[Rule Tuning] AWS IAM SAML Provider Updated (#5284)

* [Rule Tuning] AWS IAM SAML Provider Updated

Rule is performing well in telemetry, low volume as expected. The only obvious false positives are from AWS SSO service so that internal behavior has been excluded from the rule.

- added AWS SSO exclusion to query
- updated description and IG
- added highlighted fields

* Update rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml

Co-authored-by: Ruben Groenewoud <[email protected]>

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit 9925a39)

Author: imays11

rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml

@@ -2,19 +2,26 @@
 creation_date = "2021/09/22"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/05"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
-description = "Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges."
+description = """
+Detects when an AWS IAM SAML provider is updated, which manages federated authentication between AWS and external
+identity providers (IdPs). Adversaries with administrative access may modify a SAML provider’s metadata or certificate
+to redirect authentication flows, enable unauthorized federation, or escalate privileges through identity trust
+manipulation. Because SAML providers underpin single sign-on (SSO) access for users and applications, unauthorized
+modifications may allow persistent or covert access even after credentials are revoked. Monitoring  "UpdateSAMLProvider"
+API activity is critical to detect potential compromise of federated trust relationships.
+"""
 false_positives = [
     """
     SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or
     hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be
     investigated. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-9m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -26,40 +33,75 @@ note = """## Triage and analysis
 
 ### Investigating AWS IAM SAML Provider Updated
 
-AWS IAM SAML providers facilitate federated access, allowing users to authenticate via external identity providers. Adversaries may exploit this by updating SAML providers to gain unauthorized access or escalate privileges. The detection rule monitors successful updates to SAML providers, flagging potential privilege escalation attempts by correlating specific AWS CloudTrail events.
+AWS IAM SAML providers enable federated authentication between AWS and external identity providers (IdPs), 
+allowing users from trusted domains to access AWS resources without separate credentials. 
+Updating a SAML provider can modify the trust relationship — including the signing certificate or metadata document — 
+and, if abused, may allow an attacker to redirect authentication flows or gain access through a malicious or compromised IdP.
+
+This rule detects successful `UpdateSAMLProvider` API calls that do not originate from AWS Single Sign-On (SSO), 
+as normal SSO operations are filtered out. These changes can be significant because a single unauthorized update 
+can affect all federated authentication in the account.
 
 ### Possible investigation steps
 
-- Review the AWS CloudTrail logs to identify the user or role associated with the UpdateSAMLProvider event. Check for any unusual or unauthorized users making changes.
-- Examine the context of the UpdateSAMLProvider event, including the time of the event and any associated IP addresses or locations, to identify any anomalies or suspicious patterns.
-- Investigate the history of changes to the specific SAML provider to determine if there have been any recent unauthorized or unexpected modifications.
-- Check for any other related AWS CloudTrail events around the same timeframe, such as changes to IAM roles or policies, which might indicate a broader privilege escalation attempt.
-- Assess the permissions and access levels of the user or role that performed the update to ensure they align with expected privileges and responsibilities.
-- If suspicious activity is confirmed, consider revoking or limiting access for the involved user or role and review the security posture of the AWS environment to prevent future incidents.
+- **Validate the actor and context**
+  - Review `aws.cloudtrail.user_identity.arn`, `user.name`, and `user_agent.original` to determine who performed the update.
+  - Confirm if the actor is part of an authorized identity management or platform engineering group.
+  - Review `source.ip` and `cloud.region` fields for unexpected geolocations, IP ranges, or service origins.
 
-### False positive analysis
+- **Assess the scope of the modification**
+  - Parse the `aws.cloudtrail.request_parameters` for updates to `SAMLMetadataDocument` or `Certificate` attributes.
+  - Compare the new metadata with previous versions (available via AWS CLI or AWS Config) to detect unauthorized IdP URLs, 
+    certificates, or assertion endpoints.
+  - Identify whether the change replaced a valid trusted certificate with an unknown or self-signed one.
 
-- Routine administrative updates to SAML providers by authorized personnel can trigger alerts. To manage this, maintain a list of known administrators and their expected activities, and create exceptions for these users in the detection rule.
-- Scheduled updates or maintenance activities involving SAML providers may also result in false positives. Document these activities and adjust the detection rule to exclude events occurring during these scheduled times.
-- Automated scripts or tools used for managing SAML providers can generate alerts if they perform updates. Identify these scripts and their expected behavior, then configure the detection rule to recognize and exclude these specific actions.
-- Changes made by trusted third-party services integrated with AWS IAM might be flagged. Verify the legitimacy of these services and consider adding them to an allowlist to prevent unnecessary alerts.
+- **Correlate related IAM and authentication events**
+  - Look for preceding `CreateSAMLProvider` or `DeleteSAMLProvider` activity, as attackers may replace existing trust entities.
+  - Search for follow-up logins (`AssumeRoleWithSAML`) or STS tokens issued shortly after the update — this could indicate 
+    immediate exploitation of the new configuration.
+  - Check for concurrent changes to IAM roles associated with SAML federated access.
 
-### Response and remediation
+- **Confirm authorization**
+  - Coordinate with your identity management team to confirm whether the SAML provider update aligns with 
+    planned IdP maintenance or certificate rotation.
 
-- Immediately revoke any unauthorized changes to the SAML provider by restoring the previous configuration from backups or logs.
-- Conduct a thorough review of recent IAM activity logs to identify any unauthorized access or privilege escalation attempts associated with the updated SAML provider.
-- Temporarily disable the affected SAML provider to prevent further unauthorized access while the investigation is ongoing.
-- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
-- Implement additional monitoring and alerting for any future changes to SAML providers to ensure rapid detection of unauthorized modifications.
-- Review and tighten IAM policies and permissions to ensure that only authorized personnel can update SAML providers.
-- Consider implementing multi-factor authentication (MFA) for all users with permissions to modify IAM configurations to enhance security.
+### False positive analysis
 
-## Setup
+- **Planned SSO certificate rotation**
+  - Most legitimate SAML provider updates occur during routine certificate renewals by authorized IdP admins. 
+    Validate that the update timing aligns with planned identity provider operations.
+- **Automated infrastructure processes**
+  - CI/CD or configuration-as-code pipelines may automatically update SAML metadata as part of deployment. 
+    Verify whether this activity matches known automation patterns.
+- **Third-party IdP integrations**
+  - Some integrated SaaS applications update SAML providers programmatically. Confirm the vendor and the originating credentials before closing as benign.
 
-The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = [
-    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
-]
+### Response and remediation
+
+- **Immediate review and containment**
+  - Retrieve the current SAML provider configuration using the AWS CLI (`aws iam get-saml-provider`) 
+    and compare it with the previous known-good state.
+  - If unauthorized changes are confirmed, restore the previous configuration or delete the compromised provider.
+  - Temporarily disable federated login access for affected roles or accounts until validation is complete.
+
+- **Investigation and scoping**
+  - Review CloudTrail logs for related IAM configuration changes, including `CreateRole`, `AttachRolePolicy`, or 
+    `UpdateAssumeRolePolicy` events that may expand federated trust scope.
+  - Identify any `AssumeRoleWithSAML` or `GetFederationToken` events following the update, indicating possible exploitation.
+  - Cross-check logs from your external IdP to verify if unauthorized assertions or logins were attempted post-update.
+
+- **Recovery and hardening**
+  - Limit permissions to modify SAML providers (`iam:UpdateSAMLProvider`) to a dedicated identity management role.
+  - Enforce change control documentation and peer review for all federation configuration changes.
+  - Enable AWS Config to monitor and record SAML provider resource configuration history.
+
+### Additional information
+- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
+- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
+- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
+
+"""
+references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html"]
 risk_score = 47
 rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f"
 severity = "medium"
@@ -76,10 +118,11 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:aws.cloudtrail
-    and event.provider: iam.amazonaws.com
-    and event.action: UpdateSAMLProvider
-    and event.outcome:success
+event.dataset: "aws.cloudtrail"
+    and event.provider: "iam.amazonaws.com"
+    and event.action: "UpdateSAMLProvider"
+    and event.outcome: "success"
+    and not (source.address: "sso.amazonaws.com" and user_agent.original: "sso.amazonaws.com")
 '''
 
 
@@ -99,4 +142,22 @@ reference = "https://attack.mitre.org/techniques/T1484/002/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements",
+]
+