diff --git a/rules/integrations/aws/impact_rds_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
similarity index 69%
rename from rules/integrations/aws/impact_rds_cluster_deletion.toml
rename to rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index 840fa8b91..f5b692029 100644
--- a/rules/integrations/aws/impact_rds_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -1,19 +1,19 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/04/07"
 integration = "aws"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database
-cluster.
+Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database
+cluster, or database instance.
 """
 false_positives = [
 """
- Clusters may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname
- should be making changes in your environment. Cluster deletions by unfamiliar users or hosts should be
+ Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname
+ should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts should be
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS RDS Cluster Deletion"
+name = "AWS Deletion of RDS Instance or Cluster"
 note = """## Config
 
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
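Review bot: The rewritten description still carries the "Aurora" qualifier even though the rule now also covers DeleteDBInstance, which per the linked API reference applies to instances of every RDS engine, so a reader can take the rule as Aurora-only; suggest `Identifies the deletion of an Amazon Relational Database Service (RDS) database instance, Aurora database cluster, or global database cluster.` The false_positives text treats instance and cluster deletions as equivalent, but instance deletions are likely far more routine (scaling down readers or read replicas, tearing down test instances), so the tuning guidance should probably say so and point at exempting known automation roles. The triage advice could also tell the analyst what makes an instance deletion high-impact: a sentence such as `Check the request parameters for SkipFinalSnapshot and DeleteAutomatedBackups — a deletion with both set leaves no recovery path and warrants immediate escalation.` would give the first responder the one fact that separates housekeeping from destruction.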
@@ -31,6 +31,9 @@ references = [
 "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html",
 "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html",
+ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html",
+ "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html"
+
 ]
 risk_score = 47
 rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
@@ -40,7 +43,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)
+and event.outcome:success
 '''
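Review bot: The added `API_DeleteDBInstance.html` reference drops the trailing comma that every preceding element in the `references` array carries, and the commit also inserts an empty line between it and the closing `]`, which the surrounding file does not do anywhere else. Keep the array uniform with `"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html",` and remove the blank added line so the next person appending a reference does not have to fix the punctuation first. Since the rule's scope now includes instance deletions, it may also be worth confirming that the unchanged `risk_score = 47` visible as context is still the intended severity for the broader rule.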