<  Back to rules search

AWS RDS Cluster deleted

cloudtrail

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1485-data-destruction

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a user deleted a database cluster in RDS.

Strategy

This rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a RDS cluster:

Triage and response

  1. Determine if the API call: {{@evt.name}} should have occurred.
  2. If it shouldn’t have been made:
    • Contact the user: {{@userIdentity.arn}} and see if they made the API call.
  3. If the API call was not made by the user:
    • Rotate the user credentials.
    • Determine what other API calls were made with the old credentials that were not made by the user.

Changelog

6 April 2022 - Updated rule and signal message.