sigma-rules/rules/aws/initial_access_console_login_root.toml

[metadata]
creation_date = "2020/06/11"
maturity = "production"
updated_date = "2021/05/10"

[rule]
author = ["Elastic"]
description = "Identifies a successful login to the AWS Management Console by the Root user."
false_positives = [
    """
    It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones.
    Verify whether the IP address, location, and/or hostname should be logging in as root in your environment.
    Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be
    exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Management Console Root Login"
note = """## Config

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
risk_score = 73
rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
severity = "high"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"