
Summary
Detects when Amazon RDS Database Activity Streams are stopped, using AWS CloudTrail events. Stopping the stream cuts off the database-level audit record, so it is a plausible attacker move to impair monitoring before carrying out malicious operations on the database. The rule flags StopActivityStream API calls whose eventSource is rds.amazonaws.com, that are marked as management events, and whose resourceArn references a DB cluster. The threat model maps to MITRE ATT&CK TA0005 (Defense Evasion), T1562.008 (Impair Defenses: Disable or Modify Cloud Logs). The CloudTrail StopActivityStream event is the primary indicator, and contextual fields (the calling user identity and the resource ARN) are used to reduce false positives. Note that Activity Streams on RDS for Oracle and RDS for SQL Server are enabled per DB instance rather than per cluster, so a stop there carries a DB instance ARN and is outside this rule's cluster-ARN scope.

Operationally, alerts are deduplicated over a 60-minute window. The rule is tested against three scenarios: a successful stop, an attempt that failed for lack of permissions, and unrelated RDS management events.

The runbook calls for correlating the initiating user's prior activity, checking whether the same user has stopped activity streams as routine maintenance in the past 90 days, and looking for sensitive database actions in the 2 hours after the stop to assess whether the stop was malicious. Because the stream itself no longer delivers records once stopped, that 2-hour window has to be reconstructed from sources that keep flowing: CloudTrail for RDS control-plane calls (snapshots, parameter and security-group changes, credential changes), VPC flow logs, and the database engine's own logs. References include the AWS RDS Activity Streams documentation. The rule is labeled Experimental with High severity and covers activity an attacker would use to avoid detection by disabling log streaming.
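To make the matching and dedup logic concrete, here is an added example (not the rule's own code) that runs the detection described above over constructed CloudTrail records. Field names (eventSource, eventName, managementEvent, requestParameters.resourceArn, errorCode, userIdentity.arn) follow the CloudTrail record schema; the account ID, ARNs, user name, event IDs and the function names are assumptions. The example treats a denied StopActivityStream call as a separate "failed_attempt" verdict rather than an alert, which is this example's choice and not something the rule summary states, and it models the 60-minute dedup as one alert per (caller, cluster) pair per window.

```python
"""Added example: StopActivityStream detection over constructed CloudTrail records."""
from datetime import datetime, timedelta, timezone

DEDUP_WINDOW = timedelta(minutes=60)
ALERT_SEVERITY = "HIGH"
ATTACK_TECHNIQUE = "T1562.008"  # Impair Defenses: Disable or Modify Cloud Logs


def _parse_time(ts):
    """CloudTrail eventTime is ISO 8601 UTC, e.g. 2026-04-21T10:15:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(event):
    """Return 'alert', 'failed_attempt' or 'ignore' for one CloudTrail record."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return "ignore"
    if event.get("eventName") != "StopActivityStream":
        return "ignore"
    if event.get("managementEvent") is not True:
        return "ignore"
    arn = (event.get("requestParameters") or {}).get("resourceArn", "")
    if ":cluster:" not in arn:  # the rule keys on DB cluster ARNs only
        return "ignore"
    if event.get("errorCode"):  # denied call: nothing was actually stopped
        return "failed_attempt"
    return "alert"


def dedup_key(event):
    """One alert per (caller, cluster) inside the dedup window."""
    caller = event.get("userIdentity", {}).get("arn", "unknown")
    return f"{caller}|{event['requestParameters']['resourceArn']}"


def evaluate(events):
    """Run the rule in time order; return (alerts after dedup, denied attempt IDs)."""
    last_alert, alerts, failed = {}, [], []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        verdict = classify(ev)
        if verdict == "ignore":
            continue
        if verdict == "failed_attempt":
            failed.append(ev["eventID"])
            continue
        key, t = dedup_key(ev), _parse_time(ev["eventTime"])
        prev = last_alert.get(key)
        if prev is not None and t - prev < DEDUP_WINDOW:
            continue  # suppressed: same caller and cluster within 60 minutes
        last_alert[key] = t
        alerts.append({
            "event_id": ev["eventID"],
            "dedup_key": key,
            "severity": ALERT_SEVERITY,
            "attack": ATTACK_TECHNIQUE,
            "title": f"RDS activity stream stopped on {ev['requestParameters']['resourceArn']}",
        })
    return alerts, failed


# Constructed sample data (assumed account ID, ARNs and user; not real records).
_ACCT = "123456789012"
_CLUSTER = f"arn:aws:rds:us-east-1:{_ACCT}:cluster:prod-aurora"
_INSTANCE = f"arn:aws:rds:us-east-1:{_ACCT}:db:oracle-1"
_USER = f"arn:aws:iam::{_ACCT}:user/alice"


def _stop_event(event_id, event_time, resource_arn=_CLUSTER, error=None):
    ev = {
        "eventID": event_id, "eventTime": event_time, "awsRegion": "us-east-1",
        "eventSource": "rds.amazonaws.com", "eventName": "StopActivityStream",
        "managementEvent": True,
        "userIdentity": {"type": "IAMUser", "arn": _USER},
        "requestParameters": {"resourceArn": resource_arn},
    }
    if error:
        ev["errorCode"] = error
        ev["errorMessage"] = "not authorized to perform: rds:StopActivityStream"
    return ev


SAMPLE_EVENTS = [
    _stop_event("ev-1", "2026-04-21T10:00:00Z"),                         # alert
    _stop_event("ev-2", "2026-04-21T10:20:00Z"),                         # deduped
    _stop_event("ev-3", "2026-04-21T10:30:00Z", error="AccessDenied"),   # failed attempt
    _stop_event("ev-4", "2026-04-21T11:30:00Z"),                         # new window, alert
    _stop_event("ev-5", "2026-04-21T10:05:00Z", resource_arn=_INSTANCE), # instance ARN, ignored
    {"eventID": "ev-6", "eventTime": "2026-04-21T10:06:00Z",            # unrelated RDS call
     "eventSource": "rds.amazonaws.com", "eventName": "DescribeDBClusters",
     "managementEvent": True, "userIdentity": {"arn": _USER}, "requestParameters": {}},
]

if __name__ == "__main__":
    found, denied = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(a["severity"], a["attack"], a["title"], a["event_id"])
    print("denied attempts:", denied)
```

Running it yields two alerts (ev-1 and ev-4, since ev-2 falls inside the first window) and one denied attempt (ev-3); the instance-ARN stop and the DescribeDBClusters call are ignored. The denied-attempt list is kept separately so a team can decide whether to surface it at lower severity, which the summary above does not specify.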
Categories
- Cloud
- AWS
- Database
Data Sources
- Cloud Service
ATT&CK Techniques
- T1562.008
Created: 2026-04-21