MITRE ATT&CK® Analytic

AN0818: Analytic 0818

Detects suspicious changes to SAML/OAuth federation configurations, such as new signing certificates, altered endpoints, or claims issuance rules granting elevated privileges.

Enterprise | AN0818 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because SAML/OAuth federation settings are part of the trust fabric for SaaS access. Suspicious changes such as new signing certificates, altered endpoints, or claims rules that grant elevated privileges can change who is trusted, how tokens are issued, and what access users receive. For leaders, the practical question is whether identity federation changes are visible, reviewed, and explainable before they become an incident-response problem.

Executive priority

Prioritize this as an identity and SaaS control-validation issue. The business risk is not tied to a specific adversary in the supplied data, but to loss of confidence in federated authentication and authorization. Security leaders should ask whether SaaS federation configuration changes are logged, monitored, approved through change control, and retained as audit evidence. This is especially relevant for compliance readiness, incident decision-making, and resilience of SaaS-dependent operations.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring for SaaS SAML/OAuth federation configuration changes. The supplied analytic focuses on new signing certificates, altered federation endpoints, and claims issuance rules that grant elevated privileges. Because no official detection logic is provided, teams should build environment-specific detections around administrative configuration-change events and compare them against approved change records, known identity-provider metadata, expected certificate rotations, and authorized privilege-claim mappings.

Likely telemetry

  • SaaS administrative audit logs for federation or single sign-on configuration changes
  • Identity provider logs showing SAML/OAuth application or federation metadata updates
  • Change-management records for approved certificate rotations, endpoint changes, and claims-rule modifications
  • Administrative account activity associated with federation configuration changes
  • Configuration snapshots or exports of SAML/OAuth settings for comparison over time

Detection direction

  • Alert on new or replaced signing certificates in SaaS federation configurations, then validate against approved rotation windows.
  • Monitor changes to federation endpoints or identity-provider metadata and compare with expected provider URLs and documented changes.
  • Review claims issuance or mapping changes that could grant elevated privileges, especially when made outside normal change windows.
  • Tune for legitimate administrative maintenance, certificate lifecycle events, and planned identity-provider migrations to reduce false positives.
  • Account for blind spots where SaaS admin logs are not collected, are retained for too short a period, or do not capture before-and-after configuration values.
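The detection direction above (and the baseline-record mitigation below) can be exercised as a snapshot diff. This is an added example, not MITRE's or Glexia's code: it compares two constructed federation-configuration exports against a constructed change-control record and flags certificate, endpoint and claims-rule changes that are not explained by an approval. Field names, role names and the change-record shape are assumptions to be mapped onto a real SaaS or IdP export.

```python
# Added example: diff two federation config snapshots against approved changes.
# All field names, thumbprints, URLs and roles are constructed placeholders.
from datetime import datetime, timezone

BASELINE_CFG = {  # constructed export captured after the last approved change
    "signing_cert_sha1": "aa11bb22cc33dd44ee55",
    "sso_url": "https://idp.example.com/saml2/sso",
    "issuer": "https://idp.example.com/saml2/metadata",
    "claim_rules": {"group:finance": ["Viewer"], "group:it-ops": ["Admin"]},
}
CURRENT_CFG = {   # constructed export: new cert, swapped endpoint, new Admin rule
    "signing_cert_sha1": "ff66ee77dd88cc99bb00",
    "sso_url": "https://idp-login.example.net/saml2/sso",
    "issuer": "https://idp.example.com/saml2/metadata",
    "claim_rules": {"group:finance": ["Viewer"], "group:it-ops": ["Admin"],
                    "group:contractors": ["Admin"]},
}
# Constructed change-control record: only the certificate rotation was approved,
# and only inside a rotation window (ISO-8601 UTC bounds).
APPROVED = {"signing_cert_sha1": {"value": "ff66ee77dd88cc99bb00",
            "window": ("2026-01-10T00:00:00+00:00", "2026-01-12T00:00:00+00:00")}}
PRIVILEGED_ROLES = {"Admin", "Owner", "GlobalAdmin"}  # assumed privileged role names

def detect_federation_changes(baseline, current, approved, observed_at):
    """Return (severity, message) tuples for changes not covered by an approval."""
    findings = []
    for key in ("signing_cert_sha1", "sso_url", "issuer"):
        if baseline[key] == current[key]:
            continue
        rec = approved.get(key)
        if rec and rec["value"] == current[key]:
            start, end = (datetime.fromisoformat(t) for t in rec["window"])
            if start <= observed_at <= end:  # approved value inside its window
                findings.append(("info", f"{key} changed inside approved window"))
                continue
        findings.append(("high", f"{key} changed without approval: "
                                 f"{baseline[key]} -> {current[key]}"))
    # Claims rules: flag any rule that newly grants a privileged role without approval.
    for rule, roles in current["claim_rules"].items():
        gained = (set(roles) - set(baseline["claim_rules"].get(rule, []))) & PRIVILEGED_ROLES
        if gained and ("claim_rules:" + rule) not in approved:
            findings.append(("high", f"claim rule {rule} now grants {sorted(gained)}"))
    return findings

def run_example():
    observed = datetime(2026, 1, 11, 12, 0, tzinfo=timezone.utc)  # constructed time
    return detect_federation_changes(BASELINE_CFG, CURRENT_CFG, APPROVED, observed)

if __name__ == "__main__":
    for severity, message in run_example():
        print(severity.upper(), message)
```

With the constructed inputs, the certificate change is downgraded to informational because it matches the approved rotation, while the endpoint swap and the new Admin-granting claims rule are raised as high-severity findings.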

Mitigation priorities

  • Establish formal approval and documentation for SAML/OAuth federation changes, including certificates, endpoints, and claims rules.
  • Restrict federation administration to authorized personnel and require strong administrative access controls.
  • Retain SaaS and identity-provider audit logs long enough to support investigation and compliance evidence needs.
  • Maintain baseline configuration records for federation settings so responders can quickly identify unauthorized or unexpected changes.
  • Periodically review privileged claims and federation trust settings for alignment with business need.

Analyst notes and limits

The ATT&CK object is a detection analytic for SaaS platforms and describes suspicious changes to SAML/OAuth federation configuration. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this take focuses on defensive validation and operational control questions rather than a specific ATT&CK tactic or adversary pattern.

This assessment is limited to the supplied official description, platform value, external reference, and absence of relationship context. It does not establish active exploitation, attribution, prevalence, impact, or guaranteed detectability. Local SaaS products, logging capabilities, identity architecture, and change-management practices are required to determine actual coverage.

Official MITRE ATT&CK definition

Analytic 0818

Detects suspicious changes to SAML/OAuth federation configurations, such as new signing certificates, altered endpoints, or claims issuance rules granting elevated privileges.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 414e7fa461bcfeb7...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 414e7fa461bc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0818

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.