
Summary
Detects reboots of AWS RDS instances, clusters, or shard groups by parsing CloudTrail logs for the corresponding API calls (e.g., RebootDBInstance, RebootDBCluster). A single matching event triggers the rule (Threshold: 1), with a 60-minute dedup window to balance sensitivity against noise. The rule flags reboot operations initiated by a user or role (as shown by userIdentity) and links each reboot to the affected resource via requestParameters (dBInstanceIdentifier or dBClusterIdentifier). It aims to surface unexpected reboots that could cause service disruption, represent DoS testing, or point to operational issues requiring investigation. The rule is mapped to MITRE ATT&CK TA0040:T1499 (Endpoint Denial of Service).

Detection relies on CloudTrail AwsApiCall events and examines eventName and related fields to distinguish legitimate admin activity from anomalous reboots. Both instance and cluster reboots are supported, including failover scenarios (e.g., forceFailover).

The runbook recommends checking reboot activity within the past 24 hours for bulk patterns, reviewing the resource's prior reboot history over 90 days, and inspecting related DB modification events in the 30 minutes preceding the reboot. Data sources are Cloud Service logs, and the rule targets Cloud/AWS Database assets. Samples illustrate positive detections (RebootDBInstance, and RebootDBCluster with failover) and negative cases (a failed reboot and unrelated StartDBInstance events).
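As an added example (not the rule's own code), the detection logic described above expressed as a small Python rule function with the 60-minute dedup, run over constructed CloudTrail-style records covering the positive and negative sample cases named in the summary. Field names follow CloudTrail's RDS records; the actor ARN, resource names and error code are made up for illustration.

```python
from datetime import datetime, timedelta

REBOOT_EVENTS = {"RebootDBInstance", "RebootDBCluster"}
DEDUP_WINDOW = timedelta(minutes=60)

def rule(event):
    """Fire on a successful RDS reboot recorded by CloudTrail as an AwsApiCall."""
    return (event.get("eventType") == "AwsApiCall"
            and event.get("eventSource") == "rds.amazonaws.com"
            and event.get("eventName") in REBOOT_EVENTS
            and "errorCode" not in event)  # a failed call rebooted nothing

def target(event):
    """Resource named in requestParameters: instance first, then cluster."""
    p = event.get("requestParameters") or {}
    return p.get("dBInstanceIdentifier") or p.get("dBClusterIdentifier") or "<unknown>"

def actor(event):
    u = event.get("userIdentity") or {}  # principal: ARN preferred, principalId fallback
    return u.get("arn") or u.get("principalId") or "<unknown>"

def title(event):
    flag = " (forceFailover)" if (event.get("requestParameters") or {}).get("forceFailover") else ""
    return f"RDS {event['eventName']}{flag} on {target(event)} by {actor(event)}"

def run(events):
    """Evaluate events in time order with a 60-minute dedup per actor+resource."""
    last, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not rule(ev):
            continue
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        key = (actor(ev), target(ev))
        if key in last and ts - last[key] < DEDUP_WINDOW:
            continue  # same actor, same resource, inside the window: suppressed
        last[key] = ts
        alerts.append(title(ev))
    return alerts

ACTOR = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dba"}  # constructed sample

def _ev(time, name, params, **extra):
    # Build a constructed CloudTrail-style record (sample data, not a real trail)
    return {"eventTime": time, "eventType": "AwsApiCall", "eventSource": "rds.amazonaws.com",
            "eventName": name, "userIdentity": ACTOR, "requestParameters": params, **extra}

SAMPLES = [
    _ev("2026-04-21T10:00:00Z", "RebootDBInstance", {"dBInstanceIdentifier": "orders-db"}),
    _ev("2026-04-21T10:20:00Z", "RebootDBInstance", {"dBInstanceIdentifier": "orders-db"}),  # deduped
    _ev("2026-04-21T10:05:00Z", "RebootDBCluster", {"dBClusterIdentifier": "orders-cluster", "forceFailover": True}),
    _ev("2026-04-21T10:06:00Z", "RebootDBInstance", {"dBInstanceIdentifier": "reports-db"}, errorCode="InvalidDBInstanceState"),
    _ev("2026-04-21T10:07:00Z", "StartDBInstance", {"dBInstanceIdentifier": "reports-db"}),  # unrelated
]
```

Running `run(SAMPLES)` yields two alerts: the first orders-db reboot and the forceFailover cluster reboot; the second orders-db reboot is suppressed by dedup, and the failed reboot and StartDBInstance never match.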
Categories
- Cloud
- AWS
- Database
Data Sources
- Cloud Service
ATT&CK Techniques
- T1499
Created: 2026-04-21