AN0674: Analytic 0674
Monitor for abnormal certificate enrollment events in identity platforms, unexpected use of token-signing certificates, and unusual CA configuration modifications.
Analyst context for executives and security teams
This analytic matters because certificate and token-signing activity in an identity provider can affect trust decisions across applications and users. For leaders, the practical question is whether the organization can see when certificates are enrolled unexpectedly, token-signing certificates are used in unusual ways, or certificate authority configuration changes occur in identity platforms.
Executive priority
Prioritize this as an identity assurance and audit-readiness control area. Identity provider certificate changes can become high-consequence events because they affect authentication trust, application access, and incident response decisions. Security leaders should confirm ownership of certificate lifecycle monitoring, change approval evidence, and escalation paths for abnormal enrollment or CA configuration activity.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into identity provider certificate enrollment events, token-signing certificate usage, and CA configuration modification events. Because no ATT&CK tactic or detailed detection logic is supplied, teams should treat AN0674 as a monitoring requirement rather than a complete rule. Baseline expected certificate lifecycle activity, correlate changes with approved administration, and investigate unexpected token-signing certificate behavior or CA configuration changes in the identity platform.
Likely telemetry
- Identity provider audit logs
- Certificate enrollment events
- Token-signing certificate usage records
- Certificate authority configuration change logs
- Administrative change records and approvals
Detection direction
- Confirm the identity platform records certificate enrollment, token-signing certificate usage, and CA configuration modifications with sufficient detail for investigation.
- Baseline normal certificate enrollment and administrative change patterns to reduce false positives from planned rotations or maintenance.
- Correlate certificate and CA changes with approved change tickets or authorized administrator activity.
- Alert on unexpected certificate enrollment, unusual token-signing certificate use, or CA configuration modifications outside expected windows or ownership patterns.
- Review logging retention and access to identity provider audit data, since missing identity telemetry is a likely blind spot.
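The correlation described in the detection direction above, as an added example that is not MITRE's or Glexia's code: constructed identity-provider audit lines are checked against owner roles, approved change windows, and a baseline of the services expected to use the token-signing certificate. Every field name (ts, action, actor, target, source), action label, host name and ticket id is an assumption, since AN0674 supplies no vendor-specific schema.

```python
"""Added example, not MITRE's or Glexia's code: minimal triage of identity
provider audit events against approved changes and a signing-service baseline.
All field names (ts, action, actor, target, source), action labels, host names
and ticket ids are constructed assumptions; AN0674 supplies no vendor schema."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Actions the analytic asks teams to watch (labels are assumptions).
CHANGE_ACTIONS = {"certificate_enrollment", "ca_configuration_modified"}
SIGNING_USE = "token_signing_certificate_use"


@dataclass(frozen=True)
class ApprovedChange:
    """One approved change ticket: who may perform which action, and when."""
    ticket: str
    actor: str
    action: str
    start: datetime
    end: datetime


def parse_event(line: str) -> dict:
    """Parse one 'key=value key=value' audit line; 'ts' becomes an aware UTC datetime."""
    ev = dict(part.split("=", 1) for part in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"]).astimezone(timezone.utc)
    return ev


def find_approval(ev: dict, approvals: list[ApprovedChange]) -> Optional[ApprovedChange]:
    """Return the ticket covering this event: same action, same actor, inside the window."""
    for a in approvals:
        if a.action == ev["action"] and a.actor == ev["actor"] and a.start <= ev["ts"] <= a.end:
            return a
    return None


def triage(lines: list[str], approvals: list[ApprovedChange],
           owners: set[str], baseline_signers: set[str]) -> list[dict]:
    """Return one alert dict per event that falls outside ownership, approval or baseline."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = []
        if ev["action"] in CHANGE_ACTIONS:
            # Enrollment and CA configuration changes must come from an owner
            # and sit inside an approved change window.
            if ev["actor"] not in owners:
                reasons.append("actor is not a certificate/CA owner")
            if find_approval(ev, approvals) is None:
                reasons.append("no approved change covers this event")
        elif ev["action"] == SIGNING_USE:
            # Token signing is routine from the IdP's own signing services;
            # use from any other source is the "unexpected use" the analytic names.
            if ev.get("source") not in baseline_signers:
                reasons.append("token-signing certificate used from a non-baseline source")
        if reasons:
            alerts.append({
                "ts": ev["ts"].isoformat(),
                "action": ev["action"],
                "actor": ev["actor"],
                "target": ev.get("target"),
                "source": ev.get("source"),
                "reasons": reasons,
            })
    return alerts


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).astimezone(timezone.utc)


# Constructed sample input: an approved rotation on 4 March, then an unplanned
# enrollment and an off-baseline signing use two days later. An unrelated login
# event shows that non-watched actions are ignored.
SAMPLE_LOG = [
    "ts=2024-03-04T02:10:00+00:00 action=certificate_enrollment actor=pki-admin target=token-signing-2024 source=admin-console",
    "ts=2024-03-04T02:12:00+00:00 action=ca_configuration_modified actor=pki-admin target=issuing-ca-policy source=admin-console",
    "ts=2024-03-04T03:05:00+00:00 action=token_signing_certificate_use actor=svc-token target=token-signing-2024 source=idp-token-svc-01",
    "ts=2024-03-06T13:40:00+00:00 action=certificate_enrollment actor=helpdesk-user target=token-signing-extra source=api",
    "ts=2024-03-06T13:41:00+00:00 action=token_signing_certificate_use actor=svc-token target=token-signing-extra source=workstation-77",
    "ts=2024-03-06T13:42:00+00:00 action=user_login actor=alice target=portal source=browser",
]
APPROVED = [  # constructed change ticket covering the planned rotation
    ApprovedChange("CHG-1042", "pki-admin", "certificate_enrollment",
                   _utc("2024-03-04T02:00:00+00:00"), _utc("2024-03-04T03:00:00+00:00")),
    ApprovedChange("CHG-1042", "pki-admin", "ca_configuration_modified",
                   _utc("2024-03-04T02:00:00+00:00"), _utc("2024-03-04T03:00:00+00:00")),
]
OWNERS = {"pki-admin"}                                   # roles allowed to touch certs/CA
BASELINE_SIGNERS = {"idp-token-svc-01", "idp-token-svc-02"}  # expected signing services

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, APPROVED, OWNERS, BASELINE_SIGNERS):
        print(alert)
```

On the constructed input the two 4 March changes match ticket CHG-1042 and produce nothing, while the 6 March enrollment by a non-owner with no ticket and the signing use from a workstation each raise an alert. The approval and baseline sets are the part a team has to maintain; the logic itself is only as good as the change records and the completeness of the identity provider's audit feed.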
Mitigation priorities
- Establish clear ownership and change control for identity provider certificates and CA configuration.
- Require review and approval for certificate enrollment, token-signing certificate changes, and CA configuration updates.
- Limit administrative access capable of modifying certificate or CA settings to authorized roles.
- Maintain audit evidence for certificate lifecycle events and administrative changes.
- Prepare incident response procedures for unexpected identity certificate or CA configuration activity.
Analyst notes and limits
AN0674 is a MITRE detection analytic for the Identity Provider platform. The supplied official description is narrow and focuses on abnormal certificate enrollment, unexpected token-signing certificate use, and unusual CA configuration modifications. No relationship context, ATT&CK tactics, or official detection logic were supplied, so local implementation should be based on available identity provider audit telemetry and approved operational baselines.
The object does not include an official detection query, tactic mapping, related techniques, adversary relationships, or vendor-specific event fields. This analysis therefore cannot assert coverage, exploitation, attribution, or a specific detection outcome. Environment-specific certificate lifecycle processes and identity provider logging capabilities are required to operationalize it.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 588a472b8068… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0674
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.