Using an Amazon VPC (Virtual Private Cloud), you can logically isolate some of your AWS assets from the rest of your cloud infrastructure. You can actually set up your own networks in the cloud. This is why, it is usually important to monitor changes to your VPCs.
If a VPC is created, the following alert will be shown on Kibana:
If a user without proper permissions attempts to create a VPC, the following alert will be shown on Kibana:
A VPC alert contains data such as dest and source IP address, dst and source port and how many bytes were sent:
These alerts can be easily analyzed using visualizations like the following one:
On that visualization you can look for peaks in your network, once you found a peak you can filter the alerts generated on that time and check which IPs were communicating. Since IP address is a field used in many AWS alerts, you’ll probably found other alerts and find out what happened.