
Summary
This detection rule is designed to identify when an Amazon RDS (Relational Database Service) cluster or instance has been stopped. The rule monitors AWS CloudTrail logs for successful stop actions (StopDBCluster or StopDBInstance API calls) against RDS resources. The detection matters because adversaries may stop these instances or clusters with malicious intent, potentially causing service disruption or data loss.
When a stop event fires, analysts are prompted to investigate several areas to determine whether the action was legitimate. The suggested steps include reviewing the CloudTrail logs to identify the user or role responsible, correlating the event time with known operational activity (such as planned maintenance), and checking for anomalies in source IPs or access patterns. If the stop action appears unauthorized, immediate remediation is recommended, including isolating the RDS instance from further access and restoring from backups as necessary.
The rule description also covers potential false positives: legitimate maintenance and testing processes often cause routine stoppages that should be exempt from alerting. The rule therefore allows tuning to operational context, such as excluding specific user-initiated stop actions or scheduled maintenance events. The response and remediation section emphasizes preventive measures after an incident, including a review of IAM policies and user access controls to prevent future unauthorized actions.
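The following is an added example, not the rule's own query or Elastic's code, showing the matching and tuning logic described above applied to constructed CloudTrail records: it selects successful StopDBCluster/StopDBInstance calls from the rds.amazonaws.com event source, then suppresses matches from an allowlisted principal or inside a declared maintenance window. The sample events, the principal ARN, the account id, the IP address and the maintenance window are all constructed for illustration.

```python
from datetime import datetime, timezone

# The two successful stop actions the rule looks for.
STOP_ACTIONS = {"StopDBCluster", "StopDBInstance"}

# Constructed CloudTrail records (not real data). Field names follow the
# CloudTrail record format; identifiers, ARNs and IPs are placeholders.
SAMPLE_EVENTS = [
    {   # routine stop by an operations user inside the maintenance window
        "eventTime": "2020-05-20T02:15:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "StopDBInstance", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                         "arn": "arn:aws:iam::123456789012:user/ops-admin"},
        "requestParameters": {"dBInstanceIdentifier": "orders-db"},
    },
    {   # mid-day cluster stop by an unexpected assumed role: should alert
        "eventTime": "2020-05-20T14:07:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "StopDBCluster", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/unknown-role/s1"},
        "requestParameters": {"dBClusterIdentifier": "billing-cluster"},
    },
    {   # failed stop attempt: CloudTrail records an errorCode, rule ignores it
        "eventTime": "2020-05-20T14:09:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "StopDBInstance", "sourceIPAddress": "198.51.100.23",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "userName": "readonly",
                         "arn": "arn:aws:iam::123456789012:user/readonly"},
        "requestParameters": {"dBInstanceIdentifier": "orders-db"},
    },
    {   # unrelated read-only RDS call: not a stop action
        "eventTime": "2020-05-20T14:10:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "DescribeDBInstances", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                         "arn": "arn:aws:iam::123456789012:user/ops-admin"},
    },
]

# Tuning knobs standing in for the rule's exceptions (constructed values).
ALLOWED_PRINCIPALS = set()  # e.g. a deployment role's ARN, if policy permits
MAINTENANCE_WINDOWS = [(
    datetime(2020, 5, 20, 2, 0, tzinfo=timezone.utc),
    datetime(2020, 5, 20, 3, 0, tzinfo=timezone.utc),
)]


def is_rds_stop(event):
    """True for a successful RDS stop call: right source, right API name, no errorCode."""
    return (event.get("eventSource") == "rds.amazonaws.com"
            and event.get("eventName") in STOP_ACTIONS
            and "errorCode" not in event)


def principal_of(event):
    """Best available identity string for the caller, used for triage and allowlisting."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def resource_of(event):
    """Target cluster or instance identifier from requestParameters (constructed key names)."""
    params = event.get("requestParameters", {})
    return params.get("dBClusterIdentifier") or params.get("dBInstanceIdentifier")


def find_suspicious_stops(events, allowed_principals=ALLOWED_PRINCIPALS,
                          maintenance_windows=MAINTENANCE_WINDOWS):
    """Return alert records for stop events not explained by an allowlist or window."""
    alerts = []
    for event in events:
        if not is_rds_stop(event):
            continue
        when = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
        who = principal_of(event)
        if who in allowed_principals:
            continue
        if any(start <= when <= end for start, end in maintenance_windows):
            continue
        alerts.append({
            "time": event["eventTime"], "action": event["eventName"],
            "principal": who, "resource": resource_of(event),
            "source_ip": event.get("sourceIPAddress"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_stops(SAMPLE_EVENTS):
        print(alert)
```

Each alert carries the fields the investigation steps call for (time, principal, target resource, source IP), so the analyst can correlate with change records and access patterns directly from the match. Suppression is deliberately narrow: a failed StopDBInstance is dropped because it did not stop anything, but an unexpected principal outside the window is still surfaced even if the source IP looks familiar.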
Categories
- Cloud
- AWS
- Database
Data Sources
- Cloud Storage
- Cloud Service
- Process
ATT&CK Techniques
- T1489
Created: 2020-05-20