AWS VPC Flow Logs

Create flow log

Go to Services -> VPC:

Select a relevant VPC and under Flow Logs tab and click on Create flow log button. Then create a new flow log.

Set up a destination

Go to AlphaSOC Console > Credentials and use the provided S3 bucket ARN as a destination. It looks like this:

arn:aws:s3:::alphasoc-incoming-events/<token>/

Select a "Custom format" and provide (at least) the following fields:

${version} ${start} ${pkt-srcaddr} ${srcaddr} ${dstaddr} ${pkt-dstaddr} ${srcport} ${dstport} ${protocol} ${bytes} ${instance-id} ${action} ${tcp-flags}

Flow log configuration

Create flow log​

Set up a destination​

Create flow log

Set up a destination