Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AWSCloudTrail - SAML update identity provider

AWSCloudTrail - SAML update identity provider

Back
Idbce1dcba-4948-414d-8838-6385afb9d496
RulenameAWSCloudTrail - SAML update identity provider
DescriptionDetects updates to AWS SAML identity provider configuration. Unauthorized changes can allow adversaries to

issue trusted federation tokens and gain persistent or privileged access.
SeverityHigh
TacticsPersistence
TechniquesT1078
Required data connectorsAWS
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_SAMLUpdateIdentity.yaml
Version1.0.2
Arm templatebce1dcba-4948-414d-8838-6385afb9d496.json
Deploy To Azure
AWSCloudTrail
| where EventName == "UpdateSAMLProvider" and isempty(ErrorCode) and isempty(ErrorMessage)
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  - identifier: CloudAppAccountId
    columnName: RecipientAccountId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
tactics:
- Persistence
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
alertDetailsOverride:
  alertDisplayNameFormat: AWS SAML identity provider updated by {{AccountName}}
  alertDescriptionFormat: Detected UpdateSAMLProvider from {{SourceIpAddress}} in account {{RecipientAccountId}}.
id: bce1dcba-4948-414d-8838-6385afb9d496
severity: High
status: Available
customDetails:
  AWSRegion: AWSRegion
  UserIdentityArn: UserIdentityArn
  EventSource: EventSource
  EventName: EventName
query: |
  AWSCloudTrail
  | where EventName == "UpdateSAMLProvider" and isempty(ErrorCode) and isempty(ErrorMessage)
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_SAMLUpdateIdentity.yaml
kind: Scheduled
queryPeriod: 1d
version: 1.0.2
name: AWSCloudTrail - SAML update identity provider
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
- T1078
description: |
  Detects updates to AWS SAML identity provider configuration. Unauthorized changes can allow adversaries to
  issue trusted federation tokens and gain persistent or privileged access.  
triggerOperator: gt