Cloud & Infrastructure Practical By Samson Tanimawo, PhD Published Feb 5, 2026

VPC Flow Log Anomaly Detection

VPC flow logs reveal security events. Below are the detection patterns that surface the meaningful anomalies, the tools that run them, and what to do when they fire.

Patterns

Outbound traffic to external IPs not seen before. Could indicate a compromised host.

A sudden traffic spike between service pairs that do not normally talk to each other.

Failed connection attempts (REJECT records) at an unusual rate.
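The three patterns above, run over flow-log records, as an added example that is not part of the original post. It parses the default version-2 VPC flow log format and applies a new-external-destination check, a per-service-pair volume check against a baseline, and a REJECT-rate check. The sample log lines, the baseline, the VPC CIDR (10.0.0.0/16) and the thresholds are all constructed assumptions to be replaced with real values.

```python
"""Toy anomaly detection over AWS VPC flow logs (default v2 record format).

Added example, not code from the original post. The sample records, the
baseline, the assumed VPC CIDR and the thresholds are constructed.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Field order of the default (version 2) VPC flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Assumption: the VPC's address space. Anything outside it is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/16")]

# Constructed sample window: one host talks to a known external IP, a
# never-seen external IP, an unusual internal peer at high volume, and a
# second host generates a burst of REJECTs; one NODATA record is included.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 44210 443 6 20 3500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.77 44211 443 6 15 2800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51000 5432 6 9000 9000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.30 51001 8080 6 40 5000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.5.50 10.0.1.10 33000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.5.50 10.0.1.10 33001 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.5.50 10.0.1.10 33002 80 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.5.50 10.0.1.10 33003 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.5.50 10.0.1.10 33004 3306 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.5.50 10.0.1.10 33005 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.9.9 10.0.1.10 40000 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

# Constructed baseline, normally learned from historical flow logs.
KNOWN_EXTERNAL = {"203.0.113.5"}
BASELINE_BYTES = {  # (srcaddr, dstaddr, dstport) -> typical bytes per window
    ("10.0.1.10", "10.0.3.30", 8080): 5000,
    ("10.0.1.10", "203.0.113.5", 443): 3000,
}


def parse_flow_log(text):
    """Parse v2 records into dicts; drop NODATA/SKIPDATA lines (no flow data)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def detect_new_external(records, known_external):
    """Pattern 1: accepted outbound flows to external IPs not in the known set."""
    hits = set()
    for r in records:
        if (r["action"] == "ACCEPT" and is_internal(r["srcaddr"])
                and not is_internal(r["dstaddr"])
                and r["dstaddr"] not in known_external):
            hits.add((r["srcaddr"], r["dstaddr"]))
    return hits


def detect_pair_spikes(records, baseline_bytes, factor=10, new_pair_floor=1_000_000):
    """Pattern 2: bytes per service pair far above baseline, or a large
    volume on a pair with no baseline at all. Thresholds are tuning knobs."""
    totals = Counter()
    for r in records:
        if r["action"] == "ACCEPT":
            totals[(r["srcaddr"], r["dstaddr"], r["dstport"])] += r["bytes"]
    spikes = {}
    for pair, observed in totals.items():
        expected = baseline_bytes.get(pair)
        limit = new_pair_floor if expected is None else expected * factor
        if observed > limit:
            spikes[pair] = observed
    return spikes


def detect_reject_bursts(records, max_rejects=5):
    """Pattern 3: sources with more REJECT records than expected per window."""
    rejects = Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")
    return {src: n for src, n in rejects.items() if n > max_rejects}


def run(text=SAMPLE_LOG):
    records = parse_flow_log(text)
    return {
        "new_external": detect_new_external(records, KNOWN_EXTERNAL),
        "pair_spikes": detect_pair_spikes(records, BASELINE_BYTES),
        "reject_bursts": detect_reject_bursts(records),
    }


if __name__ == "__main__":
    for name, finding in run().items():
        print(f"{name}: {finding}")
```

The `factor`, `new_pair_floor` and `max_rejects` parameters are where false-positive tuning happens: each finding should be reviewed and the baseline extended (for example, adding a vetted destination to the known-external set) rather than silencing the rule.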

Tools

GuardDuty for AWS-native detection.

Custom: a SIEM ingesting flow logs with your own detection rules.

Act

Alert sec ops on confirmed patterns. Investigate within minutes.

False positives are real; tune the detection.