Skip to content
Product
Icon-Platform
Platform

Explore the core capabilities of the Cado Platform.

 Icon-Environments
Environments

Discover the broad support that the Cado platform offers.

 Icon-Integrations
Integrations

Learn how the Cado platform integrates into your broader ecosystem.
Solutions
Use Cases
Icon-Cross-Cloud Investigations
Cross Cloud Investigations

Respond to incidents identified in AWS, Azure, and GCP in a single pane of glass.

 Icon-Container-Investigations
Container & K8s Investigations

Perform container investigations in EKS, AKS, GKE, and Kubernetes.

 Icon-Endpoint-Triage
Endpoint Triage

Automate endpoint triage for immediate insights and quick escalation.

 Icon-BEC-Compromise
BEC Investigations

Analyze critical SaaS logs to investigate Business Email Compromise.

 Icon-Incident-Containment
Cloud Detection & Response (CDR)

Marry threat detection with forensic context to expedite response.

Icon-Incidident-Response Preparedness-II
Incident Response Preparedness

Continuously assess and optimize your incident response program.
Cado For
DFIR
SOC
MSSPs
Partners
Government
Resources
Icon-Report
All Resources

Explore Cado Security's entire content library.

 Icon-Blog
Blog

Timely commentary from the Cado Security team.

 Icon-Playbook
Playbooks

Best practices for investigating and responding to threats.

Icon-Cheat-Sheet
Cheat Sheets

Quick tips for investigating and responding to incidents.

 Icon-News
News

The latest Cado company announcements, press, and more.

 Icon-Community
Community

Access to our free edition of the Cado platform.

 Icon-documentation
Documentation

Technical documentation on how to best leverage the Cado platform.

 White Paper 80x80
Wiki

Everything you need to know about cloud security and cloud forensics.

Company
Icon-About
About

Learn more about the Cado Security mission, vision, and team.

 Icon-Careers
Careers

Check out current career opportunities at Cado Security.
Get a Demo
    Get a Demo
      curve design on left cloud image

      Decoding Logs in the Cloud: AWS VPC Flow Logs

      Written by: Calum Hall

      In our "Decoding Logs in the Cloud" series, we aim to demystify the various log types you encounter in cloud environments. In our previous installment, we explored AWS CloudTrail logs. In this post, we'll take a look into AWS VPC Flow Logs, a crucial component for network monitoring and security in your AWS infrastructure.

       

      Flow logs in VPC

      What are AWS VPC Flow Logs?

      AWS VPC (Virtual Private Cloud) Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. These logs are instrumental for:

      Network Monitoring: Tracking traffic flow to identify bottlenecks, unusual patterns, or potential security threats.

      Security Analysis: Detecting and investigating unauthorized access attempts or data exfiltration.

      Compliance: Maintaining records of network traffic for regulatory requirements.

       

      Importance of AWS VPC Flow Logs

      VPC Flow Logs are invaluable for:

      Troubleshooting: Identifying and resolving connectivity issues within your VPC.

      Security Forensics: Analyzing traffic to detect malicious activities.

      Performance Optimization: Understanding traffic patterns to optimize network performance.

       

      Structure of AWS VPC Flow Logs

      VPC Flow Logs are stored in a specified format that contains multiple fields. Each log entry represents a network flow and includes the following key fields:

      • version: The version of the flow log format.
      • account-id: The AWS account ID for the flow log.
      • interface-id: The ID of the network interface for which the log is generated.
      • srcaddr: The source IP address of the traffic.
      • dstaddr: The destination IP address of the traffic.
      • srcport: The source port of the traffic.
      • dstport: The destination port of the traffic.
      • protocol: The protocol number of the traffic (e.g., TCP, UDP).
      • packets: The number of packets transferred during the flow.
      • bytes: The number of bytes transferred during the flow.
      • start: The start time of the flow in Unix epoch time.
      • end: The end time of the flow in Unix epoch time.
      • action: The action taken (ACCEPT or REJECT).
      • log-status: The logging status (e.g., OK, NODATA, SKIPDATA).

       

      Example of an AWS VPC Flow Log Entry

      Here is an example of a VPC Flow Log entry for reference:

      2 123456789012 eni-abc123def456 10.0.0.1 10.0.0.2 12345 80 6 10 840 1620382227 1620382287 ACCEPT OK


       

      Analyzing AWS VPC Flow Logs

      To effectively utilize VPC Flow Logs, you can:

      1. Centralize Logging: Store logs in Amazon S3 or Amazon CloudWatch Logs for centralized access and analysis.
      2. Automate Analysis: Use AWS Lambda functions to automate the analysis and detection of anomalies in your VPC traffic.
      3. Visualize Traffic: Leverage tools like Kibana or Amazon QuickSight to visualize network traffic patterns and gain insights.

       

      The Cado Platform

      Cado Security empowers security teams to get to the bottom of what happened faster. With Cado, what used to take analysts days, now takes minutes. Automate data collection. Process data at cloud speed. Analyze with purpose. No confusion, no complexity.

      Collect From Anywhere: whether it's a multi-cloud, container-based, serverless, SaaS, or on-premises set up. Automatically capture hundreds of data sources across cloud-provider logs, disk, memory, and more. No agent required means zero impact to production systems.

      Cloud Native: Cado deploys natively within your cloud environment to ensure your unique data privacy requirements are met. You choose: to deploy in AWS, GovCloud, Azure, or GCP in minutes, decreasing time to investigation and eliminating egress costs.

      Powerful Analytics: Collected data is enriched using third-party and proprietary threat intelligence. Key incident details such as root cause, compromised roles and assets, and a complete timeline of events are automatically surfaced. 

       

      AWS VPC Flow Logs provide a detailed view of network traffic within your VPC, essential for maintaining network security, troubleshooting connectivity issues, and ensuring compliance. By understanding the structure and significance of these logs, you can enhance your cloud infrastructure's visibility and security posture.

      In the next blog of this series, we'll explore another type of cloud log and continue our journey into decoding logs in the cloud. 

      Tag(s): Cloud DFIR

      More from the blog

      View All Posts
      Cloud DFIR icon
      blog icon Cloud DFIR
      Decoding Logs in the Cloud: Azure Activity Logs
      August 14, 2024

      Continuing with our "Decoding Logs in the Cloud" series, we now turn our focus to Azure Activity Logs. In the previous...

      Continue Reading
      Cloud DFIR icon
      blog icon Cloud DFIR
      Decoding Logs in the Cloud: Azure NSG Flow Logs
      August 16, 2024

      In this ongoing series, "Decoding Logs in the Cloud," we've covered AWS CloudTrail, AWS VPC Flow Logs, and Azure Activity...

      Continue Reading
      Cloud DFIR icon
      blog icon Cloud DFIR
      Decoding Logs in the Cloud: AWS CloudTrail
      August 7, 2024

      As the digital world continues its move to the cloud, logs are crucial for monitoring, troubleshooting, and securing cloud...

      Continue Reading