...
Table | Description |
---|---|
cloud.aws.vpc.flow | Network traffic in AWS virtual private networks |
Union of network traffic from various sources |
Authorize It
Devo recommends sending VPC data without using CloudWatch. If you wish to use CloudWatch instead of following these instructions, select the aws_sqs_cloudwatch_vpc service. The parsed logs will be the same.
...
```json
{
  "inputs": {
    "sqs_collector": {
      "id": "<FIVE_UNIQUE_DIGITS>",
      "services": {
        "aws_sqs_vpc": {}
      },
      "credentials": {
        "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>",
        "aws_external_id": "<EXTERNAL_ID>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>"
    }
  }
}
```
Secure It
Devo Exchange includes an alert pack for Netflow data, including VPC Flow.
Unencrypted traffic
```
/* Traffic on port 80 is typically unencrypted HTTP connections, which could be intercepted by a threat that has access to the VPC. */
from cloud.aws.vpc.flow
where eq(dstport,"80")
group by dstaddr, action
```
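The same filter and grouping can be checked against raw flow records before they reach Devo. This is an added example, not part of the Devo documentation or alert pack: it assumes the AWS default (version 2) flow log field order, uses constructed sample records, and adds a byte total per group that the query above does not compute.

```python
from collections import defaultdict

# Default (version 2) VPC Flow Log field order, as published by AWS.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (made-up account id, ENI id and addresses).
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.20 49152 80 6 12 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.16 10.0.2.20 49153 80 6 8 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.21 40000 80 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.20 49154 443 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse(line):
    """Return a field dict for a usable record, or None for anything else."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # header line, custom format, or truncated record
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA / SKIPDATA records carry "-" in the flow fields
    return rec


def port80_by_dst_action(lines):
    """Mirror of: where eq(dstport,"80") group by dstaddr, action."""
    groups = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["dstport"] != "80":
            continue
        group = groups[(rec["dstaddr"], rec["action"])]
        group["flows"] += 1
        group["bytes"] += int(rec["bytes"])
    return dict(groups)


if __name__ == "__main__":
    for (dstaddr, action), stats in sorted(port80_by_dst_action(SAMPLE.splitlines()).items()):
        print(dstaddr, action, stats["flows"], stats["bytes"])
```

ACCEPT groups show destinations actually receiving port 80 traffic; REJECT groups show attempts that a security group or network ACL blocked.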
...