View traffic originating from the Internet & suspicious IPs to resource with Database role.
Find instances that are accessible over the internet using insecure ports.
Find hosts with Meltdown and Spectre vulnerabilities receiving network traffic.
Check for traffic categorized as malware of type DDoS, HackingTool, or Worm, originating from the Internet & suspicious IPs that are destined to your cloud assets that are not directly accessible over the internet.
Look for traffic from internet to any instance outside of Web servers, NAT Gateways or ELBs.
Look for source entities which are AWS ELBs with connections to more than 10 unique peer IP addresses, but those peer IPs are not endpoints that function as Databases.
Identify any instances with a private IP address (specified in the CIDR format) that are sending traffic to the internet.
You cannot include a public IP address in the CIDR format as a source or destination IP address. Also, do not include an IP address and an IP address in a CIDR format as a comma separated list.
View whether a list of specified IP addresses are sending traffic to the internet.
network from vpc.flow_record where cloud.account=account_name AND source.ip IN(126.96.36.199,10.0.8.0) AND dest.publicnetwork IN 'Internet IPs' AND bytes > 0