Detection: High Packet Traffic
Overview
Detect high packet volume in VPC Flow Logs. High-volume data transfers that deviate from normal network traffic patterns could indicate potential data exfiltration attempts, unauthorized data transfers, or compromised cloud resources. Monitoring data transfer volumes helps identify suspicious activities such as lateral movement within your environment, the exploitation of cloud storage resources, or mass data downloads that may suggest credential compromise or insider threats.
This detection monitors only accepted traffic and alerts on flows with more than 10,000 packets.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_vpc_flow_log_detections.detection.high_packet_trafficSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_vpc_flow_log_detections.detection.high_packet_traffic --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,action as operation,interface_id as resource,src_addr as source_ip,src_port::varchar as source_port,dst_addr as destination_ip,dst_port::varchar as destination_port,case when protocol = 1 then 'ICMP (1)' when protocol = 6 then 'TCP (6)' when protocol = 17 then 'UDP (17)' else 'Other (' || protocol || ')'end as protocol,account_id,region,vpc_id,tp_id as source_id, -- Create new aliases to preserve original row dataprotocol as protocol_src,*exclude (account_id, protocol, region, vpc_id)
from aws_vpc_flow_logwhere packets > 10000 and action = 'ACCEPT'order by packets desc, tp_timestamp desc;