sigma-rules/rules/integrations/aws/initial_access_password_recovery.toml

[metadata]
creation_date = "2020/07/02"
maturity = "production"
updated_date = "2021/07/20"
integration = "aws"

[rule]
author = ["Elastic"]
description = """
Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing
password recovery mechanisms.
"""
false_positives = [
    """
    Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment.
    Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives,
    it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Password Recovery Requested"
note = """## Config

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"]
risk_score = 21
rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"