Detection | medium | experimental

AWS SAML Provider Deletion Activity

Detects the deletion of an AWS SAML provider, which may indicate an attempt to disrupt administrative or security team access. An attacker can remove the SAML provider used by the information security team or by system administrators, making it difficult for them to work and investigate both during and after the attack.

Author: Ivan Saakov | Created: Thu Dec 19 | ID: ccd6a6c8-bb4e-4a91-9d2a-07e632819374 | Category: cloud
Log Source
Product: aws
Service: cloudtrail
Detection Logic (1 selector)
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName: 'DeleteSAMLProvider'
        status: 'success'
    condition: selection
False Positives

Automated processes using tools like Terraform may trigger this alert.

Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected.

Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule.
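The following is an added example, not part of the Sigma rule or the Sigma project: it applies the rule's `selection` block above to constructed CloudTrail records and then triages the hits along the lines of the False Positives notes (verify identity, user agent and source; exempt known automation). Two things are assumptions not stated on the page: the rule's `status: 'success'` is mapped to "the record carries no `errorCode`", and the Terraform user-agent allow-list is a local policy choice, not part of the rule.

```python
"""Apply the Sigma selection to CloudTrail records and triage the hits.

Added example; not part of the Sigma rule or the Sigma project.
Assumptions (not on the page): `status: 'success'` is taken to mean the
record has no errorCode, and the Terraform user-agent exemption is a
local allow-list, not part of the rule itself.
"""
import json

# Constructed sample CloudTrail delivery in the {"Records": [...]} envelope
# CloudTrail uses. Account id, IPs and ARNs are made up for the example.
SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    {   # 1. Successful deletion from an interactive CLI session: the rule fires.
        "eventSource": "iam.amazonaws.com", "eventName": "DeleteSAMLProvider",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"sAMLProviderArn":
            "arn:aws:iam::111122223333:saml-provider/SecOpsIdP"}},
    {   # 2. Denied attempt: carries errorCode, so status is not 'success'.
        "eventSource": "iam.amazonaws.com", "eventName": "DeleteSAMLProvider",
        "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
        "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "198.51.100.7"},
    {   # 3. Successful deletion by the IaC pipeline: matches, then exempted.
        "eventSource": "iam.amazonaws.com", "eventName": "DeleteSAMLProvider",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/terraform-deployer"},
        "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.0",
        "sourceIPAddress": "192.0.2.20",
        "requestParameters": {"sAMLProviderArn":
            "arn:aws:iam::111122223333:saml-provider/LegacyIdP"}},
    {   # 4. A different IAM call: eventName does not match.
        "eventSource": "iam.amazonaws.com", "eventName": "CreateSAMLProvider",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "userAgent": "console.amazonaws.com", "sourceIPAddress": "203.0.113.10"},
]})

# Hypothetical local allow-list covering the Terraform false positive.
EXEMPT_USER_AGENT_PREFIXES = ("APN/1.0 HashiCorp/1.0 Terraform/",)


def parse_cloudtrail(text):
    """Return the list of records from a CloudTrail JSON delivery."""
    return json.loads(text).get("Records", [])


def matches_selection(event):
    """The rule's `selection` block, field by field (AND of all three)."""
    return (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") == "DeleteSAMLProvider"
            and "errorCode" not in event)   # assumed meaning of status: 'success'


def triage(events, exempt_prefixes=EXEMPT_USER_AGENT_PREFIXES):
    """Run the selection over the records and attach the context the
    False Positives section says to verify: identity, user agent, source."""
    hits = []
    for event in events:
        if not matches_selection(event):
            continue
        user_agent = event.get("userAgent", "")
        hits.append({
            "actor": event.get("userIdentity", {}).get("arn", "<unknown>"),
            "userAgent": user_agent,
            "sourceIPAddress": event.get("sourceIPAddress", "<unknown>"),
            "provider": event.get("requestParameters", {}).get(
                "sAMLProviderArn", "<unknown>"),
            # Known, expected automation is exempted; anything else is
            # flagged for investigation, as the rule's notes suggest.
            "verdict": ("exempt" if user_agent.startswith(exempt_prefixes)
                        else "investigate"),
        })
    return hits


if __name__ == "__main__":
    for hit in triage(parse_cloudtrail(SAMPLE_CLOUDTRAIL_JSON)):
        print(json.dumps(hit))
```

Run on the constructed delivery, record 1 is flagged for investigation, record 3 is exempted as the known Terraform deployer, and records 2 and 4 never match the selection because the denied attempt carries an `errorCode` and the create call has a different `eventName`. Passing an empty `exempt_prefixes` tuple disables the allow-list so every successful deletion is investigated.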

Rule Metadata
Rule ID
ccd6a6c8-bb4e-4a91-9d2a-07e632819374
Status
experimental
Level
medium
Type
Detection
Created
Thu Dec 19
Path
rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
Raw Tags
attack.t1078.004, attack.privilege-escalation, attack.defense-evasion, attack.initial-access, attack.persistence, attack.t1531, attack.impact