activity_dashboard_accepted_rejected_trafficactivity_dashboard_top_destination_ips_by_trafficactivity_dashboard_top_enis_by_trafficactivity_dashboard_top_source_destination_pairs_by_packetsactivity_dashboard_top_source_ips_by_rejected_trafficactivity_dashboard_top_source_ips_by_trafficactivity_dashboard_total_accepted_trafficactivity_dashboard_total_recordsactivity_dashboard_total_rejected_trafficactivity_dashboard_traffic_by_log_statusactivity_dashboard_traffic_by_protocolactivity_dashboard_traffic_by_regiondatabase_traffichigh_packet_trafficlarge_data_transferrdp_trafficssh_traffictraffic_with_unusual_protocols
Query: database_traffic
Usage
powerpipe query aws_vpc_flow_log_detections.query.database_trafficTailpipe Tables
SQL
select tp_timestamp as timestamp, action as operation, interface_id as resource, src_addr as source_ip, src_port :: varchar as source_port, dst_addr as destination_ip, dst_port :: varchar as destination_port, case when protocol = 1 then 'ICMP (1)' when protocol = 6 then 'TCP (6)' when protocol = 17 then 'UDP (17)' else 'Other (' || protocol || ')' end as protocol, account_id, region, vpc_id, tp_id as source_id, -- Create new aliases to preserve original row data protocol as protocol_src, * exclude (account_id, protocol, region, vpc_id)from aws_vpc_flow_logwhere dst_port in ( -- AWS Aurora 1150, -- Microsoft SQL Server 1433, 1434, -- Oracle 1521, 1522, 1526, -- MySQL/MariaDB 3306, 3307, -- PostgreSQL 5432, 5433, -- CouchDB 5984, -- Redis/ElastiCache 6379, 6380, 6381, 6382, 6383, -- Cassandra/Keyspaces 7000, 7001, 9042, 9160, -- Caching/Key-Value Stores -- ArangoDB 8529, -- Memcached 11211, -- MongoDB/DocumentDB 27017, 27018, 27019, ) and action = 'ACCEPT'order by tp_timestamp desc;Detections
The query is being used by the following detections: