AWS RDS DB Snapshot Created

Elastic Stack Serverless Security

Identifies when an AWS RDS DB Snapshot is created. This can be used to evade defenses by allowing an attacker to bypass access controls or cover their tracks by reverting an instance to a previous state. This is a building block rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity. To generate alerts, create a rule that uses this signal as a building block.

Rule type: query

Rule indices:

• filebeat-*
• logs-aws.cloudtrail-*

Severity: low

Risk score: 21

Runs every: 10m

Searches indices from: now-60m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

• Domain: Cloud
• Data Source: AWS
• Data Source: Amazon Web Services
• Data Source: AWS RDS
• Use Case: Asset Visibility
• Tactic: Defense Evasion
• Rule Type: BBR

Version: 1

Rule authors:

• Elastic

Rule license: Elastic License v2

event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com"
    and event.action: ("CreateDBSnapshot" or "CreateDBClusterSnapshot") and event.outcome: "success"

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Defense Evasion
  • ID: TA0005
  • Reference URL: https://attack.mitre.org/tactics/TA0005/

• Technique:

  • Name: Modify Cloud Compute Infrastructure
  • ID: T1578
  • Reference URL: https://attack.mitre.org/techniques/T1578/

• Sub-technique:

  • Name: Create Snapshot
  • ID: T1578.001
  • Reference URL: https://attack.mitre.org/techniques/T1578/001/