Detectionhightest

SAML Token Issuer Anomaly

Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Mark Morowczynski, Gloria LeeCreated Sun Sep 03e3393cba-31f0-4207-831e-aef90ab17a8ccloud

Log Source

Azureriskdetection

ProductAzure← raw: azure

Serviceriskdetection← raw: riskdetection

Detection Logic

detection:
    selection:
        riskEventType: 'tokenIssuerAnomaly'
    condition: selection

False Positives

We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.

References

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Techniques

T1606 · Forge Web Credentials

Rule Metadata

Rule ID

e3393cba-31f0-4207-831e-aef90ab17a8c

Status

test

Level

high

Type

Detection

Created

Sun Sep 03

Author

Mark Morowczynski, Gloria Lee

Path

rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml

Raw Tags

attack.t1606attack.credential-access

View on GitHub