span>
  
  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">account_id</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">aws_account_id</span>
  
  <span class="pill kill-chain">bytes</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dest_ip</span>
  
  <span class="pill kill-chain">dest_port</span>
  
  <span class="pill kill-chain">duration</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">end_time</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">interface_id</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">log_status</span>
  
  <span class="pill kill-chain">packets</span>
  
  <span class="pill kill-chain">protocol</span>
  
  <span class="pill kill-chain">protocol_code</span>
  
  <span class="pill kill-chain">protocol_full_name</span>
  
  <span class="pill kill-chain">protocol_version</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">region</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">splunk_server_group</span>
  
  <span class="pill kill-chain">src</span>
  
  <span class="pill kill-chain">src_ip</span>
  
  <span class="pill kill-chain">src_port</span>
  
  <span class="pill kill-chain">start_time</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::action</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">transport</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">vendor_account</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
  <span class="pill kill-chain">version</span>
  
  <span class="pill kill-chain">vpcflow_action</span>
  
</div>

Example Log

12 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2 98 1697608042 1697608070 ACCEPT OK

Required Output Fields

action
src
src_ip
dest
dest_ip
dest_port
transport

Source: GitHub | Version: 2