LoFP / Updating a SAML provider or creating a new one may not necessarily be malicious; however, it needs to be closely monitored.

Techniques

Sample rules

AWS SAML Update identity provider

Description

This search detects updates to a SAML identity provider in AWS, i.e. the IAM UpdateSAMLProvider API call as recorded in CloudTrail. Updates to a SAML provider need to be monitored closely: the call replaces the provider's metadata document (signing certificate and entity ID), so an unexpected update may indicate that federated credentials have been compromised at the perimeter, or that an attacker has set up backdoor access by pointing the trust at an identity provider they control.

Detection logic

`cloudtrail` eventName=UpdateSAMLProvider
| stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_saml_update_identity_provider_filter`
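The following is an added example, not code from the LoFP page or from the Splunk security content it catalogs. It ports the search above to plain Python so the grouping and filtering can be checked against a handful of constructed CloudTrail records: only UpdateSAMLProvider events are kept, they are aggregated by the same seven fields as the `stats ... by` clause, and an allow-list standing in for the site-specific `aws_saml_update_identity_provider_filter` macro is applied last. The macro's real contents are not on the page; the role ARN it suppresses here is an assumption, as are all account IDs, ARNs and key IDs in the sample records. The `drop_null_groups` switch mirrors a Splunk behaviour worth knowing: `stats ... by` discards any event in which one of the by-fields is missing, and an UpdateSAMLProvider call made with an IAM user's long-term keys has no `userIdentity.sessionContext.sessionIssuer.arn`.

```python
"""Port of the UpdateSAMLProvider search to Python over constructed CloudTrail records."""
from collections import defaultdict
from datetime import datetime

# Constructed CloudTrail records for illustration only (not real logs).
# Account IDs, ARNs, key IDs and IPs are placeholders.
SAMPLE_CLOUDTRAIL = [
    {   # 1: SAML provider metadata replaced from an assumed admin role
        "eventTime": "2024-05-01T10:00:00Z", "eventType": "AwsApiCall",
        "eventName": "UpdateSAMLProvider", "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/CorpIdP"},
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:ops-session",
                         "accessKeyId": "ASIAEXAMPLEKEY1",
                         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/AdminRole"}}},
    },
    {   # 2: a read of the provider by the same session; not an update, so not matched
        "eventTime": "2024-05-01T10:01:00Z", "eventType": "AwsApiCall",
        "eventName": "GetSAMLProvider", "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/CorpIdP"},
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:ops-session",
                         "accessKeyId": "ASIAEXAMPLEKEY1",
                         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/AdminRole"}}},
    },
    {   # 3: second update from the same session a few minutes later
        "eventTime": "2024-05-01T10:07:30Z", "eventType": "AwsApiCall",
        "eventName": "UpdateSAMLProvider", "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/CorpIdP"},
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:ops-session",
                         "accessKeyId": "ASIAEXAMPLEKEY1",
                         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/AdminRole"}}},
    },
    {   # 4: scheduled metadata rotation by an automation role; suppressed by the filter
        "eventTime": "2024-05-01T02:00:00Z", "eventType": "AwsApiCall",
        "eventName": "UpdateSAMLProvider", "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/CorpIdP"},
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID2:rotation",
                         "accessKeyId": "ASIAEXAMPLEKEY2",
                         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/IdPMetadataRotation"}}},
    },
    {   # 5: update with an IAM user's long-term key: no sessionContext.sessionIssuer at all
        "eventTime": "2024-05-01T11:30:00Z", "eventType": "AwsApiCall",
        "eventName": "UpdateSAMLProvider", "sourceIPAddress": "192.0.2.44",
        "requestParameters": {"sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/CorpIdP"},
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSER", "accessKeyId": "AKIAEXAMPLEKEY3"},
    },
]

# The by-fields of the stats command, in the same order.
GROUP_BY = ("eventType", "eventName", "requestParameters.sAMLProviderArn",
            "userIdentity.sessionContext.sessionIssuer.arn", "sourceIPAddress",
            "userIdentity.accessKeyId", "userIdentity.principalId")

# Assumed stand-in for `aws_saml_update_identity_provider_filter`; the real macro is site-specific.
ALLOWED_SESSION_ISSUERS = {"arn:aws:iam::123456789012:role/IdPMetadataRotation"}

def _get(record, dotted):
    """Resolve a dotted CloudTrail field path; None when any segment is missing."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur

def detect_saml_provider_updates(records, allowed_issuers=ALLOWED_SESSION_ISSUERS, drop_null_groups=True):
    """Return one row per distinct group, as the Splunk search would, after the filter macro."""
    groups = defaultdict(list)
    for rec in records:
        if rec.get("eventName") != "UpdateSAMLProvider":
            continue
        key = tuple(_get(rec, field) for field in GROUP_BY)
        if drop_null_groups and any(v is None for v in key):
            continue  # Splunk `stats ... by` drops events lacking any by-field
        groups[key].append(datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["count"] = len(times)
        # security_content_ctime renders epoch times as %Y-%m-%dT%H:%M:%S
        row["firstTime"] = min(times).strftime("%Y-%m-%dT%H:%M:%S")
        row["lastTime"] = max(times).strftime("%Y-%m-%dT%H:%M:%S")
        rows.append(row)
    # The filter macro runs last, after aggregation, just as in the search.
    return [r for r in rows if r["userIdentity.sessionContext.sessionIssuer.arn"] not in allowed_issuers]

if __name__ == "__main__":
    for row in detect_saml_provider_updates(SAMPLE_CLOUDTRAIL):
        print(row)
    print("with null groups kept:", len(detect_saml_provider_updates(SAMPLE_CLOUDTRAIL, drop_null_groups=False)))
```

Run as-is, the faithful port yields a single row for the AdminRole session with count 2 and the first/last times of its two updates; the rotation role is removed by the filter, and the IAM-user update (record 5) is silently lost because its sessionIssuer field is absent. In Splunk the equivalent fix is a `fillnull value="-" userIdentity.sessionContext.sessionIssuer.arn` step before the stats, which the `drop_null_groups=False` path approximates; without it the search misses exactly the long-term-credential case that the description flags as a compromise indicator.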