AWS IAM Password Recovery Requested

 1[metadata]
 2creation_date = "2020/07/02"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing
11password recovery mechanisms.
12"""
13false_positives = [
14    """
15    Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment.
16    Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives,
17    it can be exempted from the rule.
18    """,
19]
20from = "now-60m"
21index = ["filebeat-*", "logs-aws.cloudtrail-*"]
22interval = "10m"
23language = "kuery"
24license = "Elastic License v2"
25name = "AWS IAM Password Recovery Requested"
26note = """## Setup
27
28The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
30risk_score = 21
31rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
32severity = "low"
33tags = [
34    "Domain: Cloud",
35    "Data Source: AWS",
36    "Data Source: Amazon Web Services",
37    "Data Source: AWS Signin",
38    "Use Case: Identity and Access Audit",
39    "Tactic: Initial Access",
40]
41timestamp_override = "event.ingested"
42type = "query"
43
44query = '''
45event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1078"
53name = "Valid Accounts"
54reference = "https://attack.mitre.org/techniques/T1078/"
55
56
57[rule.threat.tactic]
58id = "TA0001"
59name = "Initial Access"
60reference = "https://attack.mitre.org/tactics/TA0001/"