AWS IAM SAML Provider Updated
editAWS IAM SAML Provider Updated
editIdentifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges.
Rule type: query
Rule indices:
- filebeat-*
- logs-aws.cloudtrail-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: AWS IAM
- Use Case: Identity and Access Audit
- Tactic: Privilege Escalation
Version: 207
Rule authors:
- Elastic
- Austin Songer
Rule license: Elastic License v2
Investigation guide
editSetup
editThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Rule query
editevent.dataset:aws.cloudtrail and event.provider: iam.amazonaws.com and event.action: UpdateSAMLProvider and event.outcome:success
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Domain or Tenant Policy Modification
- ID: T1484
- Reference URL: https://attack.mitre.org/techniques/T1484/
-
Sub-technique:
- Name: Trust Modification
- ID: T1484.002
- Reference URL: https://attack.mitre.org/techniques/T1484/002/