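---
# Data-source definition for AWS VPC Flow Logs delivered through CloudWatch
# Logs (sourcetype aws:cloudwatchlogs:vpcflow).
# NOTE(review): the consuming schema (which keys are required, and whether
# `fields`/`output_fields` are checked against the add-on) is not visible
# here — confirm against the loader that reads this file.
name: AWS CloudWatchLogs VPCflow
id: 38a34fc4-e128-4478-a8f4-7835d51d5135
version: 2
author: Bhavin Patel, Splunk
# Quoted so a YAML 1.1 parser does not turn the value into a date object.
date: '2025-01-23'
# Folded block scalar: yields the same single-line string as the original
# wrapped plain scalar, but makes the line continuation explicit.
description: >-
  Logs an event when network traffic flow information such as source and
  destination IPs, ports, protocol, and action (allow/deny) is captured for VPC in
  AWS.
mitre_components:
  - Network Traffic Flow
  - Network Connection Creation
source: aws_cloudwatchlogs_vpcflow
sourcetype: aws:cloudwatchlogs:vpcflow
supported_TA:
  - name: Splunk Add-on for AWS
    # Quoted: a three-part version already parses as a string, but quoting
    # keeps it one if the value is ever shortened (e.g. 7.9 would become a float).
    version: '7.9.1'
    url: https://splunkbase.splunk.com/app/1876
# Fields the sourcetype is expected to expose once the add-on parses a record.
fields:
  - _raw
  - _time
  - account_id
  - action
  - app
  - aws_account_id
  - bytes
  - date_hour
  - date_mday
  - date_minute
  - date_month
  - date_second
  - date_wday
  - date_year
  - date_zone
  - dest
  - dest_ip
  - dest_port
  - duration
  - dvc
  - end_time
  - eventtype
  - host
  - index
  - interface_id
  - linecount
  - log_status
  - packets
  - protocol
  - protocol_code
  - protocol_full_name
  - protocol_version
  - punct
  - region
  - source
  - sourcetype
  - splunk_server
  - splunk_server_group
  - src
  - src_ip
  - src_port
  - start_time
  - tag
  - tag::action
  - tag::eventtype
  - timeendpos
  - timestartpos
  - transport
  - user_id
  - vendor_account
  - vendor_product
  - version
  - vpcflow_action
# Subset of `fields` carrying the network-connection tuple and the verdict.
output_fields:
  - action
  - src
  - src_ip
  - src_port
  - dest
  - dest_ip
  - dest_port
  - transport
# One raw record; the 14 space-separated tokens match the default VPC flow-log
# v2 layout (version, account-id, interface-id, srcaddr, dstaddr, srcport,
# dstport, protocol, packets, bytes, start, end, action, log-status).
# NOTE(review): confirm the account id and ENI id here are synthetic sample
# values, not identifiers from a live account.
example_log: >-
  2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2
  98 1697608042 1697608070 ACCEPT OK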