initial_access_password_recovery.toml

[metadata]
creation_date = "2020/07/02"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing
password recovery mechanisms.
"""
false_positives = [
    """
    Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment.
    Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives,
    it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Password Recovery Requested"
note = """## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
risk_score = 21
rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Signin",
    "Use Case: Identity and Access Audit",
    "Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"