This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.

« AWS RDS Security Group Deletion AWS RDS Snapshot Restored »

› › ›

AWS RDS Snapshot Export

edit

AWS RDS Snapshot Export

edit

Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.

Rule type: query

Rule indices:

filebeat-*
logs-aws*

Severity: low

Risk score: 21

Runs every: 10 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html

Tags:

Elastic
Cloud
AWS
Continuous Monitoring
SecOps
Asset Visibility
Exfiltration

Version: 101 (version history)

Added (Elastic Stack release): 7.16.0

Last modified (Elastic Stack release): 8.6.0

Rule authors: Elastic, Austin Songer

Rule license: Elastic License v2

Potential false positives

edit

Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Investigation guide

edit

Rule query

edit

event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and
event.action:StartExportTask and event.outcome:success

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/

Rule version history

edit

Version 101 (8.6.0 release)

Formatting only

Version 100 (8.5.0 release)

Formatting only

Version 3 (8.4.0 release)

Formatting only

« AWS RDS Security Group Deletion AWS RDS Snapshot Restored »