SAML Token Issuer Anomaly

Rule Info

Name
SAML Token Issuer Anomaly
Author
Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
Description
Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
Reference
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly
Date
2023-09-03 00:00:00
Modified
None
Id
e3393cba-31f0-4207-831e-aef90ab17a8c
Tags
attack.t1606 attack.credential_access DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=e3393cba-31f0-4207-831e-aef90ab17a8c

Rule History

Author
Title
Date
Commit
Mark Morowczynski
Merge PR #4423 from @MarkMorow - Add Azure AD Identity Protection Rules
2023-09-06
efe2c9bbc
frack113
Change field name in detection
2023-08-10
450b619c1
Nasreddine Bencherchali
chore: change service name to lowercase
2023-08-08
67d0d2aff
frack113
Fix to pass the tests
2023-08-08
a66b38d3d
Mark Morowczynski
Update azure_identity_protectection_anomalous_token.yml
2023-08-07
fa780ec7b
Mark Morowczynski
Create azure_identity_protectection_anomalous_token.yml
2023-08-07
ef2d8b4c9
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022