Powerpipe MCP Server →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-aws-vpc-flow-log-detections
Overview
4Dashboards
6Benchmarks
18Queries
1Variables
GitHub

Detection: SSH Traffic

Overview

Detect SSH connections in VPC Flow Logs. SSH connections, while commonly used for legitimate administrative purposes, can also be leveraged for unauthorized access to resources, lateral movement within networks, or command and control activities by attackers. Monitoring SSH connections helps identify potentially suspicious remote access patterns, especially from unexpected sources, to sensitive resources or across security boundaries within your AWS environment.

This detection monitors only accepted traffic on port 22 (SSH).

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_vpc_flow_log_detections.detection.ssh_traffic

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_vpc_flow_log_detections.detection.ssh_traffic --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
interface_id as resource,
src_addr as source_ip,
src_port::varchar as source_port,
dst_addr as destination_ip,
dst_port::varchar as destination_port,
case
  when protocol = 1 then 'ICMP (1)'
  when protocol = 6 then 'TCP (6)'
  when protocol = 17 then 'UDP (17)'
  else 'Other (' || protocol || ')'
end as protocol,
account_id,
region,
vpc_id,
tp_id as source_id,
 -- Create new aliases to preserve original row data
protocol as protocol_src,
*
exclude (account_id, protocol, region, vpc_id)


from
  aws_vpc_flow_log
where
  dst_port = 22
order by
  tp_timestamp desc;

Tags

category = Detections
mitre_attack_ids = TA0008:T1021.004
plugin = aws
service = AWS/VPC