updating a saml provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.

Techniques

T1078

Sample rules

AWS SAML Update identity provider

source: splunk
technicques:
- T1078

Description

The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the UpdateSAMLProvider event, analyzing fields such as sAMLProviderArn, sourceIPAddress, and userIdentity details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.

Detection logic

`cloudtrail` eventName=UpdateSAMLProvider 
| stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
|`aws_saml_update_identity_provider_filter`

ASL AWS SAML Update identity provider

source: splunk
technicques:
- T1078

Description

Detection logic

`amazon_security_lake` api.operation=UpdateSAMLProvider 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region 
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `asl_aws_saml_update_identity_provider_filter`