Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1607: Analytic 1607

Adversary creates users via IAM/IdP API or portal (e.g., Azure AD, Okta). Detection involves monitoring API calls, admin action logs, and correlation with role assignments.

EnterpriseAN1607AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because unauthorized user creation in an identity provider can become a durable access path into business systems. For leaders, the key issue is not just whether the organization has an IAM or IdP platform, but whether user-creation events are visible, reviewed, and correlated with follow-on privilege or role assignments.

Executive priority

Prioritize this as an identity governance and incident-readiness control point. Executives should ask whether new account creation in the IdP is logged, monitored, retained, and explainable for audit and incident response. The business risk is that a newly created identity may bypass normal onboarding controls and later receive access to sensitive applications if role assignment monitoring is weak.

Technical view

For SOC, detection engineering, and IR teams, validate visibility into IAM/IdP API and portal-driven user creation events on Identity Provider platforms. Because the supplied ATT&CK object does not include a formal detection section or tactics, teams should treat this as a detection validation requirement: confirm collection of API calls, administrative action logs, and correlation between account creation and subsequent role or group assignments. Investigations should distinguish expected provisioning workflows from unusual administrative activity.

Likely telemetry

  • Identity provider administrative audit logs
  • IAM/IdP API call logs for user creation
  • Portal-based admin action logs
  • User lifecycle/provisioning records
  • Role, group, or application assignment events following account creation

Detection direction

  • Validate that all user creation paths are logged, including API-based and portal-based workflows.
  • Correlate new user creation with near-term role, group, or application assignments.
  • Tune detections against approved HR, IT service management, and automated provisioning workflows to reduce false positives.
  • Review whether service accounts, break-glass administrators, or delegated admins can create users without comparable monitoring.
  • Confirm log retention is sufficient for incident response and compliance evidence.

Mitigation priorities

  • Restrict who can create users in the identity provider using least-privilege administration.
  • Require governance around account provisioning and privileged role assignment.
  • Monitor and review administrative user-creation activity regularly.
  • Ensure IdP audit logs are centralized for SOC and incident response use.
  • Test incident response procedures for suspicious identity creation and follow-on access assignment.
Analyst notes and limits

The object is a MITRE ATT&CK detection analytic, AN1607, focused on adversary-created users through IAM/IdP APIs or portals such as Azure AD or Okta examples in the official description. The strongest relationship-driven context is unavailable because no relationships were supplied.

Official detection content is not provided, tactics are not specified, and no relationship context is supplied. This take is therefore limited to the official description, platform field, and external reference. Local IdP configuration, provisioning architecture, and log availability are required to determine actual coverage.

Official MITRE ATT&CK definition

Analytic 1607

Adversary creates users via IAM/IdP API or portal (e.g., Azure AD, Okta). Detection involves monitoring API calls, admin action logs, and correlation with role assignments.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
3e10d7240d9c3061...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 3e10d7240d9c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1607
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use