AN0816: Analytic 0816
Detects API calls registering or updating hybrid identity connectors, modification of cloud-to-on-premises federation trust, and unusual token issuance logs.
Analyst context for executives and security teams
AN0816 is a cloud/IaaS detection analytic focused on high-risk hybrid identity changes: registering or updating hybrid identity connectors, modifying cloud-to-on-premises federation trust, and unusual token issuance. For leaders, this matters because hybrid identity is often a control point between cloud access and on-premises identity; unauthorized or poorly governed changes can undermine access assurance and complicate incident response.
Executive priority
Treat this as an identity and cloud control validation item, not just a SOC rule. Security leaders should ask whether changes to hybrid identity connectors and federation trust are tightly governed, logged, reviewed, and explainable. The business value is in reducing uncertainty during incidents and audits: teams need evidence showing who changed identity trust paths, when, from where, and whether resulting token activity was expected.
Technical view
For SOC, detection engineering, and IR teams, validate coverage across IaaS control-plane API logs, federation trust configuration changes, and token issuance/sign-in logs. Because MITRE provides no detailed detection logic for this analytic, local implementation should focus on detecting new or modified hybrid identity connectors, changes to cloud-to-on-premises federation trust, and token issuance patterns that deviate from expected administrative or operational behavior. Correlate changes with the acting identity, source location, time, approval context, and subsequent token activity.
Likely telemetry
- IaaS control-plane API audit logs for registering or updating hybrid identity connectors
- Cloud identity or federation configuration change logs
- Token issuance logs and sign-in/authentication logs
- Administrative account activity associated with identity or federation changes
- Time, source, and actor metadata for cloud identity control-plane events
Detection direction
- Confirm that the relevant IaaS API events for connector registration and update are actually collected and retained.
- Create or validate alerts for modification of cloud-to-on-premises federation trust configuration.
- Baseline expected token issuance behavior and investigate unusual issuance patterns following connector or federation changes.
- Correlate identity configuration changes with authorized maintenance windows or approved change records where available.
- Tune carefully for legitimate administrative operations to avoid excessive false positives, but do not suppress rare federation or connector changes without review.
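Because MITRE supplies no detection logic for AN0816, the following is an added example (not MITRE's analytic and not Glexia's code) of how the five steps above could be implemented as one correlation routine: it flags connector registration/update and federation trust changes, checks each against a maintenance window or an approved change record, then baselines token issuance before the change and reports issuance in the hour after it that comes from a source or actor not seen in the baseline. Every activity name, field name, maintenance window, change id and sample record is constructed for the example; map them onto your own IaaS control-plane and sign-in log schema.

```python
"""Added example of the AN0816 detection direction.

Event schema, activity names and sample records below are constructed
for illustration and are not any vendor's real audit log format.
"""
from datetime import datetime, timedelta

# Constructed activity names for the two change classes the analytic describes.
CONNECTOR_CHANGES = {"RegisterHybridConnector", "UpdateHybridConnector"}
FEDERATION_CHANGES = {"SetFederationTrust", "UpdateFederationTrust"}
TOKEN_ISSUANCE = "TokenIssued"

# Constructed governance context: an approved maintenance window and change ids.
MAINTENANCE_WINDOWS = [("2026-03-01T01:00:00", "2026-03-01T04:00:00")]
APPROVED_CHANGES = {"CHG-1042"}

# Constructed audit / sign-in records (UTC timestamps). The first change is a
# governed connector update; the second is an unapproved federation trust change
# followed by token issuance from sources never seen before the change.
SAMPLE_EVENTS = [
    {"ts": "2026-02-28T09:00:00", "activity": "TokenIssued", "actor": "alice", "src": "10.0.8.11"},
    {"ts": "2026-02-28T09:30:00", "activity": "TokenIssued", "actor": "carol", "src": "10.0.8.12"},
    {"ts": "2026-03-01T02:10:00", "activity": "UpdateHybridConnector", "actor": "svc-identity-admin",
     "src": "10.0.5.20", "change_id": "CHG-1042"},
    {"ts": "2026-03-01T02:12:00", "activity": "TokenIssued", "actor": "alice", "src": "10.0.8.11"},
    {"ts": "2026-03-02T14:03:00", "activity": "SetFederationTrust", "actor": "bob",
     "src": "203.0.113.45", "change_id": None},
    {"ts": "2026-03-02T14:05:00", "activity": "TokenIssued", "actor": "bob", "src": "203.0.113.45"},
    {"ts": "2026-03-02T14:06:00", "activity": "TokenIssued", "actor": "carol", "src": "198.51.100.7"},
    {"ts": "2026-03-02T14:20:00", "activity": "TokenIssued", "actor": "alice", "src": "10.0.8.11"},
]


def load(events):
    """Parse timestamps and return records in chronological order."""
    recs = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(recs, key=lambda r: r["ts"])


def is_governed(rec, windows=MAINTENANCE_WINDOWS, approved=APPROVED_CHANGES):
    """A change is governed if it falls in a maintenance window or cites an approved change id."""
    in_window = any(datetime.fromisoformat(a) <= rec["ts"] <= datetime.fromisoformat(b)
                    for a, b in windows)
    return in_window or rec.get("change_id") in approved


def trust_changes(events):
    """Step 1-2 and 4: surface connector and federation trust changes with governance context."""
    findings = []
    for rec in load(events):
        if rec["activity"] in CONNECTOR_CHANGES:
            kind = "connector"
        elif rec["activity"] in FEDERATION_CHANGES:
            kind = "federation"
        else:
            continue
        findings.append({"ts": rec["ts"], "kind": kind, "activity": rec["activity"],
                         "actor": rec["actor"], "src": rec["src"], "governed": is_governed(rec)})
    return findings


def unusual_issuance_after(events, change_ts, lookahead=timedelta(hours=1)):
    """Step 3: baseline token issuance before the change; flag post-change issuance
    from a source IP or actor absent from that baseline."""
    recs = load(events)
    before = [r for r in recs if r["activity"] == TOKEN_ISSUANCE and r["ts"] < change_ts]
    known_sources = {r["src"] for r in before}
    known_actors = {r["actor"] for r in before}
    flagged = []
    for r in recs:
        if r["activity"] != TOKEN_ISSUANCE or not (change_ts <= r["ts"] <= change_ts + lookahead):
            continue
        reasons = []
        if r["src"] not in known_sources:
            reasons.append("new source")
        if r["actor"] not in known_actors:
            reasons.append("actor not seen before change")
        if reasons:
            flagged.append({"ts": r["ts"], "actor": r["actor"], "src": r["src"], "reasons": reasons})
    return flagged


def triage(events):
    """Combine both signals: ungoverned change plus anomalous issuance is the highest priority.
    Rare changes are never suppressed (step 5); governance only lowers severity."""
    report = []
    for f in trust_changes(events):
        anomalies = unusual_issuance_after(events, f["ts"])
        if not f["governed"] and anomalies:
            severity = "high"
        elif not f["governed"] or anomalies:
            severity = "medium"
        else:
            severity = "low"
        report.append({**f, "anomalies": anomalies, "severity": severity})
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_EVENTS):
        print(item["severity"].upper(), item["kind"], item["activity"], item["actor"],
              "governed" if item["governed"] else "UNGOVERNED", len(item["anomalies"]), "anomalies")
```

On the constructed sample, the connector update lands in the maintenance window with an approved change id and is followed only by familiar token activity, so it reports as low; the federation trust change has no approval context and is followed by issuance from two previously unseen sources, so it reports as high. The baseline here is deliberately simple (sources and actors seen before the change); in production the same structure would sit on a longer issuance history and add the issuer, application and token type fields your platform exposes.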
Mitigation priorities
- Limit who can register or update hybrid identity connectors and modify federation trust.
- Require strong approval and review processes for hybrid identity and federation configuration changes.
- Maintain sufficient retention for IaaS audit logs, identity configuration logs, and token issuance logs.
- Regularly review connector and federation trust configuration for unexpected changes.
- Prepare incident response procedures for investigating unauthorized identity trust or connector modifications.
Analyst notes and limits
This object is a detection analytic, not a technique, and no ATT&CK tactics or relationship context were supplied. The practical value is highest for organizations using IaaS-connected hybrid identity or cloud-to-on-premises federation. Local architecture will determine which exact APIs, logs, and identities are relevant.
MITRE did not provide detailed detection logic, related techniques, mitigations, or relationships for this object. This take is therefore limited to the supplied description, platform, and external reference. Environment-specific validation is required before assessing coverage or risk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c4b3308eef19… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0816
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.