Amazon Relational Database Service AWS-rds

23 operations, identified by eventName in the audit log.

eventName	Description
_catch_all	Catch-all entry for AWS-rds rules that match the service but not a specific eventName.
AuthorizeDBSecurityGroupIngress	Enables ingress to a DB security group by authorizing an EC2 security group or an IP address range to access the DB security group.
CreateDBSecurityGroup	Creates a new DB security group (EC2-Classic only) and associates it with an Amazon RDS resource.
DeleteDBCluster	Deletes a previously provisioned DB cluster, including all automated backups if automated backups are enabled.
DeleteDBInstance	Deletes a previously provisioned DB instance, with the option to create a final snapshot.
DeleteDBSecurityGroup	Deletes a DB security group after dissociating it from all DB instances.
DeleteGlobalCluster	Deletes a global database cluster and removes the primary and all secondary DB clusters that are part of it.
DescribeDBInstances	Returns information about provisioned RDS DB instances, including their configuration, status, and endpoint details.
DescribeDBSnapshots	Returns information about DB snapshots for a specified DB instance or all snapshots accessible to the account.
ModifyDBCluster	Modifies settings for a DB cluster, including engine version, storage, and backup retention period.
ModifyDBInstance	Modifies settings for a DB instance, including instance class, allocated storage, and multi-AZ configuration.
RestoreDBInstanceFromDBSnapshot	Creates a new DB instance from a DB snapshot.
RestoreDBInstanceFromS3	Creates a new DB instance from a MySQL database backup stored in Amazon S3.
RevokeDBSecurityGroupIngress	Revokes ingress from a DB security group for previously authorized IP ranges or EC2 security groups.
StartExportTask	Starts an export of DB snapshot or DB cluster data to Amazon S3 in Parquet format.
CreateDBCluster	Creates a new Amazon Aurora DB cluster or Multi-AZ DB cluster.
CreateDBClusterSnapshot	Creates a snapshot of a DB cluster.
CreateDBInstance	Creates a new DB instance.
CreateDBSnapshot	Creates a snapshot of a DB instance.
DeleteDBClusterSnapshot	Deletes a DB cluster snapshot; the snapshot must be in the available state to be deleted.
DeleteDBSnapshot	Deletes a DB snapshot; the snapshot must be in the available state to be deleted.
ModifyDBClusterSnapshotAttribute	Adds or removes attributes on a DB cluster snapshot, including cross-account copy and restore permissions.
ModifyDBSnapshotAttribute	Adds or removes attributes on a manual DB snapshot, including cross-account copy and restore permissions.

_catch_all: AWS-rds (catch-all)

Service: AWS-rds

Description

Catch-all entry for AWS-rds rules that match the service but not a specific eventName.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

AuthorizeDBSecurityGroupIngress

Service: AWS-rds

Description

Enables ingress to a DB security group by authorizing an EC2 security group or an IP address range to access the DB security group.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`AuthorizeDBSecurityGroupIngress`	1 rule	panther, sigma
`aws::eventSource`	eq	`rds.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

RDS Database Security Group Modification source medium: Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.↳ also matches CreateDBSecurityGroup, DeleteDBSecurityGroup, RevokeDBSecurityGroupIngress

CreateDBSecurityGroup

Service: AWS-rds

Description

Creates a new DB security group (EC2-Classic only) and associates it with an Amazon RDS resource.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`AuthorizeDBSecurityGroupIngress`	1 rule	panther, sigma
`aws::eventSource`	eq	`rds.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

RDS Database Security Group Modification source medium: Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.↳ also matches AuthorizeDBSecurityGroupIngress, DeleteDBSecurityGroup, RevokeDBSecurityGroupIngress

DeleteDBCluster

Service: AWS-rds

Description

Deletes a previously provisioned DB cluster, including all automated backups if automated backups are enabled.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`rds.amazonaws.com`	1 rule	elastic
`aws::eventName`	eq	`ModifyDBCluster`	1 rule	sigma, splunk
`aws::eventSource`	eq	`rds.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Modification or Deletion of an AWS RDS Cluster source high: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.↳ also matches ModifyDBCluster

Elastic #

AWS RDS DB Instance or Cluster Deleted source medium: Identifies the deletion of an Amazon RDS DB instance, Aurora cluster, or global database cluster. Deleting these resources permanently destroys stored data and can cause major service disruption. Adversaries with sufficient permissions may delete RDS resources to impede recovery, destroy evidence, or inflict operational impact on the environment.↳ also matches DeleteDBInstance, DeleteGlobalCluster

DeleteDBInstance

Service: AWS-rds

Description

Deletes a previously provisioned DB instance, with the option to create a final snapshot.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS RDS DB Instance or Cluster Deleted source medium: Identifies the deletion of an Amazon RDS DB instance, Aurora cluster, or global database cluster. Deleting these resources permanently destroys stored data and can cause major service disruption. Adversaries with sufficient permissions may delete RDS resources to impede recovery, destroy evidence, or inflict operational impact on the environment.↳ also matches DeleteDBCluster, DeleteGlobalCluster

DeleteDBSecurityGroup

Service: AWS-rds

Description

Deletes a DB security group after dissociating it from all DB instances.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`AuthorizeDBSecurityGroupIngress`	1 rule	panther, sigma
`aws::eventSource`	eq	`rds.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

RDS Database Security Group Modification source medium: Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.↳ also matches AuthorizeDBSecurityGroupIngress, CreateDBSecurityGroup, RevokeDBSecurityGroupIngress

DeleteGlobalCluster

Service: AWS-rds

Description

Deletes a global database cluster and removes the primary and all secondary DB clusters that are part of it.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS RDS DB Instance or Cluster Deleted source medium: Identifies the deletion of an Amazon RDS DB instance, Aurora cluster, or global database cluster. Deleting these resources permanently destroys stored data and can cause major service disruption. Adversaries with sufficient permissions may delete RDS resources to impede recovery, destroy evidence, or inflict operational impact on the environment.↳ also matches DeleteDBCluster, DeleteDBInstance

DescribeDBInstances

Service: AWS-rds

Description

Returns information about provisioned RDS DB instances, including their configuration, status, and endpoint details.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeDBSnapshots

Service: AWS-rds

Description

Returns information about DB snapshots for a specified DB instance or all snapshots accessible to the account.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

ModifyDBCluster

Service: AWS-rds

Description

Modifies settings for a DB cluster, including engine version, storage, and backup retention period.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`ModifyDBCluster`	2 rules	elastic
`EventType`	in	`ModifyDBInstance`	2 rules	elastic
`Provider_Name`	eq	`rds.amazonaws.com`	2 rules	elastic
`aws::eventName`	eq	`ModifyDBCluster`	1 rule	sigma, splunk
`aws::eventSource`	eq	`rds.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Modification or Deletion of an AWS RDS Cluster source high: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.↳ also matches DeleteDBCluster

Elastic #

AWS RDS DB Instance or Cluster Deletion Protection Disabled source medium: Identifies the modification of an AWS RDS DB instance or cluster to disable the deletionProtection feature. Deletion protection prevents accidental or unauthorized deletion of RDS resources. Adversaries with sufficient permissions may disable this protection as a precursor to destructive actions, including the deletion of databases containing sensitive or business-critical data. This rule alerts when deletionProtection is explicitly set to false on an RDS DB instance or cluster.↳ also matches ModifyDBInstance
AWS RDS DB Instance or Cluster Password Modified source medium: Identifies the modification of the master password for an AWS RDS DB instance or cluster. Changing the master password is a legitimate recovery action when access is lost, but adversaries with sufficient permissions may modify it to regain access, establish persistence, bypass existing controls, or escalate privileges within a compromised environment. Because RDS does not expose the password in API responses, this operation can meaningfully alter access pathways to sensitive data stores.↳ also matches ModifyDBInstance

ModifyDBInstance

Service: AWS-rds

Description

Modifies settings for a DB instance, including instance class, allocated storage, and multi-AZ configuration.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`rds.amazonaws.com`	4 rules	elastic
`event.outcome`	eq	`success`	4 rules	elastic
`EventType`	eq	`ModifyDBInstance`	2 rules	elastic
`EventType`	in	`ModifyDBCluster`	2 rules	elastic
`EventType`	in	`ModifyDBInstance`	2 rules	elastic
`aws::eventName`	eq	`ModifyDBInstance`	1 rule	panther, sigma, splunk
`aws::eventSource`	eq	`rds.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

AWS RDS Master Password Change source medium: Detects the change of database master password. It may be a part of data exfiltration.

Elastic #

AWS RDS DB Instance or Cluster Deletion Protection Disabled source medium: Identifies the modification of an AWS RDS DB instance or cluster to disable the deletionProtection feature. Deletion protection prevents accidental or unauthorized deletion of RDS resources. Adversaries with sufficient permissions may disable this protection as a precursor to destructive actions, including the deletion of databases containing sensitive or business-critical data. This rule alerts when deletionProtection is explicitly set to false on an RDS DB instance or cluster.↳ also matches ModifyDBCluster
AWS RDS Snapshot Deleted source medium: Identifies the deletion of an AWS RDS DB snapshot or configuration changes that effectively remove backup coverage for a DB instance. RDS snapshots contain full backups of database instances, and disabling automated backups by setting "backupRetentionPeriod=0" has a similar impact by preventing future restore points. Adversaries with the appropriate permissions may delete snapshots or disable backups to inhibit recovery, destroy forensic evidence, or prepare for follow-on destructive actions such as instance or cluster deletion.↳ also matches DeleteDBClusterSnapshot, DeleteDBSnapshot
AWS RDS DB Instance or Cluster Password Modified source medium: Identifies the modification of the master password for an AWS RDS DB instance or cluster. Changing the master password is a legitimate recovery action when access is lost, but adversaries with sufficient permissions may modify it to regain access, establish persistence, bypass existing controls, or escalate privileges within a compromised environment. Because RDS does not expose the password in API responses, this operation can meaningfully alter access pathways to sensitive data stores.↳ also matches ModifyDBCluster

Show 1 more (4 total)

AWS RDS DB Instance Made Public source medium: Identifies the creation or modification of an Amazon RDS DB instance or cluster where the "publiclyAccessible" attribute is set to "true". Publicly accessible RDS instances expose a network endpoint on the public internet, which may allow unauthorized access if combined with overly permissive security groups, weak authentication, or misconfigured IAM policies. Adversaries may enable public access on an existing instance, or create a new publicly accessible instance, to establish persistence, move data outside of controlled network boundaries, or bypass internal access controls.↳ also matches CreateDBCluster, CreateDBInstance

RestoreDBInstanceFromDBSnapshot

Service: AWS-rds

Description

Creates a new DB instance from a DB snapshot.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`rds.amazonaws.com`	1 rule	elastic
`aws::eventName`	eq	`RestoreDBInstanceFromDBSnapshot`	1 rule	panther, sigma
`aws::eventSource`	eq	`rds.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Restore Public AWS RDS Instance source high: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.

Elastic #

AWS RDS DB Instance Restored source medium: Identifies the restoration of an AWS RDS database instance from a snapshot or S3 backup. Adversaries with access to valid credentials may restore copies of existing databases to bypass logging and monitoring controls or to exfiltrate sensitive data from a duplicated environment. This rule detects successful restoration operations using "RestoreDBInstanceFromDBSnapshot" or "RestoreDBInstanceFromS3", which may indicate unauthorized data access or post-compromise defense evasion.↳ also matches RestoreDBInstanceFromS3

RestoreDBInstanceFromS3

Service: AWS-rds

Description

Creates a new DB instance from a MySQL database backup stored in Amazon S3.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`rds.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS RDS DB Instance Restored source medium: Identifies the restoration of an AWS RDS database instance from a snapshot or S3 backup. Adversaries with access to valid credentials may restore copies of existing databases to bypass logging and monitoring controls or to exfiltrate sensitive data from a duplicated environment. This rule detects successful restoration operations using "RestoreDBInstanceFromDBSnapshot" or "RestoreDBInstanceFromS3", which may indicate unauthorized data access or post-compromise defense evasion.↳ also matches RestoreDBInstanceFromDBSnapshot

RevokeDBSecurityGroupIngress

Service: AWS-rds

Description

Revokes ingress from a DB security group for previously authorized IP ranges or EC2 security groups.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`AuthorizeDBSecurityGroupIngress`	1 rule	panther, sigma
`aws::eventSource`	eq	`rds.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

RDS Database Security Group Modification source medium: Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.↳ also matches AuthorizeDBSecurityGroupIngress, CreateDBSecurityGroup, DeleteDBSecurityGroup

StartExportTask

Service: AWS-rds

Description

Starts an export of DB snapshot or DB cluster data to Amazon S3 in Parquet format.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`rds.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS RDS Snapshot Export source low: Identifies the export of a DB snapshot or DB cluster data to Amazon S3. Snapshot exports can be used for analytics or migration workflows, but adversaries may abuse them to exfiltrate sensitive data outside of RDS-managed storage. Exporting a snapshot creates a portable copy of the database contents, which, if performed without authorization, can indicate data theft, staging for exfiltration, or operator misconfiguration that exposes regulated information.

CreateDBCluster

Service: AWS-rds

Description

Creates a new Amazon Aurora DB cluster or Multi-AZ DB cluster.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ModifyDBInstance`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS RDS DB Instance Made Public source medium: Identifies the creation or modification of an Amazon RDS DB instance or cluster where the "publiclyAccessible" attribute is set to "true". Publicly accessible RDS instances expose a network endpoint on the public internet, which may allow unauthorized access if combined with overly permissive security groups, weak authentication, or misconfigured IAM policies. Adversaries may enable public access on an existing instance, or create a new publicly accessible instance, to establish persistence, move data outside of controlled network boundaries, or bypass internal access controls.↳ also matches ModifyDBInstance, CreateDBInstance

CreateDBClusterSnapshot

Service: AWS-rds

Description

Creates a snapshot of a DB cluster.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS RDS DB Snapshot Created source low: Identifies when an AWS RDS DB Snapshot is created. This can be used to evade defenses by allowing an attacker to bypass access controls or cover their tracks by reverting an instance to a previous state. This is a building block rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity. To generate alerts, create a rule that uses this signal as a building block.↳ also matches CreateDBSnapshot

CreateDBInstance

Service: AWS-rds

Description

Creates a new DB instance.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ModifyDBInstance`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS RDS DB Instance Made Public source medium: Identifies the creation or modification of an Amazon RDS DB instance or cluster where the "publiclyAccessible" attribute is set to "true". Publicly accessible RDS instances expose a network endpoint on the public internet, which may allow unauthorized access if combined with overly permissive security groups, weak authentication, or misconfigured IAM policies. Adversaries may enable public access on an existing instance, or create a new publicly accessible instance, to establish persistence, move data outside of controlled network boundaries, or bypass internal access controls.↳ also matches ModifyDBInstance, CreateDBCluster

CreateDBSnapshot

Service: AWS-rds

Description

Creates a snapshot of a DB instance.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS RDS DB Snapshot Created source low: Identifies when an AWS RDS DB Snapshot is created. This can be used to evade defenses by allowing an attacker to bypass access controls or cover their tracks by reverting an instance to a previous state. This is a building block rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity. To generate alerts, create a rule that uses this signal as a building block.↳ also matches CreateDBClusterSnapshot

DeleteDBClusterSnapshot

Service: AWS-rds

Description

Deletes a DB cluster snapshot; the snapshot must be in the available state to be deleted.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ModifyDBInstance`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS RDS Snapshot Deleted source medium: Identifies the deletion of an AWS RDS DB snapshot or configuration changes that effectively remove backup coverage for a DB instance. RDS snapshots contain full backups of database instances, and disabling automated backups by setting "backupRetentionPeriod=0" has a similar impact by preventing future restore points. Adversaries with the appropriate permissions may delete snapshots or disable backups to inhibit recovery, destroy forensic evidence, or prepare for follow-on destructive actions such as instance or cluster deletion.↳ also matches ModifyDBInstance, DeleteDBSnapshot

DeleteDBSnapshot

Service: AWS-rds

Description

Deletes a DB snapshot; the snapshot must be in the available state to be deleted.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ModifyDBInstance`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS RDS Snapshot Deleted source medium: Identifies the deletion of an AWS RDS DB snapshot or configuration changes that effectively remove backup coverage for a DB instance. RDS snapshots contain full backups of database instances, and disabling automated backups by setting "backupRetentionPeriod=0" has a similar impact by preventing future restore points. Adversaries with the appropriate permissions may delete snapshots or disable backups to inhibit recovery, destroy forensic evidence, or prepare for follow-on destructive actions such as instance or cluster deletion.↳ also matches ModifyDBInstance, DeleteDBClusterSnapshot

ModifyDBClusterSnapshotAttribute

Service: AWS-rds

Description

Adds or removes attributes on a DB cluster snapshot, including cross-account copy and restore permissions.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`rds.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS RDS DB Snapshot Shared with Another Account source medium: Identifies when an AWS RDS DB snapshot is shared with another AWS account or made public. DB snapshots contain complete backups of database instances, including schemas, table data, and sensitive application content. When shared externally, snapshots can be restored in another AWS environment, enabling unauthorized access, offline analysis, or data exfiltration. Adversaries who obtain valid credentials or exploit misconfigurations may modify snapshot attributes to grant access to accounts they control, bypassing network, IAM, and monitoring controls.↳ also matches ModifyDBSnapshotAttribute

YARA-L #

AWS RDS Snapshot Shared Publicly source: Detects when an Amazon RDS Snapshot is shared publicly.↳ also matches ModifyDBSnapshotAttribute

ModifyDBSnapshotAttribute

Service: AWS-rds

Description

Adds or removes attributes on a manual DB snapshot, including cross-account copy and restore permissions.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`rds.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS RDS DB Snapshot Shared with Another Account source medium: Identifies when an AWS RDS DB snapshot is shared with another AWS account or made public. DB snapshots contain complete backups of database instances, including schemas, table data, and sensitive application content. When shared externally, snapshots can be restored in another AWS environment, enabling unauthorized access, offline analysis, or data exfiltration. Adversaries who obtain valid credentials or exploit misconfigurations may modify snapshot attributes to grant access to accounts they control, bypassing network, IAM, and monitoring controls.↳ also matches ModifyDBClusterSnapshotAttribute

YARA-L #

AWS RDS Snapshot Shared Publicly source: Detects when an Amazon RDS Snapshot is shared publicly.↳ also matches ModifyDBClusterSnapshotAttribute

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)