
Is there a query to show SSH attempts from a Windows workstation to an internal core switch/IP?

Hello,

I am scratching my head trying to identify an SSH attempt from one of our workstations to our CORE switch. I'm wondering if it has a specific job/task that is running, or what? So I'm reaching out to see if you guys have a query to identify this SSH attempt from a Windows machine, not a Linux one.

 

This is what I see in my logs:

DevIP=192.168.X.X; Authentication failed for user root from 172.16.X.X port 52270 because of invalid username or wrong password.

DevIP=192.168.X.X; SSH user root (IP: 172.16.X.X) disconnected from the server.



  •   REVIEWED by Sophos 

    So this would only return results where a Sophos protected client initiated the communication.

    And rather than just hard coding this to SSH, I've added two variables:

    ProtectedHost = the device that you want to see who is talking to.

    ProtectedPort = the port that you expect inbound requests to be serviced on, e.g. SSH is port 22 on your device.

    I've made the default time review period 5 days. It not only returns the devices that initiated communication but will also return the Sophos PID, which we could JOIN with another table and get the image name of that process, which would be the application that spawned the traffic.

    Hope this helps.

     

    EDIT: couldn't resist, added the join to include the Image path and Sophos Application Control (AppID) fields.

    SELECT
    sophos_network_journal.startTime as 'Network Event Time',
    sophos_network_journal.sophosPID as 'Sophos PID',
    sophos_network_journal.source as 'Origin IP',
    sophos_network_journal.sourcePort as 'S.Port',
    sophos_network_journal.destination as 'Remote IP',
    sophos_network_journal.destinationPort as 'D.Port',
    sophos_process_properties.pathname as 'Path',
    sophos_process_properties.appId as 'App ID'

    FROM sophos_network_journal
    LEFT JOIN sophos_process_properties
    ON sophos_process_properties.SophosPID = sophos_network_journal.SophosPID

    WHERE sophos_network_journal.destination = '$$ProtectedHost$$' AND sophos_network_journal.destinationPort = '$$ProtectedPort$$'
    AND time > STRFTIME('%s','NOW','-5 days')

    ==

    When in doubt, Script it out.
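The query above answers the endpoint side of the question (which process on the workstation opened a flow to the switch on port 22), while the switch log lines in the question give the other side (which username failed, from which source IP and ephemeral source port). The following is an added example, not code from this thread or from Sophos: it parses the switch-side syslog lines, then joins them to rows shaped like the query's output on the full 4-tuple (source IP, source port, destination IP, destination port), so each failed login is tied back to the image path and App ID that produced it. All IPs, PIDs, paths and App IDs are constructed for the example, and it assumes the switch services SSH on the default port 22.

```python
import re

# Constructed sample of the switch-side syslog lines quoted in the question; the
# addresses are placeholders, not values from the original post.
SWITCH_LOG = """\
DevIP=192.168.10.1; Authentication failed for user root from 172.16.5.20 port 52270 because of invalid username or wrong password.
DevIP=192.168.10.1; SSH user root (IP: 172.16.5.20) disconnected from the server.
DevIP=192.168.10.1; Authentication failed for user admin from 172.16.5.21 port 49912 because of invalid username or wrong password.
"""

# Constructed rows shaped like the output of the Live Discover query in the answer
# (keys are the query's column aliases); every value here is invented.
JOURNAL_ROWS = [
    {"Network Event Time": 1700000000, "Sophos PID": 4242, "Origin IP": "172.16.5.20",
     "S.Port": 52270, "Remote IP": "192.168.10.1", "D.Port": 22,
     "Path": r"C:\Program Files\ExampleBackup\sshclient.exe", "App ID": "example-backup"},
    {"Network Event Time": 1700000300, "Sophos PID": 5151, "Origin IP": "172.16.5.21",
     "S.Port": 49913, "Remote IP": "192.168.10.1", "D.Port": 22,
     "Path": r"C:\Windows\System32\OpenSSH\ssh.exe", "App ID": "openssh"},
]

# Matches the "Authentication failed" line format shown in the question.
AUTH_FAIL = re.compile(
    r"DevIP=(?P<device>[\d.]+); Authentication failed for user (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<sport>\d+)"
)

SSH_PORT = 22  # assumption: the core switch listens for SSH on the default port


def parse_auth_failures(log_text):
    """Extract device, username, source IP and source port from each failed-login line."""
    failures = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            failures.append(rec)
    return failures


def correlate(failures, journal_rows, dport=SSH_PORT):
    """Join each switch-side failure to the endpoint flow with the same 4-tuple.

    The ephemeral source port is what makes the match unambiguous: two logins
    from the same workstation seconds apart still get distinct source ports.
    """
    by_tuple = {
        (r["Origin IP"], r["S.Port"], r["Remote IP"], r["D.Port"]): r for r in journal_rows
    }
    results = []
    for f in failures:
        row = by_tuple.get((f["src"], f["sport"], f["device"], dport))
        results.append({
            "device": f["device"], "user": f["user"], "src": f["src"], "sport": f["sport"],
            "path": row["Path"] if row else None,
            "app_id": row["App ID"] if row else None,
        })
    return results


def unexplained(results):
    """Failures with no endpoint-side flow: the source is not a Sophos-protected
    host, the journal has a gap, or the record has rotated. These need a closer look."""
    return [r for r in results if r["path"] is None]


if __name__ == "__main__":
    matched = correlate(parse_auth_failures(SWITCH_LOG), JOURNAL_ROWS)
    for r in matched:
        print(f"{r['src']}:{r['sport']} -> {r['device']} as {r['user']}: "
              f"{r['path'] or 'no matching flow'}")
```

In the sample the first failure resolves to a backup client's SSH binary (the kind of scheduled job the question suspects), while the second has no matching journal row because the source port differs, which is exactly the case to chase: a host that is not running the endpoint agent, or a time window outside the query's 5-day review period.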

