AWS SAML Provider Deletion Activity
Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
Sigma rule (View on GitHub)
1title: AWS SAML Provider Deletion Activity
2id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374
3status: experimental
4description: |
5 Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
6 An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
7references:
8 - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
9author: Ivan Saakov
10date: 2024-12-19
11tags:
12 - attack.t1078.004
13 - attack.privilege-escalation
14 - attack.t1531
15logsource:
16 product: aws
17 service: cloudtrail
18detection:
19 selection:
20 eventSource: 'iam.amazonaws.com'
21 eventName: 'DeleteSAMLProvider'
22 status: 'success'
23 condition: selection
24falsepositives:
25 - Automated processes using tools like Terraform may trigger this alert.
26 - Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected.
27 - Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule.
28level: medium
References
Related rules
- AWS Root Credentials
- Application AppID Uri Configuration Changes
- Application URI Configuration Changes
- Changes To PIM Settings
- Github New Secret Created