Forged SAML tokens can be observed as authentication attempts with valid signatures but missing expected preceding Kerberos or authentication events. Defenders may correlate SAML assertions with absent Event IDs 4769, 1200, or 1202, or tokens issued with abnormal lifetimes, issuers, or claims compared to baseline.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | azure:signinLogs | SAML-based login with anomalous issuer or NotOnOrAfter lifetime |
| User Account Authentication (DC0002) | WinEventLog:Security | EventCode=4769,1200,1202 |

| Field | Description |
|---|---|
| TokenLifetimeThreshold | Defines the maximum expected lifetime of a SAML token (e.g., >1 hour considered anomalous). |
| TrustedIssuerList | List of approved SAML issuers and certificate thumbprints. |

Forged SAML tokens in IaaS environments often manifest as cross-cloud or cross-account authentication without matching STS events. Defenders may see AssumeRole or GetFederationToken API usage without a corresponding SAML assertion log from the trusted IdP.

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Usage (DC0007) | AWS:CloudTrail | AssumeRoleWithSAML |
| Logon Session Creation (DC0067) | CloudTrail:Signin | SAML login without corresponding IdP authentication log |

| Field | Description |
|---|---|
| CrossAccountUsage | Flag SAML tokens used across unexpected accounts or cloud tenants. |

Forged SAML tokens may be used on Windows systems to authenticate to federated apps without normal Kerberos activity. Defenders may detect anomalous event correlation, where access to SaaS/O365 via SAML occurs without prior TGT requests or user logons.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |
| Web Credential Creation (DC0006) | WinEventLog:ADFS | Token issuance events showing anomalous claims or issuers |

| Field | Description |
|---|---|
| ClaimAnomalyThreshold | Number of unusual claims in a SAML token (e.g., excessive privileges). |

Forged SAML tokens can appear as SaaS logins where authentication succeeded without MFA, or where tokens contain claims inconsistent with the user profile. Look for concurrent sessions across different geographies with the same SAML assertion ID.

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Usage (DC0007) | saas:access | SAML token accepted without preceding login challenge |
| Logon Session Metadata (DC0088) | m365:unified | Abnormal user claims or unexpected elevated role assignment in SAML assertion |

| Field | Description |
|---|---|
| GeoVelocityThreshold | Triggers when the same SAML token is used in different geographies within a short timeframe. |

Forged SAML tokens may be leveraged to access O365 apps such as Outlook or SharePoint. Defenders should monitor for token replay across multiple clients or access attempts to privileged mailboxes without prior interactive login.

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Usage (DC0007) | m365:exchange | Mailbox access using SAML token without corresponding MFA event |
| Logon Session Creation (DC0067) | m365:sharepoint | File access with forged or anomalous SAML claims |

| Field | Description |
|---|---|
| ReplayDetectionThreshold | Number of times a token is reused within a short timeframe. |

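The correlations described across the platform sections above (a SAML use with no preceding Kerberos/logon event, TokenLifetimeThreshold, TrustedIssuerList, GeoVelocityThreshold and ReplayDetectionThreshold) combined into one detector, as an added Python example that is not part of the original page or of any ATT&CK tooling. It runs over constructed sign-in and Windows Security records; the record field names, threshold values and the trusted issuer URL are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds mirroring the page's tunable fields; all values here are assumptions.
TOKEN_LIFETIME_THRESHOLD = timedelta(hours=1)
TRUSTED_ISSUER_LIST = {"https://sts.example.com/adfs/services/trust"}  # constructed
REPLAY_DETECTION_THRESHOLD = 2           # a SAML assertion is normally consumed once
GEO_VELOCITY_WINDOW = timedelta(minutes=10)
AUTH_LOOKBACK = timedelta(hours=8)       # window in which a Kerberos/logon event is expected
PRECEDING_EVENT_IDS = {4769, 4624, 1200, 1202}

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def has_preceding_auth(rec, win_events):
    """True if the same user produced an expected Windows auth event shortly before the SAML use."""
    t = parse_ts(rec["time"])
    return any(w["user"] == rec["user"] and w["event_id"] in PRECEDING_EVENT_IDS
               and t - AUTH_LOOKBACK <= parse_ts(w["time"]) <= t for w in win_events)

def analyze(saml_events, win_events):
    """Return {assertion_id: set of alert names}; assertions with no alerts are omitted."""
    findings, uses = defaultdict(set), defaultdict(list)
    for e in sorted(saml_events, key=lambda r: parse_ts(r["time"])):
        aid, f = e["assertion_id"], findings[e["assertion_id"]]
        if parse_ts(e["not_on_or_after"]) - parse_ts(e["not_before"]) > TOKEN_LIFETIME_THRESHOLD:
            f.add("abnormal_lifetime")
        if e["issuer"] not in TRUSTED_ISSUER_LIST:
            f.add("untrusted_issuer")
        if not has_preceding_auth(e, win_events):
            f.add("no_preceding_auth")
        uses[aid].append(e)
    for aid, recs in uses.items():
        if len(recs) >= REPLAY_DETECTION_THRESHOLD:
            findings[aid].add("replay")
        for a, b in zip(recs, recs[1:]):     # consecutive uses of the same assertion ID
            if a["geo"] != b["geo"] and parse_ts(b["time"]) - parse_ts(a["time"]) <= GEO_VELOCITY_WINDOW:
                findings[aid].add("geo_velocity")
    return {k: v for k, v in findings.items() if v}

def rec(time, aid, user, geo, nb, noa, issuer="https://sts.example.com/adfs/services/trust"):
    return {"time": time, "assertion_id": aid, "user": user, "geo": geo, "issuer": issuer,
            "not_before": nb, "not_on_or_after": noa}

SAML_LOGS = [  # constructed sample sign-in records, not real telemetry
    rec("2024-05-01T10:00:00Z", "_a1", "alice", "US", "2024-05-01T09:59:00Z", "2024-05-01T10:04:00Z"),
    rec("2024-05-01T11:00:00Z", "_a2", "bob", "US", "2024-05-01T11:00:00Z", "2024-05-02T11:00:00Z"),
    rec("2024-05-01T11:03:00Z", "_a2", "bob", "DE", "2024-05-01T11:00:00Z", "2024-05-02T11:00:00Z"),
]
WIN_LOGS = [{"time": "2024-05-01T09:30:00Z", "user": "alice", "event_id": 4769}]  # constructed
```

Calling `analyze(SAML_LOGS, WIN_LOGS)` flags only assertion `_a2`: a 24-hour lifetime, no Kerberos or logon event for the user beforehand, reuse of one assertion ID, and two geographies within three minutes, while `_a1` produces no alert.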