SAML Token Issuer Anomaly

Rule Info

Name
SAML Token Issuer Anomaly
Author
Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
Description
Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
Date
2023-09-03 00:00:00
Modified
None
Id
e3393cba-31f0-4207-831e-aef90ab17a8c
Tags
attack.t1606 attack.credential-access DEMO
Type
Community Rule

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
Ryan Plas
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02
github-actions[bot]
Merge PR #4891 from @nasbench - Promote older rules status from `experimental` to `test`
2024-07-01
Mark Morowczynski
Merge PR #4423 from @MarkMorow - Add Azure AD Identity Protection Rules
2023-09-06
frack113
Change field name in detection
2023-08-10
Nasreddine Bencherchali
chore: change service name to lowercase
2023-08-08
frack113
Fix to pass the tests
2023-08-08
Mark Morowczynski
Update azure_identity_protectection_anomalous_token.yml
2023-08-07
Mark Morowczynski
Create azure_identity_protectection_anomalous_token.yml
2023-08-07