Techniques
Sample rules
AWS SAML Access by Provider User and Principal
- source: splunk
- techniques:
  - T1078
Description
This search returns SAML-based role assumptions in AWS, broken down by the identity provider (issuer), the SAML principal, the user and the targeted role and account. That breakdown makes it possible to spot abnormal access and potential credential hijacking or forgery, especially in federated environments that use the SAML protocol inside the perimeter or with the cloud provider.
Detection logic
`cloudtrail` eventName=Assumerolewithsaml
| stats count min(_time) as firstTime max(_time) as lastTime by eventName requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_saml_access_by_provider_user_and_principal_filter`
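As an added example (not part of the Splunk rule or its content pack), the Python below reproduces the search's filter and `stats` aggregation over a handful of constructed CloudTrail records, so a detection engineer can check what the rule would surface for known input; the account id, ARNs, issuer and addresses are assumed sample values.

```python
# Constructed CloudTrail records, not real log data; the account id, ARNs, IdP issuer and addresses are assumed.
def make_event(event_time, src_ip, role, session, event_name="AssumeRoleWithSAML"):
    return {"eventName": event_name, "eventTime": event_time,
            "recipientAccountId": "111122223333", "sourceIPAddress": src_ip,
            "userAgent": "aws-cli/2.15.0",
            "requestParameters": {
                "principalArn": "arn:aws:iam::111122223333:saml-provider/CorpIdP",
                "roleArn": f"arn:aws:iam::111122223333:role/{role}",
                "roleSessionName": session},
            "responseElements": {"issuer": "https://idp.example.com/saml"}}

SAMPLE_EVENTS = [
    make_event("2024-05-01T08:00:00Z", "203.0.113.10", "Developer", "alice@example.com"),
    make_event("2024-05-01T09:30:00Z", "203.0.113.10", "Developer", "alice@example.com"),
    # same user and provider, but an unfamiliar source address and a privileged role
    make_event("2024-05-01T23:15:00Z", "198.51.100.77", "Admin", "alice@example.com"),
    # not a SAML role assumption, so the search's eventName filter drops it
    make_event("2024-05-01T10:00:00Z", "203.0.113.10", "Developer", "bob@example.com",
               event_name="ConsoleLogin"),
]

# The fields the search's "stats ... by" clause groups on, named as Splunk extracts them.
GROUP_FIELDS = ("eventName", "requestParameters.principalArn", "requestParameters.roleArn",
                "requestParameters.roleSessionName", "recipientAccountId",
                "responseElements.issuer", "sourceIPAddress", "userAgent")

def get_path(record, dotted):
    # Resolve a dotted field name against nested JSON, as Splunk does for CloudTrail.
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def saml_access_stats(events):
    # eventName=AssumeRoleWithSAML | stats count min(_time) max(_time) by GROUP_FIELDS
    groups = {}
    for ev in events:
        # Splunk matches field values case-insensitively, so "Assumerolewithsaml" hits the real name.
        if str(ev.get("eventName", "")).lower() != "assumerolewithsaml":
            continue
        ts = ev["eventTime"]  # ISO-8601 UTC strings sort chronologically as text
        key = tuple(get_path(ev, f) for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        g["count"] += 1
        g["firstTime"], g["lastTime"] = min(g["firstTime"], ts), max(g["lastTime"], ts)
    rows = [dict(zip(GROUP_FIELDS, key), **g) for key, g in groups.items()]
    # Rare combinations (a new IP, role or user agent for a principal) sort last for review.
    return sorted(rows, key=lambda r: (-r["count"], r["sourceIPAddress"]))
```

The singleton row for the Admin role from a new address is the kind of line the rule is meant to surface; in Splunk the trailing filter macro is where known-good provider/principal pairs are suppressed.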