AWS VPC Flow Log Analysis

Investigate network traffic anomalies and suspicious connections using structured AI analysis of VPC flow logs. This workflow helps you parse log data, identify threats, and generate actionable reports.


No setup needed — just paste and run

  • Unusual outbound traffic detected
  • Unknown IP communication in logs
  • Suspicious data transfer patterns
Step 1: Baseline Traffic Profiling

You are a SOC analyst reviewing AWS VPC Flow Logs. I am going to paste raw VPC flow log data below. Your job:

1. Identify the top 5 source IP addresses by connection count
2. Identify the top 5 destination IP addresses by connection count
3. List the most frequently targeted destination ports
4. Flag any IPs with unusually high outbound byte counts (potential exfiltration)
5. Present all findings as a structured table with columns: IP Address, Connection Count, Total Bytes, Direction, Notable Observation

Be specific. Use only data from the logs I provide — do not assume or invent values.

[PASTE 20–50 VPC FLOW LOG ENTRIES HERE]
Step 2: Anomaly Detection

Based on the VPC flow log data from Step 1, now perform anomaly detection. First analyze patterns, then produce findings. Look specifically for:

1. Sequential port connections from a single source IP (port scanning pattern)
2. Repeated REJECT actions from the same source (brute-force or probing)
3. Any internal IP communicating on ports 22, 3389, 445, or 4444
4. Any single flow with outbound byte count above 500MB (data exfiltration indicator)
5. Any connection to or from a non-RFC1918 address on unusual ports

For each anomaly found:
- State exactly which log entries triggered the finding (use source IP, destination IP, port)
- Explain WHY this pattern is suspicious based on the actual data
- Assign a severity: Critical / High / Medium / Low
- Do not flag things that are not present in the data

Output as a numbered findings list, sorted by severity.
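The Step 1 profiling and Step 2 anomaly checks, implemented as an added example (not code from the original workflow) over a constructed sample in the default VPC flow log format. The three-distinct-port scan threshold, the REJECT-count threshold, and the definition of "internal" as the three RFC1918 ranges are assumptions; the 500MB exfiltration threshold and the sensitive port list come from the Step 2 prompt.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
# Constructed sample in the default VPC flow log format (14 space-separated fields):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_LOGS = """\
2 123456789012 eni-0aaa 203.0.113.45 10.0.1.25 51000 22 6 3 180 1705327395 1705327400 REJECT OK
2 123456789012 eni-0aaa 203.0.113.45 10.0.1.25 51001 23 6 3 180 1705327396 1705327400 REJECT OK
2 123456789012 eni-0aaa 203.0.113.45 10.0.1.25 51002 25 6 3 180 1705327397 1705327400 REJECT OK
2 123456789012 eni-0bbb 10.0.2.15 198.51.100.23 44321 443 6 900000 600000000 1705327500 1705330200 ACCEPT OK
2 123456789012 eni-0ccc 10.0.1.30 10.0.1.25 40000 445 6 10 2000 1705327600 1705327660 ACCEPT OK
2 123456789012 eni-0ccc - - - - - - - 1705327600 1705327660 - NODATA
"""
FIELDS = "version account interface src dst sport dport proto packets bytes start end action status".split()
NUMERIC = {"sport", "dport", "packets", "bytes"}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed "internal"
SENSITIVE_PORTS = {22, 3389, 445, 4444}     # Step 2, check 3
EXFIL_BYTES = 500 * 1024 * 1024             # Step 2, check 4: 500MB in a single flow
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def parse(text):
    """Parse default-format lines into dicts, keeping only records with log-status OK."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[-1] == "OK":   # drops NODATA/SKIPDATA rows
            flows.append({k: int(v) if k in NUMERIC else v for k, v in zip(FIELDS, parts)})
    return flows

def is_internal(ip):
    return any(ip_address(ip) in net for net in RFC1918)   # Step 2, check 5: RFC1918 only

def top_talkers(flows, key, n=5):      # Step 1: top-N values of a field by flow count
    return Counter(f[key] for f in flows).most_common(n)

def detect_anomalies(flows, scan_threshold=3):
    """Step 2 checks; returns (severity, src, dst, observation) tuples sorted by severity."""
    findings = [("Critical", f["src"], f["dst"], f"{f['bytes']} bytes outbound in one flow")
                for f in flows if is_internal(f["src"]) and not is_internal(f["dst"]) and f["bytes"] > EXFIL_BYTES]
    findings += [("Medium", f["src"], f["dst"], f"traffic on sensitive port {f['dport']}")
                 for f in flows if f["dport"] in SENSITIVE_PORTS and (is_internal(f["src"]) or is_internal(f["dst"]))]
    ports, rejects = defaultdict(set), Counter()
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])      # distinct ports per src->dst pair
        rejects[f["src"]] += f["action"] == "REJECT"     # bool adds 0 or 1
    for (src, dst), p in ports.items():                  # many distinct ports from one source = scan pattern
        if len(p) >= scan_threshold:
            findings.append(("High", src, dst, f"{len(p)} distinct ports probed: {sorted(p)}"))
    findings += [("Medium", src, "*", f"{n} REJECTed flows") for src, n in rejects.items() if n >= scan_threshold]
    return sorted(findings, key=lambda x: SEVERITY_ORDER[x[0]])
```

On the sample this yields one Critical (the 600,000,000-byte outbound flow from 10.0.2.15), one High (three distinct ports probed by 203.0.113.45) and three Medium findings; the NODATA row is discarded by the parser.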
Step 3: MITRE ATT&CK Mapping

Take the suspicious findings from Step 2 and map each one to the MITRE ATT&CK framework. For each finding provide:
- Technique Name
- Technique ID (e.g. T1046)
- Tactic Category (e.g. Discovery, Exfiltration, Lateral Movement)
- One sentence explaining why this finding maps to this technique
- Confidence level: High / Medium / Low

Format as a table with these columns: Finding | Technique Name | Technique ID | Tactic | Reasoning | Confidence

If a single finding maps to multiple techniques, list each one on a separate row. Only include mappings you are confident about based on the data provided. If no clear MITRE mapping exists, return "No confident mapping".
Step 4: Investigation Summary Report

Based on all previous steps, generate a structured SOC investigation report. Use this exact format:

EXECUTIVE SUMMARY
- What happened (2-3 sentences)
- Overall risk level: Critical / High / Medium / Low
- Number of suspicious findings

SUSPICIOUS FINDINGS
- List each finding with: severity, source, destination, what was observed

MITRE ATT&CK SUMMARY
- Table of all mapped techniques from Step 3

AFFECTED ASSETS
- List all internal IPs involved with their roles if identifiable

RECOMMENDED IMMEDIATE ACTIONS
- List 3-5 specific, actionable steps (not generic advice)
- Examples: "Block IP x.x.x.x at perimeter firewall", "Isolate host 10.0.1.5 from network"

FURTHER INVESTIGATION REQUIRED
- What additional log sources should be reviewed
- What questions remain unanswered

Risk Level: [Critical / High / Medium / Low]

Example Output

Here's what you can expect after completing this workflow:

EXECUTIVE SUMMARY
==================
Investigation of VPC flow logs for vpc-0a1b2c3d4e5f (Production Environment)
Analysis Period: 2024-01-15 14:00:00 to 2024-01-15 15:00:00 UTC
Total Flows Analyzed: 15,847
Suspicious Flows: 234 (1.5%)
Critical Findings: 3
High Priority Findings: 12
Overall Risk: HIGH - Potential port scanning and data exfiltration detected

DETAILED FINDINGS
==================
[CRITICAL-001] Port Scanning Activity Detected
Severity: CRITICAL
Source IP: 203.0.113.45 (External)
Target: 10.0.1.25 (Web Server)
Timeline: 14:23:15 - 14:24:08 UTC
Activity: 847 connection attempts to ports 20-1024
Result: 845 REJECTED, 2 ACCEPTED (ports 22, 443)
Threat Intel: IP flagged on AbuseIPDB (confidence: 94%), associated with automated scanning tools
Impact: Successful reconnaissance of open services
Recommendation: BLOCK source IP immediately, review security group rules

[HIGH-002] Unusual Data Transfer Volume
Severity: HIGH
Source: 10.0.2.15 (Database Server)
Destination: 198.51.100.23 (External - Singapore)
Protocol: TCP/443 (HTTPS)
Data Volume: 4.7 GB outbound over 45 minutes
Normal Baseline: 200 MB/hour
Threat Intel: Destination IP is clean but unusual for this server
Impact: Potential data exfiltration
Recommendation: Investigate database server for compromise, review authorized external connections

INDICATORS OF COMPROMISE
=========================
Malicious IPs:
- 203.0.113.45 (Port Scanner)
- 192.0.2.67 (Failed authentication attempts)
- 198.51.100.89 (C2 beacon pattern)
Suspicious Ports:
- 4444 (Common reverse shell port)
- 8443 (Non-standard HTTPS)

RECOMMENDED ACTIONS
===================
IMMEDIATE:
1. Block IPs: 203.0.113.45, 192.0.2.67, 198.51.100.89
2. Isolate host 10.0.2.15 for forensic analysis
3. Review security group sg-0a1b2c3d for over-permissive rules
INVESTIGATION:
1. Check CloudTrail logs for API calls from compromised hosts
2. Review application logs on 10.0.2.15 for unauthorized access
3. Analyze full packet captures if available
PREVENTIVE:
1. Implement VPC Flow Logs analysis automation
2. Configure GuardDuty for real-time threat detection
3. Update security groups to enforce principle of least privilege
4. Enable AWS Shield for DDoS protection
