AWS IAM Password Recovery Requested

 1[metadata]
 2creation_date = "2020/07/02"
 3integration = ["aws"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/03/06"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing
13password recovery mechanisms.
14"""
15false_positives = [
16    """
17    Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment.
18    Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives,
19    it can be exempted from the rule.
20    """,
21]
22from = "now-60m"
23index = ["filebeat-*", "logs-aws*"]
24interval = "10m"
25language = "kuery"
26license = "Elastic License v2"
27name = "AWS IAM Password Recovery Requested"
28note = """## Setup
29
30The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
31references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
32risk_score = 21
33rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
34severity = "low"
35tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"]
36timestamp_override = "event.ingested"
37type = "query"
38
39query = '''
40event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1078"
48name = "Valid Accounts"
49reference = "https://attack.mitre.org/techniques/T1078/"
50
51
52[rule.threat.tactic]
53id = "TA0001"
54name = "Initial Access"
55reference = "https://attack.mitre.org/tactics/TA0001/"