AN1131: Analytic 1131
Configuration changes to virtual TAP/mirror policies that forward traffic to unapproved destinations. Detection correlates management plane API calls with mirrored traffic observation.
Analyst context for executives and security teams
This analytic matters because virtual TAP or traffic mirroring policies in IaaS environments can expose sensitive network traffic if they are changed to send copies to destinations the organization has not approved. For leaders, the key issue is not just a cloud configuration change; it is whether cloud management-plane activity and observed mirrored traffic can be correlated quickly enough to prove that monitoring paths remain authorized.
Executive priority
Prioritize this as a cloud security, compliance evidence, and incident response readiness issue. Security leaders should ask who is allowed to change virtual TAP or mirror policies, how approved destinations are documented, and whether the organization can produce evidence showing that mirrored traffic is only sent where intended. This is especially important for environments where mirrored traffic may contain regulated, sensitive, or operationally important data.
Technical view
For IaaS platforms, validate that cloud management-plane API calls related to virtual TAP or mirror policy changes are logged and can be correlated with network observations showing where mirrored traffic is actually being forwarded. Because the ATT&CK object does not provide a specific detection rule, SOC and detection teams should focus on the behavioral requirement: identify configuration changes that result in mirroring to destinations outside an approved inventory or baseline.
Likely telemetry
- IaaS management-plane API audit logs for virtual TAP, traffic mirror, or mirror policy configuration changes
- Configuration state or inventory data for approved mirror sessions, policies, sources, and destinations
- Network telemetry showing mirrored traffic flows and destination endpoints
- Change management or authorization records for approved traffic mirroring destinations
- Identity and access context for principals making mirror policy changes
Detection direction
- Build or validate correlation between mirror-policy management API activity and observed mirrored traffic destinations.
- Maintain an approved destination baseline; alert when mirrored traffic is configured or observed to unapproved destinations.
- Tune for legitimate network monitoring, packet capture, troubleshooting, and security tooling changes to reduce false positives.
- Review whether detections fail when only configuration logs are collected but mirrored traffic observation is absent, or vice versa.
- Include identity context so analysts can determine whether the change came from an expected administrator or automation path.
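The correlation described in the list above, written out as a small worked example. This is added illustration, not detection logic from the ATT&CK object or from Glexia: the audit-event and flow-record schemas, the action names, the principals, the approved-destination baseline and the UDP encapsulation port are all constructed and provider-neutral, so a real deployment would map its own provider's mirror-session API events and flow telemetry onto these fields. The three finding kinds it emits correspond directly to the list items: a confirmed finding joins a management-plane change to observed traffic and carries identity context, while flow-only and config-only findings surface the case where one of the two telemetry paths is missing.

```python
"""Correlate mirror-policy management-plane events with observed mirrored
traffic and flag destinations outside an approved baseline.

Added example: schemas, names and values below are constructed and do not
represent any cloud provider's real log format or API.
"""
from datetime import datetime, timedelta

# Constructed baseline of change-approved mirror collector addresses.
APPROVED_DESTINATIONS = {"10.20.0.10", "10.20.0.11"}
# Constructed set of principals expected to change mirror policies.
EXPECTED_PRINCIPALS = {"role/netops-admin", "role/mirror-automation"}
# Constructed: mirrored traffic is UDP-encapsulated to this port.
MIRROR_PORT = 4789

# Constructed management-plane audit events for mirror-session changes.
AUDIT_EVENTS = [
    {"time": "2024-05-01T10:00:00Z", "principal": "role/netops-admin",
     "action": "CreateMirrorSession", "session": "tms-1", "dest": "10.20.0.10"},
    {"time": "2024-05-01T10:30:00Z", "principal": "user/contractor-7",
     "action": "ModifyMirrorSession", "session": "tms-1", "dest": "203.0.113.45"},
    {"time": "2024-05-01T11:00:00Z", "principal": "role/mirror-automation",
     "action": "CreateMirrorSession", "session": "tms-2", "dest": "198.51.100.9"},
]

# Constructed flow records seen leaving the mirror sources' subnets.
FLOW_RECORDS = [
    {"time": "2024-05-01T10:05:00Z", "src": "10.0.1.5", "dst": "10.20.0.10", "dport": 4789},
    {"time": "2024-05-01T10:31:00Z", "src": "10.0.1.5", "dst": "203.0.113.45", "dport": 4789},
    {"time": "2024-05-01T10:40:00Z", "src": "10.0.1.5", "dst": "10.20.0.11", "dport": 4789},
    {"time": "2024-05-01T12:00:00Z", "src": "10.0.2.8", "dst": "192.0.2.77", "dport": 4789},
]


def _ts(value):
    """Parse the constructed ISO-8601 UTC timestamp format used above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def unapproved_config_changes(events, approved=APPROVED_DESTINATIONS):
    """Configuration path: mirror sessions pointed at a destination not in the baseline."""
    return [e for e in events if e["dest"] not in approved]


def unapproved_mirror_flows(flows, approved=APPROVED_DESTINATIONS, port=MIRROR_PORT):
    """Network path: encapsulated mirror traffic observed going to an unapproved destination."""
    return [f for f in flows if f["dport"] == port and f["dst"] not in approved]


def correlate(events, flows, approved=APPROVED_DESTINATIONS,
              expected=EXPECTED_PRINCIPALS, window=timedelta(hours=1)):
    """Join the two detection paths and return findings in this order:

    confirmed   - unapproved flow preceded within `window` by a config change
                  to the same destination; carries principal attribution.
    flow_only   - unapproved flow with no matching config event (management-
                  plane logging gap, or the change predates log retention).
    config_only - unapproved config change with no traffic observed yet (idle
                  session, or flow telemetry is not being collected).
    """
    findings = []
    matched = set()  # indexes of events already explained by a flow
    for flow in unapproved_mirror_flows(flows, approved):
        flow_time = _ts(flow["time"])
        candidates = [
            (i, e) for i, e in enumerate(events)
            if e["dest"] == flow["dst"]
            and timedelta(0) <= flow_time - _ts(e["time"]) <= window
        ]
        if candidates:
            i, event = max(candidates, key=lambda ie: ie[1]["time"])
            matched.add(i)
            findings.append({"kind": "confirmed", "dest": flow["dst"],
                             "session": event["session"], "principal": event["principal"],
                             "unexpected_principal": event["principal"] not in expected})
        else:
            findings.append({"kind": "flow_only", "dest": flow["dst"], "src": flow["src"]})
    for i, event in enumerate(events):
        if i not in matched and event["dest"] not in approved:
            findings.append({"kind": "config_only", "dest": event["dest"],
                             "session": event["session"], "principal": event["principal"],
                             "unexpected_principal": event["principal"] not in expected})
    return findings


if __name__ == "__main__":
    for finding in correlate(AUDIT_EVENTS, FLOW_RECORDS):
        print(finding)
```

With the constructed data this yields one confirmed finding (session tms-1 redirected to 203.0.113.45 by a principal outside the expected set), one flow-only finding (mirror traffic to 192.0.2.77 with no corresponding management-plane event) and one config-only finding (tms-2 created toward 198.51.100.9 with no traffic seen yet). The flow-only and config-only kinds are the ones to watch when validating coverage: a steady stream of either means one telemetry path is missing rather than that the environment is clean.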
Mitigation priorities
- Restrict who can create or modify virtual TAP and mirror policies in IaaS environments.
- Maintain an approved inventory of traffic mirroring destinations and require change approval for updates.
- Ensure management-plane audit logging and relevant network telemetry are retained and available to SOC and IR teams.
- Periodically review mirror configurations for drift from approved baselines.
- Use compliance and security review processes to verify that mirrored traffic paths remain authorized.
Analyst notes and limits
The supplied object is a detection analytic for IaaS environments. It describes detecting configuration changes to virtual TAP or mirror policies that forward traffic to unapproved destinations by correlating management-plane API calls with mirrored traffic observation. No related ATT&CK techniques, tactics, procedures, groups, software, or mitigations were supplied, so this analysis focuses on defensive validation and operational decision value rather than attribution or threat activity.
Official detection logic was not provided, and no relationship context was supplied. Local cloud provider terminology, available logging, approved destination inventory, and network visibility will determine how this analytic can be implemented and validated.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | eff739205491… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1131 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.