Techniques
Sample rules
AWS SAML Provider Deletion Activity
- source: sigma
- technicques:
- t1078
- t1078.004
- t1531
Description
Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
Detection logic
condition: selection
selection:
eventName: DeleteSAMLProvider
eventSource: iam.amazonaws.com
status: success