VPC Flow

The `vpcflow` log type records data about the IP traffic flowing to and from the network interfaces within a virtual private cloud (VPC). This data is captured and stored using the VPC Flow Logs feature.

The following code snippet lists every mapping for this log type, giving each `raw_field` name alongside its `ecs` and `ocsf` field equivalents. Note that all ECS mappings fall under the `netflow.*` namespace except `start`, which maps to the top-level `timestamp` field (and to `time` in OCSF):

  1. "mappings": [
  2. {
  3. "raw_field":"version",
  4. "ecs":"netflow.version",
  5. "ocsf": "metadata.product.version"
  6. },
  7. {
  8. "raw_field":"account_id",
  9. "ecs":"netflow.account_id",
  10. "ocsf": "cloud.account_uid"
  11. },
  12. {
  13. "raw_field":"region",
  14. "ecs":"netflow.region",
  15. "ocsf": "cloud.region"
  16. },
  17. {
  18. "raw_field":"az_id",
  19. "ecs":"netflow.az_id",
  20. "ocsf": "cloud.zone"
  21. },
  22. {
  23. "raw_field":"srcport",
  24. "ecs":"netflow.srcport",
  25. "ocsf": "src_endpoint.port"
  26. },
  27. {
  28. "raw_field":"dstport",
  29. "ecs":"netflow.dstport",
  30. "ocsf": "dst_endpoint.port"
  31. },
  32. {
  33. "raw_field":"protocol",
  34. "ecs":"netflow.protocol",
  35. "ocsf": "connection_info.protocol_num"
  36. },
  37. {
  38. "raw_field":"packets",
  39. "ecs":"netflow.packets",
  40. "ocsf": "traffic.packets"
  41. },
  42. {
  43. "raw_field":"bytes",
  44. "ecs":"netflow.bytes",
  45. "ocsf": "traffic.bytes"
  46. },
  47. {
  48. "raw_field":"end",
  49. "ecs":"netflow.end",
  50. "ocsf": "end_time"
  51. },
  52. {
  53. "raw_field":"tcp_flags",
  54. "ecs":"netflow.tcp_flags",
  55. "ocsf": "connection_info.tcp_flags"
  56. },
  57. {
  58. "raw_field":"protocol_ver",
  59. "ecs":"netflow.protocol_ver",
  60. "ocsf": "connection_info.protocol_ver"
  61. },
  62. {
  63. "raw_field":"pkt_src_aws_service",
  64. "ecs":"netflow.pkt_src_aws_service",
  65. "ocsf": "src_endpoint.svc_name"
  66. },
  67. {
  68. "raw_field":"pkt_dst_aws_service",
  69. "ecs":"netflow.pkt_dst_aws_service",
  70. "ocsf": "dst_endpoint.svc_name"
  71. },
  72. {
  73. "raw_field":"log_status",
  74. "ecs":"netflow.log_status",
  75. "ocsf": "status_code"
  76. },
  77. {
  78. "raw_field":"action",
  79. "ecs":"netflow.action",
  80. "ocsf": "disposition_id"
  81. },
  82. {
  83. "raw_field":"traffic_path",
  84. "ecs":"netflow.traffic_path",
  85. "ocsf": "boundary_id"
  86. },
  87. {
  88. "raw_field":"flow_direction",
  89. "ecs":"netflow.flow_direction",
  90. "ocsf": "connection_info.direction_id"
  91. },
  92. {
  93. "raw_field":"dstaddr",
  94. "ecs":"netflow.dstaddr",
  95. "ocsf": "dst_endpoint.ip"
  96. },
  97. {
  98. "raw_field":"srcaddr",
  99. "ecs":"netflow.srcaddr",
  100. "ocsf": "src_endpoint.ip"
  101. },
  102. {
  103. "raw_field":"interface_id",
  104. "ecs":"netflow.interface_id",
  105. "ocsf": "dst_endpoint.interface_uid"
  106. },
  107. {
  108. "raw_field":"vpc_id",
  109. "ecs":"netflow.vpc_id",
  110. "ocsf": "dst_endpoint.vpc_uid"
  111. },
  112. {
  113. "raw_field":"instance_id",
  114. "ecs":"netflow.instance_id",
  115. "ocsf": "dst_endpoint.instance_uid"
  116. },
  117. {
  118. "raw_field":"subnet_id",
  119. "ecs":"netflow.subnet_id",
  120. "ocsf": "dst_endpoint.subnet_uid"
  121. },
  122. {
  123. "raw_field":"start",
  124. "ecs":"timestamp",
  125. "ocsf": "time"
  126. }
  127. ]