AWS Security Academy · Lesson

Spotting Suspicious Traffic in Flow Logs

Find port scans and data exfiltration hidden in the records.

From Records to Threats

Reading individual records is the foundation; the real value is spotting patterns across many records that betray malicious activity. Attackers leave network footprints, and Flow Logs are where those footprints appear. This lesson covers the signatures security teams hunt for in the data.

Detecting Port Scans

A port scan shows up as one source address hitting many destination ports on a host in a short window, usually with many REJECT actions. This pattern reveals reconnaissance, where an attacker maps which services are open. Counting distinct destination ports per source is a reliable way to surface it.
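As an added example (not part of the original lesson or AWS's own tooling), the following Python script applies that counting rule to raw Flow Log lines in the default version 2 format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status). It groups records by source and destination address, slides a time window over each pair, and flags a pair when the number of distinct destination ports in one window and the share of REJECT actions both cross a threshold. The sample records, the thresholds (10 ports, 300 seconds, 50% rejects), the account id, the ENI id and the addresses are all constructed for the example.

```python
from collections import defaultdict

# Fields of a default-format VPC Flow Log record (version 2), in order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Ports probed in the constructed scan; every value below is made up for the example.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389]


def build_sample_log():
    """Constructed sample: one scanner probing 12 ports on a host within a minute,
    a benign client talking to port 443 repeatedly, and one NODATA record."""
    eni = "eni-0a1b2c3d4e5f6a7b8"
    lines = []
    for i, port in enumerate(SCAN_PORTS):
        action = "ACCEPT" if port == 443 else "REJECT"  # only 443 is open on the target
        start = 1700000000 + i * 5
        lines.append(f"2 123456789012 {eni} 203.0.113.9 10.0.1.5 {40000 + i} {port} 6 "
                     f"1 44 {start} {start + 10} {action} OK")
    for i in range(5):
        start = 1700000000 + i * 30
        lines.append(f"2 123456789012 {eni} 10.0.1.20 10.0.1.5 {50000 + i} 443 6 "
                     f"12 5400 {start} {start + 20} ACCEPT OK")
    lines.append(f"2 123456789012 {eni} - - - - - - - 1700000300 1700000360 - NODATA")
    return lines


def parse_record(line):
    """Parse one default-format record into a dict; return None for malformed
    lines and for NODATA/SKIPDATA records, which carry no addresses or ports."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    try:
        for key in ("srcport", "dstport", "start", "end"):
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec


def find_port_scans(lines, min_ports=10, window_seconds=300, min_reject_ratio=0.5):
    """Return one finding per (srcaddr, dstaddr) pair whose records, within some
    window of window_seconds, touch at least min_ports distinct destination ports
    with at least min_reject_ratio of them REJECTed. Thresholds are assumptions."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            flows[(rec["srcaddr"], rec["dstaddr"])].append(rec)

    findings = []
    for (src, dst), recs in flows.items():
        recs.sort(key=lambda r: r["start"])
        best = None
        left = 0
        # Sliding window over record start times; keep the widest-spread window per pair.
        for right in range(len(recs)):
            while recs[right]["start"] - recs[left]["start"] > window_seconds:
                left += 1
            window = recs[left:right + 1]
            ports = {r["dstport"] for r in window}
            rejects = sum(1 for r in window if r["action"] == "REJECT")
            ratio = rejects / len(window)
            if len(ports) >= min_ports and ratio >= min_reject_ratio:
                if best is None or len(ports) > best["distinct_ports"]:
                    best = {"srcaddr": src, "dstaddr": dst,
                            "distinct_ports": len(ports), "reject_count": rejects,
                            "reject_ratio": round(ratio, 2),
                            "window_start": window[0]["start"],
                            "window_end": window[-1]["start"]}
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in find_port_scans(build_sample_log()):
        print(finding)
```

The same grouping translates directly to an Athena or CloudWatch Logs Insights query (count distinct dstport per srcaddr, dstaddr over a time bucket); the Python version is kept self-contained so the logic can be checked on a handful of lines before it is pointed at a real log group. Tune the thresholds to the environment: a load balancer health check or a vulnerability scanner you operate yourself will trip the same rule and should be allow-listed by source address rather than by raising the port count.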
