IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« AWS RDS DB Instance or Cluster Deletion Protection Disabled AWS IAM Roles Anywhere Profile Creation »

› ›

AWS RDS Snapshot Deleted

edit

AWS RDS Snapshot Deleted

edit

Identifies the deletion of an AWS RDS DB snapshot. Snapshots contain a full backup of an entire DB instance. Unauthorized deletion of snapshots can make it impossible to recover critical or sensitive data. This rule detects deleted snapshots and instances modified so that backupRetentionPeriod is set to 0 which disables automated backups and is functionally similar to deleting the system snapshot.

Rule type: eql

Rule indices:

filebeat-*
logs-aws.cloudtrail-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS RDS
Use Case: Asset Visibility
Tactic: Impact

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

any where event.dataset == "aws.cloudtrail"
    and event.provider == "rds.amazonaws.com"
    and event.outcome == "success"
    and (
        event.action in ("DeleteDBSnapshot", "DeleteDBClusterSnapshot") or
        (event.action == "ModifyDBInstance" and stringContains(aws.cloudtrail.request_parameters, "backupRetentionPeriod=0"))
    )

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
Technique:
- Name: Data Destruction
- ID: T1485
- Reference URL: https://attack.mitre.org/techniques/T1485/

« AWS RDS DB Instance or Cluster Deletion Protection Disabled AWS IAM Roles Anywhere Profile Creation »