turbot/tailpipe-mod-aws-vpc-flow-log-detections

Detection: Database Traffic

Overview

Detect database traffic in VPC Flow Logs. Database connections from unexpected or unauthorized sources could indicate potential unauthorized access attempts, data exfiltration, or lateral movement activities within your cloud environment. Monitoring database access patterns helps identify suspicious connections that bypass application tiers, originate from unusual locations, or occur during abnormal time periods, which may signal compromise of database resources.

This detection monitors only accepted traffic.

Monitored Ports:

  • AWS Aurora: 1150
  • Microsoft SQL Server: 1433, 1434
  • Oracle: 1521, 1522, 1526
  • MySQL/MariaDB: 3306, 3307
  • PostgreSQL: 5432, 5433
  • CouchDB: 5984
  • Redis/ElastiCache: 6379-6383
  • Cassandra/Keyspaces: 7000, 7001, 9042, 9160
  • ArangoDB: 8529
  • Memcached: 11211
  • MongoDB/DocumentDB: 27017-27019

Usage

Run the detection in your terminal:

powerpipe detection run aws_vpc_flow_log_detections.detection.database_traffic

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_vpc_flow_log_detections.detection.database_traffic --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  action as operation,
  interface_id as resource,
  src_addr as source_ip,
  src_port::varchar as source_port,
  dst_addr as destination_ip,
  dst_port::varchar as destination_port,
  case
    when protocol = 1 then 'ICMP (1)'
    when protocol = 6 then 'TCP (6)'
    when protocol = 17 then 'UDP (17)'
    else 'Other (' || protocol || ')'
  end as protocol,
  account_id,
  region,
  vpc_id,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  protocol as protocol_src,
  * exclude (account_id, protocol, region, vpc_id)
from
  aws_vpc_flow_log
where
  dst_port in (
    -- AWS Aurora
    1150,
    -- Microsoft SQL Server
    1433,
    1434,
    -- Oracle
    1521,
    1522,
    1526,
    -- MySQL/MariaDB
    3306,
    3307,
    -- PostgreSQL
    5432,
    5433,
    -- CouchDB
    5984,
    -- Redis/ElastiCache
    6379,
    6380,
    6381,
    6382,
    6383,
    -- Cassandra/Keyspaces
    7000,
    7001,
    9042,
    9160,
    -- ArangoDB
    8529,
    -- Memcached
    11211,
    -- MongoDB/DocumentDB
    27017,
    27018,
    27019
  )
  and action = 'ACCEPT'
order by
  tp_timestamp desc;
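The same filter applied outside Powerpipe, as an added example that is not part of this mod: a Python script that parses raw VPC Flow Log records in the default version 2 format and reports accepted flows to the monitored database ports, skipping NODATA/SKIPDATA records whose numeric fields are '-'. The sample records are constructed.

```python
# Added example (not part of the tailpipe mod): applies the detection's filter,
# a database destination port plus action = ACCEPT, to raw VPC Flow Log records
# in the default version 2 format. Sample records below are constructed.
# Same ports as the detection's dst_port IN (...) list.
DATABASE_PORTS = frozenset(
    [1150, 1433, 1434, 1521, 1522, 1526, 3306, 3307, 5432, 5433, 5984]
    + list(range(6379, 6384)) + [7000, 7001, 9042, 9160, 8529, 11211]
    + list(range(27017, 27020)))

# Default (version 2) flow log record fields, space separated.
FIELDS = ("version account_id interface_id src_addr dst_addr src_port dst_port "
          "protocol packets bytes start end action log_status").split()
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def protocol_label(number: int) -> str:
    """Mirror the query's CASE expression, e.g. 'TCP (6)' or 'Other (50)'."""
    return f"{PROTOCOL_NAMES.get(number, 'Other')} ({number})"

def detect_database_traffic(lines):
    """Return matching records as dicts shaped like the query's output columns."""
    findings = []
    for line in lines:
        parts = line.split()
        # Skip malformed lines and NODATA/SKIPDATA records (numeric fields are '-').
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["action"] != "ACCEPT" or int(rec["dst_port"]) not in DATABASE_PORTS:
            continue
        findings.append({  # destination_port stays a string, like dst_port::varchar
            "timestamp": int(rec["start"]), "operation": rec["action"],
            "resource": rec["interface_id"], "source_ip": rec["src_addr"],
            "destination_ip": rec["dst_addr"], "destination_port": rec["dst_port"],
            "protocol": protocol_label(int(rec["protocol"]))})
    # Newest first, like the query's ORDER BY tp_timestamp DESC.
    return sorted(findings, key=lambda f: f["timestamp"], reverse=True)

# Constructed records: PostgreSQL connect and its reply flow, rejected MySQL probe,
# accepted Redis connection, and a NODATA record.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49152 5432 6 12 2048 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.25 5432 49152 6 10 1500 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.2.40 51000 3306 6 1 60 1700000120 1700000180 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.3.7 10.0.2.41 52000 6380 6 5 400 1700000200 1700000260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000300 1700000360 - NODATA",
]

if __name__ == "__main__":
    for finding in detect_database_traffic(SAMPLE_LOG):
        print(finding)
```

Only the two accepted flows whose destination port is a database port are reported; the reply flow (destination port 49152), the rejected probe and the NODATA record are dropped, matching the query's behaviour.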
