
rishiagg/AWSVPCFlow


Welcome to the AWSVPCFlow Sentinel Use Cases repository! This GitHub project aims to provide a collection of useful security use cases leveraging the AWSVPCFlow table in Azure Sentinel, along with accompanying Sentinel queries written in KQL (Kusto Query Language).

The AWSVPCFlow table contains valuable network flow data from your AWS Virtual Private Cloud (VPC) environments. By utilizing this data, you can gain insights into network traffic, detect security threats, and monitor network activity within your AWS infrastructure.

In this repository, you will find a curated set of security use cases designed to help you identify and investigate various security scenarios using AWSVPCFlow data. Each use case is accompanied by a detailed explanation and a corresponding KQL query that can be directly used in Azure Sentinel.

The provided use cases cover a range of security scenarios, such as identifying suspicious connections, distinguishing internal from external IP addresses, analyzing traffic on specific protocols or ports, and more. They are designed to help security analysts and operations teams use AWSVPCFlow data effectively to improve their security monitoring.
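As an added illustration of the kind of query this collection gathers (this is not one of the repository's own queries), the following KQL flags an external source whose connections were rejected on many distinct ports of private-range hosts within the last hour, a pattern worth triaging as possible scanning. It assumes the AWSVPCFlow table carries the standard AWS flow-log fields SrcAddr, DstAddr, DstPort, Action and AccountId, and that Action holds the values ACCEPT/REJECT as AWS writes them.

```kql
// Added example, not part of the rishiagg/AWSVPCFlow repository.
// Assumes AWSVPCFlow exposes the AWS flow-log fields SrcAddr, DstAddr,
// DstPort, Action and AccountId under those names.
let lookback = 1h;        // analysis window
let minDistinctPorts = 20; // threshold for "many ports"; tune per environment
AWSVPCFlow
| where TimeGenerated > ago(lookback)
// rejected flows only: connections the security groups / NACLs dropped
| where Action == "REJECT"
// external (non-RFC 1918) source talking to private-range destinations
| where not(ipv4_is_private(SrcAddr)) and ipv4_is_private(DstAddr)
| summarize
    DistinctPorts = dcount(DstPort),   // how many different ports were probed
    Targets       = dcount(DstAddr),   // how many internal hosts were touched
    RejectedFlows = count(),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by SrcAddr, AccountId
| where DistinctPorts >= minDistinctPorts
| order by DistinctPorts desc, RejectedFlows desc
```

Lower the port threshold or extend the window when hunting for slow scans; pairing this with a list of known-scanner or vulnerability-management source ranges keeps authorized scanning out of the results.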

Whether you are new to Sentinel or an experienced user, this repository will serve as a valuable resource to expand your understanding of network security monitoring in AWS using Azure Sentinel and AWSVPCFlow data.

We encourage you to explore the use cases, try out the queries in your Sentinel environment, and customize them to suit your specific security requirements. Contributions to the repository are also welcome, as we aim to continuously enhance the collection of use cases and foster collaboration within the security community.

Get started now and leverage the power of AWSVPCFlow data in Azure Sentinel to strengthen your security posture and gain deeper insights into your AWS network traffic.

Happy querying and secure monitoring!

About

Azure Sentinel Security Use cases using AWSVPCFlow
