Microsoft Sentinel Analytic Rules

AWSCloudTrail - RDS instance publicly exposed

Id: 8f1630c2-2e45-4df2-be43-50fba90f601d
Rule name: AWSCloudTrail - RDS instance publicly exposed
Description: Detects RDS instance creation or modification events where the database is configured as publicly accessible.

Public exposure of database instances can increase the risk of unauthorized access and data leakage.
Severity: Medium
Tactics: Exfiltration
Techniques: T1537
Required data connectors: AWS
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_RDSInstancePubliclyExposed.yaml
Version: 1.0.3
Arm template: 8f1630c2-2e45-4df2-be43-50fba90f601d.json

Query:
AWSCloudTrail
| where  EventName in ("CreateDBInstance", "ModifyDBInstance") and isempty(ErrorCode) and isempty(ErrorMessage)
| where tostring(parse_json(RequestParameters).publiclyAccessible) == "true"
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  - identifier: CloudAppAccountId
    columnName: RecipientAccountId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
tactics:
- Exfiltration
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
alertDetailsOverride:
  alertDisplayNameFormat: AWS RDS instance publicly exposed by {{AccountName}}
  alertDescriptionFormat: Detected {{EventName}} event from {{SourceIpAddress}} setting RDS publicly accessible in account {{RecipientAccountId}}.
id: 8f1630c2-2e45-4df2-be43-50fba90f601d
severity: Medium
status: Available
customDetails:
  RecipientAccountId: RecipientAccountId
  AWSRegion: AWSRegion
  UserIdentityArn: UserIdentityArn
  EventName: EventName
query: |
  AWSCloudTrail
  | where  EventName in ("CreateDBInstance", "ModifyDBInstance") and isempty(ErrorCode) and isempty(ErrorMessage)
  | where tostring(parse_json(RequestParameters).publiclyAccessible) == "true"
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_RDSInstancePubliclyExposed.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.3
name: AWSCloudTrail - RDS instance publicly exposed
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1537
description: |
  Detects RDS instance creation or modification events where the database is configured as publicly accessible.
  Public exposure of database instances can increase the risk of unauthorized access and data leakage.  
triggerOperator: gt
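As an added example (not part of the rule or of the Azure-Sentinel repository), the following Python re-implements the query's filters and entity derivation over constructed AWSCloudTrail-shaped rows, so the rule's edge cases can be checked offline: failed API calls are dropped, publiclyAccessible matches whether it was logged as a boolean or a string, the identity ARN falls back to the first resource ARN, and a UPN-style name is split into the Account entity's Name and UPNSuffix. Column names follow Sentinel's AWSCloudTrail table; the sample rows, ARNs, account id and IPs are constructed.

```python
import json

def _row(name, params, err="", arn="", user="", principal="AIDAEXAMPLE", resources="[]"):
    """Build a constructed AWSCloudTrail-shaped row using Sentinel's column names."""
    return {"EventName": name, "ErrorCode": err, "ErrorMessage": err,
            "RequestParameters": json.dumps(params), "UserIdentityArn": arn,
            "Resources": resources, "UserIdentityPrincipalid": principal,
            "UserIdentityUserName": user, "SourceIpAddress": "198.51.100.10",
            "RecipientAccountId": "111122223333"}

# Constructed sample rows (not real telemetry): one clean match, one failed call,
# one non-public instance, one match with a missing identity ARN, one unrelated event.
SAMPLE_EVENTS = [
    _row("CreateDBInstance", {"dBInstanceIdentifier": "db1", "publiclyAccessible": True},
         arn="arn:aws:iam::111122223333:user/alice", user="alice"),
    _row("ModifyDBInstance", {"dBInstanceIdentifier": "db2", "publiclyAccessible": True},
         err="AccessDenied", arn="arn:aws:iam::111122223333:user/mallory", user="mallory"),
    _row("CreateDBInstance", {"dBInstanceIdentifier": "db3", "publiclyAccessible": False},
         arn="arn:aws:iam::111122223333:user/carol", user="carol"),
    _row("ModifyDBInstance", {"dBInstanceIdentifier": "db4", "publiclyAccessible": "true"},
         resources='[{"ARN": "arn:aws:sts::111122223333:assumed-role/DbAdmin/bob@example.com"}]'),
    _row("DeleteDBInstance", {"dBInstanceIdentifier": "db5"}, arn="arn:aws:iam::111122223333:user/dave", user="dave"),
]

def _kql_tostring(value):
    """Mimic KQL tostring(): booleans render lowercase, a missing value becomes ''."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)

def evaluate_rule(events):
    """Apply the rule's filters and entity derivation; return one alert dict per matching row."""
    alerts = []
    for e in events:
        if e["EventName"] not in ("CreateDBInstance", "ModifyDBInstance"):
            continue
        if e["ErrorCode"] or e["ErrorMessage"]:  # failed API calls are ignored, as in the query
            continue
        params = json.loads(e["RequestParameters"] or "{}")
        if _kql_tostring(params.get("publiclyAccessible")) != "true":
            continue
        # Fall back to the first resource ARN when the identity ARN is missing.
        arn = e["UserIdentityArn"] or _kql_tostring((json.loads(e["Resources"] or "[]") + [{}])[0].get("ARN"))
        user_name = arn.split("/")[-1]
        if e["UserIdentityPrincipalid"] == "Anonymous":
            account = "Anonymous"
        else:
            account = e["UserIdentityUserName"] or user_name
        # Split a UPN-style name into the Account entity's Name and UPNSuffix fields.
        name, suffix = (account.split("@")[0], account.split("@")[1]) if "@" in account else (account, "")
        alerts.append({"EventName": e["EventName"], "AccountName": name, "AccountUPNSuffix": suffix,
                       "SourceIpAddress": e["SourceIpAddress"], "RecipientAccountId": e["RecipientAccountId"]})
    return alerts
```

Running `evaluate_rule(SAMPLE_EVENTS)` yields two alerts: db1 attributed to `alice`, and db4 attributed to `bob` with UPN suffix `example.com` derived from the resource ARN fallback.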