AN0419: Analytic 0419
Forged SAML tokens in IaaS environments often manifest as cross-cloud or cross-account authentication without matching STS events. Defenders may see AssumeRole or GetFederationToken API usage without a corresponding SAML assertion log from the trusted IdP.
Analyst context for executives and security teams
This analytic matters because federated identity is often a high-trust path into IaaS environments. If a SAML token is forged or not properly tied back to the trusted identity provider, cloud access may appear as legitimate cross-account or cross-cloud authentication while the expected identity-provider evidence is missing. For leaders, the key question is whether cloud authentication activity can be reconciled end-to-end against IdP logs, not just whether cloud API events are collected.
Executive priority
Prioritize this as an identity and cloud security validation item. It supports business resilience, audit readiness, and incident decision-making by testing whether teams can prove that privileged or federated IaaS access came from the expected trusted IdP flow. The control decision is whether SOC, cloud, and IAM teams have enough shared telemetry to identify AssumeRole or GetFederationToken activity that lacks corresponding SAML assertion evidence.
Technical view
For IaaS environments, validate correlation between cloud authentication/API activity and trusted IdP SAML assertion logs. Focus on cross-account or cross-cloud authentication patterns where AssumeRole or GetFederationToken API usage appears without the expected matching SAML assertion from the trusted IdP. Because ATT&CK provides no separate detection logic and no relationship context for this analytic, teams should treat it as a detection engineering requirement: confirm log availability, timestamp alignment, identity mapping, role/session mapping, and expected federation paths before alerting on absence of evidence.
Likely telemetry
- IaaS cloud API logs containing AssumeRole events
- IaaS cloud API logs containing GetFederationToken events
- Trusted IdP SAML assertion logs
- Federated identity session metadata, including role, account, principal, and session identifiers where available
- Cross-account or cross-cloud authentication records
Detection direction
- Validate that cloud API events can be correlated to IdP SAML assertion logs for normal federated access paths.
- Look for AssumeRole or GetFederationToken activity without a corresponding SAML assertion log from the trusted IdP.
- Tune for known cross-account and cross-cloud access patterns to reduce false positives from approved federation workflows.
- Check for blind spots caused by missing IdP logs, short retention, inconsistent timestamps, incomplete session identifiers, or cloud accounts not onboarded to centralized logging.
- Use this analytic as a coverage test for cloud-IAM correlation rather than as proof of compromise by itself.
Mitigation priorities
- Ensure trusted IdP SAML assertion logging is enabled, retained, and accessible to detection and incident response teams.
- Centralize IaaS authentication and API logs across relevant accounts and cloud environments.
- Maintain an inventory of approved federation paths, trusted IdPs, roles, and cross-account access patterns.
- Implement routine reconciliation between cloud role/session activity and IdP-issued assertions.
- Define IR procedures for investigating federated access that cannot be matched to trusted IdP evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for IaaS environments, external ID AN0419, focused on forged SAML token indicators involving cloud authentication without corresponding trusted IdP assertion evidence. No tactics, relationships, or formal detection pseudocode were supplied, so the strongest defensive value is in validating identity-to-cloud telemetry correlation and known-good federation baselines.
Official detection content is not provided, and no relationship context is supplied. This take does not establish active exploitation, attribution, impact, or guaranteed detection. Local architecture, IdP configuration, logging coverage, and federation design are required to determine practical alert logic and priority.
Analytic 0419
Forged SAML tokens in IaaS environments often manifest as cross-cloud or cross-account authentication without matching STS events. Defenders may see AssumeRole or GetFederationToken API usage without a corresponding SAML assertion log from the trusted IdP.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 9f68223b96bc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0419Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.