diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index b63bdb156..e32c3721b 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -2,11 +2,16 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
-description = "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group."
+description = """
+Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. Modern RDS deployments run in a
+VPC and use standard EC2 security groups instead. This rule should be retained only for historical log analysis on
+legacy CloudTrail data. We recommend relying on "AWS EC2 Security Group Configuration Change" rule for network-control
+changes impacting RDS in VPC-based deployments.
+"""
 false_positives = [
     """
     An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity,
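Review bot: `maturity = "production"` is left untouched as the context line directly above the bumped `updated_date`, while the same commit renames this rule to `Deprecated - AWS RDS Security Group Deletion` and the new `description` says it should be retained only for historical log analysis, so the rule's metadata and its name now disagree about its status. If the intent is to keep the rule shipping and enabled for legacy CloudTrail data, the description should say so explicitly (for example `This rule remains enabled so that legacy CloudTrail events are still detected.`); if the intent is a real deprecation, the metadata should change to match (deprecated rules in this repository normally carry `maturity = "deprecated"` and a `deprecation_date`, which I cannot confirm from the diff alone). The new description also refers to the `"AWS EC2 Security Group Configuration Change"` rule by display name only, which is worth verifying against the actual rule, since a rename there would leave this pointer stale with no error. The same production/deprecated mismatch is present in the `updated_date` hunks of persistence_rds_group_creation.toml, impact_rds_instance_cluster_stoppage.toml, persistence_rds_cluster_creation.toml and persistence_rds_instance_creation.toml.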
@@ -20,13 +25,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS RDS Security Group Deletion"
+name = "Deprecated - AWS RDS Security Group Deletion"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS RDS Security Group Deletion
+### Investigating Deprecated - AWS RDS Security Group Deletion
 
 Amazon RDS Security Groups control access to RDS instances, acting as a virtual firewall. Adversaries may delete these groups to disrupt database access or cover their tracks. The detection rule monitors AWS CloudTrail logs for successful deletion events of RDS Security Groups, signaling potential unauthorized activity. This helps security analysts quickly identify and respond to suspicious deletions.
 
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index 796a6969e..912b8d40b 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/21"
 
 [rule]
 author = ["Elastic"]
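Review bot: Inside the `note` string the only edit is the `### Investigating …` heading, while the paragraph below it still presents the rule as a live detection (`signaling potential unauthorized activity`) and never says why the rule is marked Deprecated or what replaces it, so an analyst triaging an alert sees the word in a heading with no explanation. The rationale is already written in the new `description` and should be echoed here; I would add a short paragraph directly under the heading, e.g. `> **Note**: This rule targets the legacy (non-VPC) RDS security-group API and is retained only for historical CloudTrail data. For VPC-based deployments, changes to the EC2 security groups that protect RDS are covered by the AWS EC2 Security Group Configuration Change rule.` The `note` multi-line string continues past the end of this hunk, so the rest of the guide is not visible here. The same gap exists in the heading-only hunks of the other four rule files in this diff.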
@@ -19,13 +19,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS RDS Instance/Cluster Stoppage"
+name = "Deprecated - AWS RDS Instance/Cluster Stoppage"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS RDS Instance/Cluster Stoppage
+### Investigating Deprecated - AWS RDS Instance/Cluster Stoppage
 
 Amazon RDS is a managed database service that simplifies database setup, operation, and scaling. Adversaries may stop RDS instances or clusters to disrupt services, potentially causing data unavailability or loss. The detection rule monitors AWS CloudTrail logs for successful stop actions on RDS resources, alerting analysts to potential unauthorized disruptions aligned with impact tactics.
 
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index 91b44dbdd..d9c4f287d 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/21"
 
 [rule]
 author = ["Elastic"]
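Review bot: This rule is renamed to `Deprecated - AWS RDS Instance/Cluster Stoppage`, but nothing in the diff records why: unlike the two security-group rules, its `description` is not touched (it sits within three lines of the `updated_date` hunk, so a change there would have been pulled into that hunk), and the investigation guide only changes its heading. Without a stated reason, a reader cannot tell whether stop events on RDS instances and clusters are now covered by another rule or whether disabling this one opens a detection gap, which is exactly the decision the Deprecated prefix asks them to make. I would extend `description` with the reason and the replacement rule, as the security-group rules do, for example `This rule is deprecated; see <replacement rule name> for current coverage of RDS instance and cluster stop events.` with the placeholder filled in. persistence_rds_cluster_creation.toml and persistence_rds_instance_creation.toml receive the same name-only prefix and need the same explanation.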
@@ -22,13 +22,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS RDS Cluster Creation"
+name = "Deprecated - AWS RDS Cluster Creation"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS RDS Cluster Creation
+### Investigating Deprecated - AWS RDS Cluster Creation
 
 Amazon RDS facilitates database management by automating tasks like hardware provisioning and backups. Adversaries may exploit RDS by creating unauthorized clusters to exfiltrate data or establish persistence. The detection rule monitors successful creation events of RDS clusters, flagging potential misuse by correlating specific actions and outcomes, thus aiding in identifying unauthorized activities.
 
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index e5ae9ccb5..a0c4e0017 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -2,11 +2,16 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
-description = "Identifies the creation of an Amazon Relational Database Service (RDS) Security group."
+description = """
+Identifies the creation of an Amazon Relational Database Service (RDS) Security group. Modern RDS deployments run in a
+VPC and use standard EC2 security groups instead. This rule should be retained only for historical log analysis on
+legacy CloudTrail data. We recommend relying on "AWS EC2 Security Group Configuration Change" rule for network-control
+changes impacting RDS in VPC-based deployments.
+"""
 false_positives = [
     """
     An RDS security group may be created by a system or network administrator. Verify whether the user identity, user
@@ -19,13 +24,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS RDS Security Group Creation"
+name = "Deprecated - AWS RDS Security Group Creation"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS RDS Security Group Creation
+### Investigating Deprecated - AWS RDS Security Group Creation
 
 Amazon RDS Security Groups control access to RDS instances, acting as virtual firewalls. Adversaries may exploit this by creating unauthorized security groups to maintain persistence or exfiltrate data. The detection rule monitors successful creation events of RDS security groups, flagging potential misuse by correlating specific AWS CloudTrail logs, thus aiding in identifying unauthorized access attempts.
 
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index 1d1e330a0..e16598f30 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/21"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -19,13 +19,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS RDS Instance Creation"
+name = "Deprecated - AWS RDS Instance Creation"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS RDS Instance Creation
+### Investigating Deprecated - AWS RDS Instance Creation
 
 Amazon RDS simplifies database management by automating tasks like provisioning and scaling. However, adversaries may exploit this by creating unauthorized instances to exfiltrate data or establish persistence. The detection rule monitors successful RDS instance creations, focusing on specific AWS CloudTrail events, to identify potential misuse and ensure asset visibility.