Rules Contributing to Suspicious AWS RDS Event
The following rules identify suspicious activity related to AWS RDS events. Any one or more of them will trigger the Suspicious AWS RDS Event alert. Each row gives the rule's query (a Sigma-style set of selections combined by a condition), its log source, its origin and its severity.
| Title | Description | Query | Log Source | Rule Source | Severity |
|---|---|---|---|---|---|
| Restore Public AWS RDS Instance | Detects the restoration of a new publicly accessible database instance from a snapshot. It may be part of data exfiltration. | `{'selection_source': {'eventSource': 'rds.amazonaws.com', 'responseElements_publiclyAccessible': True, 'eventName': 'RestoreDBInstanceFromDBSnapshot'}, 'condition': 'selection_source'}` | Stellar Cyber AWS configured for: | SigmaHQ, c3f265c7-ff03-4056-8ab2-d486227b4599 (author: faloker) | 75 |
| AWS RDS Master Password Change | Detects a change of the database master password. It may be part of data exfiltration. | `{'selection_source': {'eventSource': 'rds.amazonaws.com', 'responseElements_pendingModifiedValues_masterUserPassword\|contains': '*', 'eventName': 'ModifyDBInstance'}, 'condition': 'selection_source'}` | Stellar Cyber AWS configured for: | SigmaHQ, 8a63cdd4-6207-414a-85bc-7e032bd3c1a2 (author: faloker) | 50 |
| AWS RDS Snapshot Export | Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. | `{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': 'StartExportTask'}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured | Developed internally by Stellar Cyber | 25 |
| AWS RDS Cluster Creation | Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or of a global database spread across multiple regions. | `{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': ['CreateDBCluster', 'CreateGlobalCluster']}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured | Developed internally by Stellar Cyber | 25 |
| AWS RDS Snapshot Restored | Identifies an attempt to restore an RDS snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or to evade detection after performing malicious activities. If the snapshot's permissions were modified, verify whether it was shared with an unauthorized or unexpected AWS account. | `{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': 'RestoreDBInstanceFromDBSnapshot', 'responseElements_publiclyAccessible': False}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured | Developed internally by Stellar Cyber | 50 |
| AWS RDS Instance/Cluster Stoppage | Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. | `{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': ['StopDBCluster', 'StopDBInstance']}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured | Developed internally by Stellar Cyber | 50 |
| AWS Deletion of RDS Instance or Cluster | Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. | `{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': ['DeleteDBCluster', 'DeleteGlobalCluster', 'DeleteDBInstance']}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured | Developed internally by Stellar Cyber | 50 |
| AWS RDS Security Group Deletion | Identifies the deletion of an Amazon Relational Database Service (RDS) security group. | `{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': 'DeleteDBSecurityGroup'}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured | Developed internally by Stellar Cyber | 25 |
| AWS RDS Instance Creation | Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. | `{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': 'CreateDBInstance'}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured | Developed internally by Stellar Cyber | 25 |
| AWS RDS Snapshot Created | A copy (snapshot) of an AWS RDS database has been created. | `{'selection1': {'eventSource': 'rds.amazonaws.com'}, 'selection2': {'eventName': 'CreateDBSnapshot'}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured | Developed internally by Stellar Cyber | 50 |
| AWS RDS Security Group Modified | An RDS security group has been modified. Changes made through CloudFormation (user agent `cloudformation.amazonaws.com`) are excluded. | `{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': 'AuthorizeDBSecurityGroupIngress'}, 'selection3': {'eventName': 'RevokeDBSecurityGroupIngress'}, 'selection4': {'eventName': 'AuthorizeDBSecurityGroupEgress'}, 'selection5': {'eventName': 'RevokeDBSecurityGroupEgress'}, 'selection6': {'userAgent': 'cloudformation.amazonaws.com'}, 'condition': 'selection1 and (selection2 or selection3 or selection4 or selection5) and not selection6'}` | Stellar Cyber AWS configured | Developed internally by Stellar Cyber | 50 |
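As an added example (not Stellar Cyber's or SigmaHQ's code), the following Python evaluates queries written in the table's selection/condition form against constructed CloudTrail-style events. It assumes that nested CloudTrail fields are flattened into underscore-joined keys (so `responseElements.pendingModifiedValues.masterUserPassword` becomes the key used by the master-password rule) and that `|contains: '*'` means "the field is present"; the security-group query is trimmed to a single ingress selection to fit.

```python
import ast

def flatten(obj, prefix=""):
    # Nested CloudTrail JSON -> the underscore-joined keys the queries above use (assumed mapping).
    out = {}
    for key, value in obj.items():
        name = f"{prefix}_{key}" if prefix else key
        out.update(flatten(value, name) if isinstance(value, dict) else {name: value})
    return out

def field_matches(event, field, expected):
    # A list of expected values means "any of"; '|contains' with '*' means "field present".
    name, _, modifier = field.partition("|")
    actual = event.get(name)
    wanted = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return actual is not None and any(v == "*" or str(v) in str(actual) for v in wanted)
    return actual in wanted

def eval_condition(condition, results):
    # Walk the parsed condition ('a and (b or c) and not d') instead of calling eval().
    def walk(node):
        if isinstance(node, ast.BoolOp):
            return (all if isinstance(node.op, ast.And) else any)(walk(v) for v in node.values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name):
            return results[node.id]
        raise ValueError(f"unsupported condition syntax: {ast.dump(node)}")
    return walk(ast.parse(condition, mode="eval").body)

def rule_matches(query, raw_event):
    event = flatten(raw_event)
    results = {name: all(field_matches(event, f, v) for f, v in sel.items())
               for name, sel in query.items() if name != "condition"}
    return eval_condition(query["condition"], results)

# Queries from the table (security-group rule trimmed to one ingress selection) and constructed events.
MASTER_PASSWORD = {'selection_source': {'eventSource': 'rds.amazonaws.com',
                   'responseElements_pendingModifiedValues_masterUserPassword|contains': '*',
                   'eventName': 'ModifyDBInstance'}, 'condition': 'selection_source'}
SG_MODIFIED = {'selection1': {'eventSource': 'ec2.amazonaws.com'},
               'selection2': {'eventName': 'AuthorizeDBSecurityGroupIngress'},
               'selection6': {'userAgent': 'cloudformation.amazonaws.com'},
               'condition': 'selection1 and selection2 and not selection6'}
PASSWORD_EVENT = {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
                  "responseElements": {"pendingModifiedValues": {"masterUserPassword": "****"}}}
CFN_SG_EVENT = {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeDBSecurityGroupIngress",
                "userAgent": "cloudformation.amazonaws.com"}
```

`rule_matches(MASTER_PASSWORD, PASSWORD_EVENT)` fires, while `rule_matches(SG_MODIFIED, CFN_SG_EVENT)` stays quiet because the `not selection6` clause suppresses CloudFormation-driven changes.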