AWS IAM SAML Provider Updated
Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2021/09/22"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic", "Austin Songer"]
description = "Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges."
false_positives = [
    """
    SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or
    hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be
    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM SAML Provider Updated"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS IAM SAML Provider Updated

AWS IAM SAML providers facilitate federated access, allowing users to authenticate via external identity providers. Adversaries may exploit this by updating SAML providers to gain unauthorized access or escalate privileges. The detection rule monitors successful updates to SAML providers, flagging potential privilege escalation attempts by correlating specific AWS CloudTrail events.

### Possible investigation steps

- Review the AWS CloudTrail logs to identify the user or role associated with the UpdateSAMLProvider event. Check for any unusual or unauthorized users making changes.
- Examine the context of the UpdateSAMLProvider event, including the time of the event and any associated IP addresses or locations, to identify any anomalies or suspicious patterns.
- Investigate the history of changes to the specific SAML provider to determine if there have been any recent unauthorized or unexpected modifications.
- Check for any other related AWS CloudTrail events around the same timeframe, such as changes to IAM roles or policies, which might indicate a broader privilege escalation attempt.
- Assess the permissions and access levels of the user or role that performed the update to ensure they align with expected privileges and responsibilities.
- If suspicious activity is confirmed, consider revoking or limiting access for the involved user or role and review the security posture of the AWS environment to prevent future incidents.

### False positive analysis

- Routine administrative updates to SAML providers by authorized personnel can trigger alerts. To manage this, maintain a list of known administrators and their expected activities, and create exceptions for these users in the detection rule.
- Scheduled updates or maintenance activities involving SAML providers may also result in false positives. Document these activities and adjust the detection rule to exclude events occurring during these scheduled times.
- Automated scripts or tools used for managing SAML providers can generate alerts if they perform updates. Identify these scripts and their expected behavior, then configure the detection rule to recognize and exclude these specific actions.
- Changes made by trusted third-party services integrated with AWS IAM might be flagged. Verify the legitimacy of these services and consider adding them to an allowlist to prevent unnecessary alerts.

### Response and remediation

- Immediately revoke any unauthorized changes to the SAML provider by restoring the previous configuration from backups or logs.
- Conduct a thorough review of recent IAM activity logs to identify any unauthorized access or privilege escalation attempts associated with the updated SAML provider.
- Temporarily disable the affected SAML provider to prevent further unauthorized access while the investigation is ongoing.
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
- Implement additional monitoring and alerting for any future changes to SAML providers to ensure rapid detection of unauthorized modifications.
- Review and tighten IAM policies and permissions to ensure that only authorized personnel can update SAML providers.
- Consider implementing multi-factor authentication (MFA) for all users with permissions to modify IAM configurations to enhance security.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
]
risk_score = 47
rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail
    and event.provider: iam.amazonaws.com
    and event.action: UpdateSAMLProvider
    and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1484"
name = "Domain or Tenant Policy Modification"
reference = "https://attack.mitre.org/techniques/T1484/"
[[rule.threat.technique.subtechnique]]
id = "T1484.002"
name = "Trust Modification"
reference = "https://attack.mitre.org/techniques/T1484/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
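To show what the KQL query above actually matches, and how the allowlist exception from the false-positive section fits in, here is an added example that re-implements the rule's four conditions in Python over ECS-shaped CloudTrail documents. It is not code from the Elastic rule or its repository; the sample events are constructed, and the nested field path `aws.cloudtrail.user_identity.arn` is assumed to follow the Elastic AWS integration's mapping.

```python
# Added example, not part of the Elastic rule: the query's four match
# conditions plus an allowlist exception, run over constructed ECS-shaped
# CloudTrail documents. Field names are assumed to follow the Elastic AWS
# integration mapping; adjust them if your own mapping differs.

def _field(doc, path):
    """Read a dotted ECS field path such as 'event.action' from a nested dict."""
    node = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches_rule(doc):
    """The rule's KQL: dataset, IAM provider, UpdateSAMLProvider, successful outcome."""
    return (
        _field(doc, "event.dataset") == "aws.cloudtrail"
        and _field(doc, "event.provider") == "iam.amazonaws.com"
        and _field(doc, "event.action") == "UpdateSAMLProvider"
        and _field(doc, "event.outcome") == "success"
    )


def alerts(docs, allowlist=frozenset()):
    """Matching events whose caller ARN is not an approved automation principal."""
    return [
        doc for doc in docs
        if matches_rule(doc)
        and _field(doc, "aws.cloudtrail.user_identity.arn") not in allowlist
    ]


def _ct(action, outcome, arn, provider="iam.amazonaws.com"):
    """Build a constructed CloudTrail document in the shape the rule queries."""
    return {
        "event": {"dataset": "aws.cloudtrail", "provider": provider,
                  "action": action, "outcome": outcome},
        "aws": {"cloudtrail": {"user_identity": {"arn": arn}}},
    }


# Constructed sample data: the account id and ARNs are placeholders.
AUTOMATION_ARN = "arn:aws:iam::111122223333:role/idp-rotation-automation"
CONTRACTOR_ARN = "arn:aws:iam::111122223333:user/contractor"
SAMPLE_EVENTS = [
    _ct("UpdateSAMLProvider", "success", CONTRACTOR_ARN),  # unexpected caller: alert
    _ct("UpdateSAMLProvider", "success", AUTOMATION_ARN),  # known automation: suppressed
    _ct("UpdateSAMLProvider", "failure", CONTRACTOR_ARN),  # denied call: no match
    _ct("CreateSAMLProvider", "success", CONTRACTOR_ARN),  # different API: no match
]
```

Running `alerts(SAMPLE_EVENTS, allowlist={AUTOMATION_ARN})` yields only the contractor's successful update; the denied call and the CreateSAMLProvider event never satisfy the query, which is why a failed attempt needs a separate rule if you want to see it.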
Related rules
- AWS IAM Customer-Managed Policy Attached to Role by Rare User
- AWS EC2 Instance Connect SSH Public Key Uploaded
- AWS IAM CompromisedKeyQuarantine Policy Attached to User
- AWS IAM Create User via Assumed Role on EC2 Instance
- AWS IAM Group Creation