AWS IAM Password Recovery Requested

 1[metadata]
 2creation_date = "2020/07/02"
 3integration = ["aws"]
 4maturity = "production"
 5min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 6min_stack_version = "8.9.0"
 7updated_date = "2024/04/14"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing
13password recovery mechanisms.
14"""
15false_positives = [
16    """
17    Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment.
18    Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives,
19    it can be exempted from the rule.
20    """,
21]
22from = "now-60m"
23index = ["filebeat-*", "logs-aws.cloudtrail-*"]
24interval = "10m"
25language = "kuery"
26license = "Elastic License v2"
27name = "AWS IAM Password Recovery Requested"
28note = """## Setup
29
30The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
31references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
32risk_score = 21
33rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
34severity = "low"
35tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Signin", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
36timestamp_override = "event.ingested"
37type = "query"
38
39query = '''
40event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1078"
48name = "Valid Accounts"
49reference = "https://attack.mitre.org/techniques/T1078/"
50
51
52[rule.threat.tactic]
53id = "TA0001"
54name = "Initial Access"
55reference = "https://attack.mitre.org/tactics/TA0001/"