AWS VPC Flow Logs


Go to Services -> VPC:

(Screenshot: VPC search)

Select the relevant VPC, open the Flow logs tab and click the Create flow log button to create a new flow log.

Go to AlphaSOC Console > Sources > AWS and use the provided S3 bucket ARN as the destination. It looks like this:

arn:aws:s3:::alphasoc-incoming-events/<token>/

Select "Custom format" and include (at least) the following fields:

${version} ${start} ${pkt-srcaddr} ${srcaddr} ${dstaddr} ${pkt-dstaddr} ${srcport} ${dstport} ${protocol} ${bytes} ${instance-id} ${action} ${tcp-flags}

(Screenshot: Flow log configuration)
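As an added example (not part of the AlphaSOC documentation or its code), a small Python parser for records delivered in the custom format above: it checks that a candidate format string still carries every required field, splits a record by field position, flags address translation by comparing pkt-srcaddr/pkt-dstaddr with srcaddr/dstaddr, and decodes the OR-ed tcp-flags value. The sample records are constructed and the instance ID is a placeholder.

```python
import re

# Custom format from the page above; delivered records use this field order.
CUSTOM_FORMAT = ("${version} ${start} ${pkt-srcaddr} ${srcaddr} ${dstaddr} "
                 "${pkt-dstaddr} ${srcport} ${dstport} ${protocol} ${bytes} "
                 "${instance-id} ${action} ${tcp-flags}")
INT_FIELDS = {"version", "start", "srcport", "dstport", "protocol", "bytes", "tcp-flags"}
TCP_FLAG_BITS = {1: "FIN", 2: "SYN", 4: "RST", 8: "PSH", 16: "ACK", 32: "URG"}

# Constructed sample records, not real traffic: an accepted outbound TCP/443 flow
# whose source address was rewritten by an intermediate hop (pkt-srcaddr differs
# from srcaddr), then a rejected inbound RDP probe carrying only a SYN.
SAMPLE_RECORDS = [
    "5 1700000000 10.0.1.23 10.0.0.200 203.0.113.7 203.0.113.7 44321 443 6 4260 i-0abc123def456789a ACCEPT 19",
    "5 1700000001 198.51.100.9 198.51.100.9 10.0.2.5 10.0.2.5 51234 3389 6 40 i-0abc123def456789a REJECT 2",
]

def format_fields(fmt):
    """Field names of a ${...} custom format string, in order."""
    return re.findall(r"\$\{([\w-]+)\}", fmt)

REQUIRED = format_fields(CUSTOM_FORMAT)

def missing_fields(fmt):
    """Required fields absent from a candidate custom format (empty list = OK)."""
    present = set(format_fields(fmt))
    return [name for name in REQUIRED if name not in present]

def decode_tcp_flags(value):
    """Names of the bits set in the OR-ed tcp-flags integer."""
    return [name for bit, name in TCP_FLAG_BITS.items() if value & bit]

def parse_record(line, fmt=CUSTOM_FORMAT):
    """Split one space-separated record into a dict keyed by field name."""
    names, values = format_fields(fmt), line.split()
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}")
    rec = {}
    for name, value in zip(names, values):
        if value == "-":                 # AWS writes '-' when a field is unavailable
            rec[name] = None
        else:
            rec[name] = int(value) if name in INT_FIELDS else value
    # Derived helpers: was an address rewritten by an intermediate hop, and
    # which TCP flags were seen during the aggregation interval?
    rec["translated"] = (rec["pkt-srcaddr"] != rec["srcaddr"]
                         or rec["pkt-dstaddr"] != rec["dstaddr"])
    rec["flags"] = decode_tcp_flags(rec["tcp-flags"] or 0)
    return rec
```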