Title:AWS SAML Provider Deletion Activity Status:experimental Description:Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
References: -https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html Author: Ivan Saakov Date: 2024-12-19 modified:None Tags:
-'attack.t1078.004'
-'attack.privilege-escalation'
-'attack.t1531'
Logsource:
product: aws
service: cloudtrail
Detection: selection: eventSource:
'iam.amazonaws.com' eventName:
'DeleteSAMLProvider' status:
'success' condition:selection Falsepositives:
-Automated processes using tools like Terraform may trigger this alert.
-Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected.
-Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule. Level:medium
