Files

T

Isai f62026e378 [New Rules] AWS IAM new identity federation provider rules (#5691 )

* [New Rules] AWS IAM new identity federation provider rules

AWS IAM SAML Provider Created and AWS IAM OIDC Provider Created by Rare User detect the creation of new identity federation providers in AWS IAM. SAML and OIDC providers establish trust relationships with external identity providers, enabling federated access to AWS resources. Adversaries who gain administrative access may create rogue providers to establish persistent access that survives credential rotation, allowing them to assume roles using tokens from an IdP they control. These rules map to MITRE ATT&CK T1484.002 (Trust Modification), which is referenced in the CISA Scattered Spider advisory (AA23-320A) under the Privilege Escalation tactic.

Existing Related Coverage: We already detect `UpdateSAMLProvider` via privilege_escalation_iam_saml_provider_updated.toml. These new rules close the gap by detecting the creation of federation providers, the initial step required to establish rogue trust relationships.

* Update rules/integrations/aws/persistence_iam_oidc_provider_created.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/aws/persistence_iam_oidc_provider_created.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Apply suggestion from @imays11

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

2026-02-18 15:17:13 -05:00

_deprecated

[Rule Tuning] Dormant & Deprecated Rule Clean-Up (#5672 )

2026-02-05 13:24:21 +01:00

apm

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

cross-platform

[Tuning] Adds host metadata to the setup requirements (#5719 )

2026-02-18 17:04:40 +00:00

integrations

[New Rules] AWS IAM new identity federation provider rules (#5691 )

2026-02-18 15:17:13 -05:00

linux

[Rule Tuning] System Information Discovery via dmidecode from Parent Shell (#5732 )

2026-02-17 17:49:56 +01:00

macos

Monthly Manifest and Schema Updation (#5697 )

2026-02-10 09:17:04 +05:30

add mitre attack rules for ML job rules, bump dates (#5333 )

2025-12-01 15:48:59 -06:00

network

[New Rule] Fortigate (FG-IR-26-060) Detections (#5641 )

2026-01-30 10:16:34 -05:00

promotions

[New] Multiple Vulnerabilities by Asset via Wiz (#5598 )

2026-01-26 17:26:17 +00:00

threat_intel

[Rule Tuning] Reduce Severity from Critical to High (#4637 )

2025-05-06 21:37:47 +05:30

windows

[New] Potential Notepad Markdown RCE Exploitation (#5729 )

2026-02-18 16:19:56 +00:00

README.md

[New Rule] Endpoint Security Behavior Protection (#1440 )

2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder	description
`.`	Root directory where rules are stored
`apm/`	Rules that use Application Performance Monitoring (APM) data sources
`cross-platform/`	Rules that apply to multiple platforms, such as Windows and Linux
`integrations/`	Rules organized by Fleet integration
`linux/`	Rules for Linux or other Unix based operating systems
`macos/`	Rules for macOS
`ml/`	Rules that use machine learning jobs (ML)
`network/`	Rules that use network data sources
`promotions/`	Rules that promote external alerts into detection engine alerts
`windows/`	Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder	integration
`aws/`	Amazon Web Services (AWS)
`azure/`	Microsoft Azure
`cyberarkpas/`	Cyber Ark Privileged Access Security
`endpoint/`	Elastic Endpoint Security
`gcp/`	Google Cloud Platform (GCP)
`google_workspace/`	Google Workspace (formerly GSuite)
`o365/`	Microsoft Office
`okta/`	Oka