IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« AWS RDS DB Instance or Cluster Password Modified AWS RDS DB Snapshot Shared with Another Account »

› › ›

AWS RDS DB Snapshot Created

edit

AWS RDS DB Snapshot Created

edit

Identifies when an AWS RDS DB Snapshot is created. This can be used to evade defenses by allowing an attacker to bypass access controls or cover their tracks by reverting an instance to a previous state. This is a [building block rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity. To generate alerts, create a rule that uses this signal as a building block.

Rule type: query

Rule indices:

filebeat-*
logs-aws.cloudtrail-*

Severity: low

Risk score: 21

Runs every: 10m

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS RDS
Use Case: Asset Visibility
Tactic: Defense Evasion
Rule Type: BBR

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com"
    and event.action: ("CreateDBSnapshot" or "CreateDBClusterSnapshot") and event.outcome: "success"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Modify Cloud Compute Infrastructure
- ID: T1578
- Reference URL: https://attack.mitre.org/techniques/T1578/
Sub-technique:
- Name: Create Snapshot
- ID: T1578.001
- Reference URL: https://attack.mitre.org/techniques/T1578/001/

« AWS RDS DB Instance or Cluster Password Modified AWS RDS DB Snapshot Shared with Another Account »