AWS IAM SAML Provider Updated

Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2021/09/22"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/16"

[rule]
author = ["Elastic", "Austin Songer"]
description = "Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges."
false_positives = [
    """
    SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or
    hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be
    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM SAML Provider Updated"
note = """## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
]
risk_score = 47
rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail
    and event.provider: iam.amazonaws.com
    and event.action: UpdateSAMLProvider
    and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1484"
name = "Domain or Tenant Policy Modification"
reference = "https://attack.mitre.org/techniques/T1484/"
[[rule.threat.technique.subtechnique]]
id = "T1484.002"
name = "Trust Modification"
reference = "https://attack.mitre.org/techniques/T1484/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```

Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
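To show what the rule's four KQL terms actually select, here is an added example (not part of the Elastic rule or its integration) that evaluates the same conditions over constructed CloudTrail records. It assumes the common mapping of `eventSource` to `event.provider`, `eventName` to `event.action`, and a present `errorCode` to `event.outcome: failure`; `user.arn` and `source.ip` are carried along only as triage context.

```python
# CloudTrail records constructed for this example; none are real events.
SAMPLE_RECORDS = [
    {   # successful update by alice -> should fire the rule
        "eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # denied attempt by bob -> outcome is failure, must not fire
        "eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
        "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # read-only call in the same API family -> must not fire
        "eventSource": "iam.amazonaws.com", "eventName": "GetSAMLProvider",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # federated sign-in via STS, a different event.provider -> must not fire
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"},
        "sourceIPAddress": "203.0.113.10",
    },
]

def to_ecs(record):
    """Map the CloudTrail fields the query reads onto ECS names.
    Assumption: eventSource -> event.provider, eventName -> event.action,
    and a present errorCode -> event.outcome "failure" (else "success")."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        "event.outcome": "failure" if record.get("errorCode") else "success",
        # Extra context for the analyst, taken from standard CloudTrail fields.
        "user.arn": record.get("userIdentity", {}).get("arn"),
        "source.ip": record.get("sourceIPAddress"),
    }

def matches_rule(ecs):
    """The four AND-ed terms of the rule's KQL query, evaluated in Python."""
    return (ecs["event.dataset"] == "aws.cloudtrail"
            and ecs["event.provider"] == "iam.amazonaws.com"
            and ecs["event.action"] == "UpdateSAMLProvider"
            and ecs["event.outcome"] == "success")

def alerts(records):
    """Return the ECS view of every record that would raise this alert."""
    return [ecs for ecs in map(to_ecs, records) if matches_rule(ecs)]
```

Only the first record fires; the denied attempt is excluded by `event.outcome:success`, which is why a failed-attempt variant of this rule is worth considering separately when triaging unfamiliar identities.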
