SAML provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Sample rules

AWS IAM SAML Provider Updated

Description

Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges.

Detection logic

event.dataset:aws.cloudtrail
    and event.provider: iam.amazonaws.com
    and event.action: UpdateSAMLProvider
    and event.outcome:success

AWS Suspicious SAML Activity

Description

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Detection logic

condition: 1 of selection_*
selection_iam:
  eventName: UpdateSAMLProvider
  eventSource: iam.amazonaws.com
selection_sts:
  eventName: AssumeRoleWithSAML
  eventSource: sts.amazonaws.com
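The two rules above applied to constructed CloudTrail records, together with the administrator exemption the false-positive note describes. This is an added Python example, not code from LoFP or the rule authors; the records, ARNs and user agents are placeholders.

```python
# Added example, not code from the LoFP page or the rule authors. It applies the two
# rules above to constructed CloudTrail records; ARNs, user agents and records are placeholders.
RULE_SAML_PROVIDER_UPDATED = "AWS IAM SAML Provider Updated"
RULE_SUSPICIOUS_SAML = "AWS Suspicious SAML Activity"

# Constructed sample records using CloudTrail's JSON field names.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/iam-admin"},
     "userAgent": "aws-cli/2.15.0"},  # routine change by the IAM administrator
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "userAgent": "Boto3/1.34.0", "errorCode": "AccessDenied"},  # denied attempt
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"arn": None}, "userAgent": "console.amazonaws.com"},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetSAMLProvider",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"},
     "userAgent": "aws-cli/2.15.0"},  # read-only call, matches neither rule
]

# Exemptions keyed on identity plus user-agent prefix, as the note recommends.
KNOWN_ADMINS = {("arn:aws:iam::111122223333:user/iam-admin", "aws-cli/")}


def matching_rules(record):
    """Return the names of the rules above that the record triggers."""
    source, name = record.get("eventSource"), record.get("eventName")
    succeeded = "errorCode" not in record  # CloudTrail omits errorCode on success
    hits = []
    if source == "iam.amazonaws.com" and name == "UpdateSAMLProvider":
        if succeeded:  # the Elastic rule also requires event.outcome:success
            hits.append(RULE_SAML_PROVIDER_UPDATED)
        hits.append(RULE_SUSPICIOUS_SAML)  # the Sigma rule matches either outcome
    elif source == "sts.amazonaws.com" and name == "AssumeRoleWithSAML":
        hits.append(RULE_SUSPICIOUS_SAML)
    return hits


def is_exempt(record, known=KNOWN_ADMINS):
    """True when identity and user agent match an approved administrator."""
    arn = (record.get("userIdentity") or {}).get("arn") or ""
    return any(arn == a and record.get("userAgent", "").startswith(ua)
               for a, ua in known)


def triage(records):
    """Return (rule, arn, exempt) for every match; exempt hits stay for audit."""
    return [(rule, (rec.get("userIdentity") or {}).get("arn"), is_exempt(rec))
            for rec in records for rule in matching_rules(rec)]
```

Exempted matches are still returned so they can be reviewed, which keeps the exemption visible rather than silently suppressing the event.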