SAML provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS Suspicious SAML Activity

Description

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Detection logic

condition: 1 of selection_*
selection_iam:
  eventName: UpdateSAMLProvider
  eventSource: iam.amazonaws.com
selection_sts:
  eventName: AssumeRoleWithSAML
  eventSource: sts.amazonaws.com
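To show how the two selections and the false-positive note above combine in practice, here is an added example (not code from the rule or its project) that evaluates the rule over constructed CloudTrail-style records and exempts only provider updates made by a hypothetical, known maintenance role; the allowlist ARN and all account ids are placeholders.

```python
# Sigma-style selections translated from the rule above.
SELECTIONS = {
    "selection_iam": {"eventName": "UpdateSAMLProvider", "eventSource": "iam.amazonaws.com"},
    "selection_sts": {"eventName": "AssumeRoleWithSAML", "eventSource": "sts.amazonaws.com"},
}

# Hypothetical exemption list: role ARNs whose provider updates are known, expected behaviour.
KNOWN_SAML_MAINTAINERS = {"arn:aws:iam::111122223333:role/idp-metadata-rotation"}  # placeholder


def principal_arn(event):
    """Prefer the issuing role ARN (stable) over the session ARN (varies per session)."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn") or ident.get("userName", "")


def evaluate(event):
    """Sigma 'condition: 1 of selection_*': fire if any selection matches all its fields."""
    hits = [name for name, fields in SELECTIONS.items()
            if all(event.get(k) == v for k, v in fields.items())]
    if not hits:
        return None
    actor = principal_arn(event)
    # Only the provider update is exempted (per the false-positive note), never the SAML role assumption.
    exempt = hits == ["selection_iam"] and actor in KNOWN_SAML_MAINTAINERS
    return {"hits": hits, "actor": actor, "exempt": exempt}


# Constructed CloudTrail-style records (account id, names and session names are placeholders).
SAMPLE_EVENTS = [
    {"eventName": "UpdateSAMLProvider", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/idp-metadata-rotation/cron",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/idp-metadata-rotation"}}}},
    {"eventName": "UpdateSAMLProvider", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor-tmp"}},
    {"eventName": "AssumeRoleWithSAML", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "SAMLUser", "userName": "jdoe"}},
    {"eventName": "GetSAMLProvider", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/auditor"}},
]


def alerts(events):
    """Return findings that survive the exemption, i.e. what an analyst should triage."""
    return [r for r in map(evaluate, events) if r and not r["exempt"]]
```

Running `alerts(SAMPLE_EVENTS)` leaves two findings to triage: the provider update by the unfamiliar IAM user and the SAML role assumption, while the known rotation role's update is exempted and the read-only GetSAMLProvider call never matches.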