LoFP / saml provider being updated from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

• t1078
• t1548
• t1550
• t1550.001

Sample rules

AWS Suspicious SAML Activity

• source: sigma
• technicques:
  • t1078
  • t1548
  • t1550
  • t1550.001

Description

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Detection logic

condition: 1 of selection_*
selection_iam:
  eventName: UpdateSAMLProvider
  eventSource: iam.amazonaws.com
selection_sts:
  eventName: AssumeRoleWithSAML
  eventSource: sts.amazonaws.com