This alert detects the use of a MySQL update statement. An update statement is used to modify the existing records in a table. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS MySQL database and has the necessary permissions they can update the database tables to modify the records. They can also escalate their privileges and maintain persistence in the network by modifying the database tables. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

This alert detects the use of a MySQL grant statement. GRANT is a command used to provide access or privileges on the database objects to the users. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS MySQL database and has the necessary permissions they can grant the access rights to a user on critical database objects. There are two types of privileges. 1) System privileges - This allows the user to CREATE, ALTER, or DROP database objects. 2) Object privileges - This allows the user to EXECUTE, SELECT, INSERT, UPDATE, or DELETE data from database objects to which the privileges apply. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

This alert detects the excessive use of MySQL show statement. The show statement is used to get a list of all the databases and database tables. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS MySQL database and has the necessary permissions, it can enumerate databases to view a list of tables and databases and gather critical information. Mitigation Validate if this action was legitimate. If not, investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

This alert triggers when there are more than 3 failed connection attempts to the RDS MySQL database in a 5-minute interval for a specific user. Impact Multiple failed connection/login attempts in a short time frame might indicate a brute-force attack against the relevant account. Mitigation Check if the user is aware of the connection attempts and that these are legit. If not, investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0006 MITRE Technique: T1110

This alert triggers when there are more than 10 failed connection attempts to the RDS MySQL database in a 5-minute interval from an IP address. Impact Multiple failed connection/login attempts in a short time frame might indicate a brute-force attack against the relevant account. Mitigation Check if the user/s are aware of the connection attempts and that these attempts are legit. If not, investigate this activity further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0006 MITRE Technique: T1110

This alert detects the excessive use of MySQL insert statements. Insert statement is used to insert new records in a table. This command throws potential false positives as administrators and power users may use it for administrative activities so it can be fine-tuned according to specific machines or user groups. Impact After an adversary has access to your RDS MySQL database and has the necessary permissions, it can insert new records in highly sensitive database tables. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

This alert detects the excessive use of MySQL select statement. Select statement is used to select data from a database. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS MySQL database and has the necessary permissions, it can enumerate databases to view tables and records to get an overview of database schemas, and user records. Mitigation Validate if this action was legitimate. If not, investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

This alert detects the excessive use of the MySQL delete statement in a specific time interval. The delete statement is used to delete existing records in a table. A user can either delete some records or all the records in a table. Impact After an adversary has access to your RDS MySQL database and has the necessary permissions, it can delete database tables and records in order to disrupt an organization's business operations. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. 5. Check database user accounts for excessive privileges to delete database tables and records. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

This alert detects the use of the MySQL delete statement. The delete statement is used to delete existing records in a table. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS MySQL database and has the necessary permissions, it can delete database tables and records in order to disrupt an organization's business operations. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. 5. Check database user accounts for any excessive privileges to delete database tables and records. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

This alert detects the use of MySQL alter statement. The alter statement is used to add, delete, or modify columns in an existing table. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS MySQL database and has the necessary permissions they can alter the database tables to modify, delete or add the existing records. They can thus escalate their privileges and maintain persistence in the network or disrupt an organization's business operations. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

This alert detects the use of MySQL drop statement. A drop statement is used to either delete an existing table in a database or delete a database itself. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS MySQL database and has the necessary permissions, it can insert new records in highly sensitive database tables. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001