Updating a SAML provider or creating a new one is not necessarily malicious; however, it needs to be closely monitored.

Techniques

Sample rules

AWS SAML Update identity provider

Description

The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the UpdateSAMLProvider event, analyzing fields such as sAMLProviderArn, sourceIPAddress, and userIdentity details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.

Detection logic

`cloudtrail` eventName=UpdateSAMLProvider 
| rename user_name as user 
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.sAMLProviderArn) as request_parameters by signature dest user user_agent src vendor_account vendor_region vendor_product 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_saml_update_identity_provider_filter`

ASL AWS SAML Update identity provider

Description

The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the UpdateSAMLProvider event, analyzing fields such as sAMLProviderArn, sourceIPAddress, and userIdentity details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.

Detection logic

`amazon_security_lake` api.operation=UpdateSAMLProvider 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region 
| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `asl_aws_saml_update_identity_provider_filter`
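The two searches above are the same detection fed from two data models: raw CloudTrail (eventName, userIdentity, sourceIPAddress, requestParameters.sAMLProviderArn) and Amazon Security Lake's OCSF shape (api.operation, actor.user.uid, src_endpoint.ip, cloud.region), each renamed to one common set of output fields and then passed through a filter macro where known-good activity is suppressed. The following Python is an added example, not Splunk's content or part of either rule, that performs the same normalisation, grouping and filtering over constructed records so the logic can be exercised offline. It assumes the CloudTrail keys `userIdentity.userName`, `recipientAccountId` and `awsRegion`, an OCSF `time` field in epoch milliseconds, and an allowlist of approved identities as a stand-in for the `*_filter` macros; all ARNs, account ids, IPs and timestamps are constructed sample values.

```python
from datetime import datetime, timezone

EVENT = "UpdateSAMLProvider"

def _ts(value):
    """Normalise CloudTrail ISO-8601 eventTime or OCSF epoch-ms time to an aware datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))

def normalize_cloudtrail(rec):
    """Map a raw CloudTrail record to the field names the CloudTrail rule emits."""
    if rec.get("eventName") != EVENT:
        return None
    ident = rec.get("userIdentity") or {}
    params = rec.get("requestParameters") or {}
    return {
        "user": ident.get("userName") or ident.get("arn"),
        "action": rec["eventName"],
        "dest": rec.get("eventSource"),
        "user_agent": rec.get("userAgent"),
        "src": rec.get("sourceIPAddress"),
        "vendor_account": rec.get("recipientAccountId"),
        "vendor_region": rec.get("awsRegion"),
        "vendor_product": "AWS",
        "request_parameters": params.get("sAMLProviderArn"),
        "_time": _ts(rec["eventTime"]),
    }

def normalize_security_lake(rec):
    """Map an OCSF-style Security Lake record using the same renames as the ASL rule."""
    api = rec.get("api") or {}
    if api.get("operation") != EVENT:
        return None
    actor_user = (rec.get("actor") or {}).get("user") or {}
    cloud = rec.get("cloud") or {}
    return {
        "user": actor_user.get("uid"),
        "action": api["operation"],
        "dest": (api.get("service") or {}).get("name"),
        "user_agent": (rec.get("http_request") or {}).get("user_agent"),
        "src": (rec.get("src_endpoint") or {}).get("ip"),
        "vendor_account": (actor_user.get("account") or {}).get("uid"),
        "vendor_region": cloud.get("region"),
        "vendor_product": cloud.get("provider"),
        "request_parameters": None,  # the ASL rule does not carry the provider ARN
        "_time": _ts(rec["time"]),
    }

GROUP_KEYS = ("action", "dest", "user", "user_agent", "src",
              "vendor_account", "vendor_region", "vendor_product")

def aggregate(events):
    """Equivalent of the SPL stats: count, firstTime, lastTime, values(request_parameters) by key."""
    groups = {}
    for ev in events:
        if ev is None:
            continue
        key = tuple(ev[k] for k in GROUP_KEYS)
        g = groups.setdefault(key, {**dict(zip(GROUP_KEYS, key)), "count": 0,
                                     "firstTime": ev["_time"], "lastTime": ev["_time"],
                                     "request_parameters": set()})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
        if ev["request_parameters"]:
            g["request_parameters"].add(ev["request_parameters"])
    return list(groups.values())

def apply_filter(rows, approved_users=frozenset()):
    """Stand-in for the *_filter macros: suppress identities that legitimately manage the IdP."""
    return [r for r in rows if r["user"] not in approved_users]

# Constructed sample records, not real telemetry
CLOUDTRAIL_SAMPLE = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "UpdateSAMLProvider",
     "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "idp-admin",
                      "arn": "arn:aws:iam::111122223333:user/idp-admin"},
     "recipientAccountId": "111122223333",
     "requestParameters": {"sAMLProviderArn": "arn:aws:iam::111122223333:saml-provider/CorpIdP"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "ListUsers",  # unrelated call, must be ignored
     "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "idp-admin"},
     "recipientAccountId": "111122223333"},
]
SECURITY_LAKE_SAMPLE = [
    {"time": 1714559400000,
     "api": {"operation": "UpdateSAMLProvider", "service": {"name": "iam.amazonaws.com"}},
     "actor": {"user": {"uid": "arn:aws:iam::111122223333:user/contractor",
                        "account": {"uid": "111122223333"}}},
     "http_request": {"user_agent": "Boto3/1.34.0"},
     "src_endpoint": {"ip": "198.51.100.7"},
     "cloud": {"provider": "AWS", "region": "us-east-1"}},
]

def run(approved_users=frozenset({"idp-admin"})):
    """Normalise both sources, group like the SPL stats, then drop approved identities."""
    events = [normalize_cloudtrail(r) for r in CLOUDTRAIL_SAMPLE]
    events += [normalize_security_lake(r) for r in SECURITY_LAKE_SAMPLE]
    return apply_filter(aggregate(events), approved_users)

if __name__ == "__main__":
    for row in run():
        print(row["user"], row["src"], row["count"], row["firstTime"].isoformat())
```

With the allowlist populated, the change made by the identity that is expected to administer the IdP is suppressed and only the contractor's update surfaces; run with an empty allowlist, both rows are returned, which is what the page's false-positive note describes: every update must still be reviewed, and the filter is where the reviewed, expected ones are tuned out.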