AWSCloudTrail
| where EventName == "UpdateSAMLProvider" and isempty(ErrorCode) and isempty(ErrorMessage)
| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))
| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName
severity: High
queryFrequency: 1d
relevantTechniques:
- T1078
tactics:
- Persistence
kind: Scheduled
query: |
AWSCloudTrail
| where EventName == "UpdateSAMLProvider" and isempty(ErrorCode) and isempty(ErrorMessage)
| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))
| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_SAMLUpdateIdentity.yaml
queryPeriod: 1d
status: Available
version: 1.0.0
name: SAML update identity provider
requiredDataConnectors:
- dataTypes:
- AWSCloudTrail
connectorId: AWS
triggerOperator: gt
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
id: bce1dcba-4948-414d-8838-6385afb9d496
description: |
'Attackers could update the SAML provider in order to create unauthorized but valid tokens and represent them to services that trust SAML tokens from the environment. These tokens can then be used to access resources. More about this API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html '
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bce1dcba-4948-414d-8838-6385afb9d496')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bce1dcba-4948-414d-8838-6385afb9d496')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "SAML update identity provider",
"description": "'Attackers could update the SAML provider in order to create unauthorized but valid tokens and represent them to services that trust SAML tokens from the environment. These tokens can then be used to access resources. More about this API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html '\n",
"severity": "High",
"enabled": true,
"query": "AWSCloudTrail\n| where EventName == \"UpdateSAMLProvider\" and isempty(ErrorCode) and isempty(ErrorMessage)\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1078"
],
"alertRuleTemplateName": "bce1dcba-4948-414d-8838-6385afb9d496",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
}
],
"templateVersion": "1.0.0",
"status": "Available",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_SAMLUpdateIdentity.yaml"
}
}
]
}