or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

source: <a href=https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_rds_group_creation.toml>elastic
technicques: T1136

Techniques

Identifies the creation of an Amazon Relational Database Service (RDS) Security group.

event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success