Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS IAM Password Recovery Requested

Description

Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.

Detection logic

event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success
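As an added example (not the rule's own code and not from the detection-rules project), the Python below re-implements the query's four AND-ed conditions over CloudTrail events and carries out the exemption step the false-positive note describes. It assumes events flattened to dotted ECS field names; the sample events, user names, IPs and the `exempt_users` allowlist are constructed, while the field/value pairs come from the rule.

```python
# Added example, not the rule's or the detection-rules project's own code:
# a minimal re-implementation of the query's four AND-ed conditions over
# CloudTrail events flattened to dotted ECS keys, plus the exemption step.
from typing import Dict, Iterable, List, Tuple

# Field/value pairs taken verbatim from the rule's detection logic.
RULE_CONDITIONS = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "signin.amazonaws.com",
    "event.action": "PasswordRecoveryRequested",
    "event.outcome": "success",
}

# Constructed sample events (not real CloudTrail data); keys follow ECS names.
SAMPLE_EVENTS = [
    {"event.dataset": "aws.cloudtrail", "event.provider": "signin.amazonaws.com",
     "event.action": "PasswordRecoveryRequested", "event.outcome": "success",
     "user.name": "alice", "source.ip": "203.0.113.10",
     "user_agent.original": "Mozilla/5.0 (constructed)"},
    {"event.dataset": "aws.cloudtrail", "event.provider": "signin.amazonaws.com",
     "event.action": "PasswordRecoveryRequested", "event.outcome": "failure",
     "user.name": "bob", "source.ip": "203.0.113.11",
     "user_agent.original": "Mozilla/5.0 (constructed)"},
    {"event.dataset": "aws.cloudtrail", "event.provider": "signin.amazonaws.com",
     "event.action": "PasswordRecoveryRequested", "event.outcome": "success",
     "user.name": "helpdesk-automation", "source.ip": "198.51.100.5",
     "user_agent.original": "aws-cli/2.0 (constructed)"},
]

def matches_rule(event: Dict[str, str]) -> bool:
    """True only when every condition holds; KQL 'and' means all four must match."""
    return all(event.get(field) == value for field, value in RULE_CONDITIONS.items())

def triage(events: Iterable[Dict[str, str]],
           exempt_users: frozenset = frozenset()) -> Tuple[List[str], List[str]]:
    """Split matching events into alerts (unfamiliar users) and exemptions.

    Returns (alerted_users, exempted_users) in event order. The allowlist is
    the 'known behavior' exception the note permits; any matching event whose
    user is not on it is an alert that should be investigated.
    """
    alerts, exempted = [], []
    for event in events:
        if not matches_rule(event):
            continue  # failed recovery attempts and unrelated events are ignored
        user = event.get("user.name", "<unknown>")
        (exempted if user in exempt_users else alerts).append(user)
    return alerts, exempted

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, exempt_users=frozenset({"helpdesk-automation"})))
```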