deletions by unfamiliar users should be investigated. if the behavior is known and expected, it can be exempted from the rule.

t1078
t1078.004
t1531
aws
sigma

Techniques

t1078
t1078.004
t1531

Sample rules

AWS SAML Provider Deletion Activity

source: sigma
technicques:
- t1078
- t1078.004
- t1531

Description

Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.

Detection logic

condition: selection
selection:
  eventName: DeleteSAMLProvider
  eventSource: iam.amazonaws.com
  status: success