AN1128: Analytic 1128
Enumeration of directories, applications, or service principals through APIs such as Microsoft Graph or Okta API. Defender perspective includes unexpected listing of users, roles, applications, and abnormal access to identity management endpoints.
Analyst context for executives and security teams
AN1128 focuses on identity-provider enumeration: activity where an account or application lists directories, users, roles, applications, or service principals through APIs such as Microsoft Graph or the Okta API. For leaders, the significance is that this behavior can expose the map of an identity environment, helping an intruder understand who has access, which apps matter, and where privileged paths may exist. Even without a specified ATT&CK tactic or supplied relationship context, this analytic is important because identity provider visibility is often central to cloud access, incident scoping, and audit evidence.
Executive priority
Prioritize confirming whether identity-provider API activity is logged, retained, and reviewable. This behavior matters to business resilience because identity directories and application/service-principal inventories often define access to critical systems. Security leaders should ask whether the SOC can distinguish normal administrative or integration-driven enumeration from unexpected listing activity, and whether incident responders can quickly determine which account, app, or token accessed identity-management endpoints.
Technical view
Validate coverage for Identity Provider platforms where APIs can enumerate users, roles, applications, directories, or service principals. The supplied ATT&CK description specifically references Microsoft Graph and Okta API as examples, so detection engineering should focus on identity-management API audit events showing listing or directory-read activity, especially when performed by unusual users, applications, service principals, source locations, or at abnormal volumes. Because no official detection logic is provided, local baselining and environment-specific allowlisting are required.
Likely telemetry
- Identity provider audit logs
- API access logs for identity-management endpoints
- Microsoft Graph activity logs where available
- Okta API activity logs where available
- User, role, application, and service-principal listing events
Detection direction
- Inventory which identity-provider APIs can enumerate users, roles, applications, directories, and service principals in the environment.
- Baseline expected enumeration by administrators, automation, governance tools, and approved integrations before alerting on volume alone.
- Tune for unexpected listing activity from new accounts, unusual service principals, abnormal source locations, unusual times, or callers without a normal operational need.
- Correlate enumeration with authentication context, token issuance, privilege level, and recent identity or application changes.
- Account for false positives from legitimate directory synchronization, identity governance, asset inventory, security tooling, and help desk workflows.
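One way to turn the baselining and allowlisting steps above into a first-pass check, as an added example that is not Glexia's or MITRE's code: it runs over constructed, normalized identity-provider audit events (the field names, the BASELINE allowlist and the sample callers are assumptions) and flags collection-listing calls from callers outside the baseline, above their normal volume, or from an unexpected source range.

```python
from collections import defaultdict
# Added example, not Glexia or MITRE code. The event fields, the allowlist and the
# sample events are constructed; map them to your Graph activity or Okta log export.
# Collection-read endpoints (real Microsoft Graph v1.0 and Okta v1 paths).
LISTING_ENDPOINTS = {
    "/v1.0/users", "/v1.0/directoryRoles", "/v1.0/applications",
    "/v1.0/servicePrincipals", "/v1/users", "/v1/apps", "/v1/groups",
}

# Local baseline (assumed): approved callers, their normal listing-call volume
# per review window, and the source range they are expected to call from.
BASELINE = {
    "sync-svc@example.test": {"max_calls": 500, "src_prefix": "10.20."},
    "admin.alice@example.test": {"max_calls": 50, "src_prefix": "10.10."},
}

def is_listing(endpoint: str) -> bool:
    """Collection reads only; a single-object read such as /users/{id} is not enumeration."""
    return endpoint.split("?")[0].rstrip("/") in LISTING_ENDPOINTS

def find_enumeration(events: list[dict]) -> list[dict]:
    """Return one finding per caller whose listing activity breaks the local baseline."""
    per_caller = defaultdict(list)
    for ev in events:
        if ev["status"] == 200 and is_listing(ev["endpoint"]):
            per_caller[ev["caller"]].append(ev)
    findings = []
    for caller, evs in per_caller.items():
        base, reasons = BASELINE.get(caller), []
        if base is None:
            reasons.append("caller not in approved enumeration baseline")
        else:
            if len(evs) > base["max_calls"]:
                reasons.append(f"volume {len(evs)} exceeds baseline {base['max_calls']}")
            odd = sorted({e["src_ip"] for e in evs if not e["src_ip"].startswith(base["src_prefix"])})
            if odd:
                reasons.append(f"unexpected source {odd}")
        if reasons:
            paths = sorted({e["endpoint"].split("?")[0] for e in evs})
            findings.append({"caller": caller, "calls": len(evs), "endpoints": paths, "reasons": reasons})
    return findings

# Constructed events: approved sync job, approved admin on an unexpected network,
# a new service principal walking the directory, and a single-object help-desk read.
SAMPLE_EVENTS = [
    {"caller": "sync-svc@example.test", "endpoint": "/v1.0/users?$top=999", "src_ip": "10.20.1.5", "status": 200},
    {"caller": "admin.alice@example.test", "endpoint": "/v1.0/directoryRoles", "src_ip": "203.0.113.9", "status": 200},
    {"caller": "sp-newapp-7f3a", "endpoint": "/v1.0/users", "src_ip": "198.51.100.4", "status": 200},
    {"caller": "sp-newapp-7f3a", "endpoint": "/v1.0/servicePrincipals", "src_ip": "198.51.100.4", "status": 200},
    {"caller": "helpdesk.bob@example.test", "endpoint": "/v1.0/users/5678", "src_ip": "10.10.2.2", "status": 200},
]
```

Calling find_enumeration(SAMPLE_EVENTS) returns two findings (the admin from an unexpected range and the unapproved service principal) while the sync job and the single-object read are left alone; the volume threshold only fires when an approved caller exceeds its baseline in the window you feed in.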
Mitigation priorities
- Ensure identity-provider audit and API activity logging is enabled and retained long enough to support investigations.
- Apply least privilege to directory-read permissions for users, applications, and service principals.
- Review and govern application/API permissions that allow broad directory, user, role, application, or service-principal listing.
- Separate and monitor administrative identities and automation identities that legitimately perform enumeration.
- Document approved identity-management integrations so SOC teams can distinguish expected API inventory activity from abnormal access.
Analyst notes and limits
This analysis is based only on the supplied ATT&CK analytic description. The object has no supplied tactic, no relationships, and no official detection logic, so the practical value is in validating telemetry and baselines around identity-provider enumeration rather than implementing a specific MITRE-provided rule.
No active exploitation, attribution, impact, or detection efficacy is implied. Microsoft Graph and Okta API are examples present in the official description; other platforms should only be assessed if they exist in the local environment. Local logging capabilities, retention, API schemas, and normal administrative workflows determine usable detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 149e8658fc6f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1128 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.