A copy of my snippets for Amazon CloudWatch Logs Insights for VPC Flow Logs and whatnot
filter srcPort in [515,516,517,518] |
stats count(*) as records by dstAddr,srcPort |
sort records asc |
limit 50
This one shows you the number of unique hosts that have gone to ports 515, 516, etc. I use source port to analyze the 'source' IP addresses as opposed to the destinations. For some reason this gave me the results I was looking for.
filter dstPort in [514,515,516,517] and action = "ACCEPT"
Show me everything to these destination ports that was accepted, in raw record format. Change the action to "REJECT" to see what was rejected instead.
filter (srcPort > 1024 and srcAddr != "private-IP") |
stats count(*) as records by srcAddr,srcPort |
sort records desc |
limit 5
Show me vulnerability scanners: high (ephemeral) source ports from non-private source addresses. Some other interesting ones I found:
fields srcAddr,dstAddr,bytes
| filter interfaceId = "eni-<nat-eni-id>"
| stats sum(bytes)/1024/1024 as totalMBytes by srcAddr,dstAddr
| sort totalMBytes desc
Show me the top spenders (by total megabytes) on my NAT gateway, filtered by the gateway's ENI id.
filter (action="REJECT") |
stats count_distinct(dstPort) as portcount by srcAddr |
sort portcount desc |
limit 5
Show me the portscanners: the source addresses that were rejected on the largest number of distinct destination ports.
filter dstPort in [514,515,516,517,518,520] and action = "ACCEPT" and dstAddr in ['1.1.1.1'] |
stats count(*) as records by srcAddr |
sort records desc
Show me a particular host receiving traffic on these ports, grouped by who sent it (replace 1.1.1.1 with the host's address).
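As an added example (not part of the original snippets), here is the portscanner aggregation above re-implemented offline in Python over a few constructed default-format VPC Flow Log records, so the logic can be checked without a CloudWatch account. It assumes the default version 2 record field order; the account id, ENI id and addresses in the sample are made up.

```python
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic): 10.0.0.5 probes several ports
# on 172.31.16.21 and is rejected; 10.0.0.9 is ordinary accepted SSH.
SAMPLE_LOG = """\
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.0.5 172.31.16.21 44011 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.0.5 172.31.16.21 44012 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.0.5 172.31.16.21 44013 80 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.0.5 172.31.16.21 44014 443 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.0.5 172.31.16.21 44015 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.0.9 172.31.16.21 50122 22 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.0.7 172.31.16.21 51000 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_records(text):
    """Parse default-format flow log lines; skip malformed and NODATA/SKIPDATA records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no port/byte fields to parse on these records
        rec["srcport"] = int(rec["srcport"])
        rec["dstport"] = int(rec["dstport"])
        rec["bytes"] = int(rec["bytes"])
        yield rec

def reject_port_fanout(text, limit=5):
    """Same aggregation as the query: count_distinct(dstPort) by srcAddr over REJECT records."""
    ports = defaultdict(set)
    for rec in parse_records(text):
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    ranked = sorted(((src, len(p)) for src, p in ports.items()), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:limit]  # [(srcaddr, distinct rejected dst ports), ...] sorted desc

if __name__ == "__main__":
    for src, n in reject_port_fanout(SAMPLE_LOG):
        print(f"{src}\t{n}")
```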