
Summary
This EQL detection rule identifies modifications to the master password of AWS RDS database instances or clusters. Such modifications are a significant security risk, because they can allow unauthorized actors to access sensitive data stored in those databases. The rule triggers when the event dataset is 'aws.cloudtrail', the provider is 'rds.amazonaws.com', and the action is either 'ModifyDBInstance' or 'ModifyDBCluster' with a successful outcome indicating that the master password was modified. An adversary who already holds sufficient permissions can abuse this password modification capability for persistence or privilege escalation.
To investigate a triggered alert, the analyst should identify the actor responsible for the password change, review the event details, and assess the context of the modification: confirm whether the action aligns with legitimate operations and correlate it with other CloudTrail events. For false positives, distinguish authorized changes from potentially malicious ones. If malicious intent is established, initiate incident response procedures to mitigate the risks of unauthorized access and data breaches. Recommendations include enhancing monitoring capabilities and reviewing access-control policies in AWS environments.
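The matching logic described above, applied to a handful of CloudTrail records, as an added example that is not the rule's own EQL or any Elastic code. The records are constructed samples, not real log data; they follow the CloudTrail record layout (eventSource, eventName, errorCode, requestParameters with a masked masterUserPassword) as an assumption, and the `find_master_password_changes` function and its output fields are hypothetical names chosen for this example. Note that the presence of the `masterUserPassword` key in the request parameters, rather than its masked value, is what signals the password change.

```python
import json
from typing import Iterable, List

# Constructed CloudTrail-style records (not real log data). CloudTrail masks the
# masterUserPassword value, so only the presence of the key matters.
SAMPLE_EVENTS = [
    {   # successful master password change on an instance: should alert
        "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBInstance",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
        "sourceIPAddress": "198.51.100.10",
        "requestParameters": {"dBInstanceIdentifier": "prod-db",
                              "masterUserPassword": "****",
                              "applyImmediately": True},
    },
    {   # ordinary instance resize, no password parameter: should not alert
        "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBInstance",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-role"},
        "sourceIPAddress": "198.51.100.11",
        "requestParameters": {"dBInstanceIdentifier": "prod-db",
                              "dBInstanceClass": "db.r6g.large"},
    },
    {   # denied cluster password change: unsuccessful outcome, should not alert
        "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBCluster",
        "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
        "sourceIPAddress": "203.0.113.5",
        "requestParameters": {"dBClusterIdentifier": "prod-cluster",
                              "masterUserPassword": "****"},
    },
    {   # successful cluster password change: should alert
        "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBCluster",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
        "sourceIPAddress": "203.0.113.5",
        "requestParameters": {"dBClusterIdentifier": "prod-cluster",
                              "masterUserPassword": "****"},
    },
    {   # unrelated service: should not alert even though a password key appears
        "eventSource": "iam.amazonaws.com",
        "eventName": "UpdateLoginProfile",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
        "sourceIPAddress": "198.51.100.10",
        "requestParameters": {"userName": "someone", "password": "****"},
    },
]

# The two RDS API actions the rule covers.
PASSWORD_CHANGE_ACTIONS = {"ModifyDBInstance", "ModifyDBCluster"}


def is_rds_master_password_change(event: dict) -> bool:
    """Return True when a CloudTrail record is a successful RDS master password change."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return False
    if event.get("eventName") not in PASSWORD_CHANGE_ACTIONS:
        return False
    # A record carrying errorCode/errorMessage is a failed call; the password did not change.
    if event.get("errorCode") or event.get("errorMessage"):
        return False
    params = event.get("requestParameters") or {}
    return "masterUserPassword" in params


def find_master_password_changes(events: Iterable[dict]) -> List[dict]:
    """Run the detection over records and return the triage fields an analyst needs first."""
    hits = []
    for ev in events:
        if not is_rds_master_password_change(ev):
            continue
        params = ev.get("requestParameters") or {}
        hits.append({
            "action": ev["eventName"],
            "actor": ev.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": ev.get("sourceIPAddress", "unknown"),
            "resource": params.get("dBInstanceIdentifier")
                        or params.get("dBClusterIdentifier")
                        or "unknown",
        })
    return hits


def find_in_json_lines(lines: Iterable[str]) -> List[dict]:
    """Convenience wrapper for newline-delimited JSON exports of CloudTrail records."""
    return find_master_password_changes(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    for hit in find_master_password_changes(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Running the block prints one line per hit (two for the constructed sample: the instance change by example-admin and the cluster change by contractor); the denied attempt is dropped because a failed call leaves the password unchanged, which is what the rule's "successful outcome" condition expresses. The triage fields (actor, source IP, resource) are the starting points the investigation guidance above calls for.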
Categories
- Cloud
- AWS
- Database
Data Sources
- Cloud Storage
- Web Credential
- Application Log
ATT&CK Techniques
- T1098
- T1098.001
Created: 2024-06-27