IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Tampering of Shell Command-Line History Google Workspace Restrictions for Marketplace Modified to Allow Any App »
Elastic Docs Elastic Security Solution [8.11] Downloadable rule update v8.11.21

AWS RDS DB Instance Restored

edit

AWS RDS DB Instance Restored

edit

An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS RestoreDBInstanceFromDBSnapshot or RestoreDBInstanceFromS3 API operations.

Rule type: eql

Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS RDS
  • Use Case: Asset Visibility
  • Tactic: Defense Evasion

Version: 207

Rule authors:

  • Austin Songer
  • Elastic

Rule license: Elastic License v2

Rule query

edit
any where event.dataset == "aws.cloudtrail"
    and event.provider == "rds.amazonaws.com"
    and event.action in ("RestoreDBInstanceFromDBSnapshot", "RestoreDBInstanceFromS3")
    and event.outcome == "success"

Framework: MITRE ATT&CKTM

« Tampering of Shell Command-Line History Google Workspace Restrictions for Marketplace Modified to Allow Any App »