AWS SAML Update identity provider
- source: splunk
- techniques:
- T1078
Description
This search detects updates to a SAML identity provider in AWS, i.e. calls to the IAM UpdateSAMLProvider API. Updating a SAML provider replaces its metadata document, which defines the identity provider (issuer and signing certificate) that AWS trusts for federated sign-in, so such updates need to be monitored closely: an unexpected one may indicate compromise of federated credentials at the perimeter, or a backdoor set up by an attacker to gain access from an identity provider under their control.
Detection logic
`cloudtrail` eventName=UpdateSAMLProvider
| stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_saml_update_identity_provider_filter`
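To show what the search above actually does with raw CloudTrail data, the following Python re-implements its logic over a handful of records so it can be exercised offline. This is an added example, not Splunk's code or part of the published rule: the CloudTrail events are constructed (the account ID, ARNs, access-key IDs and IP addresses are made up), and the `allowlist` parameter is a hypothetical stand-in for the rule's `aws_saml_update_identity_provider_filter` tuning macro. Field names and the first/last-time formatting follow the `stats ... by` clause and `security_content_ctime` macro of the SPL.

```python
import json
from datetime import datetime, timezone

# Field names mirror the "stats ... by" clause of the Splunk rule.
GROUP_FIELDS = (
    "eventType",
    "eventName",
    "requestParameters.sAMLProviderArn",
    "userIdentity.sessionContext.sessionIssuer.arn",
    "sourceIPAddress",
    "userIdentity.accessKeyId",
    "userIdentity.principalId",
)

# Constructed CloudTrail records as JSON lines (not real log data). The account
# ID, ARNs, access-key IDs and IP addresses are made up for illustration.
# Record 3 is a read-only GetSAMLProvider call and must not match; record 4 is
# a direct IAM-user call, which carries no sessionContext.sessionIssuer.
SAMPLE_EVENTS = r"""
{"eventVersion":"1.08","eventTime":"2024-03-01T10:15:00Z","eventSource":"iam.amazonaws.com","eventName":"UpdateSAMLProvider","eventType":"AwsApiCall","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"AssumedRole","principalId":"AROAEXAMPLEID:alice","accessKeyId":"ASIAEXAMPLEKEY1","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111122223333:role/Admin"}}},"requestParameters":{"sAMLProviderArn":"arn:aws:iam::111122223333:saml-provider/CorpIdP","sAMLMetadataDocument":"<EntityDescriptor/>"}}
{"eventVersion":"1.08","eventTime":"2024-03-01T10:16:30Z","eventSource":"iam.amazonaws.com","eventName":"UpdateSAMLProvider","eventType":"AwsApiCall","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"AssumedRole","principalId":"AROAEXAMPLEID:alice","accessKeyId":"ASIAEXAMPLEKEY1","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111122223333:role/Admin"}}},"requestParameters":{"sAMLProviderArn":"arn:aws:iam::111122223333:saml-provider/CorpIdP","sAMLMetadataDocument":"<EntityDescriptor/>"}}
{"eventVersion":"1.08","eventTime":"2024-03-01T10:20:00Z","eventSource":"iam.amazonaws.com","eventName":"GetSAMLProvider","eventType":"AwsApiCall","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"AssumedRole","principalId":"AROAEXAMPLEID:alice","accessKeyId":"ASIAEXAMPLEKEY1","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111122223333:role/Admin"}}},"requestParameters":{"sAMLProviderArn":"arn:aws:iam::111122223333:saml-provider/CorpIdP"}}
{"eventVersion":"1.08","eventTime":"2024-03-02T02:05:00Z","eventSource":"iam.amazonaws.com","eventName":"UpdateSAMLProvider","eventType":"AwsApiCall","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","principalId":"AIDAEXAMPLEID","accessKeyId":"AKIAEXAMPLEKEY2","arn":"arn:aws:iam::111122223333:user/svc-deploy"},"requestParameters":{"sAMLProviderArn":"arn:aws:iam::111122223333:saml-provider/CorpIdP","sAMLMetadataDocument":"<EntityDescriptor/>"}}
"""


def parse_events(text):
    """Parse newline-delimited CloudTrail JSON records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def get_path(record, dotted, default=None):
    """Resolve a dotted, Splunk-style field name against a nested dict."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_saml_provider_updates(records, allowlist=frozenset()):
    """Keep UpdateSAMLProvider events and aggregate them per actor and provider.

    `allowlist` is a hypothetical analogue of the rule's filter macro: events
    whose userIdentity.principalId is listed are suppressed. Missing by-fields
    are filled with the string "null" so that direct IAM-user calls, which
    have no sessionIssuer, still produce a row.
    """
    groups = {}
    for rec in records:
        if rec.get("eventName") != "UpdateSAMLProvider":
            continue
        if get_path(rec, "userIdentity.principalId") in allowlist:
            continue
        key = tuple(get_path(rec, field, "null") for field in GROUP_FIELDS)
        ts = parse_event_time(rec["eventTime"])
        entry = groups.setdefault(key, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)

    results = []
    for key, entry in sorted(groups.items(), key=lambda kv: kv[1]["first"]):
        row = dict(zip(GROUP_FIELDS, key))
        row["count"] = entry["count"]
        # Same rendering as the security_content_ctime macro.
        row["firstTime"] = entry["first"].strftime("%Y-%m-%dT%H:%M:%S")
        row["lastTime"] = entry["last"].strftime("%Y-%m-%dT%H:%M:%S")
        results.append(row)
    return results


if __name__ == "__main__":
    for row in detect_saml_provider_updates(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(row, indent=2))
```

Running it yields two rows: the two role-session updates collapse into one row with count 2, the GetSAMLProvider call is ignored, and the IAM-user update appears with "null" as its session issuer. That last point is the practical caveat: in Splunk, `stats ... by` drops any event in which one of the by-fields is missing, so an UpdateSAMLProvider call made directly with long-term IAM user keys (no `userIdentity.sessionContext.sessionIssuer.arn`) would not appear in the SPL output as written unless a `fillnull` is applied to that field before the `stats`.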