Merge pull request #3405 from splunk/risk_message

patel-bhavin · web-flow · commit 7ba4dc0a4d48 · 2025-03-18T15:22:18.000-07:00
update spl
diff --git a/detections/cloud/aws_saml_update_identity_provider.yml b/detections/cloud/aws_saml_update_identity_provider.yml
@@ -17,7 +17,7 @@ data_source:
 - AWS CloudTrail UpdateSAMLProvider
 search: '`cloudtrail` eventName=UpdateSAMLProvider 
   | rename user_name as user
-  | stats count min(_time) as firstTime max(_time) as lastTime values(request_parameters) as request_parameters by signature dest user user_agent src vendor_account vendor_region vendor_product 
+  | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.sAMLProviderArn) as request_parameters by signature dest user user_agent src vendor_account vendor_region vendor_product 
   | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
   |`aws_saml_update_identity_provider_filter`'
 how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This
