MITRE ATT&CK® Analytic

AN1157: Analytic 1157

Unauthorized API or console calls to retrieve or reset password credentials, download key material, or modify SSO settings.

Enterprise | AN1157 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic points to high-risk identity-provider activity: unauthorized API or console actions involving password credential retrieval or reset, key material download, or SSO setting changes. For leaders, the practical issue is not just account misuse; these actions can undermine trust in authentication, enable broader access, and complicate incident containment if the organization cannot prove who changed identity settings and when.

Executive priority

Prioritize this as an identity control and audit-readiness question: can the organization reliably detect and investigate sensitive administrative activity in the identity provider? Executives should ask whether IdP admin logging is complete, retained, reviewed, and tied to incident response procedures for credential resets, key material handling, and SSO configuration changes. This matters for business continuity because identity provider compromise or misconfiguration can affect access across many dependent applications.

Technical view

SOC, detection engineering, and IR teams should validate monitoring for IdP API and console events involving credential retrieval or reset, key material download, and SSO configuration modification. Because no official detection logic or ATT&CK tactic is supplied, teams should derive local analytics from the IdP audit event model, privileged role assignments, source context (network, device, session), the target account or application, and change-management expectations. Investigation workflows should distinguish authorized helpdesk and admin actions from unusual privileged activity: actions performed outside the normal process, from atypical locations, against privileged targets, or by accounts that do not hold the expected responsibility.

Likely telemetry

  • Identity provider audit logs for API calls and console actions
  • Administrative activity logs for password reset or credential management events
  • Key material access or download audit events where supported by the IdP
  • SSO configuration change logs, including application, federation, certificate, or policy changes
  • Privileged role assignment and administrative session records

Detection direction

  • Confirm the IdP emits and retains auditable events for the specific sensitive actions named in the analytic: password credential retrieval/reset, key material download, and SSO setting changes.
  • Baseline expected administrators, service accounts, helpdesk workflows, and approved change windows to reduce false positives from legitimate identity operations.
  • Alert on sensitive IdP actions by unexpected principals, from unusual access context, or without matching change evidence, while recognizing that the official object does not provide a detection rule.
  • Correlate IdP administrative actions with subsequent authentication or application access anomalies during investigation, but avoid assuming compromise from the IdP event alone.
  • Check for blind spots in API-based administration, break-glass accounts, service principals, and log retention, since these often determine whether incident responders can reconstruct identity changes.
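The technical view and detection direction above describe the same procedure: enumerate the IdP events that map to the analytic's three sensitive action classes, baseline who is expected to perform them and from where, and alert when a principal, source, target, or missing change evidence deviates. The Python below runs that logic over constructed audit events. It is an added illustration, not MITRE detection logic (the object supplies none) and not Glexia's or any IdP vendor's code; the event schema, action names, principals, IP ranges, and change records are all hypothetical.

```python
"""Triage of sensitive identity-provider admin events against a local baseline.

Added illustration for AN1157. Everything below (event schema, action names,
principals, networks, change tickets) is constructed; no vendor audit format
is reproduced and ATT&CK supplies no detection rule for this analytic.
"""
from datetime import datetime
import ipaddress

# The three sensitive action classes named in the analytic, mapped to
# hypothetical audit event types an IdP might emit for them.
SENSITIVE_ACTIONS = {
    "credential":   {"user.password.reset", "user.password.read", "user.api_credential.read"},
    "key_material": {"app.signing_key.export", "idp.saml_key.download"},
    "sso_settings": {"app.sso.update", "idp.federation.update", "idp.federation.cert.rotate"},
}

# Local baseline an analyst maintains (hypothetical values): expected principals
# per action class, helpdesk-only accounts, privileged targets a helpdesk reset
# must never touch, and trusted administrative source networks.
BASELINE = {
    "expected_principals": {
        "credential":   {"idp-admin-alice", "helpdesk-bot"},
        "key_material": {"idp-admin-alice"},
        "sso_settings": {"idp-admin-alice", "idp-admin-bob"},
    },
    "helpdesk_only": {"helpdesk-bot"},
    "privileged_targets": {"user:idp-admin-alice", "user:idp-admin-bob", "user:breakglass-01"},
    "admin_networks": [ipaddress.ip_network("10.10.0.0/16"),
                       ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed change record: approved window and the object the ticket covers.
CHANGE_RECORDS = [
    {"ticket": "CHG-1001", "target": "app:payroll-saml",
     "start": "2025-03-04T18:00:00Z", "end": "2025-03-04T20:00:00Z"},
]

# Constructed IdP audit events (not a real vendor schema).
EVENTS = [
    {"id": 1, "ts": "2025-03-04T18:15:00Z", "actor": "idp-admin-bob", "action": "app.sso.update",
     "target": "app:payroll-saml", "src_ip": "10.10.5.21"},
    {"id": 2, "ts": "2025-03-04T21:40:00Z", "actor": "idp-admin-bob", "action": "app.sso.update",
     "target": "app:payroll-saml", "src_ip": "10.10.5.21"},
    {"id": 3, "ts": "2025-03-04T09:05:00Z", "actor": "helpdesk-bot", "action": "user.password.reset",
     "target": "user:carol", "src_ip": "10.10.7.3"},
    {"id": 4, "ts": "2025-03-04T09:06:00Z", "actor": "helpdesk-bot", "action": "user.password.reset",
     "target": "user:breakglass-01", "src_ip": "10.10.7.3"},
    {"id": 5, "ts": "2025-03-05T02:12:00Z", "actor": "svc-hr-sync", "action": "idp.saml_key.download",
     "target": "app:payroll-saml", "src_ip": "198.51.100.77"},
    {"id": 6, "ts": "2025-03-05T02:13:00Z", "actor": "idp-admin-alice", "action": "user.profile.update",
     "target": "user:carol", "src_ip": "10.10.5.9"},
]


def _parse(ts):
    # Accept the trailing "Z" on older Python versions as well.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def action_class(action):
    """Return the sensitive class for an action, or None if it is out of scope."""
    for cls, names in SENSITIVE_ACTIONS.items():
        if action in names:
            return cls
    return None


def has_change_evidence(event, change_records):
    """True if an approved change covers this target at the event's timestamp."""
    t = _parse(event["ts"])
    return any(r["target"] == event["target"] and _parse(r["start"]) <= t <= _parse(r["end"])
               for r in change_records)


def evaluate_event(event, baseline=BASELINE, change_records=CHANGE_RECORDS):
    """Return the reasons this event deviates from baseline; [] means it looks authorized."""
    cls = action_class(event["action"])
    if cls is None:
        return []
    reasons = []
    if event["actor"] not in baseline["expected_principals"][cls]:
        reasons.append(f"unexpected principal for {cls}")
    src = ipaddress.ip_address(event["src_ip"])
    if not any(src in net for net in baseline["admin_networks"]):
        reasons.append("source outside admin networks")
    if event["actor"] in baseline["helpdesk_only"] and event["target"] in baseline["privileged_targets"]:
        reasons.append("helpdesk reset of privileged target")
    # Key export and SSO changes are expected to carry change-control evidence;
    # routine helpdesk password resets are not held to that bar here.
    if cls in ("key_material", "sso_settings") and not has_change_evidence(event, change_records):
        reasons.append("no matching change record")
    return reasons


def triage(events, baseline=BASELINE, change_records=CHANGE_RECORDS):
    """Map each in-scope event id to its deviation reasons (empty list = authorized)."""
    return {e["id"]: evaluate_event(e, baseline, change_records)
            for e in events if action_class(e["action"])}


def alerts(events, baseline=BASELINE, change_records=CHANGE_RECORDS):
    """Ids of in-scope events with at least one deviation, for analyst review."""
    return sorted(i for i, r in triage(events, baseline, change_records).items() if r)


if __name__ == "__main__":
    for event_id, reasons in triage(EVENTS).items():
        print(event_id, reasons or "authorized")
```

Each reason is an investigation lead, not a compromise verdict: event 2 is a known administrator making an SSO change outside its approved window, and event 4 is a helpdesk account resetting a break-glass credential, both of which may be explainable. Event 5 (a service account exporting SAML key material from an untrusted address with no ticket) stacks three deviations and is the one to escalate first. The baseline and change-record lookups would be replaced with the local IdP's role model and ticketing data.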

Mitigation priorities

  • Enforce least privilege and role separation for IdP administration, especially for password management, key material access, and SSO configuration changes.
  • Require strong authentication and controlled administrative access paths for IdP console and API use.
  • Implement approval and change-control evidence for SSO changes and sensitive credential operations.
  • Protect and limit access to key material, with periodic review of who can export or download it where the platform permits.
  • Retain IdP audit logs long enough to support incident response, compliance evidence, and post-incident reconstruction.

Analyst notes and limits

This is a detection analytic object, not a full ATT&CK technique. The supplied platform is Identity Provider, and the official description is limited to unauthorized API or console calls involving credentials, key material, and SSO settings. No relationships, tactics, or official detection logic were supplied, so this take focuses on validation questions and defensive evidence classes rather than specific rule syntax.

Coverage and severity depend on the local identity provider, available audit events, administrative model, retention, and change-management process. The supplied ATT&CK fields do not identify adversary groups, active exploitation, specific products, or guaranteed detection methods.

Official MITRE ATT&CK definition

Analytic 1157

Unauthorized API or console calls to retrieve or reset password credentials, download key material, or modify SSO settings.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate any related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ecfbab33c85cc156...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   ecfbab33c85c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1157

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.