AWS SAML Provider Deletion Activity
Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
Sigma rule (View on GitHub)
1title: AWS SAML Provider Deletion Activity
2id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374
3status: experimental
4description: |
5 Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
6 An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
7references:
8 - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
9author: Ivan Saakov
10date: 2024-12-19
11tags:
12 - attack.t1078.004
13 - attack.privilege-escalation
14 - attack.defense-evasion
15 - attack.initial-access
16 - attack.persistence
17 - attack.t1531
18 - attack.impact
19logsource:
20 product: aws
21 service: cloudtrail
22detection:
23 selection:
24 eventSource: 'iam.amazonaws.com'
25 eventName: 'DeleteSAMLProvider'
26 status: 'success'
27 condition: selection
28falsepositives:
29 - Automated processes using tools like Terraform may trigger this alert.
30 - Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected.
31 - Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule.
32level: medium
References
Related rules
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- AWS Root Credentials
- AWS Successful Console Login Without MFA