Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AWSCloudTrail - Changes to internet facing AWS RDS Database instances

AWSCloudTrail - Changes to internet facing AWS RDS Database instances

Back
Id8c2ef238-67a0-497d-b1dd-5c8a0f533e25
RulenameAWSCloudTrail - Changes to internet facing AWS RDS Database instances
DescriptionIdentifies AWS CloudTrail events associated with changes to Amazon RDS database security groups and database

security group ingress rules, which may indicate unauthorized modification of internet-facing RDS access. Validate whether

the change was authorized and consistent with change control policy.

RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html
SeverityLow
TacticsPersistence
PrivilegeEscalation
DefenseEvasion
TechniquesT1098.001
T1562.007
Required data connectorsAWS
AWSS3
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToRDSDatabase.yaml
Version1.0.5
Arm template8c2ef238-67a0-497d-b1dd-5c8a0f533e25.json
Deploy To Azure
let EventNameList = dynamic(["AuthorizeDBSecurityGroupIngress","CreateDBSecurityGroup","DeleteDBSecurityGroup","RevokeDBSecurityGroupIngress"]);
AWSCloudTrail
| where EventName in~ (EventNameList)
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  - identifier: CloudAppAccountId
    columnName: RecipientAccountId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
tactics:
- Persistence
- PrivilegeEscalation
- DefenseEvasion
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
- dataTypes:
  - AWSCloudTrail
  connectorId: AWSS3
alertDetailsOverride:
  alertDisplayNameFormat: AWS RDS database security change by {{AccountName}} in {{AWSRegion}}
  alertDescriptionFormat: Event {{EventName}} change in RDS security settings by {{AccountName}} from {{SourceIpAddress}}.
id: 8c2ef238-67a0-497d-b1dd-5c8a0f533e25
severity: Low
status: Available
customDetails:
  EventName: EventName
  EventSource: EventSource
  AWSRegion: AWSRegion
  EventType: EventTypeName
  UserAgent: UserAgent
query: |
  let EventNameList = dynamic(["AuthorizeDBSecurityGroupIngress","CreateDBSecurityGroup","DeleteDBSecurityGroup","RevokeDBSecurityGroupIngress"]);
  AWSCloudTrail
  | where EventName in~ (EventNameList)
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToRDSDatabase.yaml
kind: Scheduled
queryPeriod: 1d
version: 1.0.5
name: AWSCloudTrail - Changes to internet facing AWS RDS Database instances
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
- T1098.001
- T1562.007
description: |
  Identifies AWS CloudTrail events associated with changes to Amazon RDS database security groups and database
  security group ingress rules, which may indicate unauthorized modification of internet-facing RDS access. Validate whether
  the change was authorized and consistent with change control policy.
  RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html  
triggerOperator: gt