AWS Management Console Brute Force of Root User Identity
Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.
Elastic rule
[metadata]
creation_date = "2020/07/21"
integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"

[rule]
author = ["Elastic"]
description = """
Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An
adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services
and resources for the AWS account.
"""
false_positives = [
    """
    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
    positives.
    """,
]
from = "now-20m"
index = ["filebeat-*", "logs-aws*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Management Console Brute Force of Root User Identity"
note = """## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
risk_score = 73
rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
severity = "high"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"]
type = "threshold"

query = '''
event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.threshold]
field = ["cloud.account.id"]
value = 10
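To make the rule's logic concrete, the following is an added example (not Elastic's code) that re-implements the KQL filter and the per-account threshold over constructed ECS-shaped CloudTrail events; the `from = "now-20m"` lookback is modelled as a fixed `NOW` relative to the constructed timestamps, and all account ids and event values are made up.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data: ECS-shaped sign-in events, not real CloudTrail records.
T0 = datetime(2023, 3, 6, 12, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(minutes=20)  # stands in for "now" in from = "now-20m"

def _evt(minute, account, identity_type, outcome, action="ConsoleLogin"):
    return {
        "@timestamp": (T0 + timedelta(minutes=minute)).isoformat(),
        "event": {"dataset": "aws.cloudtrail", "provider": "signin.amazonaws.com",
                  "action": action, "outcome": outcome},
        "aws": {"cloudtrail": {"user_identity": {"type": identity_type}}},
        "cloud": {"account": {"id": account}},
    }

SAMPLE_EVENTS = (
    [_evt(m, "111111111111", "Root", "failure") for m in range(1, 13)]      # 12 Root failures
    + [_evt(m, "222222222222", "Root", "failure") for m in range(5, 8)]     # only 3 failures
    + [_evt(m, "111111111111", "IAMUser", "failure") for m in range(1, 15)]  # IAM user noise
    + [_evt(14, "111111111111", "Root", "success")]                         # success, not counted
    + [_evt(-30, "333333333333", "Root", "failure") for _ in range(15)]     # outside the window
)

def get(event, dotted):
    """Resolve an ECS dotted field name (e.g. event.outcome) against a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

# The rule's KQL query, term by term (all terms are AND-ed).
FILTER = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "signin.amazonaws.com",
    "event.action": "ConsoleLogin",
    "aws.cloudtrail.user_identity.type": "Root",
    "event.outcome": "failure",
}

def matches_query(event):
    return all(get(event, k) == v for k, v in FILTER.items())

def threshold_hits(events, now, lookback=timedelta(minutes=20), threshold=10):
    """Count matching events per cloud.account.id within [now - lookback, now] and
    return the accounts whose count meets the threshold ([rule.threshold], value = 10)."""
    start = now - lookback
    counts = Counter()
    for e in events:
        ts = datetime.fromisoformat(e["@timestamp"])
        if start <= ts <= now and matches_query(e):
            counts[get(e, "cloud.account.id")] += 1
    return {acct: n for acct, n in counts.items() if n >= threshold}
```

Running `threshold_hits(SAMPLE_EVENTS, NOW)` flags only the first account; the IAM user failures, the successful Root login, the account with three failures and the stale batch outside the 20-minute window are all excluded, which mirrors why the rule's false-positive note singles out unbounded automated retries as the main source of noise.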
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.