
AWS SAML Provider Deletion Activity

Summary
This rule detects the deletion of an AWS SAML identity provider in AWS CloudTrail logs. It matches the IAM API call `DeleteSAMLProvider` (event source `iam.amazonaws.com`) only when the call succeeded, that is, when the CloudTrail record carries no `errorCode`. Deleting a SAML provider removes a federated login path; if that provider is the one administrators and security staff sign in through, the deletion can lock them out and hinder incident investigation, so it is a plausible step for an attacker with IAM privileges who wants to weaken the account's security posture. Every alert from this rule needs investigation to separate malicious deletions from legitimate ones performed by authorized personnel. Infrastructure-as-code tooling such as Terraform legitimately deletes providers during routine changes; such events should be tuned out only when they come from the expected automation principal and source, not suppressed wholesale.
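To make the detection condition concrete, the following is an added example (not the rule's own source or any project code) that applies the same logic to a handful of constructed CloudTrail records: it flags successful `DeleteSAMLProvider` calls from `iam.amazonaws.com`, ignores failed attempts that carry an `errorCode`, and applies the Terraform caveat from the summary by marking deletions from a known automation principal as expected rather than suppressing them. The automation role ARN, account ID and all sample records are assumptions made up for this example.

```python
import json
from typing import Iterable

# Principals expected to delete SAML providers during routine IaC changes.
# Hypothetical ARN; in practice this comes from your Terraform/CI role.
EXPECTED_AUTOMATION_ARNS = {
    "arn:aws:sts::123456789012:assumed-role/terraform-apply/terraform",
}


def is_saml_provider_deletion(event: dict) -> bool:
    """Core detection condition of the rule.

    A successful IAM DeleteSAMLProvider call. CloudTrail adds an 'errorCode'
    field to failed calls, so its absence means the deletion went through.
    """
    return (
        event.get("eventSource") == "iam.amazonaws.com"
        and event.get("eventName") == "DeleteSAMLProvider"
        and "errorCode" not in event
    )


def triage(event: dict) -> str:
    """Priority hint for the analyst, not a suppression.

    'expected' when the caller is a known automation principal,
    'suspicious' for anything else (console users, unknown roles, root).
    """
    arn = event.get("userIdentity", {}).get("arn", "")
    return "expected" if arn in EXPECTED_AUTOMATION_ARNS else "suspicious"


def detect(records: Iterable[dict]) -> list[dict]:
    """Run the rule over CloudTrail records and return one alert per match."""
    alerts = []
    for ev in records:
        if not is_saml_provider_deletion(ev):
            continue
        alerts.append({
            "time": ev.get("eventTime"),
            "principal": ev.get("userIdentity", {}).get("arn"),
            # CloudTrail lower-cases the first letter of API parameter names.
            "provider": ev.get("requestParameters", {}).get("sAMLProviderArn"),
            "source_ip": ev.get("sourceIPAddress"),
            "triage": triage(ev),
        })
    return alerts


# Constructed sample records in the shape of a CloudTrail "Records" array.
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2024-12-19T08:01:12Z", "eventSource": "iam.amazonaws.com",
  "eventName": "DeleteSAMLProvider", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser",
      "arn": "arn:aws:iam::123456789012:user/contractor-bob"},
  "requestParameters": {"sAMLProviderArn":
      "arn:aws:iam::123456789012:saml-provider/corp-okta"}},
 {"eventTime": "2024-12-19T08:05:44Z", "eventSource": "iam.amazonaws.com",
  "eventName": "DeleteSAMLProvider", "sourceIPAddress": "198.51.100.20",
  "userIdentity": {"type": "AssumedRole",
      "arn": "arn:aws:sts::123456789012:assumed-role/terraform-apply/terraform"},
  "requestParameters": {"sAMLProviderArn":
      "arn:aws:iam::123456789012:saml-provider/legacy-adfs"}},
 {"eventTime": "2024-12-19T08:09:03Z", "eventSource": "iam.amazonaws.com",
  "eventName": "DeleteSAMLProvider", "sourceIPAddress": "203.0.113.9",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser",
      "arn": "arn:aws:iam::123456789012:user/intern"},
  "requestParameters": {"sAMLProviderArn":
      "arn:aws:iam::123456789012:saml-provider/corp-okta"}},
 {"eventTime": "2024-12-19T08:10:30Z", "eventSource": "iam.amazonaws.com",
  "eventName": "GetSAMLProvider", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "IAMUser",
      "arn": "arn:aws:iam::123456789012:user/intern"},
  "requestParameters": {"sAMLProviderArn":
      "arn:aws:iam::123456789012:saml-provider/corp-okta"}}
]}
""")


def run_sample() -> list[dict]:
    return detect(SAMPLE_TRAIL["Records"])


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

Running it yields two alerts: the console user's deletion of `corp-okta` is `suspicious`, the Terraform role's deletion of `legacy-adfs` is `expected`, and the `AccessDenied` attempt and the read-only `GetSAMLProvider` call produce nothing. Failed attempts are still worth a separate, lower-severity rule, since repeated `AccessDenied` on this API is a useful sign of someone probing for the permission.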
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
  • Logon Session
Created: 2024-12-19