turbot/tailpipe-mod-aws-vpc-flow-log-detections

Detection: Large Data Transfer

Overview

Detect large data transfers in VPC Flow Logs. High-volume data transfers that deviate from normal network traffic patterns could indicate potential data exfiltration attempts, unauthorized data transfers, or compromised cloud resources. Monitoring data transfer volumes helps identify suspicious activities such as lateral movement within your environment, the exploitation of cloud storage resources, or mass data downloads that may suggest credential compromise or insider threats.

This detection considers only accepted traffic (action = ACCEPT) and alerts on any single flow record that transferred more than 500MB (500,000,000 bytes).

Usage

Run the detection in your terminal:

powerpipe detection run aws_vpc_flow_log_detections.detection.large_data_transfer

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_vpc_flow_log_detections.detection.large_data_transfer --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  action as operation,
  interface_id as resource,
  src_addr as source_ip,
  src_port :: varchar as source_port,
  dst_addr as destination_ip,
  dst_port :: varchar as destination_port,
  case
    when protocol = 1 then 'ICMP (1)'
    when protocol = 6 then 'TCP (6)'
    when protocol = 17 then 'UDP (17)'
    else 'Other (' || protocol || ')'
  end as protocol,
  account_id,
  region,
  vpc_id,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  protocol as protocol_src,
  * exclude (account_id, protocol, region, vpc_id)
from
  aws_vpc_flow_log
where
  bytes > 500000000 -- More than 500MB in a single flow record
  and action = 'ACCEPT'
order by
  bytes desc,
  tp_timestamp desc;
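The query above runs against the aws_vpc_flow_log table that Tailpipe builds; the following Python script is an added example (not part of this mod) that applies the same detection logic directly to raw VPC Flow Log records in the default log format, so the threshold, the ACCEPT filter and the protocol labelling can be tested offline. It assumes the default version-2 field order (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), uses the record's start time where the query uses tp_timestamp, and treats "-" fields from NODATA/SKIPDATA records as zero. It also goes one step beyond the per-record query: aggregate_by_conversation sums accepted bytes per source/destination/destination-port/protocol, which catches a transfer that AWS split across several capture windows even when no single record crosses 500MB. All log lines are constructed samples using documentation address ranges.

```python
"""Large Data Transfer detection applied to raw AWS VPC Flow Log lines.

Added example, independent of the Tailpipe mod: it mirrors the named
query's filter (action = 'ACCEPT' and bytes > 500000000) and its
protocol labelling, then adds a per-conversation aggregation.
"""
from collections import defaultdict
from dataclasses import dataclass

# Same threshold as the query: more than 500,000,000 bytes in one record.
LARGE_TRANSFER_BYTES = 500_000_000

# Field order of the default (version 2) VPC Flow Log format (assumption:
# the logs were created with the default format, not a custom one).
DEFAULT_FIELDS = (
    "version account_id interface_id src_addr dst_addr src_port dst_port "
    "protocol packets bytes start end action log_status"
).split()

# Constructed sample records (not real traffic). Addresses come from the
# documentation ranges; the NODATA line shows the '-' placeholder handling.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.7 49152 443 6 410000 612000000 1700000000 1700000600 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.9 49153 443 6 12 1500 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.15 3389 51000 6 800000 900000000 1700000100 1700000700 REJECT OK",
    "2 123456789012 eni-0e9f8d7c 10.0.2.8 203.0.113.7 53 53 17 300000 520000000 1700000200 1700000800 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.7 49160 443 6 250000 300000000 1700000900 1700001500 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.7 49161 443 6 250000 300000000 1700001500 1700002100 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000600 - NODATA",
]


@dataclass
class FlowRecord:
    account_id: str
    interface_id: str
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int
    protocol: int
    bytes: int
    start: int
    action: str


def _int(value: str) -> int:
    """NODATA/SKIPDATA records carry '-' in numeric fields; treat as 0."""
    return 0 if value == "-" else int(value)


def parse_line(line: str) -> FlowRecord:
    """Parse one default-format flow log line into a FlowRecord."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}")
    f = dict(zip(DEFAULT_FIELDS, parts))
    return FlowRecord(
        account_id=f["account_id"], interface_id=f["interface_id"],
        src_addr=f["src_addr"], dst_addr=f["dst_addr"],
        src_port=_int(f["src_port"]), dst_port=_int(f["dst_port"]),
        protocol=_int(f["protocol"]), bytes=_int(f["bytes"]),
        start=_int(f["start"]), action=f["action"],
    )


def protocol_label(proto: int) -> str:
    """Same labels as the query's CASE expression."""
    return {1: "ICMP (1)", 6: "TCP (6)", 17: "UDP (17)"}.get(proto, f"Other ({proto})")


def detect_large_transfers(lines, threshold=LARGE_TRANSFER_BYTES):
    """Per-record detection: accepted flows over the threshold, largest first,
    then newest first (the query's ORDER BY bytes desc, tp_timestamp desc)."""
    records = [parse_line(l) for l in lines if l.strip()]
    hits = [r for r in records if r.action == "ACCEPT" and r.bytes > threshold]
    hits.sort(key=lambda r: (-r.bytes, -r.start))
    return [
        {
            "timestamp": r.start, "operation": r.action, "resource": r.interface_id,
            "source_ip": r.src_addr, "source_port": str(r.src_port),
            "destination_ip": r.dst_addr, "destination_port": str(r.dst_port),
            "protocol": protocol_label(r.protocol), "bytes": r.bytes,
            "account_id": r.account_id,
        }
        for r in hits
    ]


def aggregate_by_conversation(lines, threshold=LARGE_TRANSFER_BYTES):
    """Extension beyond the query: sum accepted bytes per
    (src_addr, dst_addr, dst_port, protocol), ignoring the ephemeral source
    port, so a transfer split over several capture windows is still seen."""
    totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        if r.action == "ACCEPT":
            totals[(r.src_addr, r.dst_addr, r.dst_port, r.protocol)] += r.bytes
    return {key: total for key, total in totals.items() if total > threshold}


if __name__ == "__main__":
    for hit in detect_large_transfers(SAMPLE_LINES):
        print(hit)
    for key, total in aggregate_by_conversation(SAMPLE_LINES).items():
        print(key, total)
```

On the sample data the per-record check flags the 612MB TCP flow and the 520MB UDP flow, and ignores the 900MB flow because it was rejected. The aggregation additionally shows that the two 300MB records to 203.0.113.7:443, which the per-record rule never sees, belong to the same conversation as the 612MB record; when tuning the threshold or the capture window, that is the gap to keep in mind.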

Tags