AN1374: Analytic 1374
Detects disabling AAA, syslog, SNMP traps, ACL logging, or security features on routers/switches/firewalls; correlates privileged login followed by configuration commit reducing visibility.
Analyst context for executives and security teams
This analytic is about spotting when someone with privileged access changes network device configuration in a way that reduces security visibility or enforcement, such as disabling AAA, syslog, SNMP traps, ACL logging, or security features on routers, switches, and firewalls. For leaders, the value is not just detecting a config change; it is preserving the evidence and controls needed to investigate incidents, prove compliance, and keep critical network operations resilient.
Executive priority
Prioritize this as a control-assurance and incident-readiness issue for network infrastructure. If logging, authentication/accounting, or security features can be disabled without rapid detection, the organization may lose visibility at the exact moment it needs it most. Executives should ask whether privileged network-device changes are independently logged, reviewed, and alertable, and whether audit evidence survives if a device’s own logging is reduced.
Technical view
For SOC, detection engineering, and IR teams, validate correlation between privileged login to network devices and subsequent configuration commits that reduce monitoring or enforcement. The supplied platform scope is Network Devices, specifically routers, switches, and firewalls. Because ATT&CK does not provide a separate detection field here, implementation should be based on the official description: identify configuration changes affecting AAA, syslog, SNMP traps, ACL logging, or security features, then correlate those changes with recent privileged authentication or session activity.
Likely telemetry
- Network device authentication and authorization logs, especially privileged logins
- Configuration change or commit logs from routers, switches, and firewalls
- AAA accounting records where available
- Syslog records forwarded to an external collector
- SNMP trap configuration and trap delivery events
Detection direction
- Confirm that network device configuration changes are exported to a system that remains available even if local device logging is disabled.
- Build or validate logic that flags configuration commits reducing AAA, syslog, SNMP traps, ACL logging, or security features after privileged login activity.
- Tune against approved maintenance windows and documented change tickets to reduce false positives while preserving alerts for unplanned visibility reduction.
- Check for blind spots where device logs are only stored locally, where configuration diffs are not retained, or where privileged sessions are not tied to individual identities.
- Because no ATT&CK relationship context or tactic is supplied, avoid over-mapping this analytic to a specific intrusion phase without local evidence.
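A worked example of the correlation described in the technical view and the detection direction above, written for this page as an illustration and not part of the ATT&CK analytic, MITRE's material, or any Glexia code. It parses constructed IOS-style syslog lines (message shapes modelled on Cisco's LOGIN_SUCCESS and CFGLOG_LOGGEDCMD events; every host, user, address and timestamp is made up), classifies configuration commands that reduce visibility, ties each one to the most recent privileged login on the same device within a window, and suppresses hits that fall inside an approved maintenance window with a change ticket. The command regexes, the 30-minute window and the maintenance table are assumptions to be replaced with local syntax and change-management data.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed, IOS-style syslog lines. Hosts, users, addresses and times are made up;
# the message shapes are modelled on Cisco LOGIN_SUCCESS / CFGLOG_LOGGEDCMD events.
SAMPLE_LOGS = [
    "2024-05-01T10:00:05Z core-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 10.0.0.5] [localport: 22]",
    "2024-05-01T10:00:20Z core-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:alice logged command:no logging host 10.0.0.50",
    "2024-05-01T10:00:25Z core-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:alice logged command:no snmp-server enable traps",
    "2024-05-01T11:30:00Z edge-fw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 10.0.0.7] [localport: 22]",
    "2024-05-01T11:31:00Z edge-fw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:bob logged command:interface GigabitEthernet0/1",
    "2024-05-01T13:00:00Z dist-sw2 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-netops logged command:no aaa new-model",
    "2024-05-01T02:05:00Z dist-sw3 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: carol] [Source: 10.0.0.9] [localport: 22]",
    "2024-05-01T02:06:00Z dist-sw3 %PARSER-5-CFGLOG_LOGGEDCMD: User:carol logged command:no logging trap",
]

# Constructed approved maintenance windows: (device, start, end, change ticket).
MAINTENANCE_WINDOWS = [
    ("dist-sw3", "2024-05-01T02:00:00Z", "2024-05-01T03:00:00Z", "CHG-EXAMPLE-0001"),
]

# Commands that reduce monitoring or enforcement (illustrative IOS-style syntax; assumption).
# ACL logging is usually removed by rewriting an ACE without the "log" keyword, which a
# command-level matcher cannot see; that case is better caught by a configuration diff.
VISIBILITY_REDUCING = {
    "aaa":         re.compile(r"^no\s+aaa\b"),
    "syslog":      re.compile(r"^no\s+logging\b"),
    "snmp_traps":  re.compile(r"^no\s+snmp-server\s+(enable\s+traps|host)\b"),
    "acl_logging": re.compile(r"^no\s+ip\s+access-list\s+log"),
}

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%SEC_LOGIN-5-LOGIN_SUCCESS:.*\[user:\s*(?P<user>[^\]]+)\]")
CMD_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%PARSER-5-CFGLOG_LOGGEDCMD:\s*User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return a normalised event dict for login or config-command lines, else None."""
    m = LOGIN_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "kind": "login",
                "user": m["user"].strip()}
    m = CMD_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "kind": "cmd",
                "user": m["user"], "cmd": m["cmd"].strip()}
    return None


def classify(cmd):
    """Name the visibility/enforcement category a command reduces, or None."""
    for category, rx in VISIBILITY_REDUCING.items():
        if rx.match(cmd):
            return category
    return None


def maintenance_ticket(host, ts):
    """Return the change ticket if (host, ts) falls inside an approved window."""
    for device, start, end, ticket in MAINTENANCE_WINDOWS:
        if device == host and parse_ts(start) <= ts <= parse_ts(end):
            return ticket
    return None


def correlate(lines, window=timedelta(minutes=30)):
    """Flag visibility-reducing commits and tie each to the latest privileged login."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    last_login = {}   # (host, user) -> time of the most recent login on that device
    alerts = []
    for ev in events:
        if ev["kind"] == "login":
            last_login[(ev["host"], ev["user"])] = ev["ts"]
            continue
        category = classify(ev["cmd"])
        if category is None:
            continue
        login_ts = last_login.get((ev["host"], ev["user"]))
        correlated = login_ts is not None and ev["ts"] - login_ts <= window
        ticket = maintenance_ticket(ev["host"], ev["ts"])
        alerts.append({
            "host": ev["host"], "user": ev["user"], "ts": ev["ts"].isoformat(),
            "cmd": ev["cmd"], "category": category,
            "correlated_login": correlated,  # False = commit not tied to an observed login (blind spot)
            "suppressed_by": ticket,         # change ticket when inside a maintenance window
            "severity": "suppressed" if ticket else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the constructed input this yields four hits: two on core-rtr1 tied to alice's login seconds earlier, one on dist-sw2 where no login was ever seen for the service account (kept at high severity and marked as an attribution gap rather than discarded, which is the blind spot the direction list warns about), and one on dist-sw3 suppressed by the maintenance ticket. In production the login and command streams would arrive from an external collector, not from the device being altered.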
Mitigation priorities
- Require centralized, tamper-resistant collection of network device logs and configuration change records.
- Enforce individual privileged accountability for network device administration through AAA and change approval workflows.
- Maintain configuration backups or diffs so visibility-reducing changes can be confirmed and reversed quickly.
- Review administrative permissions for routers, switches, and firewalls to ensure only authorized roles can alter logging, AAA, ACL logging, SNMP trap, or security-feature settings.
- Test incident response playbooks for scenarios where a network device’s own telemetry is degraded or disabled.
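To make the "maintain configuration backups or diffs" item concrete, the following is an added example written for this page (not Glexia's, MITRE's or any vendor's code). It compares an off-device golden baseline against a freshly pulled running configuration and reports every visibility-related line that disappeared, including an ACE whose `log` keyword was dropped, which a command-level log matcher cannot see. Both configuration fragments are constructed IOS-style text with placeholder addresses and community string; the watched-line patterns are assumptions to adapt to the platforms in scope.

```python
import re

# Constructed IOS-style configuration fragments; not taken from any real device.
# Addresses and the SNMP community string are placeholders.
BASELINE_CONFIG = """\
hostname core-rtr1
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
logging host 10.0.0.50
logging trap informational
snmp-server host 10.0.0.51 version 2c EXAMPLE-COMMUNITY
snmp-server enable traps config
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22 log
 deny ip any any log
"""

RUNNING_CONFIG = """\
hostname core-rtr1
aaa new-model
aaa authentication login default group tacacs+ local
logging trap informational
snmp-server host 10.0.0.51 version 2c EXAMPLE-COMMUNITY
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any log
"""

# Lines whose removal reduces visibility or enforcement (illustrative patterns; assumption).
WATCHED = [
    ("aaa",         re.compile(r"^aaa\s+(new-model|authentication|authorization|accounting)\b")),
    ("syslog",      re.compile(r"^logging\s+(host|trap|buffered)\b")),
    ("snmp_traps",  re.compile(r"^snmp-server\s+(host|enable\s+traps)\b")),
    ("acl_logging", re.compile(r"^(permit|deny)\b.*\blog(-input)?$")),
]


def watched_lines(config_text):
    """Map each visibility-related configuration line (whitespace-stripped) to its category."""
    result = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        for category, rx in WATCHED:
            if rx.match(line):
                result[line] = category
                break
    return result


def visibility_regressions(baseline_text, candidate_text):
    """Return sorted (category, line) pairs for watched baseline lines absent from the candidate.

    Simplification: lines are compared as a flat set, so ACL context is lost; two ACLs
    containing an identical logged ACE would be treated as one line.
    """
    candidate = {raw.strip() for raw in candidate_text.splitlines()}
    return sorted((cat, line) for line, cat in watched_lines(baseline_text).items()
                  if line not in candidate)


if __name__ == "__main__":
    for category, line in visibility_regressions(BASELINE_CONFIG, RUNNING_CONFIG):
        print(f"{category:12s} removed: {line}")
```

The baseline must be stored and compared off the device: once a device's own logging or accounting has been reduced, nothing it reports about itself should be treated as the record of what changed. The sorted output gives a stable list that can be attached to a ticket or used to drive a rollback.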
Analyst notes and limits
This object is a detection analytic, not a technique description. Its practical value is in validating whether privileged network-device configuration changes that reduce visibility are independently observable and actionable. The absence of supplied relationships means local teams should connect this analytic to their own threat models, compliance requirements, and network operations processes.
The official detection field is not provided, tactics are not specified, and no relationship context is supplied. This take uses only the official description, platform, external reference, and object metadata. Local device types, configuration syntax, logging architecture, and change-management data are required to implement and tune the analytic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9d9a1e9ccac5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1374
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.