SAML Token Issuer Anomaly
Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns.
Sigma rule

title: SAML Token Issuer Anomaly
id: e3393cba-31f0-4207-831e-aef90ab17a8c
status: experimental
description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
references:
  - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly
  - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023/09/03
tags:
  - attack.t1606
  - attack.credential_access
logsource:
  product: azure
  service: riskdetection
detection:
  selection:
    riskEventType: 'tokenIssuerAnomaly'
  condition: selection
falsepositives:
  - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
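The rule above reduces to a single field/value selection over Azure Identity Protection risk-detection records. The following is an added example, not code from the Sigma rule or the SigmaHQ project: it applies that selection to constructed records shaped like the Microsoft Graph riskDetection resource (field names are the documented ones; every value is made up) and then, following the rule's false-positive guidance, pulls the other risk detections for each flagged user so the session can be reviewed in context. The matcher implements Sigma's general plain-string semantics (case-insensitive, `*` and `?` wildcards), which is more than this one rule needs.

```python
"""Evaluate the Sigma selection above against Azure Identity Protection
risk-detection records.

Added example, not part of the Sigma rule or the SigmaHQ project.  The
records below are constructed to mirror the Graph riskDetection resource
shape; none of the values come from a real tenant."""
from __future__ import annotations

import re

# Selection and level copied from the rule; its condition is just 'selection'.
RULE = {
    "title": "SAML Token Issuer Anomaly",
    "level": "high",
    "selection": {"riskEventType": "tokenIssuerAnomaly"},
}

# Constructed records (field names follow the Graph riskDetection resource).
SAMPLE_EVENTS = [
    {"id": "evt-1", "riskEventType": "tokenIssuerAnomaly", "riskLevel": "high",
     "riskState": "atRisk", "userPrincipalName": "alice@example.com",
     "activityDateTime": "2023-09-03T08:15:00Z", "ipAddress": "203.0.113.10"},
    {"id": "evt-2", "riskEventType": "unfamiliarFeatures", "riskLevel": "medium",
     "riskState": "atRisk", "userPrincipalName": "alice@example.com",
     "activityDateTime": "2023-09-03T08:02:00Z", "ipAddress": "203.0.113.10"},
    # Case differs from the rule value; Sigma string matching is case-insensitive.
    {"id": "evt-3", "riskEventType": "TokenIssuerAnomaly", "riskLevel": "high",
     "riskState": "atRisk", "userPrincipalName": "bob@example.com",
     "activityDateTime": "2023-09-03T09:40:00Z", "ipAddress": "198.51.100.7"},
    {"id": "evt-4", "riskEventType": "anomalousToken", "riskLevel": "medium",
     "riskState": "atRisk", "userPrincipalName": "carol@example.com",
     "activityDateTime": "2023-09-03T10:05:00Z", "ipAddress": "192.0.2.44"},
]


def sigma_pattern(value: str) -> re.Pattern[str]:
    """Compile a plain Sigma string value: case-insensitive, with '*' and '?'
    wildcards (the subset of Sigma value syntax this rule needs)."""
    parts = re.split(r"([*?])", value)
    regex = "".join(".*" if p == "*" else "." if p == "?" else re.escape(p) for p in parts)
    return re.compile(f"^{regex}$", re.IGNORECASE | re.DOTALL)


def event_matches(event: dict, selection: dict[str, str]) -> bool:
    """A selection map is an AND of field/value pairs; a missing field never matches."""
    for field, value in selection.items():
        actual = event.get(field)
        if actual is None or not sigma_pattern(value).match(str(actual)):
            return False
    return True


def run_rule(rule: dict, events: list[dict]) -> list[dict]:
    """Return one alert per matching event, carrying the fields an analyst needs first."""
    return [
        {"rule": rule["title"], "level": rule["level"], "event_id": e["id"],
         "user": e.get("userPrincipalName"), "at": e.get("activityDateTime"),
         "ip": e.get("ipAddress")}
        for e in events
        if event_matches(e, rule["selection"])
    ]


def user_context(events: list[dict], alerts: list[dict]) -> dict[str, list[str]]:
    """For each alerted user, list that user's other risk detections, so the flagged
    session is reviewed alongside the user's other activity as the rule recommends."""
    alerted_ids = {a["event_id"] for a in alerts}
    ctx: dict[str, list[str]] = {a["user"]: [] for a in alerts}
    for e in events:
        user = e.get("userPrincipalName")
        if user in ctx and e["id"] not in alerted_ids:
            ctx[user].append(e["riskEventType"])
    return ctx


if __name__ == "__main__":
    found = run_rule(RULE, SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['level']}] {a['rule']}: {a['user']} at {a['at']} from {a['ip']}")
    for user, others in user_context(SAMPLE_EVENTS, found).items():
        print(f"  {user}: other risk events {others or 'none'}")
```

Running the script flags evt-1 and evt-3 (the second despite its differing case) and shows that alice has a preceding unfamiliarFeatures detection from the same address while bob has nothing else on record, which is exactly the kind of context the false-positive note asks an analyst to weigh before acting.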
Related rules
- Anomalous Token
- Password Spray Activity
- Possible Impacket Secretsdump.py Activity
- HackTool - CrackMapExec Execution
- CVE-2021-31979 CVE-2021-33771 Exploits