Microsoft Sentinel Analytic Rules

AWSCloudTrail - Changes to internet facing AWS RDS Database instances

Id: 8c2ef238-67a0-497d-b1dd-5c8a0f533e25
Rulename: AWSCloudTrail - Changes to internet facing AWS RDS Database instances
Description: Identifies AWS CloudTrail events associated with changes to Amazon RDS database security groups and database security group ingress rules, which may indicate unauthorized modification of internet-facing RDS access. Validate whether the change was authorized and consistent with change control policy.
RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html
Severity: Low
Tactics: Persistence, PrivilegeEscalation, DefenseEvasion
Techniques: T1098.001, T1562.007
Required data connectors: AWS, AWSS3
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToRDSDatabase.yaml
Version: 1.0.5
Arm template: 8c2ef238-67a0-497d-b1dd-5c8a0f533e25.json
let EventNameList = dynamic(["AuthorizeDBSecurityGroupIngress","CreateDBSecurityGroup","DeleteDBSecurityGroup","RevokeDBSecurityGroupIngress"]);
AWSCloudTrail
| where EventName in~ (EventNameList)
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements
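To check what the rule's account-name normalisation and summarisation actually do before deploying it, the KQL above can be mirrored in Python over constructed CloudTrail rows. This is an added example, not code from the Azure-Sentinel repository; the `rec` helper, the sample rows and the reduced set of summarize by-columns are assumptions made here.

```python
# Added example, not code from the Azure-Sentinel repo: re-implements the rule's KQL in Python.
EVENT_NAMES = {"authorizedbsecuritygroupingress", "createdbsecuritygroup",
               "deletedbsecuritygroup", "revokedbsecuritygroupingress"}  # 'in~' is case-insensitive

def rec(ts, event, arn, user="", principal="AIDAEXAMPLE", resources=None):
    """Constructed CloudTrail row with only the columns the rule reads (sample data, not real)."""
    return {"TimeGenerated": ts, "EventName": event, "UserIdentityArn": arn,
            "UserIdentityUserName": user, "UserIdentityPrincipalid": principal,
            "RecipientAccountId": "111122223333", "SourceIpAddress": "198.51.100.7",
            "AWSRegion": "us-east-1", "SessionMfaAuthenticated": "false",
            "Resources": resources or []}  # already parsed; the KQL calls parse_json(Resources)

def account_fields(r):
    """Mirror the rule's extend steps; returns (AccountName, AccountUPNSuffix)."""
    arn = r.get("UserIdentityArn") or ""
    if not arn:  # KQL falls back to parse_json(Resources)[0].ARN
        arn = r["Resources"][0]["ARN"] if r.get("Resources") else ""
    user_name = arn.split("/")[-1]  # split(UserIdentityArn, '/')[-1]
    if r.get("UserIdentityPrincipalid") == "Anonymous":
        account = "Anonymous"
    else:
        account = r.get("UserIdentityUserName") or user_name
    if "@" in account:  # split(AccountName, '@', 0)[0] and split(AccountName, '@', 1)[0]
        parts = account.split("@")
        return parts[0], parts[1]
    return account, ""

def summarize(rows):
    """Mirror the summarize step on a subset of its by-columns (the KQL also groups by
    UserAgent, EventTypeName, ResponseElements, ...); returns {key: (StartTimeUtc, EndTimeUtc)}."""
    groups = {}
    for r in rows:
        if r["EventName"].lower() not in EVENT_NAMES:
            continue
        name, suffix = account_fields(r)
        key = (r["EventName"], r["RecipientAccountId"], name, suffix,
               r["SourceIpAddress"], r["AWSRegion"], r["SessionMfaAuthenticated"])
        start, end = groups.get(key, (r["TimeGenerated"], r["TimeGenerated"]))
        groups[key] = (min(start, r["TimeGenerated"]), max(end, r["TimeGenerated"]))
    return groups

# Constructed rows: a UPN-style IAM user (two events), an assumed role with an empty
# UserIdentityArn, and an unrelated read-only call that the rule must ignore.
SAMPLE = [
    rec("2024-01-01T10:00:00Z", "AuthorizeDBSecurityGroupIngress",
        "arn:aws:iam::111122223333:user/alice@example.com", user="alice@example.com"),
    rec("2024-01-01T10:05:00Z", "AuthorizeDBSecurityGroupIngress",
        "arn:aws:iam::111122223333:user/alice@example.com", user="alice@example.com"),
    rec("2024-01-01T11:00:00Z", "CreateDBSecurityGroup", "", principal="AROAEXAMPLE:deploy",
        resources=[{"ARN": "arn:aws:sts::111122223333:assumed-role/DbAdmin/deploy"}]),
    rec("2024-01-01T11:30:00Z", "DescribeDBInstances", "arn:aws:iam::111122223333:user/bob", user="bob"),
]
```

Running `summarize(SAMPLE)` yields two groups: the two ingress changes by alice collapse into one row spanning 10:00 to 10:05, the assumed-role event is attributed to the session name "deploy" because UserIdentityUserName is empty, and the Describe call is dropped.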
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  - columnName: RecipientAccountId
    identifier: CloudAppAccountId
  entityType: Account
- fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
  entityType: IP
triggerOperator: gt
tactics:
- Persistence
- PrivilegeEscalation
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToRDSDatabase.yaml
alertDetailsOverride:
  alertDescriptionFormat: Event {{EventName}} change in RDS security settings by {{AccountName}} from {{SourceIpAddress}}.
  alertDisplayNameFormat: AWS RDS database security change by {{AccountName}} in {{AWSRegion}}
version: 1.0.5
query: |
  let EventNameList = dynamic(["AuthorizeDBSecurityGroupIngress","CreateDBSecurityGroup","DeleteDBSecurityGroup","RevokeDBSecurityGroupIngress"]);
  AWSCloudTrail
  | where EventName in~ (EventNameList)
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements  
triggerThreshold: 0
relevantTechniques:
- T1098.001
- T1562.007
queryPeriod: 1d
status: Available
severity: Low
kind: Scheduled
customDetails:
  EventSource: EventSource
  UserAgent: UserAgent
  EventType: EventTypeName
  AWSRegion: AWSRegion
  EventName: EventName
name: AWSCloudTrail - Changes to internet facing AWS RDS Database instances
queryFrequency: 1d
id: 8c2ef238-67a0-497d-b1dd-5c8a0f533e25
description: |
  Identifies AWS CloudTrail events associated with changes to Amazon RDS database security groups and database
  security group ingress rules, which may indicate unauthorized modification of internet-facing RDS access. Validate whether
  the change was authorized and consistent with change control policy.
  RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html  
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
- dataTypes:
  - AWSCloudTrail
  connectorId: AWSS3