AN0815: Analytic 0815
Detects registration of new PTA agents, conditional access changes disabling hybrid MFA enforcement, or suspicious updates to AD FS token-signing configurations.
Analyst context for executives and security teams
This analytic matters because it focuses on identity-provider changes that can weaken or redirect authentication trust: new PTA agents, conditional access changes that disable hybrid MFA enforcement, and suspicious AD FS token-signing configuration updates. For leaders, the question is whether identity control-plane changes are monitored with enough fidelity to support rapid incident decisions, audit evidence, and resilient access to critical systems.
Executive priority
Treat this as an identity security control validation item. If these changes are not logged, reviewed, and investigated quickly, the organization may lack evidence that MFA enforcement and federation trust settings remain intact. Security leaders should ask who is authorized to make these changes, how quickly the SOC is alerted, and how incident response would determine whether authentication policy or token-signing trust was altered.
Technical view
Validate monitoring for the Identity Provider platform around three change classes named by the ATT&CK analytic: registration of new PTA agents, conditional access changes disabling hybrid MFA enforcement, and updates to AD FS token-signing configurations. Because no official detection logic is supplied, SOC and detection engineering teams should map these events to local identity-provider audit logs, administrative change logs, and federation configuration records, then tune alerting around unauthorized, unexpected, or high-risk administrative modifications.
Likely telemetry
- Identity provider audit logs
- Administrative change logs
- PTA agent registration events
- Conditional access policy change events
- Hybrid MFA enforcement configuration changes
Detection direction
- Confirm that identity-provider audit logging captures the specific change types named in the analytic.
- Alert on new PTA agent registration, especially when performed by unexpected administrators or from unusual administrative contexts.
- Monitor conditional access changes that disable or weaken hybrid MFA enforcement, and require review of expected change tickets where applicable.
- Monitor AD FS token-signing configuration updates and investigate changes that are not tied to approved maintenance.
- Tune for administrative false positives by correlating alerts with approved change windows, known identity administrators, and documented configuration baselines.
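As an added example (not part of the ATT&CK object or Glexia's analysis), the following Python triages constructed identity-provider audit events against the three change classes above and applies the change-window, known-administrator and change-ticket correlation the last bullet describes. The event schema, field names, admin list, network prefix and change window are all assumptions for illustration, not any vendor's real log format or a real tenant's baseline.

```python
from datetime import datetime, timezone

# Constructed sample events. The flat field names are an assumed, simplified
# schema for illustration, not any vendor's actual audit log format.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T02:14:00Z", "actor": "svc-backup@corp.example",
     "src_ip": "203.0.113.7", "category": "pta_agent_registered",
     "target": "PTA-AGENT-NEW-01"},
    {"ts": "2026-03-02T10:05:00Z", "actor": "idadmin1@corp.example",
     "src_ip": "10.0.0.12", "category": "conditional_access_policy_updated",
     "target": "Require MFA - Hybrid", "change_ticket": "CHG-0421",
     "details": {"state": "enabled", "grant_controls": ["compliantDevice"]}},
    {"ts": "2026-03-02T11:30:00Z", "actor": "idadmin1@corp.example",
     "src_ip": "10.0.0.12", "category": "adfs_token_signing_certificate_set",
     "target": "CN=ADFS Signing", "change_ticket": None},
    {"ts": "2026-03-02T11:45:00Z", "actor": "idadmin2@corp.example",
     "src_ip": "10.0.0.15", "category": "group_membership_changed",
     "target": "Helpdesk", "change_ticket": "CHG-0422"},
]

# Assumed local baseline (known identity admins, management subnet, approved
# change window in UTC hours); replace with your own configuration records.
KNOWN_IDENTITY_ADMINS = {"idadmin1@corp.example", "idadmin2@corp.example"}
ADMIN_NETWORK_PREFIXES = ("10.0.",)
CHANGE_WINDOW_HOURS = range(9, 18)


def weakens_mfa(details):
    """True if a CA policy update disables the policy or drops its MFA grant control."""
    return details.get("state") == "disabled" or "mfa" not in details.get("grant_controls", [])


def triage(event):
    """Return the reasons an event should be escalated; an empty list means routine."""
    reasons = []
    cat = event["category"]
    if cat == "pta_agent_registered":
        reasons.append("new PTA agent registered")
        if event["actor"] not in KNOWN_IDENTITY_ADMINS:
            reasons.append("actor is not a known identity admin")
        if not event["src_ip"].startswith(ADMIN_NETWORK_PREFIXES):
            reasons.append("source address outside admin network")
    elif cat == "conditional_access_policy_updated" and weakens_mfa(event.get("details", {})):
        reasons.append("conditional access change weakens MFA enforcement")
    elif cat == "adfs_token_signing_certificate_set":
        reasons.append("AD FS token-signing configuration changed")
    # Change-control correlation is applied only once a watched change class matched.
    ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    if reasons and ts.hour not in CHANGE_WINDOW_HOURS:
        reasons.append("outside approved change window")
    if reasons and not event.get("change_ticket"):
        reasons.append("no change ticket recorded")
    return reasons
```

Running `triage` over `SAMPLE_EVENTS` escalates the off-hours PTA registration by an unknown actor, the CA change that removed the MFA grant, and the unticketed AD FS signing change, while the group-membership event returns no reasons.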
Mitigation priorities
- Establish an approved baseline for PTA agents, conditional access hybrid MFA enforcement, and AD FS token-signing configuration.
- Restrict administrative permissions for identity-provider and federation configuration changes to authorized personnel only.
- Require change control and review for MFA enforcement, PTA agent registration, and token-signing configuration updates.
- Ensure identity-provider and AD FS administrative audit logs are retained and available to SOC and incident response teams.
- Test incident response procedures for unauthorized identity-provider configuration changes, including rollback and evidence preservation.
Analyst notes and limits
The ATT&CK object is a detection analytic for the enterprise domain with platform scope limited to Identity Provider. No tactics, relationships, aliases, or detailed detection logic are supplied, so this take focuses on defensive validation of the official description rather than adversary attribution or technique chaining.
MITRE did not provide executable detection logic, relationship context, or tactic mapping for this object. Local identity architecture, logging configuration, administrative model, and change-management evidence are required to determine actual coverage and risk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and Updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5dde8da68e93… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0815 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.