LoFP / an rds security group deletion may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

• T1531

Sample rules

AWS RDS Security Group Deletion

• source: elastic
• technicques:
  • T1531

Description

Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.

Detection logic

event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success