turbot/tailpipe-mod-aws-vpc-flow-log-detections

Query: ssh_traffic

Usage

powerpipe query aws_vpc_flow_log_detections.query.ssh_traffic

Tailpipe Tables

aws_vpc_flow_log

SQL

select
  tp_timestamp as timestamp,
  action as operation,
  interface_id as resource,
  src_addr as source_ip,
  src_port :: varchar as source_port,
  dst_addr as destination_ip,
  dst_port :: varchar as destination_port,
  case
    when protocol = 1 then 'ICMP (1)'
    when protocol = 6 then 'TCP (6)'
    when protocol = 17 then 'UDP (17)'
    else 'Other (' || protocol || ')'
  end as protocol,
  account_id,
  region,
  vpc_id,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  protocol as protocol_src,
  * exclude (account_id, protocol, region, vpc_id)
from
  aws_vpc_flow_log
where
  dst_port = 22
order by
  tp_timestamp desc;
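As an added example that is not part of the mod, the companion query below rolls up the accepted TCP/22 flows the query above returns by source address, so hits can be triaged by who reached SSH, how often and where. It assumes the same aws_vpc_flow_log table and the DuckDB dialect Tailpipe uses; the RFC 1918 exclusion is an assumption to adapt to your own address plan.

```sql
-- Added example (not the mod's own query): triage view over SSH flow hits.
-- Assumes aws_vpc_flow_log with the columns used above and DuckDB syntax.
select
  src_addr as source_ip,
  account_id,
  region,
  vpc_id,
  count(*) as accepted_ssh_flows,
  count(distinct dst_addr) as distinct_destinations,
  count(distinct interface_id) as distinct_interfaces,
  min(tp_timestamp) as first_seen,
  max(tp_timestamp) as last_seen
from
  aws_vpc_flow_log
where
  dst_port = 22
  and protocol = 6          -- TCP only; UDP/22 and ICMP are noise here
  and action = 'ACCEPT'     -- rejected attempts are a separate question
  -- Assumption: drop RFC 1918 sources so only externally sourced SSH remains
  and not (
    src_addr like '10.%'
    or src_addr like '192.168.%'
    or regexp_matches(src_addr, '^172\.(1[6-9]|2[0-9]|3[01])\.')
  )
group by
  src_addr, account_id, region, vpc_id
having
  count(*) >= 5             -- assumption: ignore one-off probes; tune to taste
order by
  accepted_ssh_flows desc, last_seen desc;
```

A source that appears here with many distinct destinations or interfaces is worth a closer look than a single long-lived session to one bastion host.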

Detections

The query is being used by the following detections: