AWS IAM SAML Provider Updated

Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges.

Rule type: query

Rule indices:

filebeat-*
logs-aws.cloudtrail-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html

Tags:

Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Use Case: Identity and Access Audit
Tactic: Privilege Escalation

Version: 207

Rule authors:

Elastic
Austin Songer

Rule license: Elastic License v2

Investigation guide

edit

Setup

edit

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:aws.cloudtrail
    and event.provider: iam.amazonaws.com
    and event.action: UpdateSAMLProvider
    and event.outcome:success

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Domain or Tenant Policy Modification
- ID: T1484
- Reference URL: https://attack.mitre.org/techniques/T1484/
Sub-technique:
- Name: Trust Modification
- ID: T1484.002
- Reference URL: https://attack.mitre.org/techniques/T1484/002/

« AWS IAM Roles Anywhere Trust Anchor Created with External CA AWS IAM User Addition to Group »