AWS IAM Password Recovery Requested | Elastic Security Solution [7.10]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« AWS IAM Group Deletion AWS IAM User Addition to Group »

AWS IAM Password Recovery Requestededit

Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.

Rule type: query

Rule indices:

filebeat-*
logs-aws*

Severity: low

Risk score: 21

Runs every: 10 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/

Tags:

Elastic
Cloud
AWS
Continuous Monitoring
SecOps
Identity and Access

Version: 2 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positivesedit

Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If a known behavior is causing false positives, it can be excluded from the rule.

Investigation guideedit

The AWS Filebeat module must be enabled to use this rule.

Rule queryedit

event.action:PasswordRecoveryRequested and
event.provider:signin.amazonaws.com and event.outcome:success

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/

Rule version historyedit

Version 2 (7.10.0 release)

Formatting only

« AWS IAM Group Deletion AWS IAM User Addition to Group »