Hi, can anyone point me to some rules for detecting malicious or suspicious VPC flow log entries? I have a few rules like malicious IP scan, large data transfer, transfer from cloud to external IP over SSH, or too many entries for an IP over a small period of time. I was wondering if there is some repo or rule list I can use to flag suspicious or malicious VPC log entries.
Thanks
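A minimal worked version of three of the heuristics the post lists (SSH egress to an external IP, large transfer, many rejected probes from one IP in a short window), added here as an example and not taken from any existing rule repo. It assumes the AWS VPC flow log default (version 2) field order, a VPC CIDR of 10.0.0.0/16, constructed sample records and arbitrary thresholds:

```python
import ipaddress
from collections import defaultdict

# Field order of the AWS VPC flow log default (version 2) record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range
# Constructed sample records, not real traffic: 10.0.1.5 is an instance in the
# VPC; 203.0.113.9 and 198.51.100.7 are documentation-range "external" IPs.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.9 49152 22 6 5000 120000000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40000 22 6 1 40 1700000000 1700000001 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40001 23 6 1 40 1700000000 1700000001 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40002 3389 6 1 40 1700000001 1700000002 REJECT OK
"""
# Assumed thresholds; tune them against your own traffic baseline.
LARGE_BYTES = 100_000_000        # bytes in a single flow record
SCAN_DISTINCT_PORTS = 3          # distinct rejected dst ports from one source
SCAN_WINDOW_SECONDS = 60

def parse(text):
    """Parse records into dicts, casting numeric fields; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        row = dict(zip(FIELDS, parts))
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            row[k] = int(row[k])
        rows.append(row)
    return rows

def detect(rows):
    findings, rejects_by_src = [], defaultdict(list)
    for r in rows:
        src, dst = ipaddress.ip_address(r["srcaddr"]), ipaddress.ip_address(r["dstaddr"])
        # SSH accepted from inside the VPC out to an address outside it.
        if src in VPC_CIDR and dst not in VPC_CIDR and r["dstport"] == 22 and r["action"] == "ACCEPT":
            findings.append(("ssh_egress_to_external", r["srcaddr"], r["dstaddr"]))
        if r["bytes"] >= LARGE_BYTES:
            findings.append(("large_transfer", r["srcaddr"], r["dstaddr"]))
        if r["action"] == "REJECT" and src not in VPC_CIDR:
            rejects_by_src[r["srcaddr"]].append(r)
    # Rejected probes to several distinct ports from one outside source in a short window.
    for s, recs in rejects_by_src.items():
        span = max(x["end"] for x in recs) - min(x["start"] for x in recs)
        if len({x["dstport"] for x in recs}) >= SCAN_DISTINCT_PORTS and span <= SCAN_WINDOW_SECONDS:
            findings.append(("port_scan", s, recs[0]["dstaddr"]))
    return findings
```

Running `detect(parse(SAMPLE_LOG))` on the constructed records yields one finding per rule; in practice the thresholds and the VPC CIDR are the parts you would tune per account.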