MITRE ATT&CK® Analytic

AN0892: Analytic 0892

Changes to security configurations such as disabling MFA requirements, reducing session token lifetimes, or turning off risk-based policies. Correlate admin logins with sudden policy downgrades.

Domain: Enterprise | ID: AN0892 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is about watching for identity-provider security policy downgrades, such as disabling MFA requirements, shortening or weakening session controls, or turning off risk-based policies. For leaders, the practical issue is control integrity: if identity safeguards can be reduced without timely detection and review, downstream cloud, SaaS, and administrative access risk can increase even when the original control program looked strong on paper.

Executive priority

Prioritize this as an identity governance and operational resilience validation. Executives should ask whether changes to MFA, session token, and risk-based access policies are logged, reviewed, and correlated with administrator sign-ins. This supports incident decision-making, audit evidence, and control assurance because the key risk is not only whether strong identity policies exist, but whether unauthorized or inappropriate downgrades are visible quickly enough to respond.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring in the Identity Provider platform for security configuration changes and the administrator activity immediately before and after those changes. The supplied analytic specifically calls for correlating admin logins with sudden policy downgrades. Detection logic should focus on high-risk configuration-change events involving MFA requirements, session token lifetimes, and risk-based policies, then enrich with the actor, admin role, source context, timing, and whether the change aligns with an approved change window.

Likely telemetry

  • Identity Provider administrative audit logs
  • Administrator sign-in and authentication logs
  • Security policy change events for MFA requirements
  • Session token or session lifetime configuration change records
  • Risk-based policy enablement, disablement, or modification records

Detection direction

  • Confirm the Identity Provider produces audit events for the specific policy areas named in the analytic: MFA requirements, session token lifetimes, and risk-based policies.
  • Correlate policy downgrade events with recent administrator logins rather than alerting on configuration changes in isolation.
  • Tune for expected administrative maintenance and approved change windows to reduce false positives.
  • Treat sudden downgrades, especially disabling requirements or reducing protective policy strength, as higher-priority review items.
  • Validate blind spots where policy changes are made through administrative portals, APIs, automation, or delegated identity roles but are not normalized into SOC telemetry.
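As an added example that is not part of the Glexia or MITRE page, the following Python sketch implements the correlation direction above over constructed Identity Provider audit events in a generic normalized shape (the field names, actors, IP addresses, timestamps and the approved change window are assumptions, not any vendor's schema): it classifies policy changes as downgrades, pairs each with the same actor's most recent admin sign-in inside a one-hour lookback, checks an approved change window, and escalates changes that have no correlated admin session (the API/automation blind spot) or fall outside a window. Any session-lifetime change is flagged for review regardless of direction.

```python
from datetime import datetime, timedelta

# Constructed sample IdP audit events in a generic normalized shape (not a vendor schema).
EVENTS = [
    {"ts": "2024-05-01T02:10:00Z", "type": "admin_signin", "actor": "adm.jane", "role": "GlobalAdmin", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T02:14:00Z", "type": "policy_change", "actor": "adm.jane", "setting": "mfa_required", "old": True, "new": False},
    {"ts": "2024-05-01T09:00:00Z", "type": "admin_signin", "actor": "adm.ops", "role": "PolicyAdmin", "src_ip": "198.51.100.4"},
    {"ts": "2024-05-01T09:20:00Z", "type": "policy_change", "actor": "adm.ops", "setting": "session_lifetime_hours", "old": 8, "new": 4},
    {"ts": "2024-05-01T17:45:00Z", "type": "policy_change", "actor": "svc.automation", "setting": "risk_based_policy", "old": "enabled", "new": "disabled"},
]
# Constructed approved change window, as it would come from change-management records.
APPROVED_WINDOWS = [("2024-05-01T09:00:00Z", "2024-05-01T11:00:00Z")]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def downgrade_reason(ev):
    """Return why a policy_change weakens protection, or None if it is not a downgrade."""
    s, old, new = ev["setting"], ev["old"], ev["new"]
    if s == "mfa_required" and old and not new:
        return "MFA requirement disabled"
    if s == "risk_based_policy" and old == "enabled" and new == "disabled":
        return "risk-based policy disabled"
    if s == "session_lifetime_hours" and old != new:   # any direction is reviewed
        return "session lifetime changed %s->%s" % (old, new)
    return None

def in_approved_window(ts, windows=APPROVED_WINDOWS):
    return any(parse_ts(a) <= ts <= parse_ts(b) for a, b in windows)

def correlate(events=EVENTS, lookback=timedelta(hours=1)):
    """Pair each downgrade with the same actor's latest admin sign-in inside the lookback."""
    findings = []
    for ev in events:
        if ev["type"] != "policy_change":
            continue
        reason = downgrade_reason(ev)
        if reason is None:
            continue
        t = parse_ts(ev["ts"])
        logins = [e for e in events if e["type"] == "admin_signin" and e["actor"] == ev["actor"]
                  and t - lookback <= parse_ts(e["ts"]) <= t]
        login = max(logins, key=lambda e: e["ts"]) if logins else None
        approved = in_approved_window(t)
        # No correlated admin session (API/automation path) or outside a window: high priority.
        severity = "review" if approved and login else "high"
        findings.append({"ts": ev["ts"], "actor": ev["actor"], "reason": reason,
                         "login_src_ip": login["src_ip"] if login else None,
                         "approved_window": approved, "severity": severity})
    return findings
```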

Mitigation priorities

  • Require formal approval and documentation for changes to identity security policies.
  • Limit who can modify MFA, session, and risk-based access policies in the Identity Provider.
  • Maintain reliable administrative audit logging and retention for identity policy changes and admin logins.
  • Periodically review identity-provider configuration baselines so downgrades are easier to identify.
  • Ensure incident response playbooks include steps to verify, reverse, and document unauthorized or inappropriate identity policy changes.

Analyst notes and limits

The ATT&CK object is a detection analytic for an Identity Provider platform and provides a concise description but no separate official detection logic and no relationship context. The most valuable defensive use is to turn the described behavior into a control validation: can the organization see policy downgrades, identify the administrator session tied to them, and prove whether the change was authorized?

No tactics, relationships, detailed detection pseudocode, data components, or vendor-specific event names were supplied. Local Identity Provider logging capabilities, policy model, admin role design, and change-management records are required to implement and validate this analytic accurately.

Official MITRE ATT&CK definition

Analytic 0892

Changes to security configurations such as disabling MFA requirements, reducing session token lifetimes, or turning off risk-based policies. Correlate admin logins with sudden policy downgrades.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 900c864b1146bd76...

Imported snapshots across ATT&CK releases (1)

  Release  Bundle imported  Object version  Modified  Status          Raw hash
  19.1                      1.0                       Current bundle  900c864b1146…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: AN0892 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.