
AWS Suspicious SAML Activity

Sigma Rules

Summary
This rule identifies potentially suspicious use of SAML (Security Assertion Markup Language) federation in AWS environments, where a user or automated process could abuse the SAML trust to gain unauthorized access to resources. An attacker who has compromised, or can forge assertions from, a trusted identity provider can call the 'AssumeRoleWithSAML' STS API to obtain temporary credentials for a role in your account; an attacker with IAM write access can call 'UpdateSAMLProvider' to replace the provider's metadata document, and with it the identity provider that the account trusts. The rule monitors AWS CloudTrail logs for these two API calls: 'AssumeRoleWithSAML' indicates that a role was assumed with SAML authentication, and 'UpdateSAMLProvider' indicates that the SAML provider configuration was changed. To triage this detection effectively, users should know their organization's SAML configuration and the expected sources of activity against SAML providers (which principals, source IP addresses and user agents normally assume roles or update providers). Any unexpected SAML activity should be investigated, and known benign automation tools that interact with these APIs, such as infrastructure-as-code deployments, should be accounted for to reduce false positives.
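The detection logic described above, run over a constructed CloudTrail log. This is an added example, not the rule's own code or an official Sigma backend output: the event names come from the summary, the eventSource values (sts.amazonaws.com for STS, iam.amazonaws.com for IAM) are the ones CloudTrail records for those APIs, and the user-agent allowlist used to mark known automation is an assumed tuning knob. The sample records are constructed, with example account IDs and addresses.

```python
"""Detection logic for the AWS Suspicious SAML Activity rule, as an added
example (not the rule's own code), run over constructed CloudTrail records."""
import json

# The two API calls named in the rule summary, keyed by the CloudTrail
# eventSource that emits them (STS for AssumeRoleWithSAML, IAM for UpdateSAMLProvider).
SAML_EVENTS = {
    ("sts.amazonaws.com", "AssumeRoleWithSAML"),
    ("iam.amazonaws.com", "UpdateSAMLProvider"),
}

# Assumed tuning knob (not part of the rule): userAgent prefixes of automation
# the organization has vetted. An empty set alerts on every matching event.
KNOWN_AUTOMATION_AGENTS = {"terraform-provider-aws"}


def match_saml_activity(record):
    """Return the matched (eventSource, eventName) pair for a record, or None."""
    key = (record.get("eventSource"), record.get("eventName"))
    return key if key in SAML_EVENTS else None


def is_known_automation(record, allowlist=KNOWN_AUTOMATION_AGENTS):
    """True when the record's userAgent starts with a vetted automation prefix."""
    agent = record.get("userAgent", "")
    return any(agent.startswith(prefix) for prefix in allowlist)


def detect(cloudtrail_json, allowlist=KNOWN_AUTOMATION_AGENTS):
    """Run the rule over a CloudTrail log body ({"Records": [...]}).

    Returns one alert dict per matching record with the fields an analyst
    needs for triage. Events from allowlisted automation are kept but marked
    suppressed rather than dropped, so the audit trail stays visible.
    """
    alerts = []
    for record in json.loads(cloudtrail_json).get("Records", []):
        matched = match_saml_activity(record)
        if matched is None:
            continue
        identity = record.get("userIdentity", {})
        alerts.append({
            "eventName": matched[1],
            "eventTime": record.get("eventTime"),
            "principal": identity.get("arn") or identity.get("principalId"),
            "sourceIPAddress": record.get("sourceIPAddress"),
            "userAgent": record.get("userAgent"),
            "requestParameters": record.get("requestParameters"),
            "suppressed": is_known_automation(record, allowlist),
        })
    return alerts


# Constructed sample log: two true hits, one hit from vetted tooling, one miss.
SAMPLE_LOG = json.dumps({"Records": [
    {   # role assumed with a SAML assertion: alert
        "eventTime": "2021-09-22T10:15:00Z",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
        "sourceIPAddress": "198.51.100.23", "userAgent": "Mozilla/5.0",
        "userIdentity": {"type": "SAMLUser", "principalId": "EXAMPLEID:alice"},
        "requestParameters": {
            "roleArn": "arn:aws:iam::123456789012:role/Admin",
            "principalArn": "arn:aws:iam::123456789012:saml-provider/CorpIdP"},
    },
    {   # SAML provider metadata replaced by an IAM user from the CLI: alert
        "eventTime": "2021-09-22T10:20:00Z",
        "eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
        "sourceIPAddress": "203.0.113.9", "userAgent": "aws-cli/2.2.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {
            "sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/CorpIdP"},
    },
    {   # same change made by vetted infrastructure-as-code tooling: suppressed
        "eventTime": "2021-09-22T10:25:00Z",
        "eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
        "sourceIPAddress": "203.0.113.50", "userAgent": "terraform-provider-aws/3.60.0",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ci/deploy"},
        "requestParameters": {
            "sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/CorpIdP"},
    },
    {   # plain AssumeRole, not SAML: no match
        "eventTime": "2021-09-22T10:30:00Z",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
    },
]})

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

The allowlist keys on userAgent only because that is what the summary calls out; in production, tie the exemption to the principal ARN (or role) as well, since a user agent string is attacker-controlled and trivially spoofed.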
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
Created: 2021-09-22