AWS Identity Center Identity Provider Change (d3adb3ef-b7e7-4003-9092-1924c797db35)
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) | Attack Pattern | AWS Identity Center Identity Provider Change (d3adb3ef-b7e7-4003-9092-1924c797db35) | Sigma-Rules | 1 |