or hostname should be making changes in your environment. cluster or instance stoppages from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

source: <a href=https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml>elastic
technicques: T1489

Techniques

Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.

event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success