AN1347: Analytic 1347
Behavioral chain: (1) delegated admin or external identity establishes session (e.g., partner/reseller DAP, B2B guest, SAML/OAuth trust); (2) role elevation or app consent/permission grant; (3) downstream privileged actions in the tenant. Correlate IdP sign-in, admin/role assignment, and consent/admin-on-behalf events.
Analyst context for executives and security teams
This analytic matters because it focuses on a high-risk identity-provider pattern: an external or delegated identity establishes access, gains elevated rights or app consent, and then performs privileged actions in the tenant. For leaders, the issue is not just sign-in monitoring; it is whether the organization can prove that partner, reseller, guest, SAML/OAuth trust, and delegated admin activity is correlated through to downstream administrative impact.
Executive priority
Prioritize this as an identity governance and incident-readiness validation item. If external identity sessions, role elevation, consent grants, and privileged tenant actions are reviewed in separate tools or by separate teams, a material escalation path may be missed. Security leaders should ask whether delegated administration and external trust activity is logged, correlated, retained, and reviewable as audit evidence.
Technical view
For SOC, detection engineering, and IR teams, validate correlation across Identity Provider telemetry: external or delegated admin sign-ins, role assignment or elevation events, app consent or permission grants, admin-on-behalf activity, and subsequent privileged actions in the tenant. Because ATT&CK provides no separate detection text and no tactics for this analytic, implementation should be treated as a behavioral correlation use case rather than a single-event alert.
Likely telemetry
- Identity Provider sign-in logs for delegated admins, external identities, B2B guests, and trusted SAML/OAuth sessions
- Administrative role assignment and role elevation events
- Application consent, permission grant, and admin-on-behalf consent events
- Privileged tenant activity following the session or permission change
- Audit logs linking actor identity, source session, target application or role, and downstream administrative action
Detection direction
- Correlate the full chain: external/delegated session establishment, privilege or consent change, then downstream privileged action.
- Tune for context around expected partner, reseller, guest, and delegated admin workflows to reduce false positives while preserving visibility into unusual privilege paths.
- Validate that consent and role events are not monitored in isolation from sign-in and downstream admin activity.
- Check blind spots where external identity activity, OAuth/SAML trust activity, or privileged tenant actions are logged but not joined by actor, session, application, or time window.
- Use this analytic as a detection validation exercise for Identity Provider coverage, since no official standalone detection logic is supplied.
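The correlation described in the detection direction above, as an added Python example that is not part of the ATT&CK object or the Glexia page: events are joined by actor and session, ordered as sign-in, elevation (role assignment, consent grant, or admin-on-behalf), then privileged action inside one time window. Chains from expected delegated-admin actors are labelled for review rather than suppressed, so unusual privilege paths stay visible. The event schema, field names, and sample values are constructed assumptions, not a real product log format.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the analytic's telemetry (assumed schema).
# Actor 1 completes the full chain; actor 2 stops at consent; actor 3 is internal.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "signin", "actor": "reseller-admin@partner.example", "session": "s1", "external": True},
    {"ts": "2024-05-01T09:04:00", "type": "role_assign", "actor": "reseller-admin@partner.example", "session": "s1", "target": "Global Administrator"},
    {"ts": "2024-05-01T09:10:00", "type": "privileged_action", "actor": "reseller-admin@partner.example", "session": "s1", "target": "update_tenant_auth_settings"},
    {"ts": "2024-05-01T10:00:00", "type": "signin", "actor": "guest@b2b.example", "session": "s2", "external": True},
    {"ts": "2024-05-01T10:02:00", "type": "consent_grant", "actor": "guest@b2b.example", "session": "s2", "target": "app:mail-sync"},
    {"ts": "2024-05-01T11:00:00", "type": "signin", "actor": "alice@corp.example", "session": "s3", "external": False},
    {"ts": "2024-05-01T11:01:00", "type": "role_assign", "actor": "alice@corp.example", "session": "s3", "target": "Global Administrator"},
    {"ts": "2024-05-01T11:05:00", "type": "privileged_action", "actor": "alice@corp.example", "session": "s3", "target": "create_mailbox_rule"},
]

# Stage-2 event types: role elevation, app consent/permission grant, admin-on-behalf.
ELEVATION_TYPES = {"role_assign", "consent_grant", "admin_on_behalf"}


def _t(event):
    return datetime.fromisoformat(event["ts"])


def correlate_chains(events, window_minutes=120, expected_actors=frozenset()):
    """Return one dict per completed three-stage chain, joined by actor and session.

    Only external/delegated sign-ins start a chain. Expected delegated-admin actors
    are labelled 'review' instead of being dropped, preserving visibility.
    """
    by_key = {}
    for e in sorted(events, key=_t):
        by_key.setdefault((e["actor"], e["session"]), []).append(e)
    window = timedelta(minutes=window_minutes)
    chains = []
    for (actor, session), evs in by_key.items():
        signin = next((e for e in evs if e["type"] == "signin" and e.get("external")), None)
        if signin is None:
            continue  # internal sign-in: out of scope for this analytic
        deadline = _t(signin) + window
        elevation = next((e for e in evs if e["type"] in ELEVATION_TYPES
                          and _t(signin) < _t(e) <= deadline), None)
        if elevation is None:
            continue
        action = next((e for e in evs if e["type"] == "privileged_action"
                       and _t(elevation) < _t(e) <= deadline), None)
        if action is None:
            continue  # stage 2 without stage 3: partial chain, not alerted here
        chains.append({"actor": actor, "session": session,
                       "severity": "review" if actor in expected_actors else "alert",
                       "stages": [signin["type"], elevation["type"], action["type"]],
                       "privileged_action": action["target"]})
    return chains
```

Partial chains (sign-in plus consent with no downstream action) are deliberately not alerted here; a production version would typically surface them at lower severity for the blind-spot check described above.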
Mitigation priorities
- Inventory delegated admin, partner/reseller, B2B guest, SAML, and OAuth trust paths that can affect tenant administration.
- Review who can grant app consent, assign roles, or perform admin-on-behalf actions, and ensure these events are auditable.
- Prioritize least-privilege access and periodic review for external and delegated administrative relationships.
- Ensure incident response playbooks include investigation of consent grants, role changes, and downstream privileged actions tied to external sessions.
- Confirm log retention and correlation capability for Identity Provider audit evidence needed during investigations and compliance reviews.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for the Identity Provider platform. Its main value is the behavioral chain described in the official description: external or delegated access, elevation or consent, and privileged tenant activity. No relationship context, tactics, aliases, or formal detection text were supplied.
This take is limited to the official STIX fields, external reference, and empty relationship context provided. It does not establish active exploitation, attribution, specific product coverage, or guaranteed detection. Local identity architecture, logging configuration, delegated administration model, and consent governance must be reviewed to determine actual exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ac0bfee3d801… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1347
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.