SAML Token Issuer Anomaly

Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns

Sigma rule (View on GitHub)

 1title: SAML Token Issuer Anomaly
 2id: e3393cba-31f0-4207-831e-aef90ab17a8c
 3status: test
 4description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly
 7    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 8author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 9date: 2023-09-03
10tags:
11    - attack.t1606
12    - attack.credential-access
13logsource:
14    product: azure
15    service: riskdetection
16detection:
17    selection:
18        riskEventType: 'tokenIssuerAnomaly'
19    condition: selection
20falsepositives:
21    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
22level: high

References

Related rules

to-top