AN1479: Analytic 1479

Detects rogue or suspicious wireless access attempts by monitoring firewall, WIDS/WIPS, and controller logs. Focus is on firewall rule changes, rogue AP detection, and anomalous MAC addresses connecting to access points.

EnterpriseAN1479AnalyticObject v1.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

This analytic matters because unauthorized or suspicious wireless access can bypass expected network entry points and create unmanaged paths into the business. For leaders, the key decision is whether wireless infrastructure, firewall changes, and controller activity are visible enough for the SOC to distinguish normal access from rogue access points or anomalous devices.

Executive priority

Prioritize this where wireless networks support business operations, guest access, branch connectivity, or sensitive environments. The executive question is not just whether wireless controls exist, but whether firewall, WIDS/WIPS, and controller evidence can support timely investigation, audit evidence, and incident decisions when a suspicious access point or unknown MAC address appears.

Technical view

Validate monitoring across Network Devices with emphasis on firewall rule changes, WIDS/WIPS rogue AP detections, wireless controller logs, and anomalous MAC addresses connecting to access points. Because ATT&CK provides no separate detection logic or relationship context for this analytic, teams should define local baselines for approved access points, expected MAC address patterns, authorized controller changes, and normal wireless-to-firewall behavior.

Likely telemetry

Firewall configuration and rule change logs
WIDS/WIPS alerts for rogue or suspicious access points
Wireless LAN controller association and authentication logs
Access point connection logs showing MAC addresses and connection metadata
Network device administrative change logs

Detection direction

Confirm that firewall, WIDS/WIPS, and wireless controller logs are actually collected, time-synchronized, and retained for investigation.
Tune detections around unauthorized firewall rule changes, rogue AP alerts, and anomalous MAC addresses connecting to access points.
Maintain an approved inventory of access points, controllers, and expected administrative change windows to reduce false positives.
Correlate wireless events with network device administration events so suspicious wireless access is not reviewed in isolation.
Watch for blind spots in unmanaged branch sites, guest wireless, temporary access points, or locations where WIDS/WIPS coverage is incomplete.

Mitigation priorities

Establish and maintain an authorized inventory of wireless access points and controllers.
Require controlled change management for firewall and wireless configuration changes.
Deploy and operationalize WIDS/WIPS or equivalent monitoring where wireless risk is material.
Ensure SOC runbooks define escalation paths for rogue AP detection, anomalous MAC activity, and unexpected firewall rule changes.
Periodically test whether wireless and network device telemetry supports incident response and compliance evidence needs.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Network Devices focused on suspicious wireless access attempts. It identifies relevant evidence sources but does not provide detailed detection logic, tactics, linked techniques, or relationship context. Local asset inventory and wireless architecture are required to make this actionable.

Official detection content was not provided, and no relationships were supplied. This take should not be interpreted as proof of coverage or exposure; validation depends on the organization’s wireless deployment, logging configuration, retention, and SOC correlation rules.

Official MITRE ATT&CK definition

Analytic 1479

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 004dca44a3eb711d...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`004dca44a3eb…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1479
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use