
[Rule Deprecation] AWS Redshift Cluster Creation

Open imays11 opened this issue 2 months ago • 3 comments

Pull Request

Issue link(s):

  • https://github.com/elastic/ia-trade-team/issues/616

Summary - What I changed

CreateCluster is a common Redshift lifecycle operation that occurs frequently in normal workflows. This rule aligns more with cloud infrastructure monitoring or posture management, which is important but not the focus of our detection ruleset. Real-world Redshift abuse centers on misuse of existing resources, such as snapshot sharing or copying, or exposing the cluster through permissive VPC security group changes. Also relevant is follow-up activity abusing privileges of a Redshift cluster's attached role, as highlighted by this research. These threat paths will be covered by future rule dev. However, creation of a cluster by itself is not an obvious indicator of threat behavior. Deprecating this rule reduces noise and keeps the AWS ruleset aligned with real threat surfaces rather than infrastructure management.

imays11 avatar Nov 26 '25 16:11 imays11