AN0809: Analytic 0809
Detects successful login to cloud identity portals (e.g., Okta, Azure AD, Google Identity) from atypical geolocations, devices, or user agents immediately followed by dashboard/portal navigation to sensitive pages such as user or app configuration.
Analyst context for executives and security teams
This analytic is about spotting a potentially risky identity-provider login pattern: a successful cloud identity portal login from an unusual location, device, or user agent, followed immediately by navigation to sensitive administrative areas such as user or application configuration pages. For leaders, the value is not just “detect odd logins,” but validating whether the organization can recognize when an identity session becomes operationally important because it reaches configuration surfaces that affect users, apps, and access.
Executive priority
Prioritize this as an identity and cloud security readiness check. If identity-provider telemetry is incomplete or not reviewed in context, teams may miss early signs that a suspicious but successful login is being used to inspect or change sensitive configuration. Executives should ask whether SOC and IAM teams can correlate login risk signals with subsequent portal activity, and whether those records are available for incident response, audit evidence, and access governance decisions.
Technical view
For SOC, detection engineering, and IR teams, the key validation is correlation: successful login to an identity provider from atypical geolocation, device, or user agent, followed closely by dashboard or portal navigation to sensitive pages such as user or app configuration. Because the ATT&CK object provides no formal detection logic and no relationship context, teams should define local baselines for “atypical,” identify which portal pages are sensitive in their environment, and test whether identity-provider logs preserve both authentication events and post-login administrative navigation events.
Likely telemetry
- Identity provider successful authentication logs
- Geolocation or source network enrichment for login events
- Device, browser, and user-agent attributes associated with identity-provider sessions
- Identity-provider dashboard or portal navigation logs
- Administrative page access events for user configuration and application configuration
Detection direction
- Validate that successful cloud identity portal logins can be correlated with subsequent portal navigation in a short time window.
- Tune atypical geolocation, device, and user-agent logic against known travel, VPN, managed device, and automation patterns to reduce false positives.
- Define which identity-provider pages are sensitive enough to raise priority, especially user and application configuration areas.
- Confirm that logs capture post-authentication portal activity, not only the initial login result.
- Review alert triage guidance so analysts distinguish unusual-but-benign access from suspicious access to administrative configuration surfaces.
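The correlation described in the technical view and detection direction above, as an added example that is not part of the ATT&CK object or this page: it flags a successful login that deviates from a per-user baseline (country, device, user agent) and is followed within a short window by a view of a sensitive portal page. The field names, baseline, sensitive paths, window and sample records are all constructed assumptions, not a vendor schema.

```python
from datetime import datetime, timedelta

# Assumed sensitive portal paths and correlation window; tune per IdP and environment.
SENSITIVE_PAGES = {"/admin/users", "/admin/apps"}
WINDOW = timedelta(minutes=10)

# Assumed per-user baseline of normally observed country, device and user agent.
BASELINE = {"alice": {"country": {"US"}, "device": {"dev-laptop-1"}, "ua": {"Chrome/124"}}}

# Constructed sample records; field names are assumptions, not a vendor schema.
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "type": "login.success",
     "country": "US", "device": "dev-laptop-1", "ua": "Chrome/124"},
    {"ts": "2024-05-01T08:01:00", "user": "alice", "type": "page.view", "page": "/admin/users"},
    {"ts": "2024-05-01T13:00:00", "user": "alice", "type": "login.success",
     "country": "RO", "device": "dev-unknown-9", "ua": "curl/8.0"},
    {"ts": "2024-05-01T13:02:30", "user": "alice", "type": "page.view", "page": "/dashboard"},
    {"ts": "2024-05-01T13:04:00", "user": "alice", "type": "page.view", "page": "/admin/apps"},
]

def is_atypical(login, baseline):
    """Return the attributes on which a successful login deviates from the user's baseline."""
    known = baseline.get(login["user"], {})
    return [f"{k}={login[k]}" for k in ("country", "device", "ua")
            if login[k] not in known.get(k, set())]

def correlate(events, baseline=BASELINE, window=WINDOW, sensitive=SENSITIVE_PAGES):
    """Pair each atypical login with sensitive page views by the same user inside the window."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["ts"])
    alerts = []
    for i, login in enumerate(parsed):
        if login["type"] != "login.success":
            continue
        reasons = is_atypical(login, baseline)
        if not reasons:          # typical login: no correlation needed
            continue
        for later in parsed[i + 1:]:
            if later["ts"] - login["ts"] > window:
                break            # events are time-ordered, so nothing later can match
            if (later["user"] == login["user"] and later["type"] == "page.view"
                    and later["page"] in sensitive):
                alerts.append({"user": login["user"], "login_ts": login["ts"].isoformat(),
                               "page": later["page"], "reasons": reasons,
                               "delay_s": (later["ts"] - login["ts"]).total_seconds()})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only the 13:00 login produces an alert: the 08:00 login matches the baseline, and the /dashboard view after the atypical login is not in the sensitive set.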
Mitigation priorities
- Ensure identity-provider logging is enabled and retained for authentication and administrative portal activity.
- Strengthen IAM processes around sensitive user and application configuration access, including review of who can reach those pages.
- Use risk-based investigation workflows that combine login anomaly context with sensitive page access rather than treating all unusual logins equally.
- Maintain response playbooks for suspicious successful identity-provider sessions, including session review and access validation.
- Periodically test whether SOC and IR teams can retrieve the required identity-provider evidence during an investigation.
Analyst notes and limits
This object is a detection analytic for the Identity Provider platform. It does not specify tactics, related ATT&CK objects, or an official detection query. The strongest use is as a control-validation prompt for identity telemetry correlation and triage design around successful but atypical logins followed by sensitive configuration-page access.
The supplied ATT&CK fields do not provide detection logic, supported vendor schemas, thresholds, relationships, attribution, or evidence of active exploitation. Local identity-provider capabilities, log retention, page-level audit detail, and environment-specific baselines are required to operationalize this analytic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1a3d72a7b202… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0809 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.