
Summary
This detection rule monitors AWS RDS (Relational Database Service) clusters for modification or deletion events that may signify a security incident. The rule captures events through AWS CloudTrail logs where the event source is 'rds.amazonaws.com' and the event name is either 'ModifyDBCluster' or 'DeleteDBCluster'. These actions could indicate malicious activity such as data exfiltration, unauthorized access attempts, or intentional exposure of sensitive information. The rule aims to surface suspicious changes to RDS clusters by alerting security teams to investigate unauthorized modifications or deletions. Given the critical nature of RDS databases for many applications, this detection rule is assigned a high severity level and requires prompt attention. False positives might occur; therefore, additional verification steps are recommended, including checking the legitimacy of the administrator who initiated the action and confirming whether the changes were planned or part of scheduled maintenance activities.
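The matching logic described above, run over a few constructed CloudTrail records, as an added example (this is not the rule's own implementation or any vendor code). The match itself is only the two fields the rule names, eventSource and eventName; the triage notes that annotate each alert assume the CloudTrail request-parameter names `dBClusterIdentifier`, `skipFinalSnapshot` and `deletionProtection` and are an addition to help the verification step the summary recommends. Account IDs, ARNs and IP addresses are placeholders.

```python
"""Match CloudTrail records against the RDS ModifyDBCluster/DeleteDBCluster rule."""
import json
from typing import Iterable

RDS_EVENT_SOURCE = "rds.amazonaws.com"
WATCHED_EVENTS = {"ModifyDBCluster", "DeleteDBCluster"}

# Constructed sample records (not real log data). Field layout follows the
# CloudTrail record format; identifiers are placeholders.
SAMPLE_RECORDS = [
    {   # deletion with the final snapshot skipped: no backup exists afterwards
        "eventTime": "2024-12-06T10:15:00Z",
        "eventSource": "rds.amazonaws.com",
        "eventName": "DeleteDBCluster",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "198.51.100.10",
        "requestParameters": {"dBClusterIdentifier": "prod-aurora", "skipFinalSnapshot": True},
        "errorCode": None,
    },
    {   # modification that turns deletion protection off
        "eventTime": "2024-12-06T10:16:00Z",
        "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBCluster",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/dba/bob"},
        "sourceIPAddress": "198.51.100.11",
        "requestParameters": {"dBClusterIdentifier": "prod-aurora", "deletionProtection": False},
    },
    {   # read-only RDS call: must not match
        "eventTime": "2024-12-06T10:17:00Z",
        "eventSource": "rds.amazonaws.com",
        "eventName": "DescribeDBClusters",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
    },
    {   # destructive call against a different service: must not match
        "eventTime": "2024-12-06T10:18:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DeleteVolume",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
    },
    {   # denied attempt: still matches, and the failure is noted for triage
        "eventTime": "2024-12-06T10:19:00Z",
        "eventSource": "rds.amazonaws.com",
        "eventName": "DeleteDBCluster",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
        "sourceIPAddress": "203.0.113.5",
        "requestParameters": {"dBClusterIdentifier": "prod-aurora"},
        "errorCode": "AccessDenied",
    },
]


def matches_rule(record: dict) -> bool:
    """The rule's condition: RDS event source and one of the two watched event names."""
    return (record.get("eventSource") == RDS_EVENT_SOURCE
            and record.get("eventName") in WATCHED_EVENTS)


def triage_notes(record: dict) -> list:
    """Hints for the analyst; parameter names are assumptions about the CloudTrail layout."""
    params = record.get("requestParameters") or {}
    notes = []
    if record["eventName"] == "DeleteDBCluster" and params.get("skipFinalSnapshot") is True:
        notes.append("final snapshot skipped: no backup taken before deletion")
    if record["eventName"] == "ModifyDBCluster" and params.get("deletionProtection") is False:
        notes.append("deletion protection disabled")
    if record.get("errorCode"):
        notes.append(f"call failed ({record['errorCode']}): possible unauthorized attempt")
    return notes


def build_alert(record: dict) -> dict:
    """Shape one matched record into the fields an analyst needs to verify the action."""
    params = record.get("requestParameters") or {}
    return {
        "severity": "high",
        "event": record["eventName"],
        "cluster": params.get("dBClusterIdentifier"),
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "time": record.get("eventTime"),
        "failed": bool(record.get("errorCode")),
        "triage_notes": triage_notes(record),
    }


def detect(records: Iterable[dict]) -> list:
    """Apply the rule to parsed records and return one alert per match."""
    return [build_alert(r) for r in records if matches_rule(r)]


def detect_from_lines(lines: Iterable[str]) -> list:
    """Same rule over newline-delimited JSON, as exported CloudTrail records often are."""
    return detect(json.loads(line) for line in lines if line.strip())


def sample_ndjson_lines() -> list:
    """The constructed records serialised one per line, for the NDJSON path."""
    return [json.dumps(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

Of the five constructed records, three produce alerts: the two DeleteDBCluster calls (one of them denied) and the ModifyDBCluster call; the DescribeDBClusters and EC2 records are ignored. The failed attempt is kept deliberately, since a denied deletion is still worth the legitimacy check the summary recommends.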
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Logon Session
- Network Traffic
Created: 2024-12-06