Modification or Deletion of an AWS RDS Cluster
Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
Log Source
Product: aws
Service: cloudtrail
Detection Logic
detection:
    selection:
        eventSource: rds.amazonaws.com
        eventName:
            - ModifyDBCluster
            - DeleteDBCluster
    condition: selection
False Positives
Verify if the modification or deletion was performed by an authorized administrator.
Confirm if the modification or deletion was part of a planned change or maintenance activity.
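The selection above, applied to CloudTrail records, as an added example that is not part of the rule page or the Sigma project: it evaluates the rule's field matching (all fields AND-ed, a list matching any value) over constructed sample events and pulls out the principal, cluster and source address an analyst needs for the False Positives checks. Field names such as dBClusterIdentifier follow CloudTrail's request-parameter casing; the sample records are constructed, not real logs.

```python
# Added example: applies the rule's `selection` block to CloudTrail records.
# All fields must match (Sigma AND); a list-valued field matches any value.
SELECTION = {
    "eventSource": "rds.amazonaws.com",
    "eventName": ["ModifyDBCluster", "DeleteDBCluster"],
}

def matches(event):
    """Return True when the CloudTrail record satisfies the selection."""
    for field, expected in SELECTION.items():
        allowed = expected if isinstance(expected, list) else [expected]
        if event.get(field) not in allowed:
            return False
    return True

def triage_context(event):
    """Fields an analyst needs for the False Positives checks above:
    who acted, on which cluster, and from where."""
    ident = event.get("userIdentity") or {}
    params = event.get("requestParameters") or {}
    return {
        "eventName": event.get("eventName"),
        "principal": ident.get("arn"),
        "cluster": params.get("dBClusterIdentifier"),
        "sourceIP": event.get("sourceIPAddress"),
    }

def scan(records):
    """Apply the rule to each record; return triage context for hits."""
    return [triage_context(e) for e in records if matches(e)]

# Constructed sample CloudTrail records (not real log data).
SAMPLE_EVENTS = [
    {"eventSource": "rds.amazonaws.com", "eventName": "DeleteDBCluster",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"dBClusterIdentifier": "prod-aurora", "skipFinalSnapshot": True}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBCluster",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "requestParameters": {"dBClusterIdentifier": "prod-aurora", "deletionProtection": False}},
    # Read-only RDS call: eventName is not in the list, so it must not fire.
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBClusters",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"}},
    # Same API name under another eventSource: the field AND must reject it.
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyDBCluster",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"}},
]
```

Running scan(SAMPLE_EVENTS) returns two hits, one per write operation on prod-aurora, each carrying the principal to check against the authorized-administrator and planned-change questions above.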
MITRE ATT&CK
Tactics: Exfiltration (attack.exfiltration)
Techniques: T1020 Automated Exfiltration (attack.t1020)
Rule Metadata
Rule ID
457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c
Status
experimental
Level
high
Type
Detection
Created
Fri Dec 06
Author
Path
rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml
Raw Tags
attack.exfiltration, attack.t1020