ID | Technique | Tactic |
---|---|---|
T1078 | Valid Accounts | Defense Evasion |
Detection: AWS SAML Update identity provider
Description
The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the UpdateSAMLProvider
event, analyzing fields such as sAMLProviderArn
, sourceIPAddress
, and userIdentity
details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.
Search
1`cloudtrail` eventName=UpdateSAMLProvider
2| stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId
3| `security_content_ctime(firstTime)`
4| `security_content_ctime(lastTime)`
5|`aws_saml_update_identity_provider_filter`
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
AWS CloudTrail UpdateSAMLProvider | AWS | 'aws:cloudtrail' |
'aws_cloudtrail' |
Macros Used
Name | Value |
---|---|
cloudtrail | sourcetype=aws:cloudtrail |
aws_saml_update_identity_provider_filter | search * |
aws_saml_update_identity_provider_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
Known False Positives
Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$ | 64 | 80 | 80 |
References
-
https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
-
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | aws_cloudtrail |
aws:cloudtrail |
Integration | ✅ Passing | Dataset | aws_cloudtrail |
aws:cloudtrail |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 4