Sample rules
AWS SAML Activity
- source: elastic
- techniques:
  - T1078
  - T1550
Description
Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.
Detection logic
event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or UpdateSAMLProvider) and event.outcome:success
AWS Suspicious SAML Activity
- source: sigma
- techniques:
  - T1078
  - T1548
  - T1550
  - T1550.001
Description
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
Detection logic
detection:
  condition: 1 of selection_*
  selection_iam:
    eventName: UpdateSAMLProvider
    eventSource: iam.amazonaws.com
  selection_sts:
    eventName: AssumeRoleWithSAML
    eventSource: sts.amazonaws.com
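To show how the two rules above behave on the same CloudTrail events, here is an added example (not code from the page, Elastic or the Sigma project) that evaluates both against a few constructed records. It assumes the usual field mapping (eventSource to event.provider, eventName to event.action, a missing errorCode meaning event.outcome:success) and compares the Elastic action names case-insensitively.

```python
# Added example (not from the page or the Elastic/Sigma projects): evaluates both
# SAML rules against constructed CloudTrail records. Assumed field mapping:
# eventSource -> event.provider, eventName -> event.action, no errorCode -> success.

SAML_SELECTIONS = {
    "selection_iam": {"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider"},
    "selection_sts": {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML"},
}


def sigma_hits(record):
    """Sigma condition '1 of selection_*': names of selections whose fields all match."""
    return [name for name, sel in SAML_SELECTIONS.items()
            if all(record.get(k) == v for k, v in sel.items())]


def to_ecs(record):
    """Map the CloudTrail fields the Elastic rule reads onto ECS names (assumed mapping)."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource", ""),
        "event.action": record.get("eventName", ""),
        "event.outcome": "failure" if record.get("errorCode") else "success",
    }


def elastic_hit(record):
    """Elastic query; action compared case-insensitively here (an assumption of this
    example, to cover the 'Assumerolewithsaml' spelling used in the rule)."""
    ecs = to_ecs(record)
    return (ecs["event.dataset"] == "aws.cloudtrail"
            and ecs["event.provider"] in ("iam.amazonaws.com", "sts.amazonaws.com")
            and ecs["event.action"].lower() in ("assumerolewithsaml", "updatesamlprovider")
            and ecs["event.outcome"] == "success")


def triage(records):
    """Return (eventName, matching Sigma selections, Elastic rule fired) per record."""
    return [(r["eventName"], sigma_hits(r), elastic_hit(r)) for r in records]


# Constructed CloudTrail records, trimmed to the fields the rules use.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML"},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
     "errorCode": "AccessDenied"},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole"},
]

if __name__ == "__main__":
    for name, sigma, elastic in triage(SAMPLE_EVENTS):
        print(f"{name:<20} sigma={sigma or '-'} elastic={elastic}")
```

The second record shows the practical difference: the Sigma rule also fires on a denied UpdateSAMLProvider call, while the Elastic rule only fires when the call succeeded.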