SAML provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Sample rules

AWS SAML Activity

Description

Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.

Detection logic

event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or UpdateSAMLProvider) and event.outcome:success

AWS Suspicious SAML Activity

Description

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Detection logic

condition: 1 of selection_*
selection_iam:
  eventName: UpdateSAMLProvider
  eventSource: iam.amazonaws.com
selection_sts:
  eventName: AssumeRoleWithSAML
  eventSource: sts.amazonaws.com
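The following is an added example, not code from this page or from the Elastic or Sigma rule sources it quotes. It applies the two selections above to constructed CloudTrail records, keeps only successful calls (the event.outcome:success clause), and then drops matches from an assumed known-good list of identity and user-agent pairs, which is the exemption the false-positive note at the top describes. The account ID, ARNs, IPs and user agents are all constructed.

```python
# Added example (not the page's or the rules' own code); see lead-in.
# Selections mirrored from the Sigma rule on the page: (eventSource, eventName).
SAML_SELECTIONS = {
    ("iam.amazonaws.com", "UpdateSAMLProvider"),
    ("sts.amazonaws.com", "AssumeRoleWithSAML"),
}

# Assumed exemption list for this hypothetical environment: identity ARN ->
# user-agent prefixes that are expected to manage the SAML provider.
KNOWN_GOOD = {
    "arn:aws:iam::123456789012:user/idp-admin": ("terraform/",),
}

# Constructed sample CloudTrail records (not real events), reduced to the
# fields the rule and the exemption consult.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/idp-admin"},
     "userAgent": "terraform/1.6.0", "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Dev/alice"},
     "userAgent": "Mozilla/5.0", "sourceIPAddress": "192.0.2.44"},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied"},  # failed call: not event.outcome:success
]

def matches_saml_rule(event):
    # Either selection hit, and the call succeeded: CloudTrail marks a failed
    # call with errorCode, which is what event.outcome:success filters out.
    key = (event.get("eventSource"), event.get("eventName"))
    return key in SAML_SELECTIONS and "errorCode" not in event

def is_exempt(event):
    # Known identity using one of its expected user agents, per the note above.
    arn = event.get("userIdentity", {}).get("arn")
    return event.get("userAgent", "").startswith(KNOWN_GOOD.get(arn, ()))

def triage(events):
    # Surviving matches, keyed by the fields the false-positive note says to verify.
    return [
        {"action": e["eventName"], "identity": e["userIdentity"]["arn"],
         "userAgent": e["userAgent"], "sourceIP": e["sourceIPAddress"]}
        for e in events if matches_saml_rule(e) and not is_exempt(e)
    ]
```

On the constructed records, the Terraform-driven update by the known administrator is exempted and the failed update is filtered out, leaving the update by the unfamiliar user and the federated role assumption for review.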