[Rule Deprecations] AWS RDS Lifecycle Rules and Outdated APIs (#5350)

#### Deprecate RDS DB Instance/Cluster lifecycle detections

`CreateDBInstance`, `CreateDBCluster`, `StopDBInstance`, `StopDBCluster`: these events occur frequently in normal workflows and do not reflect known attacker techniques. They are simply RDS lifecycle operations, with no real impact from an attacker-target perspective. These actions don't have a meaningful benefit for an attacker or cause a meaningful impact for a target. Threat activity around RDS is typically centered around snapshot sharing, export, and public exposure, which is already covered by other rules. There is also a theoretical case to be made for detecting destructive actions against RDS resources like `instance|cluster|snapshot Deletion`, but this is covered by other rules. Removing these creation and stoppage rules reduces noise and keeps the AWS ruleset more aligned with real threat surfaces rather than infrastructure management.

#### Deprecate Outdated DBSecurityGroup API rules

`CreateDBSecurityGroup` and `DeleteDBSecurityGroup` were only used by RDS deployments on EC2-Classic, which AWS has fully retired. Modern RDS uses VPC Security Groups, making these APIs obsolete. These rules can no longer trigger and provide no threat-detection value.
Network-permission manipulation is fully covered by our existing VPC Security Group rule - "AWS EC2 Security Group Configuration Change".
Isai
2025-11-24 10:14:48 -05:00
committed by GitHub
parent 497642d528
commit d6ed1cd811
5 changed files with 27 additions and 17 deletions
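Before disabling rules on the strength of "these APIs can no longer trigger", a practitioner will want to confirm that against their own CloudTrail history. The script below is an added example, not code from this commit or from the Elastic detection-rules repository: it walks a CloudTrail `Records` export, keeps only successful `rds.amazonaws.com` calls (no `errorCode`, the same condition the deprecated rules matched on), and reports how often each event name covered by the five deprecated rules still appears. The sample records are constructed for the example; the event names are the ones listed in the commit message.

```python
import json
from collections import Counter

# Event names matched by the five rules this commit deprecates (from the commit message).
DEPRECATED_LIFECYCLE_EVENTS = {"CreateDBInstance", "CreateDBCluster",
                               "StopDBInstance", "StopDBCluster"}
# Event names that only existed for EC2-Classic DBSecurityGroups; expected to be absent.
RETIRED_DBSG_EVENTS = {"CreateDBSecurityGroup", "DeleteDBSecurityGroup"}


def audit_rds_rule_retirement(cloudtrail_json: str) -> dict:
    """Count successful RDS events that the deprecated rules would have alerted on.

    Input is the text of a CloudTrail log-file export: a JSON object with a
    "Records" list. Failed calls (records carrying an errorCode) are skipped
    because the deprecated rules only matched event.outcome:success.
    """
    data = json.loads(cloudtrail_json)
    counts = Counter()
    watched = DEPRECATED_LIFECYCLE_EVENTS | RETIRED_DBSG_EVENTS
    for rec in data.get("Records", []):
        if rec.get("eventSource") != "rds.amazonaws.com":
            continue
        if "errorCode" in rec:
            continue
        name = rec.get("eventName")
        if name in watched:
            counts[name] += 1
    return {
        "lifecycle_events": {n: counts[n] for n in sorted(DEPRECATED_LIFECYCLE_EVENTS) if counts[n]},
        "retired_dbsg_events": {n: counts[n] for n in sorted(RETIRED_DBSG_EVENTS) if counts[n]},
        # True when no DBSecurityGroup API call is present, i.e. the "cannot trigger" claim holds here.
        "dbsg_claim_holds": not any(counts[n] for n in RETIRED_DBSG_EVENTS),
    }


# Constructed sample export (not real account data): one successful instance creation,
# one denied stop call, one legacy DBSecurityGroup deletion, one unrelated EC2 event.
SAMPLE_EXPORT = json.dumps({"Records": [
    {"eventTime": "2025-11-20T10:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBInstance", "awsRegion": "us-east-1"},
    {"eventTime": "2025-11-20T10:05:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "StopDBInstance", "errorCode": "AccessDenied"},
    {"eventTime": "2022-08-01T09:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DeleteDBSecurityGroup"},
    {"eventTime": "2025-11-20T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress"},
]})


if __name__ == "__main__":
    report = audit_rds_rule_retirement(SAMPLE_EXPORT)
    print(json.dumps(report, indent=2))
```

On the constructed sample the report shows one `CreateDBInstance` (noise the lifecycle rules would have alerted on), the denied `StopDBInstance` is ignored, and the 2022 `DeleteDBSecurityGroup` record flips `dbsg_claim_holds` to false, which is exactly the situation the updated descriptions call "historical log analysis on legacy CloudTrail data". Run it over a real export window before and after the cut-over to see which of the two outcomes applies to your account.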
@@ -2,11 +2,16 @@
creation_date = "2021/06/05"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/11/21"
[rule]
author = ["Elastic", "Austin Songer"]
description = "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group."
description = """
Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. Modern RDS deployments run in a
VPC and use standard EC2 security groups instead. This rule should be retained only for historical log analysis on
legacy CloudTrail data. We recommend relying on "AWS EC2 Security Group Configuration Change" rule for network-control
changes impacting RDS in VPC-based deployments.
"""
false_positives = [
"""
An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity,
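Review bot: `maturity = "production"` is left as unchanged context in this hunk while the rule is being renamed "Deprecated - AWS RDS Security Group Deletion" and its description now says it should be kept only for historical log analysis, so the rule would still ship and load as an active production rule; the same applies to the other four rule files in this commit. Suggest setting `maturity = "deprecated"` and adding a `deprecation_date` next to the new `updated_date = "2025/11/21"` so the metadata agrees with the name and description.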
@@ -20,13 +25,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS RDS Security Group Deletion"
name = "Deprecated - AWS RDS Security Group Deletion"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating AWS RDS Security Group Deletion
### Investigating Deprecated - AWS RDS Security Group Deletion
Amazon RDS Security Groups control access to RDS instances, acting as a virtual firewall. Adversaries may delete these groups to disrupt database access or cover their tracks. The detection rule monitors AWS CloudTrail logs for successful deletion events of RDS Security Groups, signaling potential unauthorized activity. This helps security analysts quickly identify and respond to suspicious deletions.
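Review bot: only the heading of the investigation guide is touched here (`### Investigating Deprecated - AWS RDS Security Group Deletion`); the guide body below it still reads as a live detection ("signaling potential unauthorized activity ... quickly identify and respond"), and the same heading-only change repeats in the other four guide hunks of this commit. Splicing "Deprecated - " into an "Investigating ..." heading also reads awkwardly. Suggest keeping the original heading and adding a first line to the guide stating that the rule is deprecated and naming the replacement already cited in the description ("AWS EC2 Security Group Configuration Change"), so an analyst who still sees an alert from an older deployment knows where to look.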
@@ -2,7 +2,7 @@
creation_date = "2020/05/20"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/11/21"
[rule]
author = ["Elastic"]
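Review bot: this file (RDS Instance/Cluster Stoppage) only gets its `updated_date` bumped; unlike the two DBSecurityGroup rules, its `description` is not updated to say why the rule is deprecated or which rules cover the remaining RDS threat surface (the commit message names snapshot sharing, export and public exposure). The same gap applies to the Cluster Creation and Instance Creation hunks. Suggest adding a short deprecation note to the description of each lifecycle rule, as was done for the security-group rules.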
@@ -19,13 +19,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS RDS Instance/Cluster Stoppage"
name = "Deprecated - AWS RDS Instance/Cluster Stoppage"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating AWS RDS Instance/Cluster Stoppage
### Investigating Deprecated - AWS RDS Instance/Cluster Stoppage
Amazon RDS is a managed database service that simplifies database setup, operation, and scaling. Adversaries may stop RDS instances or clusters to disrupt services, potentially causing data unavailability or loss. The detection rule monitors AWS CloudTrail logs for successful stop actions on RDS resources, alerting analysts to potential unauthorized disruptions aligned with impact tactics.
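Review bot: the unchanged guide body in this hunk still asserts that "Adversaries may stop RDS instances or clusters to disrupt services ... aligned with impact tactics", which is the opposite of the commit message's rationale that these events "do not reflect known attacker techniques"; prefixing the heading with "Deprecated - " leaves the two statements side by side in the same rule file. Suggest rewriting or removing that intro sentence so the guide does not argue for a detection the commit is retiring.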
@@ -2,7 +2,7 @@
creation_date = "2020/05/20"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/11/21"
[rule]
author = ["Elastic"]
@@ -22,13 +22,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS RDS Cluster Creation"
name = "Deprecated - AWS RDS Cluster Creation"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating AWS RDS Cluster Creation
### Investigating Deprecated - AWS RDS Cluster Creation
Amazon RDS facilitates database management by automating tasks like hardware provisioning and backups. Adversaries may exploit RDS by creating unauthorized clusters to exfiltrate data or establish persistence. The detection rule monitors successful creation events of RDS clusters, flagging potential misuse by correlating specific actions and outcomes, thus aiding in identifying unauthorized activities.
@@ -2,11 +2,16 @@
creation_date = "2021/06/05"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/11/21"
[rule]
author = ["Elastic", "Austin Songer"]
description = "Identifies the creation of an Amazon Relational Database Service (RDS) Security group."
description = """
Identifies the creation of an Amazon Relational Database Service (RDS) Security group. Modern RDS deployments run in a
VPC and use standard EC2 security groups instead. This rule should be retained only for historical log analysis on
legacy CloudTrail data. We recommend relying on "AWS EC2 Security Group Configuration Change" rule for network-control
changes impacting RDS in VPC-based deployments.
"""
false_positives = [
"""
An RDS security group may be created by a system or network administrator. Verify whether the user identity, user
@@ -19,13 +24,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS RDS Security Group Creation"
name = "Deprecated - AWS RDS Security Group Creation"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating AWS RDS Security Group Creation
### Investigating Deprecated - AWS RDS Security Group Creation
Amazon RDS Security Groups control access to RDS instances, acting as virtual firewalls. Adversaries may exploit this by creating unauthorized security groups to maintain persistence or exfiltrate data. The detection rule monitors successful creation events of RDS security groups, flagging potential misuse by correlating specific AWS CloudTrail logs, thus aiding in identifying unauthorized access attempts.
@@ -2,7 +2,7 @@
creation_date = "2021/06/06"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/11/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -19,13 +19,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS RDS Instance Creation"
name = "Deprecated - AWS RDS Instance Creation"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating AWS RDS Instance Creation
### Investigating Deprecated - AWS RDS Instance Creation
Amazon RDS simplifies database management by automating tasks like provisioning and scaling. However, adversaries may exploit this by creating unauthorized instances to exfiltrate data or establish persistence. The detection rule monitors successful RDS instance creations, focusing on specific AWS CloudTrail events, to identify potential misuse and ensure asset visibility.