name: AWS SAML Update identity provider
id: 2f0604c6-6030-11eb-ae93-0242ac130002
version: 4
date: '2024-09-30'
author: Rod Soto, Splunk
status: production
type: TTP
description: The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. Monitoring updates to the SAML provider is crucial, as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.
data_source:
- AWS CloudTrail UpdateSAMLProvider
search: '`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_saml_update_identity_provider_filter`'
how_to_implement: You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.
known_false_positives: Updating a SAML provider or creating a new one may not necessarily be malicious; however, it needs to be closely monitored.
references:
- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
- https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
- https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps
drilldown_searches:
- name: 'View the detection results for - "$userIdentity.principalId$"'
  search: '%original_detection_search% | search userIdentity.principalId = "$userIdentity.principalId$"'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
- name: 'View risk events for the last 7 days for - "$userIdentity.principalId$"'
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userIdentity.principalId$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
tags:
  analytic_story:
  - Cloud Federated Credential Abuse
  asset_type: AWS Federated Account
  confidence: 80
  impact: 80
  message: User $userIdentity.principalId$ from IP address $sourceIPAddress$ has triggered an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$
  mitre_attack_id:
  - T1078
  observable:
  - name: sourceIPAddress
    type: IP Address
    role:
    - Attacker
  - name: userIdentity.principalId
    type: User
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - eventName
  - eventType
  - requestParameters.sAMLProviderArn
  - userIdentity.sessionContext.sessionIssuer.arn
  - sourceIPAddress
  - userIdentity.accessKeyId
  - userIdentity.principalId
  risk_score: 64
  security_domain: threat
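The search above keeps only `UpdateSAMLProvider` events and aggregates them by provider ARN, session issuer, source IP, access key and principal. The following Python script is an added example, not Splunk's code, that applies the same filter and grouping offline to a CloudTrail log in the `Records` JSON format that CloudTrail delivers to S3, and renders the detection's risk message for each group. The sample events, account number, role and provider ARNs, IP address and access key are all constructed; the `excluded_principals` argument stands in for the `aws_saml_update_identity_provider_filter` tuning macro, and how that macro is used is an assumption of this example.

```python
"""Offline equivalent of the AWS SAML Update identity provider detection.

Added example (not Splunk's code): parse a CloudTrail `Records` file, keep only
UpdateSAMLProvider events, and aggregate them on the same fields as the Splunk
search. Every sample value below is constructed for the demo.
"""
import json
from datetime import datetime, timezone

# Fields the Splunk search groups on (the `by` clause of `stats`).
GROUP_BY = [
    "eventType",
    "eventName",
    "requestParameters.sAMLProviderArn",
    "userIdentity.sessionContext.sessionIssuer.arn",
    "sourceIPAddress",
    "userIdentity.accessKeyId",
    "userIdentity.principalId",
]

# Risk message template from the detection, with the $field$ tokens resolved below.
MESSAGE_TEMPLATE = (
    "User {principal} from IP address {ip} has triggered an event {event} "
    "to update the SAML provider to {arn}"
)


def _sample_record(event_name, event_time):
    """Build one constructed CloudTrail record; all identifiers are made up."""
    return {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "iam.amazonaws.com",
        "eventName": event_name,
        "eventType": "AwsApiCall",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEID:admin-session",
            "accessKeyId": "ASIAEXAMPLEKEY",
            "sessionContext": {
                "sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/AdminRole"}
            },
        },
        "requestParameters": {
            "sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/CorpIdP"
        },
    }


# Constructed sample log: two UpdateSAMLProvider calls from the same assumed-role
# session, plus a read-only GetSAMLProvider call that the detection must ignore.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    _sample_record("UpdateSAMLProvider", "2024-09-30T14:02:11Z"),
    _sample_record("UpdateSAMLProvider", "2024-09-30T14:05:40Z"),
    _sample_record("GetSAMLProvider", "2024-09-30T14:06:02Z"),
]})


def get_path(record, dotted, default=""):
    """Resolve a dotted field name such as userIdentity.principalId."""
    current = record
    for key in dotted.split("."):
        if not isinstance(current, dict) or key not in current:
            return default
        current = current[key]
    return current


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_saml_provider_updates(cloudtrail_json, excluded_principals=()):
    """Return one row per group, like `stats count min(_time) max(_time) by ...`.

    excluded_principals stands in for the aws_saml_update_identity_provider_filter
    macro (assumed here to allowlist known change-management principals).
    """
    groups = {}
    for record in json.loads(cloudtrail_json).get("Records", []):
        if record.get("eventName") != "UpdateSAMLProvider":
            continue
        if get_path(record, "userIdentity.principalId") in excluded_principals:
            continue
        key = tuple(get_path(record, field) for field in GROUP_BY)
        when = parse_event_time(record["eventTime"])
        group = groups.setdefault(key, {"count": 0, "firstTime": when, "lastTime": when})
        group["count"] += 1
        group["firstTime"] = min(group["firstTime"], when)
        group["lastTime"] = max(group["lastTime"], when)

    rows = []
    for key, group in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["count"] = group["count"]
        row["firstTime"] = group["firstTime"].isoformat()
        row["lastTime"] = group["lastTime"].isoformat()
        row["message"] = MESSAGE_TEMPLATE.format(
            principal=row["userIdentity.principalId"],
            ip=row["sourceIPAddress"],
            event=row["eventName"],
            arn=row["requestParameters.sAMLProviderArn"],
        )
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in detect_saml_provider_updates(SAMPLE_CLOUDTRAIL):
        print(json.dumps(row, indent=2))
```

Running the script on the constructed log yields a single row with `count` 2, because both update calls share every grouping field; the `GetSAMLProvider` call is dropped by the event-name filter. Grouping on `sessionIssuer.arn` and `accessKeyId` alongside the principal is what lets an analyst tell a scheduled rotation by a known automation role apart from the same API being called from a fresh session and an unexpected source address.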