New

The executive guide to generative AI

Read more

AWS SAML Activity

edit

Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-aws*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • AWS
  • Amazon Web Services
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 102

Rule authors:

  • Austin Songer

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit
event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or
UpdateSAMLProvider) and event.outcome:success

Framework: MITRE ATT&CKTM

Was this helpful?
Feedback