From 8b3d4f66910d9eb4c8209c2da2d10532ea4e3567 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Sun, 10 Apr 2022 15:33:33 -0400
Subject: [PATCH] [Rule Tuning] AWS RDS Instance/Cluster Deletion (#1916)
* add RDS instance deletion to aws rule I've added to this rule to improve coverage. Currently we detect creation and stopping of RDS clusters and instances. But, we only detect for the deletion of clusters, not instances. This adds the deletion of RDS instances to the detection.
* Update rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
Co-authored-by: Justin Ibarra
Co-authored-by: Justin Ibarra
(cherry picked from commit 9640ecb3fe060f43db12ae702bd2754f928c47ce)
---
 ... impact_rds_instance_cluster_deletion.toml} | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
 rename rules/integrations/aws/{impact_rds_cluster_deletion.toml => impact_rds_instance_cluster_deletion.toml} (69%)
diff --git a/rules/integrations/aws/impact_rds_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
similarity index 69%
rename from rules/integrations/aws/impact_rds_cluster_deletion.toml
rename to rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index 840fa8b91..f5b692029 100644
--- a/rules/integrations/aws/impact_rds_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -1,19 +1,19 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/04/07"
 integration = "aws"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database
-cluster.
+Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database
+cluster, or database instance.
 """
 false_positives = [
 """
- Clusters may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname
- should be making changes in your environment. Cluster deletions by unfamiliar users or hosts should be
+ Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname
+ should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts should be
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
@@ -22,7 +22,7 @@
 index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS RDS Cluster Deletion"
+name = "AWS Deletion of RDS Instance or Cluster"
 note = """## Config
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
@@ -31,6 +31,9 @@ references = [
 "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html",
 "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html",
+ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html",
+ "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html"
+
 ]
 risk_score = 47
 rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
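Review bot: The rewritten `description` lines let "Aurora" qualify the database instance as well, but the DeleteDBInstance action the query now matches is the generic RDS instance deletion call rather than an Aurora-only one (see the API_DeleteDBInstance reference this commit adds), so the text understates what the rule fires on. Suggest `Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database` / `cluster, or of any RDS database instance.` Separately, the two rewritten `false_positives` lines run to roughly 125 characters while the unchanged `investigated.` line and the description lines wrap near 115; re-wrapping them (for example moving `hostname` and `should be` to the following lines) keeps the block consistent with the rest of the file.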
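Review bot: The added `references` entries break the style of the three existing ones: the final URL drops the trailing comma every other element carries, and an empty line is introduced between it and the closing `]`. Suggest `"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html",` followed directly by `]`. Keeping a trailing comma on every element also means the next reference added is a one-line diff.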
@@ -40,7 +43,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)
+and event.outcome:success
 '''
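Review bot: The widened `event.action` clause alerts on every successful DeleteDBInstance at the same `risk_score` as a cluster deletion, but the rule gives the analyst no cue that the irreversible case is a deletion that skips the final snapshot: the API_DeleteDBInstance reference added in this commit documents the SkipFinalSnapshot and DeleteAutomatedBackups request parameters, and an instance deleted with a final snapshot is recoverable while one deleted without it is not. The `note` field (outside this hunk) is the natural place for that guidance, e.g. a `## Triage` paragraph reading "For DeleteDBInstance and DeleteDBCluster events, inspect the CloudTrail request parameters for SkipFinalSnapshot=true and DeleteAutomatedBackups=true; those deletions remove the last recovery point and should be triaged as possible destructive or ransomware activity rather than routine decommissioning." If the integration maps request parameters to a queryable field, a follow-up rule or a higher-severity variant scoped to that subset would be worth considering, but that is beyond this tuning.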