LoFP / saml provider could be updated by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. saml provider updates by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

• t1078
• t1548
• t1550
• t1550.001

Sample rules

AWS IAM SAML Provider Updated

• source: elastic
• technicques:
  • T1484

Description

Detects when an AWS IAM SAML provider is updated, which manages federated authentication between AWS and external identity providers (IdPs). Adversaries with administrative access may modify a SAML provider’s metadata or certificate to redirect authentication flows, enable unauthorized federation, or escalate privileges through identity trust manipulation. Because SAML providers underpin single sign-on (SSO) access for users and applications, unauthorized modifications may allow persistent or covert access even after credentials are revoked. Monitoring “UpdateSAMLProvider” API activity is critical to detect potential compromise of federated trust relationships.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "UpdateSAMLProvider"
    and event.outcome: "success"
    and not (source.address: "sso.amazonaws.com" and user_agent.original: "sso.amazonaws.com")

AWS Suspicious SAML Activity

• source: sigma
• technicques:
  • t1078
  • t1548
  • t1550
  • t1550.001

Description

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Detection logic

condition: 1 of selection_*
selection_iam:
  eventName: UpdateSAMLProvider
  eventSource: iam.amazonaws.com
selection_sts:
  eventName: AssumeRoleWithSAML
  eventSource: sts.amazonaws.com