Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.