
GuardDuty RDS Protection Finding Types

Threat detection for Amazon RDS and Aurora databases

AWS GuardDuty RDS Protection finding types detect anomalous login behavior, malicious IP access, and Tor network usage on Amazon Aurora, Amazon RDS, and Aurora Limitless databases by monitoring RDS login activity, including successful logins, failed logins, brute force attacks, and database probing.

rds database aurora credential-access threat-detection

Overview

RDS Protection detects anomalous login behavior on Amazon Aurora, Amazon RDS, and Aurora Limitless databases by monitoring RDS login activity. It uses ML-based anomaly detection and threat intelligence to identify suspicious database access patterns, including anomalous logins, brute force attacks, malicious IP access, and Tor network usage.

When Generated:

  • Anomalous successful login detected on RDS database (ML-detected)
  • Anomalous failed login attempts detected on RDS database (ML-detected)
  • Successful brute force login detected after pattern of failed attempts (ML-detected)
  • Successful login from known malicious IP address
  • Failed login attempt from known malicious IP address
  • Malicious IP address probed RDS database (no login attempt)
  • Successful login from Tor exit node IP address
  • Failed login attempt from Tor exit node IP address
  • Tor exit node probed RDS database (no login attempt)

Security Relevance:

Critical

Compliance:

  • PCI-DSS: 8.2, 10.2
  • HIPAA: 164.308(a)(5), 164.312(b)
  • SOC 2: CC6.1, CC6.6
  • ISO 27001: A.9.2, A.9.4
  • NIST CSF: PR.AC-1, DE.CM-1
  • CIS AWS Foundations: 4.1-4.16

Frequency Notes:

The frequency of RDS Protection findings depends on database access patterns and the threat landscape. Production environments typically see 10-50 findings per day. Anomalous behavior findings use ML and require a training period, so their frequency varies (5-30 per day). Malicious IP and Tor findings indicate active attacks (5-20 per day during attacks). Brute force findings are high-severity but lower frequency (1-10 per day). Discovery findings (probing without a login attempt) are medium-severity (5-15 per day).

Generation Configuration

Base Frequency: 25 events/hour
Time Patterns: business_hours, night_hours, weekend
Business Hours Multiplier: 2.5x
Night Hours Multiplier: 2.0x
Weekend Multiplier: 1.0x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

detail.type
  Type: String (Required)
  Source: random_choice() of 9 RDS Protection finding types
  Description: RDS Protection finding type indicating attack tactic and detection method
  Example: CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin
  Possible Values:
    • CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin — Anomalous successful login detected (severity: Variable - Low/Medium/High based on behavior)
    • CredentialAccess:RDS/AnomalousBehavior.FailedLogin — Anomalous failed login attempts detected (severity: Low)
    • CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce — Successful brute force login after pattern of failed attempts (severity: High)
    • CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin — Successful login from known malicious IP address (severity: High)
    • CredentialAccess:RDS/MaliciousIPCaller.FailedLogin — Failed login attempt from known malicious IP address (severity: Medium)
    • Discovery:RDS/MaliciousIPCaller — Malicious IP address probed database (no login attempt) (severity: Medium)
    • CredentialAccess:RDS/TorIPCaller.SuccessfulLogin — Successful login from Tor exit node IP address (severity: High)
    • CredentialAccess:RDS/TorIPCaller.FailedLogin — Failed login attempt from Tor exit node IP address (severity: Medium)
    • Discovery:RDS/TorIPCaller — Tor exit node probed database (no login attempt) (severity: Medium)

detail.resource.resourceType
  Type: String (Required)
  Source: random_choice(['RDSDBInstance', 'RDSLimitlessDB'])
  Description: Type of RDS resource where activity was detected
  Example: RDSDBInstance
  Possible Values:
    • RDSDBInstance — Amazon RDS or Aurora database instance
    • RDSLimitlessDB — Aurora Limitless database

detail.resource.rdsDbInstanceDetails
  Type: Object (Required)
  Source: RDS instance metadata from GuardDuty
  Description: Details about the RDS database instance
  Example: {dbInstanceIdentifier, engine, engineVersion, dbClusterIdentifier, dbInstanceArn, tags}

detail.resource.rdsDbInstanceDetails.engine
  Type: String (Required)
  Format: Database engine identifier
  Source: random_choice() of supported RDS engines
  Description: Database engine type
  Example: aurora-mysql
  Possible Values:
    • aurora-mysql — Amazon Aurora MySQL
    • aurora-postgresql — Amazon Aurora PostgreSQL
    • mysql — MySQL
    • postgres — PostgreSQL
    • mariadb — MariaDB
    • oracle-ee — Oracle Enterprise Edition
    • sqlserver-ee — SQL Server Enterprise Edition

detail.service.action.rdsLoginActivity
  Type: Object (Required)
  Source: RDS login activity metadata from GuardDuty
  Description: RDS login activity details that triggered the finding
  Example: {applicationProtocol, remoteIpDetails, localPortDetails, loginAttributes, blocked}

detail.service.action.rdsLoginActivity.applicationProtocol
  Type: String (Required)
  Format: Protocol name
  Source: random_choice(['mysql', 'postgresql', 'sqlserver', 'oracle'])
  Description: Database protocol used for the connection
  Example: mysql
  Possible Values:
    • mysql — MySQL protocol
    • postgresql — PostgreSQL protocol
    • sqlserver — SQL Server protocol
    • oracle — Oracle protocol

detail.service.action.rdsLoginActivity.loginAttributes.user
  Type: String (Required)
  Format: Username
  Source: random_choice() from registry users or common database usernames
  Description: Database user that attempted or successfully logged in
  Example: admin

detail.service.action.rdsLoginActivity.loginAttributes.database
  Type: String (Required)
  Format: Database name
  Source: random_choice() of common database names
  Description: Database name that was accessed
  Example: production

detail.service.action.rdsLoginActivity.loginAttributes.applicationName
  Type: String (Optional)
  Format: Application name
  Source: random_choice() of common database client tools
  Description: Application or client tool name used for the connection
  Example: psql

detail.service.action.rdsLoginActivity.localPortDetails.port
  Type: Integer (Required)
  Format: Integer (common database ports)
  Source: random_choice([3306, 5432, 1433, 1521, 6379])
  Description: Database port number
  Example: 3306
  Possible Values:
    • 3306 — MySQL/MariaDB default port
    • 5432 — PostgreSQL default port
    • 1433 — SQL Server default port
    • 1521 — Oracle default port
    • 6379 — Redis default port

detail.service.action.rdsLoginActivity.remoteIpDetails.ipAddressV4
  Type: String (Required)
  Format: IPv4 address
  Source: random_public_ip()
  Description: Source IP address of the database login attempt
  Example: 203.0.113.42

detail.service.action.rdsLoginActivity.blocked
  Type: Boolean (Required)
  Format: Boolean
  Source: random_choice(['true', 'false'])
  Description: Whether the login attempt was blocked
  Example: false

detail.service.additionalInfo.unusual
  Type: Object (Optional)
  Source: Object with unusual behavior flags for ML-detected anomalies
  Description: ML model analysis of unusual behaviors for anomalous findings
  Example: {"userIdentity": {"userName": "anomalous", "asnOrg": "not historical"}}

detail.service.additionalInfo.threatListName
  Type: String (Optional)
  Format: Threat list name
  Source: random_choice() of threat intelligence list names
  Description: Name of threat intelligence list that matched (for malicious IP findings)
  Example: ProofPoint

detail.severity
  Type: Integer (Required)
  Source: random_choice([2, 2, 5, 5, 5, 8, 8]) - varies by finding type
  Description: Finding severity level (varies by finding type)
  Example: 5
  Possible Values:
    • 2 — Low severity (1.0-3.9) - e.g., AnomalousBehavior.FailedLogin, Discovery findings
    • 5 — Medium severity (4.0-6.9) - e.g., MaliciousIPCaller.FailedLogin, TorIPCaller.FailedLogin, Discovery findings
    • 8 — High severity (7.0-8.9) - e.g., AnomalousBehavior.SuccessfulBruteForce, MaliciousIPCaller.SuccessfulLogin, TorIPCaller.SuccessfulLogin
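The field reference above is enough to write a first-pass triage routine for these findings. The following is an added example, not code from the page, the generator, or AWS: it parses the finding type into tactic, detector and outcome, maps the numeric severity to the Low/Medium/High bands listed above, and assigns a priority based on whether a login actually succeeded and was not blocked. It assumes the finding arrives wrapped in an EventBridge event with the finding under "detail" (all field names on the page start with "detail."); the sample events, the P1/P2/P3 labels and the action strings are this example's own constructions.

```python
"""Added example: triage GuardDuty RDS Protection findings (not AWS code).

Assumption: the finding is the "detail" member of an EventBridge event.
Priority labels and recommended actions are this example's conventions.
"""
from typing import Any, Dict, Optional, Tuple


def parse_finding_type(finding_type: str) -> Tuple[str, str, Optional[str]]:
    """Split 'Tactic:RDS/Detector.Outcome' into (tactic, detector, outcome).

    Discovery findings have no outcome ('Discovery:RDS/TorIPCaller'), so
    outcome is None for them.
    """
    tactic, _, rest = finding_type.partition(":")
    resource, _, detail = rest.partition("/")
    if resource != "RDS" or not tactic or not detail:
        raise ValueError(f"not an RDS Protection finding type: {finding_type!r}")
    detector, _, outcome = detail.partition(".")
    return tactic, detector, outcome or None


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity to the bands listed on the page."""
    if severity < 4.0:
        return "Low"
    if severity < 7.0:
        return "Medium"
    return "High"


def _as_bool(value: Any) -> bool:
    # 'blocked' is documented as Boolean, but the generator's source draws
    # from the strings 'true'/'false'; accept both so the check cannot
    # silently treat the string "false" as truthy.
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def triage(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return the fields an analyst needs plus a priority and next action."""
    d = event["detail"]
    tactic, detector, outcome = parse_finding_type(d["type"])
    login = d["service"]["action"]["rdsLoginActivity"]
    attrs = login.get("loginAttributes", {})
    db = d["resource"]["rdsDbInstanceDetails"]
    src_ip = login["remoteIpDetails"]["ipAddressV4"]
    blocked = _as_bool(login.get("blocked", False))
    threat_list = d["service"].get("additionalInfo", {}).get("threatListName")

    # A login that succeeded and was not blocked is the only case where the
    # attacker holds a working credential: that is the containment case.
    if outcome in ("SuccessfulLogin", "SuccessfulBruteForce") and not blocked:
        priority = "P1"
        action = (f"rotate credentials for {attrs.get('user')} on "
                  f"{db['dbInstanceIdentifier']}, block {src_ip}, review session activity")
    elif tactic == "Discovery":
        priority = "P3"
        action = f"review network exposure of {db['dbInstanceIdentifier']} (no login attempted)"
    else:
        # Failed or blocked attempts: sourced from threat intel they still
        # deserve a closer look than an ML-only anomaly.
        priority = "P2" if detector in ("MaliciousIPCaller", "TorIPCaller") else "P3"
        action = f"confirm {src_ip} is not a legitimate client; watch for a later success"

    return {"tactic": tactic, "detector": detector, "outcome": outcome,
            "severity": severity_label(d["severity"]), "engine": db["engine"],
            "port": login["localPortDetails"]["port"], "user": attrs.get("user"),
            "database": attrs.get("database"), "blocked": blocked,
            "threat_list": threat_list, "priority": priority, "action": action}


def _sample(ftype: str, severity: int, blocked: Any, ip: str = "203.0.113.42",
            threat_list: Optional[str] = None) -> Dict[str, Any]:
    # Constructed sample event shaped after the field definitions above.
    info = {"threatListName": threat_list} if threat_list else {}
    return {"detail": {
        "type": ftype, "severity": severity,
        "resource": {"resourceType": "RDSDBInstance",
                     "rdsDbInstanceDetails": {"dbInstanceIdentifier": "orders-db",
                                              "engine": "aurora-mysql"}},
        "service": {"action": {"rdsLoginActivity": {
            "applicationProtocol": "mysql",
            "remoteIpDetails": {"ipAddressV4": ip},
            "localPortDetails": {"port": 3306},
            "loginAttributes": {"user": "admin", "database": "production",
                                "applicationName": "mysql"},
            "blocked": blocked}},
            "additionalInfo": info}}}


SAMPLE_EVENTS = [
    _sample("CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin", 8, "false",
            threat_list="ProofPoint"),
    _sample("CredentialAccess:RDS/AnomalousBehavior.FailedLogin", 2, True),
    _sample("Discovery:RDS/TorIPCaller", 5, False, ip="198.51.100.7"),
    _sample("CredentialAccess:RDS/TorIPCaller.FailedLogin", 5, False, ip="198.51.100.7"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        t = triage(ev)
        print(f"{t['priority']} {t['severity']:6} {ev['detail']['type']} -> {t['action']}")
```

The string-versus-boolean handling in `_as_bool` is deliberate: the table declares `blocked` as Boolean while the generator source draws from the strings 'true' and 'false', and a rule written as `if not login["blocked"]` would treat the string "false" as truthy and never escalate a successful, unblocked login.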
