Detection rules › Panther
AWS RDS Master Password Updated
Detects a ModifyDBInstance call that changes the master user password of an RDS instance. Changing the master password is a sensitive database operation that should be performed carefully or rarely; an unexpected change can mean an attacker is taking over the database login.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098 Account Manipulation |
Rules detecting the same action
Other rules in the catalog (Panther, Elastic and Sigma) that filter on the same API call (ModifyDBInstance) or the same RDS operation.
- AWS RDS DB Instance Made Public (Elastic)
- AWS RDS DB Instance or Cluster Deletion Protection Disabled (Elastic)
- AWS RDS DB Instance or Cluster Password Modified (Elastic)
- AWS RDS Deletion Protection Disabled (Panther)
- AWS RDS Instance Modified to be Publicly Accessible (Panther)
- AWS RDS Master Password Change (Sigma)
- AWS RDS Snapshot Deleted (Elastic)
Rule body

```yaml
AnalysisType: rule
Description: A sensitive database operation that should be performed carefully or rarely
DisplayName: "AWS RDS Master Password Updated"
Enabled: true
Filename: aws_rds_master_pass_updated.py
Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
Severity: Low
DedupPeriodMinutes: 60
Reports:
  MITRE ATT&CK:
    - TA0003:T1098
SummaryAttributes:
  - awsRegion
  - userIdentity:arn
  - responseElements:dBInstanceIdentifier
  - p_any_aws_arns
  - p_any_aws_account_ids
LogTypes:
  - AWS.CloudTrail
RuleID: "AWS.RDS.MasterPasswordUpdated"
Threshold: 1
Tests:
  - ExpectedResult: false
    Name: Allocated storage modified
    Log:
      awsRegion: us-west-1
      eventCategory: Management
      eventID: cb82857f-302d-4d6c-b516-589ec39dee7c
      eventName: ModifyDBInstance
      eventSource: rds.amazonaws.com
      eventTime: "2022-09-24 00:38:26"
      eventType: AwsApiCall
      eventVersion: "1.08"
      managementEvent: true
      p_any_aws_account_ids:
        - "123456789012"
      p_any_aws_arns:
        - arn:aws:iam::123456789012:role/Admin
        - arn:aws:kms:us-west-1:123456789012:key/e2c16323-1c31-45fb-adda-07e5c9f78997
        - arn:aws:rds:us-west-1:123456789012:db:my-database
        - arn:aws:sts::123456789012:assumed-role/Admin/Jack
      p_any_domain_names:
        - AWS Internal
      p_any_trace_ids:
        - ASIASWJRT64ZWCAMGCWI
      p_event_time: "2022-09-24 00:38:26"
      p_log_type: AWS.CloudTrail
      p_parse_time: "2022-09-24 00:42:44.436"
      p_row_id: da110a31e6a4cfa7c8a888cb13f59305
      p_source_id: 125a8146-e3ea-454b-aed7-9e08e735b670
      p_source_label: CloudTrail
      readOnly: false
      recipientAccountId: "123456789012"
      requestID: bd420698-bbb7-4ec3-b109-190e03adc1f4
      requestParameters:
        allocatedStorage: 22
        allowMajorVersionUpgrade: false
        applyImmediately: true
        dBInstanceIdentifier: my-database
        maxAllocatedStorage: 1000
      responseElements:
        allocatedStorage: 20
        associatedRoles: []
        autoMinorVersionUpgrade: true
        availabilityZone: us-west-1b
        backupRetentionPeriod: 0
        backupTarget: region
        cACertificateIdentifier: rds-ca-2019
        copyTagsToSnapshot: true
        customerOwnedIpEnabled: false
        dBInstanceArn: arn:aws:rds:us-west-1:123456789012:db:my-database
        dBInstanceClass: db.t3.micro
        dBInstanceIdentifier: my-database
        dBInstanceStatus: available
        dBName: test
        dBParameterGroups:
          - dBParameterGroupName: default.mysql8.0
            parameterApplyStatus: in-sync
        dBSecurityGroups: []
        dBSubnetGroup:
          dBSubnetGroupDescription: Created from the RDS Management Console
          dBSubnetGroupName: default-vpc-f9999999
          subnetGroupStatus: Complete
          subnets:
            - subnetAvailabilityZone:
                name: us-west-1c
              subnetIdentifier: subnet-8cb458ea
              subnetOutpost: {}
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-west-1b
              subnetIdentifier: subnet-8382bbd8
              subnetOutpost: {}
              subnetStatus: Active
          vpcId: vpc-f9999999
        dbInstancePort: 0
        dbiResourceId: db-FEVDSUCWJ43PXONVT6ZU2TK4WY
        deletionProtection: false
        domainMemberships: []
        enabledCloudwatchLogsExports:
          - audit
          - error
          - general
        endpoint:
          address: my-database.cbsugyyyyyyy.us-west-1.rds.amazonaws.com
          hostedZoneId: Z10WI91S59XXQN
          port: 3306
        engine: mysql
        engineVersion: 8.0.28
        httpEndpointEnabled: false
        iAMDatabaseAuthenticationEnabled: false
        instanceCreateTime: Sep 23, 2022 11:25:46 PM
        kmsKeyId: arn:aws:kms:us-west-1:123456789012:key/e2c16323-1c31-45fb-adda-07e5c9f78997
        licenseModel: general-public-license
        masterUsername: admin
        maxAllocatedStorage: 1000
        monitoringInterval: 0
        multiAZ: false
        networkType: IPV4
        optionGroupMemberships:
          - optionGroupName: default:mysql-8-0
            status: in-sync
        pendingModifiedValues:
          allocatedStorage: 22
        performanceInsightsEnabled: false
        preferredBackupWindow: 11:52-12:22
        preferredMaintenanceWindow: tue:13:03-tue:13:33
        publiclyAccessible: true
        readReplicaDBInstanceIdentifiers: []
        storageEncrypted: true
        storageThroughput: 0
        storageType: gp2
        tagList: []
        vpcSecurityGroups:
          - status: active
            vpcSecurityGroupId: sg-d963a5a4
      sessionCredentialFromConsole: true
      sourceIPAddress: AWS Internal
      userAgent: AWS Internal
      userIdentity:
        accessKeyId: ASIASWJRT64ZWCAMGCWI
        accountId: "123456789012"
        arn: arn:aws:sts::123456789012:assumed-role/Admin/Jack
        principalId: AROAJ4ULUNLE6DYF4PCOK:jack
        sessionContext:
          attributes:
            creationDate: "2022-09-23T23:17:13Z"
            mfaAuthenticated: "true"
          sessionIssuer:
            accountId: "123456789012"
            arn: arn:aws:iam::123456789012:role/Admin
            principalId: AROAJ4ULUNLE6DYF4PCOK
            type: Role
            userName: Admin
          webIdFederationData: {}
        type: AssumedRole
  - ExpectedResult: true
    Name: Master pass modified
    Log:
      awsRegion: us-west-1
      eventCategory: Management
      eventID: 09191e37-4632-4722-82bf-50288436cf47
      eventName: ModifyDBInstance
      eventSource: rds.amazonaws.com
      eventTime: "2022-09-24 00:28:15"
      eventType: AwsApiCall
      eventVersion: "1.08"
      managementEvent: true
      p_any_aws_account_ids:
        - "123456789012"
      p_any_aws_arns:
        - arn:aws:iam::123456789012:role/Admin
        - arn:aws:kms:us-west-1:123456789012:key/e2c16323-1c31-45fb-adda-07e5c9f78997
        - arn:aws:rds:us-west-1:123456789012:db:my-database
        - arn:aws:sts::123456789012:assumed-role/Admin/Jack
      p_any_domain_names:
        - AWS Internal
      p_any_trace_ids:
        - ASIASWJRT64ZWCAMGCWI
      p_event_time: "2022-09-24 00:28:15"
      p_log_type: AWS.CloudTrail
      p_parse_time: "2022-09-24 00:32:43.679"
      p_row_id: eea2890fafffb7b88fae80cb138a08
      p_source_id: b00eb354-da7a-49dd-9cc6-32535e32096a
      p_source_label: CloudTrail
      readOnly: false
      recipientAccountId: "123456789012"
      requestID: 93fba047-0282-4c53-b3a6-1c3bb684f563
      requestParameters:
        allowMajorVersionUpgrade: false
        applyImmediately: true
        dBInstanceIdentifier: my-database
        masterUserPassword: "****"
        maxAllocatedStorage: 1000
      responseElements:
        allocatedStorage: 20
        associatedRoles: []
        autoMinorVersionUpgrade: true
        availabilityZone: us-west-1b
        backupRetentionPeriod: 0
        backupTarget: region
        cACertificateIdentifier: rds-ca-2019
        copyTagsToSnapshot: true
        customerOwnedIpEnabled: false
        dBInstanceArn: arn:aws:rds:us-west-1:123456789012:db:my-database
        dBInstanceClass: db.t3.micro
        dBInstanceIdentifier: my-database
        dBInstanceStatus: available
        dBName: test
        dBParameterGroups:
          - dBParameterGroupName: default.mysql8.0
            parameterApplyStatus: in-sync
        dBSecurityGroups: []
        dBSubnetGroup:
          dBSubnetGroupDescription: Created from the RDS Management Console
          dBSubnetGroupName: default-vpc-f9999999
          subnetGroupStatus: Complete
          subnets:
            - subnetAvailabilityZone:
                name: us-west-1c
              subnetIdentifier: subnet-8cb458ea
              subnetOutpost: {}
              subnetStatus: Active
            - subnetAvailabilityZone:
                name: us-west-1b
              subnetIdentifier: subnet-8382bbd8
              subnetOutpost: {}
              subnetStatus: Active
          vpcId: vpc-f9999999
        dbInstancePort: 0
        dbiResourceId: db-FEVDSUCWJ43PXONVT6ZU2TK4WY
        deletionProtection: false
        domainMemberships: []
        enabledCloudwatchLogsExports:
          - audit
          - error
          - general
        endpoint:
          address: my-database.cbsugyyyyyyy.us-west-1.rds.amazonaws.com
          hostedZoneId: Z10WI91S59XXQN
          port: 3306
        engine: mysql
        engineVersion: 8.0.28
        httpEndpointEnabled: false
        iAMDatabaseAuthenticationEnabled: false
        instanceCreateTime: Sep 23, 2022 11:25:46 PM
        kmsKeyId: arn:aws:kms:us-west-1:123456789012:key/e2c16323-1c31-45fb-adda-07e5c9f78997
        licenseModel: general-public-license
        masterUsername: admin
        maxAllocatedStorage: 1000
        monitoringInterval: 0
        multiAZ: false
        networkType: IPV4
        optionGroupMemberships:
          - optionGroupName: default:mysql-8-0
            status: in-sync
        pendingModifiedValues:
          masterUserPassword: "****"
        performanceInsightsEnabled: false
        preferredBackupWindow: 11:52-12:22
        preferredMaintenanceWindow: tue:13:03-tue:13:33
        publiclyAccessible: true
        readReplicaDBInstanceIdentifiers: []
        storageEncrypted: true
        storageThroughput: 0
        storageType: gp2
        tagList: []
        vpcSecurityGroups:
          - status: active
            vpcSecurityGroupId: sg-d963a5a4
      sessionCredentialFromConsole: true
      sourceIPAddress: AWS Internal
      userAgent: AWS Internal
      userIdentity:
        accessKeyId: ASIASWJRT64ZWCAMGCWI
        accountId: "123456789012"
        arn: arn:aws:sts::123456789012:assumed-role/Admin/Jack
        principalId: AROAJ4ULUNLE6DYF4PCOK:jack
        sessionContext:
          attributes:
            creationDate: "2022-09-23T23:17:13Z"
            mfaAuthenticated: "true"
          sessionIssuer:
            accountId: "123456789012"
            arn: arn:aws:iam::123456789012:role/Admin
            principalId: AROAJ4ULUNLE6DYF4PCOK
            type: Role
            userName: Admin
          webIdFederationData: {}
        type: AssumedRole
```
Detection logic
Condition (all three must hold)
eventName eq "ModifyDBInstance"
eventSource eq "rds.amazonaws.com"
responseElements.pendingModifiedValues.masterUserPassword is_not_null
CloudTrail redacts the password to "****" in both requestParameters and responseElements, so the rule keys on the field being present in the response, not on its value. Because it reads responseElements, a ModifyDBInstance call that is denied (errorCode set, responseElements null) does not match: the rule fires on successful password changes only.
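The condition above, written out as a Panther-style rule() function and run over constructed CloudTrail records. This is an added example, not the rule's own aws_rds_master_pass_updated.py: the deep_get helper, the title format, the trimmed sample events and the ModifyDBCluster extension are all assumptions made here. The sample set includes the two cases from the rule's tests plus two the tests do not cover: a denied call (null responseElements) and an Aurora cluster password change, which uses a different API name and so falls outside the catalog rule as written.

```python
from typing import Any, Mapping, Optional

# Assumed extension: Aurora master passwords are changed with ModifyDBCluster, whose
# DBCluster response carries the same pendingModifiedValues.masterUserPassword marker.
RDS_PASSWORD_EVENTS = {"ModifyDBInstance", "ModifyDBCluster"}


def deep_get(obj: Any, *keys: str) -> Optional[Any]:
    """Walk nested dicts; return None if a key is missing or a level is not a
    mapping (e.g. responseElements is null on a failed API call)."""
    for key in keys:
        if not isinstance(obj, Mapping):
            return None
        obj = obj.get(key)
    return obj


def rule(event: Mapping[str, Any]) -> bool:
    """The page's Condition: ModifyDBInstance on rds.amazonaws.com whose response
    reports a pending master-password change (CloudTrail redacts it to "****")."""
    return (
        event.get("eventSource") == "rds.amazonaws.com"
        and event.get("eventName") == "ModifyDBInstance"
        and deep_get(event, "responseElements", "pendingModifiedValues", "masterUserPassword") is not None
    )


def rule_clusters_too(event: Mapping[str, Any]) -> bool:
    """Assumed variant (not the catalog rule) that also covers Aurora clusters."""
    return (
        event.get("eventSource") == "rds.amazonaws.com"
        and event.get("eventName") in RDS_PASSWORD_EVENTS
        and deep_get(event, "responseElements", "pendingModifiedValues", "masterUserPassword") is not None
    )


def title(event: Mapping[str, Any]) -> str:
    """Alert title (format assumed): target ARN from the response, actor from userIdentity."""
    target = (deep_get(event, "responseElements", "dBInstanceArn")
              or deep_get(event, "responseElements", "dBClusterArn")
              or deep_get(event, "requestParameters", "dBInstanceIdentifier")
              or "<unknown>")
    actor = deep_get(event, "userIdentity", "arn") or "<unknown>"
    return f"AWS RDS master password updated on [{target}] by [{actor}]"


def _event(event_id, name, request, response, error=None):
    """Build a trimmed CloudTrail record; constructed sample data for this example."""
    ev = {
        "eventID": event_id,
        "eventSource": "rds.amazonaws.com",
        "eventName": name,
        "eventCategory": "Management",
        "readOnly": False,
        "requestParameters": request,
        "responseElements": response,
        "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/Jack"},
    }
    if error:
        ev["errorCode"] = error  # CloudTrail sets errorCode and nulls responseElements on failure
    return ev


SAMPLE_EVENTS = [
    # 1. Storage change only: the rule's negative test, trimmed.
    _event("storage-only", "ModifyDBInstance",
           {"dBInstanceIdentifier": "my-database", "allocatedStorage": 22},
           {"dBInstanceArn": "arn:aws:rds:us-west-1:123456789012:db:my-database",
            "pendingModifiedValues": {"allocatedStorage": 22}}),
    # 2. Master password change: the rule's positive test, trimmed.
    _event("password-changed", "ModifyDBInstance",
           {"dBInstanceIdentifier": "my-database", "masterUserPassword": "****"},
           {"dBInstanceArn": "arn:aws:rds:us-west-1:123456789012:db:my-database",
            "pendingModifiedValues": {"masterUserPassword": "****"}}),
    # 3. Denied attempt: the request carries the password but the response is null,
    #    so the condition has nothing to read and the rule stays silent.
    _event("password-denied", "ModifyDBInstance",
           {"dBInstanceIdentifier": "my-database", "masterUserPassword": "****"},
           None, error="AccessDenied"),
    # 4. Aurora cluster password change: a different eventName the catalog rule ignores.
    _event("cluster-password-changed", "ModifyDBCluster",
           {"dBClusterIdentifier": "my-cluster", "masterUserPassword": "****"},
           {"dBClusterArn": "arn:aws:rds:us-west-1:123456789012:cluster:my-cluster",
            "pendingModifiedValues": {"masterUserPassword": "****"}}),
]


def evaluate(events, detector=rule):
    """Return {eventID: alert title} for every event the detector fires on."""
    return {ev["eventID"]: title(ev) for ev in events if detector(ev)}


if __name__ == "__main__":
    for name, det in (("catalog rule", rule), ("with clusters", rule_clusters_too)):
        print(name, sorted(evaluate(SAMPLE_EVENTS, det)))
```

Running it shows the catalog rule firing on the second record only; the denied attempt is invisible to it (pair this rule with an AccessDenied detection if you want attempted changes), and the cluster case is caught only by the extended variant.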
Indicators
Each row is a field, operator, and value that the rule matches; the values are the literals from the Condition above. The last row has no value because the rule only checks that the field is present.
| Field | Kind | Values |
|---|---|---|
| eventName | eq | ModifyDBInstance |
| eventSource | eq | rds.amazonaws.com |
| responseElements.pendingModifiedValues.masterUserPassword | is_not_null | |
Output fields
Fields the rule emits when it matches, with the event path each is read from. For this Panther rule the instance ARN is taken from the CloudTrail response, so it identifies the exact database whose master password was changed.
| Field | Source |
|---|---|
dBInstanceArn | responseElements.dBInstanceArn |