Merge PR #5015 from @saakovv - Add AWS SAML Provider Deletion Activity

new: AWS SAML Provider Deletion Activity --------- Co-authored-by: Ivan.Saakov <[email protected]> Co-authored-by: Nasreddine Bencherchali <[email protected]>
SigmaHQ · Dec 19, 2024 · a8d8dcf · a8d8dcf
1 parent 3449958
commit a8d8dcf
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
@@ -0,0 +1,28 @@
+title: AWS SAML Provider Deletion Activity
+id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374
+status: experimental
+description: |
+    Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
+    An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
+references:
+    - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
+author: Ivan Saakov
+date: 2024-12-19
+tags:
+    - attack.t1078.004
+    - attack.privilege-escalation
+    - attack.t1531
+logsource:
+    product: aws
+    service: cloudtrail
+detection:
+    selection:
+        eventSource: 'iam.amazonaws.com'
+        eventName: 'DeleteSAMLProvider'
+        status: 'success'
+    condition: selection
+falsepositives:
+    - Automated processes using tools like Terraform may trigger this alert.
+    - Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected.
+    - Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule.
+level: medium