[Rule Tuning] AWS Root Login Without MFA (#229)

* Update privilege_escalation_root_login_without_mfa.toml

* Update privilege_escalation_root_login_without_mfa.toml

* update index

* Update privilege_escalation_root_login_without_mfa.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Brent Murphy
2020-09-04 10:57:51 -04:00
committed by GitHub
parent e49b69af10
commit 70cc7fd112
@@ -2,7 +2,7 @@
creation_date = "2020/07/06"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/28"
updated_date = "2020/08/31"
[rule]
author = ["Elastic"]
@@ -12,21 +12,21 @@ practices indicate that the root user should be protected by MFA.
"""
false_positives = [
"""
Some organizations allow login with the root user without MFA, however this is not considered best practice by AWS
Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS
and increases the risk of compromised credentials.
""",
]
from = "now-60m"
index = ["filebeat-*"]
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS Root Login Without MFA"
note = "The AWS Filebeat module must be enabled to use this rule."
references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
risk_score = 21
risk_score = 73
rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc"
severity = "low"
severity = "high"
tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "query"
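Review bot: The `note` key still says only the AWS Filebeat module must be enabled, but the new `index` value adds `logs-aws*`, so the rule now also reads indices that do not come from that module; if `logs-aws*` is meant to cover the Elastic Agent AWS integration data streams, the note should say so, e.g. `note = "The AWS Filebeat module or the Elastic Agent AWS integration must be enabled to use this rule."`. Separately, `logs-aws*` has no separator after `aws`, so it matches every index whose name merely begins with `logs-aws`, not just CloudTrail; a narrower pattern such as `logs-aws.cloudtrail-*` would limit the query to the stream this rule presumably depends on, though the `query` field is not visible here to confirm it is CloudTrail-only. The `type = "query"` line appears to be the last visible line of the hunk, so any following context belongs outside this view.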