How to Analyze AWS VPC Flow Logs
What’s in a VPC Flow Log record
Each record captures srcaddr, dstaddr, srcport, dstport, protocol, the action (ACCEPT or REJECT), and packet/byte counts, with the exact field set depending on which flow log version (v2 through v5) you’ve enabled. There’s no payload — just the metadata of who talked to whom, which is exactly the right granularity for network-layer reconnaissance and lateral movement detection.
What to look at first
- `REJECT` concentration by source IP. A normal client generates almost entirely `ACCEPT`ed traffic. A scanner generates the inverse.
- Destination port breadth from a single source. Many distinct `dstport` values against one `dstaddr` in a short window is the core signature of port scanning.
- Internal-to-internal traffic that crosses a trust boundary it shouldn’t. This is how you catch lateral movement after an initial single-host compromise — the scan pivots from external-facing to internal-facing.
- The handful of `ACCEPT`ed records mixed into a `REJECT`-heavy burst. Those are the open ports the scanner found, and the ones worth checking first.
- `NODATA`/`SKIPDATA` records — these represent capacity constraints or AWS-internal traffic and should be filtered out before analysis, not treated as signal.
Common patterns and what they mean
| Pattern | Likely meaning |
|---|---|
| One source, many destination ports, mostly REJECT | Port scanning |
| Internal source scanning internal destinations | Lateral movement post-compromise |
| Sudden traffic to a new external IP from a sensitive instance | Possible C2 or exfiltration |
| ACCEPT on a port that shouldn’t be open | Security group misconfiguration found by the attacker first |
| High packet count, single long-lived connection | Possible data transfer, not just a scan |
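The checks above (REJECT ratio per source, destination port breadth, the ACCEPTed ports inside a REJECT burst, and dropping NODATA/SKIPDATA first) as an added, self-contained example; this is illustrative code, not LogTriage’s parser. It reads the field names from the header line that S3-delivered flow log files carry, so the same parser works across versions and custom formats; the log lines, account id and ENI id are constructed sample data, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample (not real traffic): a v2 default-format file, header first.
# 203.0.113.9 probes one host on six ports; 10.0.1.20 is a normal HTTPS client.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.2.15 51000 22 6 1 44 1700000000 1700000010 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.2.15 51001 23 6 1 44 1700000000 1700000010 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.2.15 51002 80 6 1 44 1700000001 1700000011 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.2.15 51003 443 6 1 44 1700000001 1700000011 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.2.15 51004 3306 6 1 44 1700000002 1700000012 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.2.15 51005 8080 6 1 44 1700000002 1700000012 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.15 40000 443 6 12 2400 1700000000 1700000030 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.15 40001 443 6 9 1800 1700000005 1700000035 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Header-driven parse: field names come from line 1, so custom field orders work.
    NODATA/SKIPDATA records are dropped here, before any scoring."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split()
    records = []
    for line in lines[1:]:
        rec = dict(zip(fields, line.split()))
        if rec.get("log-status") in ("NODATA", "SKIPDATA"):
            continue
        records.append(rec)
    return records


def scan_summary(records, min_ports=5, min_reject_ratio=0.5):
    """Per source IP: REJECT ratio, distinct (dstaddr, dstport) breadth, and the
    ACCEPTed pairs inside the burst. Thresholds are assumed, tune per environment."""
    stats = defaultdict(lambda: {"accept": 0, "reject": 0, "targets": set(), "open": set()})
    for r in records:
        s = stats[r["srcaddr"]]
        target = (r["dstaddr"], r["dstport"])
        s["targets"].add(target)
        if r["action"] == "REJECT":
            s["reject"] += 1
        else:
            s["accept"] += 1
            s["open"].add(target)  # an open port the scanner found: check these first
    findings = {}
    for src, s in stats.items():
        ratio = s["reject"] / (s["accept"] + s["reject"])
        if len(s["targets"]) >= min_ports and ratio >= min_reject_ratio:
            findings[src] = {"reject_ratio": ratio, "distinct_ports": len(s["targets"]),
                             "accepted": sorted(s["open"])}
    return findings
```

Running `scan_summary(parse_flow_log(SAMPLE_LOG))` flags only 203.0.113.9, with two accepted targets (ports 22 and 80) to review first; the normal client never crosses either threshold.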
Where manual log review breaks down
Flow logs are high-volume and low-context by nature — that’s the tradeoff for capturing everything. Spotting “this one IP touched 400 distinct ports in two minutes” among millions of otherwise-ordinary connection records is a pattern-matching problem, not a reading problem, and it doesn’t scale to manual review once you’re past a single small VPC.
LogTriage’s VPC Flow parser handles the dynamic header across flow log versions automatically, filters NODATA/SKIPDATA noise, and normalizes ACCEPT/REJECT into the same risk-scoring pipeline used for every other log format — so a scan shows up as a ranked finding, not a few hundred thousand individual lines.
See this detection run on a real report
Try the live demo with a pre-loaded malicious log set — no signup required — or upload your own log file and get a full AI-reviewed threat report in minutes.