turbot/tailpipe-mod-aws-vpc-flow-log-detections

Query: large_data_transfer

Usage

powerpipe query aws_vpc_flow_log_detections.query.large_data_transfer

Tailpipe Tables

SQL

select
  tp_timestamp as timestamp,
  action as operation,
  interface_id as resource,
  src_addr as source_ip,
  src_port::varchar as source_port,
  dst_addr as destination_ip,
  dst_port::varchar as destination_port,
  case
    when protocol = 1 then 'ICMP (1)'
    when protocol = 6 then 'TCP (6)'
    when protocol = 17 then 'UDP (17)'
    else 'Other (' || protocol || ')'
  end as protocol,
  account_id,
  region,
  vpc_id,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  protocol as protocol_src,
  *
  exclude (account_id, protocol, region, vpc_id)
from
  aws_vpc_flow_log
where
  bytes > 500000000 -- More than 500MB in a single flow
  and action = 'ACCEPT'
order by
  bytes desc,
  tp_timestamp desc;
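As an added example (not part of the mod), the same detection logic written in Python against raw default-format VPC flow log records, so the 500 MB threshold, the ACCEPT filter and the protocol labelling can be checked outside Tailpipe. The field order follows the default (version 2) flow log record format; mapping the record's start time to the query's tp_timestamp is an assumption, and the sample records are constructed.

```python
# Default-format (version 2) VPC flow log fields, in record order
FIELDS = ("version account_id interface_id src_addr dst_addr src_port dst_port "
          "protocol packets bytes start end action log_status").split()
LARGE_FLOW_BYTES = 500_000_000          # query threshold: > 500 MB in one flow
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def protocol_label(protocol: int) -> str:
    """Render the protocol the way the query's CASE expression does, e.g. 'TCP (6)'."""
    return f"{PROTOCOL_NAMES.get(protocol, 'Other')} ({protocol})"


def parse_record(line: str) -> dict:
    """Split one space-separated flow log record into named fields."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def large_data_transfers(lines):
    """Port of the query's WHERE / ORDER BY over raw flow log records."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] != "OK":      # NODATA/SKIPDATA rows carry '-' fields
            continue
        nbytes = int(rec["bytes"])
        if rec["action"] != "ACCEPT" or nbytes <= LARGE_FLOW_BYTES:
            continue
        findings.append({
            "timestamp": int(rec["start"]),   # assumed to correspond to tp_timestamp
            "resource": rec["interface_id"],
            "source_ip": rec["src_addr"],
            "destination_ip": rec["dst_addr"],
            "protocol": protocol_label(int(rec["protocol"])),
            "bytes": nbytes,
        })
    # order by bytes desc, then timestamp desc, as in the query
    findings.sort(key=lambda f: (-f["bytes"], -f["timestamp"]))
    return findings


# Constructed sample records (not real traffic); account and ENI ids are placeholders
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.10 49152 443 6 800000 750000000 1700000000 1700000600 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.10 49153 443 6 1000 64000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.7 198.51.100.20 53000 22 6 900000 900000000 1700000100 1700000700 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.9 203.0.113.10 40000 4500 17 700000 600000000 1700000200 1700000800 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000300 1700000900 - NODATA",
]

if __name__ == "__main__":
    print(large_data_transfers(SAMPLE_LOG))
```

Only the two accepted flows above the threshold are returned; the large REJECT flow and the NODATA record are dropped, matching the query's filter.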

Detections

The query is being used by the following detections: