@blamejs/exceptd-skills 0.12.27 → 0.12.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (30) hide show
  1. package/AGENTS.md +3 -0
  2. package/CHANGELOG.md +22 -0
  3. package/data/_indexes/_meta.json +22 -19
  4. package/data/_indexes/activity-feed.json +26 -5
  5. package/data/_indexes/catalog-summaries.json +3 -3
  6. package/data/_indexes/chains.json +994 -64
  7. package/data/_indexes/currency.json +28 -1
  8. package/data/_indexes/frequency.json +428 -124
  9. package/data/_indexes/handoff-dag.json +70 -19
  10. package/data/_indexes/jurisdiction-map.json +37 -12
  11. package/data/_indexes/section-offsets.json +282 -0
  12. package/data/_indexes/stale-content.json +2 -2
  13. package/data/_indexes/summary-cards.json +198 -0
  14. package/data/_indexes/token-budget.json +168 -3
  15. package/data/_indexes/trigger-table.json +190 -0
  16. package/data/_indexes/xref.json +145 -2
  17. package/data/attack-techniques.json +104 -19
  18. package/data/framework-control-gaps.json +498 -11
  19. package/data/playbooks/cloud-iam-incident.json +1351 -0
  20. package/data/playbooks/idp-incident.json +1259 -0
  21. package/data/playbooks/ransomware.json +1407 -0
  22. package/data/rfc-references.json +44 -0
  23. package/manifest-snapshot.json +219 -2
  24. package/manifest-snapshot.sha256 +1 -1
  25. package/manifest.json +282 -41
  26. package/package.json +1 -1
  27. package/sbom.cdx.json +7 -7
  28. package/skills/cloud-iam-incident/skill.md +419 -0
  29. package/skills/idp-incident-response/skill.md +352 -0
  30. package/skills/ransomware-response/skill.md +374 -0
package/data/playbooks/idp-incident.json ADDED
@@ -0,0 +1,1259 @@
1
+ {
2
+ "_meta": {
3
+ "id": "idp-incident",
4
+ "version": "1.0.0",
5
+ "last_threat_review": "2026-05-15",
6
+ "threat_currency_score": 95,
7
+ "changelog": [
8
+ {
9
+ "version": "1.0.0",
10
+ "date": "2026-05-15",
11
+ "summary": "Initial seven-phase identity-provider incident-response playbook covering Okta / Entra ID / Auth0 / Ping / OneLogin tenant compromise, federated-trust abuse, OAuth app consent abuse, and the Midnight Blizzard / Scattered Spider TTPs against IdP control-plane. Walks the tenant's audit-log API + consent inventory + federated-trust configuration + privileged-role assignments + service-account state + management-API-token inventory to surface compromise indicators; closes the GRC loop with IdP-specific framework gap mapping (NIST IA-5 federated lag, ISO A.5.16/A.5.17 federated lag, SOC 2 CC6 OAuth-consent lag, UK CAF B2 tenant-plane lag, AU ISM-1559 IdP-plane lag) and jurisdiction-aware notification drafts.",
12
+ "framework_gaps_updated": [
13
+ "NIST-800-53-IA-5-Federated",
14
+ "ISO-27001-2022-A.5.16-Federated",
15
+ "SOC2-CC6-OAuth-Consent",
16
+ "UK-CAF-B2-IdP-Tenant",
17
+ "AU-ISM-1559-IdP",
18
+ "NIS2-Art-21-Federated-Identity",
19
+ "DORA-Art-19-IdP-4h"
20
+ ]
21
+ }
22
+ ],
23
+ "owner": "@blamejs/grc",
24
+ "air_gap_mode": false,
25
+ "scope": "service",
26
+ "preconditions": [
27
+ {
28
+ "id": "idp-audit-api-reachable",
29
+ "description": "The IdP tenant's audit-log API must be reachable from the operator's investigation environment (Okta /api/v1/logs, Entra ID /auditLogs/signIns + /auditLogs/directoryAudits via Graph, Auth0 /api/v2/logs, Ping /environments/{id}/auditTrails, OneLogin /api/2/events).",
30
+ "check": "idp_audit_api_reachable == true",
31
+ "on_fail": "halt"
32
+ },
33
+ {
34
+ "id": "tenant-admin-rbac",
35
+ "description": "Operator must hold a Super Admin / Global Administrator / Tenant Owner / Read-only Admin role sufficient to enumerate consent grants, federated-trust configuration, and privileged-role assignments without exposing additional attack surface during the IR.",
36
+ "check": "operator_has_idp_admin == true",
37
+ "on_fail": "halt"
38
+ },
39
+ {
40
+ "id": "tenant-ownership",
41
+ "description": "The operator must own the tenant under investigation (or hold explicit written authorisation from the tenant owner). IdP-incident response touches authentication state for every downstream service.",
42
+ "check": "tenant_ownership_attested == true",
43
+ "on_fail": "halt"
44
+ }
45
+ ],
46
+ "mutex": [],
47
+ "feeds_into": [
48
+ {
49
+ "playbook_id": "cred-stores",
50
+ "condition": "analyze.blast_radius_score >= 4"
51
+ },
52
+ {
53
+ "playbook_id": "framework",
54
+ "condition": "analyze.compliance_theater_check.verdict == 'theater'"
55
+ }
56
+ ]
57
+ },
58
+ "domain": {
59
+ "name": "Identity-provider tenant compromise + federated-trust abuse + OAuth consent abuse",
60
+ "attack_class": "identity-abuse",
61
+ "atlas_refs": [],
62
+ "attack_refs": [
63
+ "T1078.004",
64
+ "T1556.007",
65
+ "T1098.001",
66
+ "T1606.002",
67
+ "T1199"
68
+ ],
69
+ "cve_refs": [
70
+ "CVE-2024-1709",
71
+ "CVE-2023-3519",
72
+ "CVE-2026-30615"
73
+ ],
74
+ "cwe_refs": [
75
+ "CWE-287",
76
+ "CWE-863",
77
+ "CWE-269",
78
+ "CWE-284",
79
+ "CWE-522",
80
+ "CWE-345"
81
+ ],
82
+ "d3fend_refs": [
83
+ "D3-MFA",
84
+ "D3-CBAN",
85
+ "D3-NTA",
86
+ "D3-IOPR"
87
+ ],
88
+ "frameworks_in_scope": [
89
+ "nist-800-53",
90
+ "iso-27001-2022",
91
+ "soc2",
92
+ "nis2",
93
+ "dora",
94
+ "uk-caf",
95
+ "au-ism",
96
+ "au-essential-8",
97
+ "hipaa"
98
+ ]
99
+ },
100
+ "phases": {
101
+ "govern": {
102
+ "jurisdiction_obligations": [
103
+ {
104
+ "jurisdiction": "EU",
105
+ "regulation": "GDPR Art.33",
106
+ "obligation": "notify_regulator",
107
+ "window_hours": 72,
108
+ "clock_starts": "detect_confirmed",
109
+ "evidence_required": [
110
+ "idp_audit_log_excerpt",
111
+ "data_subject_impact_assessment",
112
+ "containment_record"
113
+ ]
114
+ },
115
+ {
116
+ "jurisdiction": "EU",
117
+ "regulation": "GDPR Art.34",
118
+ "obligation": "notify_affected_individuals",
119
+ "window_hours": 72,
120
+ "clock_starts": "analyze_complete",
121
+ "evidence_required": [
122
+ "data_subject_categories_affected",
123
+ "containment_record"
124
+ ]
125
+ },
126
+ {
127
+ "jurisdiction": "EU",
128
+ "regulation": "NIS2 Art.23",
129
+ "obligation": "notify_regulator",
130
+ "window_hours": 24,
131
+ "clock_starts": "detect_confirmed",
132
+ "evidence_required": [
133
+ "idp_audit_log_excerpt",
134
+ "exposure_window_estimate",
135
+ "rotation_status"
136
+ ]
137
+ },
138
+ {
139
+ "jurisdiction": "EU",
140
+ "regulation": "DORA Art.19",
141
+ "obligation": "notify_regulator",
142
+ "window_hours": 4,
143
+ "clock_starts": "detect_confirmed",
144
+ "evidence_required": [
145
+ "idp_audit_log_excerpt",
146
+ "affected_critical_or_important_functions",
147
+ "containment_record"
148
+ ]
149
+ },
150
+ {
151
+ "jurisdiction": "UK",
152
+ "regulation": "UK GDPR Art.33",
153
+ "obligation": "notify_regulator",
154
+ "window_hours": 72,
155
+ "clock_starts": "detect_confirmed",
156
+ "evidence_required": [
157
+ "idp_audit_log_excerpt",
158
+ "data_subject_impact_assessment"
159
+ ]
160
+ },
161
+ {
162
+ "jurisdiction": "US-NY",
163
+ "regulation": "NYDFS 23 NYCRR 500.17",
164
+ "obligation": "notify_regulator",
165
+ "window_hours": 72,
166
+ "clock_starts": "detect_confirmed",
167
+ "evidence_required": [
168
+ "idp_audit_log_excerpt",
169
+ "containment_record",
170
+ "ciso_certification_status"
171
+ ]
172
+ },
173
+ {
174
+ "jurisdiction": "US-CA",
175
+ "regulation": "CCPA / CPRA Sec.1798.82",
176
+ "obligation": "notify_affected_individuals",
177
+ "window_hours": 1440,
178
+ "clock_starts": "analyze_complete",
179
+ "evidence_required": [
180
+ "california_resident_records_affected",
181
+ "containment_record"
182
+ ]
183
+ },
184
+ {
185
+ "jurisdiction": "AU",
186
+ "regulation": "Privacy Act 1988 — Notifiable Data Breaches scheme (s26WK)",
187
+ "obligation": "notify_regulator",
188
+ "window_hours": 720,
189
+ "clock_starts": "analyze_complete",
190
+ "evidence_required": [
191
+ "idp_audit_log_excerpt",
192
+ "australian_resident_records_affected",
193
+ "remediation_completed_evidence"
194
+ ]
195
+ }
196
+ ],
197
+ "theater_fingerprints": [
198
+ {
199
+ "pattern_id": "okta-mfa-as-compromise-proof",
200
+ "claim": "Okta MFA is enforced on every login, so the tenant cannot be compromised.",
201
+ "fast_detection_test": "Pull the last 90 days of admin-audit events and filter for AuthenticatorEnrollment, FactorReset, FactorBypass, and policy-change events on the MFA policy itself. Help-desk-mediated factor reset (Scattered Spider 2023-2026 TTP) leaves the user-facing MFA policy unchanged while replacing the factor under operator control. If any factor-reset event lacks a paired help-desk ticket or out-of-band identity-verification record, the MFA-enforced claim is paper compliance only.",
202
+ "implicated_controls": [
203
+ "nist-800-53-IA-5",
204
+ "iso-27001-2022-A.5.17",
205
+ "soc2-cc6.1",
206
+ "au-essential-8-Strategy-4"
207
+ ]
208
+ },
209
+ {
210
+ "pattern_id": "sso-as-identity-hygiene-complete",
211
+ "claim": "We use SSO across every SaaS, so identity hygiene is complete.",
212
+ "fast_detection_test": "Enumerate every OAuth app consent in the tenant (Entra ID enterprise applications, Okta OAuth grants, Auth0 client applications). Any consent grant from a non-corporate tenant, any grant with /.default or wildcard scope, any grant whose publisher is unverified, any consent that survived a previous SSO migration is a structural finding regardless of SSO posture. SSO authenticates users; consent grants federate scope and frequently survive identity-hygiene programmes invisibly.",
213
+ "implicated_controls": [
214
+ "nist-800-53-AC-2",
215
+ "iso-27001-2022-A.5.16",
216
+ "soc2-cc6.1"
217
+ ]
218
+ },
219
+ {
220
+ "pattern_id": "quarterly-consent-review-as-control",
221
+ "claim": "We review OAuth consent grants quarterly.",
222
+ "fast_detection_test": "Midnight Blizzard's January 2024 Entra ID campaign used a residential proxy + password spray to compromise a non-MFA test tenant, then escalated via a legacy OAuth application's privileged Graph scope. Time-to-exfil was measured in days; quarterly cadence cannot detect this. The acceptable cadence is continuous (alert on new consent grants with high-risk scope or unverified publisher) plus quarterly review. Pull the consent-grant log for the last 90 days and time the gap between grant timestamp and review timestamp — any gap above 24 hours for a high-privilege scope grant is theater.",
223
+ "implicated_controls": [
224
+ "soc2-cc6.1",
225
+ "iso-27001-2022-A.5.16",
226
+ "nist-800-53-AC-6"
227
+ ]
228
+ },
229
+ {
230
+ "pattern_id": "break-glass-never-used-as-secure",
231
+ "claim": "The break-glass / emergency-access account has never been used, so it is by definition secure.",
232
+ "fast_detection_test": "An IdP break-glass account that has never authenticated is also an account whose MFA enrolment state, password policy compliance, and audit-log alerting have never been exercised. Pull the break-glass account's last-sign-in timestamp, MFA factors, conditional-access exclusions, and audit-log alert configuration. If conditional access excludes the account from MFA AND no alert fires on break-glass authentication AND password age exceeds rotation policy, the account is a backdoor, not a control.",
233
+ "implicated_controls": [
234
+ "nist-800-53-IA-5",
235
+ "iso-27001-2022-A.5.17",
236
+ "au-ism-1559"
237
+ ]
238
+ },
239
+ {
240
+ "pattern_id": "federated-trust-set-once-trusted-forever",
241
+ "claim": "Our SAML / OIDC federation with partner X was set up by the security team and is reviewed annually.",
242
+ "fast_detection_test": "Federated-trust configuration is the highest-leverage IdP control-plane object: a malicious SAML IdP or a tampered token-signing certificate allows the attacker to mint authentic tokens for any user in the tenant. Pull every federated-trust configuration (Entra cross-tenant access settings, Okta org-to-org federation, Auth0 enterprise connections, Ping environment federations). For each, check token-signing certificate fingerprint vs the expected partner fingerprint, claim transformation rules vs documented expectation, and last-modification timestamp + actor. Any unexplained modification within the last 90 days is a structural finding."
243
+ },
244
+ {
245
+ "pattern_id": "service-account-mfa-exempt-as-design",
246
+ "claim": "Service accounts are MFA-exempt by design because automation cannot prompt for MFA.",
247
+ "fast_detection_test": "Service-account credentials are the dominant IdP pivot in 2024-2026 IR data — Snowflake-via-stolen-Okta-service-account 2024 is the public reference. Pull every service account (Okta API service users, Entra ID workload identities, Auth0 M2M apps, Ping worker apps). Validate that each holds a scoped client-credentials flow OR a workload identity federation (no static secret), that token TTL is bounded, that source-IP allowlist is configured, and that last-rotation date is within policy. Any service account with a static secret older than 90 days, no IP allowlist, and broad scope is theater compliance against the 'MFA enforced' attestation."
248
+ },
249
+ {
250
+ "pattern_id": "ip-allowlist-as-compensating-control",
251
+ "claim": "Admin access is restricted to corporate IPs via conditional access.",
252
+ "fast_detection_test": "Residential-proxy + password-spray (Midnight Blizzard 2024) defeats corporate-IP allowlist only when the corporate-IP rule includes split-tunnel VPN exits. Pull the conditional-access policy targeting admin roles and list every IP range it permits. Cross-reference against the current VPN egress range AND any documented bring-your-own-device exception. Any range whose ownership cannot be attested in writing to the corporate network team is an attack-surface gap."
253
+ }
254
+ ],
255
+ "framework_context": {
256
+ "gap_summary": "Identity-provider tenant compromise is the dominant 2023-2026 cloud-incident root cause: Okta's October 2023 support-system breach exposed customer HAR files with session tokens; Microsoft's January 2024 Midnight Blizzard incident saw a Russian state actor compromise a legacy non-MFA test tenant and escalate via OAuth-app consent abuse to corporate-mail exfiltration; the Snowflake credential-database compromise 2024 hit AT&T / Ticketmaster / Santander through stolen IdP service-account credentials; Scattered Spider's 2023-2026 campaigns against MGM, Caesars, Twilio, and dozens of others use help-desk social engineering to mint replacement MFA factors. The framework controls that purport to govern this surface — NIST 800-53 IA-5 (Authenticator Management), ISO/IEC 27001:2022 A.5.16 + A.5.17 (Identity Management + Authentication Information), SOC 2 CC6.x (Logical and Physical Access Controls), UK CAF Principle B2 (Identity and Access Control), AU Essential 8 Strategy 4 (MFA), AU ISM-1559 (Privileged Account Credential Management), and NIS2 Art.21(2)(j) (cryptography + access control) — were authored under a model where the IdP tenant itself is a trust anchor: the framework's evidence surface stops at the IdP's published authentication outcomes (was MFA required, was the session authenticated, did the role assignment match policy) and does not extend to the IdP's control plane (who modified the federated-trust configuration, who issued an OAuth consent to which app, who rotated the token-signing certificate). The result is that an attacker with IdP-control-plane access produces audit trails that are fully compliant against every relevant framework, because the framework's evidence model treats the IdP as oracle.",
257
+ "lag_score": 60,
258
+ "per_framework_gaps": [
259
+ {
260
+ "framework": "nist-800-53",
261
+ "control_id": "IA-5 (federated)",
262
+ "designed_for": "Authenticator management — issuance, distribution, storage, revocation of authenticator material.",
263
+ "insufficient_because": "IA-5 reaches authenticator material in storage and distribution. It does not reach federated-trust modification (token-signing certificate rotation, claim-transformation rule changes, OIDC discovery-document tampering) at the IdP control plane. Audit evidence that satisfies IA-5 is a quarterly snapshot of authenticator inventory; an attacker who modifies the federation in week 5 produces eight weeks of compliant audit trail before the next snapshot."
264
+ },
265
+ {
266
+ "framework": "iso-27001-2022",
267
+ "control_id": "A.5.16 + A.5.17",
268
+ "designed_for": "Identity management + authentication information (static identity lifecycle and credential protection).",
269
+ "insufficient_because": "A.5.16/A.5.17 cover static identity state (was the account provisioned, was the password rotated, was MFA enrolled). They do not name federated-state transitions (OAuth consent grants, federated-trust configuration changes, cross-tenant access settings) as a distinct control class. An ISO 27001:2022 audit can pass with zero evidence on the federated state."
270
+ },
271
+ {
272
+ "framework": "soc2",
273
+ "control_id": "CC6 (OAuth consent)",
274
+ "designed_for": "Logical and physical access controls — authentication, authorization, and access controls for human users and service accounts.",
275
+ "insufficient_because": "CC6 treats the authenticated session as the access boundary. OAuth consent grants to a third-party app federate scope outside the authenticated-session boundary; the consenting user authenticated correctly, the third-party app's onward calls are authorized by the consent grant, and CC6 evidence shows nothing anomalous. The dominant 2024-2026 IdP-pivot pattern (Midnight Blizzard's app-consent escalation) is invisible to CC6 audit evidence."
276
+ },
277
+ {
278
+ "framework": "uk-caf",
279
+ "control_id": "B2.b",
280
+ "designed_for": "NCSC CAF outcome — identity and access control, including consent management for third-party access.",
281
+ "insufficient_because": "B2.b is an outcome-based test (does the essential function effectively manage identity and access?). The outcome is assessed against the IdP tenant's published authentication outcomes; the IdP-tenant control-plane (who can modify the tenant configuration itself) is outside the outcome's typical evidence surface. A compromised tenant continues to produce compliant outcomes until the attacker abandons stealth."
282
+ },
283
+ {
284
+ "framework": "au-ism",
285
+ "control_id": "ISM-1559",
286
+ "designed_for": "Privileged account credential management — storage, rotation, monitoring of privileged credentials.",
287
+ "insufficient_because": "ISM-1559 reaches privileged credentials at the system layer (admin password vault, server-side admin accounts). It does not reach IdP-tenant control-plane operations (modifying federated trust, granting tenant-wide application permissions, rotating the token-signing certificate). The IdP tenant is the privileged-credential source-of-truth for every downstream system; ISM-1559 audits the downstream systems and treats the IdP tenant as oracle."
288
+ },
289
+ {
290
+ "framework": "au-ism",
291
+ "control_id": "ISM-1546",
292
+ "designed_for": "Multi-factor authentication for privileged users and remote access.",
293
+ "insufficient_because": "ISM-1546 covers human-initiated authentication. IdP-tenant control-plane operations are frequently performed by management-API tokens (Okta API tokens, Entra ID app secrets, Auth0 management API tokens) that never cross the human-MFA gate. A leaked management API token grants identical blast radius without ever triggering ISM-1546's evidence path."
294
+ },
295
+ {
296
+ "framework": "nis2",
297
+ "control_id": "Art.21(2)(j)",
298
+ "designed_for": "Cryptography and access-control measures — including the use of multi-factor authentication.",
299
+ "insufficient_because": "Art.21(2)(j) names cryptography and access-control as required risk-management measures; the supporting implementing acts and ENISA reference frameworks specify what evidence regulators accept. Federated-identity control-plane operations (consent grants, federated-trust changes, signing-key rotation) are not enumerated in current implementing-act guidance. IdP-provider tenants serving essential entities are in scope but the evidence model lags."
300
+ },
301
+ {
302
+ "framework": "dora",
303
+ "control_id": "Art.19 (4h IdP)",
304
+ "designed_for": "Major-ICT-related-incident notification — initial notification within 4 hours, intermediate report within 72 hours, final report within one month.",
305
+ "insufficient_because": "DORA names the 4-hour clock but does not specify IdP-tenant compromise as a distinct incident class; financial entities relying on a CSP-hosted IdP frequently classify IdP incidents under ICT-third-party-provider concentration risk (Art.28) and miss the Art.19 4-hour clock entirely. The IdP is the single highest-blast-radius critical ICT third-party; the framework treats it as fungible."
306
+ },
307
+ {
308
+ "framework": "au-essential-8",
309
+ "control_id": "Strategy 4 — Multi-factor authentication (E8 M.4)",
310
+ "designed_for": "MFA on privileged + internet-facing accounts.",
311
+ "insufficient_because": "E8 M.4 defends the interactive authentication flow. IdP-tenant control-plane operations performed via management API tokens, OAuth client credentials, or workload identity federation never cross the MFA gate. Compliance-theater test: count admin-action audit events over the last 30 days, partition by service-token vs human-MFA-session origin; if service tokens dominate, M.4 compliance is paper."
312
+ }
313
+ ]
314
+ },
315
+ "skill_preload": [
316
+ "idp-incident-response",
317
+ "identity-assurance",
318
+ "cred-stores"
319
+ ]
320
+ },
321
+ "direct": {
322
+ "threat_context": "Identity-provider tenants are the highest-blast-radius single object in a modern cloud estate. 2023-2026 IR data centres on five themes. (1) Okta's October 2023 customer-support breach: a stolen support-engineer credential gave the attacker read access to customer-uploaded HAR files containing valid session tokens for ~134 customer tenants, exploited downstream against 1Password, BeyondTrust, Cloudflare, and others — root cause was a personal-Google-account-stored Okta service-account credential. (2) Microsoft's January 2024 Midnight Blizzard (APT29 / Cozy Bear) Entra ID campaign: residential-proxy password-spray against a legacy non-MFA test tenant, OAuth app-consent abuse via a legacy application holding privileged Graph scope, escalation to corporate-mail exfiltration including senior leadership and the security team itself; tracked across 2024-2025 with continued breaches at HPE, others. (3) Snowflake credential-database compromise mid-2024: ~165 customer tenants hit through stolen IdP-service-account credentials and absent MFA enforcement, including AT&T's ~110M-record exposure, Ticketmaster, Santander. (4) Scattered Spider (UNC3944 / Octo Tempest / Storm-0875) help-desk social engineering: voice-impersonated calls to IT help-desk to mint replacement MFA factors, then SIM-swap fallback, then ransomware deployment — MGM (~USD 100M impact), Caesars (~USD 15M ransom paid), Twilio, Mailchimp, dozens of others 2022-2026; continues evolving in 2026 toward deepfake-voice + AI-augmented social-engineering reconnaissance. (5) 2026 Auth0 management-API token leakage class: management-API tokens with broad scope checked into IaC or CI configuration produce tenant-wide compromise paths bypassing MFA entirely. Across all five themes the IdP control plane is the primary attack surface; the framework controls treat the IdP as oracle.",
323
+ "rwep_threshold": {
324
+ "escalate": 90,
325
+ "monitor": 70,
326
+ "close": 30
327
+ },
328
+ "framework_lag_declaration": "NIST 800-53 IA-5 (Authenticator Management) and IA-2 (Identification and Authentication) do not reach federated-trust modification at the IdP control plane; IA-5 evidence is satisfied by a quarterly authenticator inventory while an attacker who modifies the federation in week 5 produces eight weeks of compliant audit trail. ISO/IEC 27001:2022 A.5.16 (Identity Management) and A.5.17 (Authentication Information) cover static identity state; they do not name federated-state transitions (OAuth consent, federated-trust modification, cross-tenant access settings). SOC 2 CC6 logical-access controls treat the authenticated session as the access boundary and are blind to consent-mediated lateral movement. UK CAF Principle B2.b is an outcome-based test against the IdP's published authentication outcomes; the IdP control plane is outside B2.b's typical evidence surface. AU Essential 8 Strategy 4 (MFA, E8 M.4) defends the interactive authentication flow; IdP-tenant control-plane operations performed by management-API tokens, OAuth client credentials, or workload identity federations never cross M.4's evidence path. AU ISM-1559 (Privileged Account Credential Management) and ISM-1546 (MFA for Privileged Users) reach privileged credentials at the system layer and the human-MFA surface respectively; both treat the IdP tenant as oracle and do not require auditable controls on the IdP tenant's own control plane. NIS2 Art.21(2)(j) names cryptography and access control as required risk-management measures but the supporting implementing-act guidance does not enumerate federated-identity control-plane operations. DORA Art.19's 4-hour major-ICT-incident clock applies — the IdP is a critical ICT third-party — but financial entities frequently classify IdP incidents under Art.28 concentration risk and miss the Art.19 clock. The aggregate gap is ~60 days between IdP control-plane attack and quarterly-cadence framework evidence; real-world adversary dwell time is days, not quarters.",
329
+ "skill_chain": [
330
+ {
331
+ "skill": "idp-incident-response",
332
+ "purpose": "IdP-specific incident-response depth — Okta / Entra / Auth0 / Ping / OneLogin tenant compromise + federated-trust abuse + OAuth consent abuse.",
333
+ "required": true
334
+ },
335
+ {
336
+ "skill": "identity-assurance",
337
+ "purpose": "AAL / IAL / FAL assurance constructs, FIDO2 / WebAuthn / phishing-resistant factor enrolment validation, federated-trust signing-key posture.",
338
+ "required": true
339
+ },
340
+ {
341
+ "skill": "cred-stores",
342
+ "purpose": "Downstream containment — rotate management-API tokens, downstream service-account credentials, session tokens; audit Vault / Secrets Manager for IdP-derived credentials.",
343
+ "required": true
344
+ },
345
+ {
346
+ "skill": "framework-gap-analysis",
347
+ "purpose": "Per-framework reconciliation of IdP-tenant control-plane coverage gaps.",
348
+ "required": true
349
+ },
350
+ {
351
+ "skill": "policy-exception-gen",
352
+ "purpose": "Generate auditor-ready exception language for IdP controls that cannot be remediated within obligation windows (e.g. coordinated federation re-keying across 50+ relying parties).",
353
+ "skip_if": "close.exception_generation.trigger_condition == false",
354
+ "required": false
355
+ }
356
+ ],
357
+ "token_budget": {
358
+ "estimated_total": 22000,
359
+ "breakdown": {
360
+ "govern": 3000,
361
+ "direct": 2000,
362
+ "look": 3000,
363
+ "detect": 3500,
364
+ "analyze": 4500,
365
+ "validate": 3500,
366
+ "close": 2500
367
+ }
368
+ }
369
+ },
370
+ "look": {
371
+ "artifacts": [
372
+ {
373
+ "id": "idp-audit-log-90d",
374
+ "type": "audit_trail",
375
+ "source": "Pull last 90 days of audit events: Okta /api/v1/logs (filter eventType eq user.session.*, user.authentication.*, application.lifecycle.*, system.org.*); Entra ID Microsoft Graph /auditLogs/directoryAudits + /auditLogs/signIns (filter for high-risk sign-ins, consent-grant events, role-assignment events, federation-config changes); Auth0 /api/v2/logs (filter for type starting with 'fs', 's', 'ss' management events); Ping /environments/{id}/auditTrails; OneLogin /api/2/events.",
376
+ "description": "Primary evidence base. Audit log carries every control-plane operation and every authentication outcome. 90-day window matches Okta default retention; longer-retention tenants should pull max-available.",
377
+ "required": true,
378
+ "air_gap_alternative": "Operator-supplied CSV or JSON export of the 90-day audit log from the IdP admin console (Okta Reports > System Log export, Entra Sign-in logs CSV, Auth0 log streaming sink)."
379
+ },
380
+ {
381
+ "id": "oauth-consent-grants",
382
+ "type": "api_response",
383
+ "source": "Enumerate active + recently-revoked OAuth app consent grants. Entra ID Microsoft Graph /servicePrincipals + /oauth2PermissionGrants + /appRoleAssignments; Okta /api/v1/apps + /api/v1/users/{id}/grants; Auth0 /api/v2/clients + /api/v2/client-grants; Ping /environments/{id}/applications; OneLogin /api/2/apps. Cross-reference against the consent-history audit-log filter from idp-audit-log-90d.",
384
+ "description": "Consent grants are the dominant 2024-2026 IdP pivot (Midnight Blizzard pattern). Enumerate publisher verification status, scope (specifically /.default, wildcard, and any scope granting tenant-wide read of mail/files/users), tenant of origin, grant timestamp.",
385
+ "required": true,
386
+ "air_gap_alternative": "Operator-supplied JSON export of enterprise applications + service principals + OAuth permission grants from the IdP admin portal."
387
+ },
388
+ {
389
+ "id": "federated-trust-config",
390
+ "type": "config_file",
391
+ "source": "Pull SAML / OIDC / WS-Fed identity-provider federation configurations. Entra ID /policies/identityProviders + /policies/crossTenantAccessPolicy/partners (cross-tenant access settings); Okta /api/v1/idps + /api/v1/org/security/federation; Auth0 /api/v2/connections (enterprise connections); Ping /environments/{id}/identityProviders; OneLogin /api/2/identity_providers. Capture token-signing certificate fingerprint, claim-transformation rules, issuer URI, last-modification timestamp + actor.",
392
+ "description": "Federated trust is the highest-leverage IdP control-plane object. A malicious or modified federation lets the attacker mint authentic tokens for any user in the tenant.",
393
+ "required": true,
394
+ "air_gap_alternative": "Operator-supplied export of identity-provider configuration from the IdP admin portal."
395
+ },
396
+ {
397
+ "id": "privileged-role-assignments",
398
+ "type": "api_response",
399
+ "source": "Enumerate every assignment to high-privilege roles: Entra ID Global Administrator, Privileged Role Administrator, Application Administrator, Cloud Application Administrator, Identity Governance Administrator, User Administrator via /roleManagement/directory/roleAssignments + PIM eligible assignments; Okta Super Admin + Organization Admin + Application Admin + Group Admin via /api/v1/iam/assignees; Auth0 tenant Admin + Auth0 management API role assignments; Ping Environment Admin / Identity Admin; OneLogin Account Owner / Super User.",
400
+ "description": "Recent high-privilege role assignment is one of the strongest single indicators. Cross-reference timestamp + assigner against the audit log.",
401
+ "required": true,
402
+ "air_gap_alternative": "Operator-supplied CSV export of privileged role assignments from the IdP admin portal."
403
+ },
404
+ {
405
+ "id": "mfa-factor-events",
406
+ "type": "audit_trail",
407
+ "source": "Filter idp-audit-log-90d for MFA factor enrolment, modification, reset, and bypass events. Okta event types user.mfa.factor.activate + user.mfa.factor.reset + user.mfa.factor.deactivate; Entra ID category 'AuthenticationMethod' under /auditLogs/directoryAudits; Auth0 mfa.* + management.* event types; Ping similar.",
408
+ "description": "Scattered Spider's primary TTP is help-desk-mediated factor reset. Each factor-reset event must pair with a documented identity-verification record from the help-desk system.",
409
+ "required": true,
410
+ "air_gap_alternative": "Operator-supplied CSV export of MFA / authentication method audit events."
411
+ },
412
+ {
413
+ "id": "break-glass-account-state",
414
+ "type": "api_response",
415
+ "source": "Enumerate break-glass / emergency-access accounts (Entra ID excluded from conditional access; Okta accounts in an emergency-access group; Auth0 accounts with bypass flags; Ping accounts excluded from MFA policy). Capture last-sign-in timestamp, MFA factor enrolment, conditional-access exclusions, password age, audit-log alert configuration.",
416
+ "description": "Break-glass accounts are designed to bypass normal controls; theater-pattern is to attest 'never used' without exercising the audit-alert path.",
417
+ "required": true,
418
+ "air_gap_alternative": "Operator-supplied CSV listing break-glass account inventory + last-sign-in + MFA enrolment from the IdP admin portal."
419
+ },
420
+ {
421
+ "id": "service-account-inventory",
422
+ "type": "api_response",
423
+ "source": "Enumerate non-human identities: Okta service users + API service users; Entra ID workload identities + service principals with credentials; Auth0 M2M apps + their client_credentials grants; Ping worker apps; OneLogin API credentials. For each, capture last-rotation timestamp, scope, source-IP allowlist, last-use timestamp, owner.",
424
+ "description": "Snowflake-via-Okta-service-account 2024 is the public reference for this attack class. Any service account with static secret older than 90 days, broad scope, no IP allowlist is a high-priority finding.",
425
+ "required": true,
426
+ "air_gap_alternative": "Operator-supplied CSV listing service accounts + last-rotation + scope + IP allowlist."
427
+ },
428
+ {
429
+ "id": "session-token-inventory",
430
+ "type": "api_response",
431
+ "source": "Enumerate active sessions: Okta /api/v1/users/{id}/sessions; Entra ID Get-MgUser sign-in activity + sign-in tokens via Graph; Auth0 /api/v2/users/{id}/sessions; Ping similar. Capture session age, source IP, user agent, last-touch timestamp.",
432
+ "description": "Long-lived sessions surviving credential rotation are a common containment gap. Capture pre-revocation state for the residual-risk statement.",
433
+ "required": true,
434
+ "air_gap_alternative": "Operator-supplied session inventory from the IdP admin portal."
435
+ },
436
+ {
437
+ "id": "management-api-tokens",
438
+ "type": "api_response",
439
+ "source": "Enumerate management-plane API access: Okta API tokens via /api/v1/api-tokens; Entra ID application secrets + certificates via /applications/{id}/passwordCredentials + /applications/{id}/keyCredentials; Auth0 management API client_id + client_secret pairs; Ping application secrets; OneLogin API credentials.",
440
+ "description": "Management-API tokens bypass the human-MFA gate entirely. Any token with broad scope + age > 90 days + no audit-log alerting is a structural finding.",
441
+ "required": true,
442
+ "air_gap_alternative": "Operator-supplied inventory of management API tokens + age + scope from the IdP admin portal."
443
+ },
444
+ {
445
+ "id": "cross-tenant-consent-grants",
446
+ "type": "api_response",
447
+ "source": "Enumerate cross-tenant access settings: Entra ID /policies/crossTenantAccessPolicy + per-partner inbound/outbound rules; Okta org-to-org federation configurations; Auth0 tenant linking; Ping environment federations.",
448
+ "description": "Cross-tenant federation is invisible to most identity-hygiene programmes yet grants persistent token-issuance against the home tenant. Any cross-tenant grant from a tenant whose ownership cannot be attested in writing is a finding.",
449
+ "required": true,
450
+ "air_gap_alternative": "Operator-supplied export of cross-tenant access settings from the IdP admin portal."
451
+ },
452
+ {
453
+ "id": "recent-credential-resets",
454
+ "type": "audit_trail",
455
+ "source": "Filter idp-audit-log-90d for password-reset, passkey-enrolment, and recovery-factor-modification events. Okta user.account.update_password + user.account.unlock + user.credential.enroll; Entra ID 'User changed password' + 'Reset user password' + 'Update authentication phone method'; Auth0 management.users.password-changed + management.users.mfa-reset.",
456
+ "description": "Password / passkey reset paired with subsequent privilege escalation is a high-signal indicator. The reset timestamp + reset-by actor + subsequent role-assignment timestamp build the attack timeline.",
457
+ "required": true,
458
+ "air_gap_alternative": "Operator-supplied CSV export of credential-reset events."
459
+ }
460
+ ],
461
+ "collection_scope": {
462
+ "time_window": "90d",
463
+ "asset_scope": "single_idp_tenant_under_investigation",
464
+ "depth": "deep",
465
+ "sampling": "complete enumeration of consent grants, federated-trust configuration, privileged-role assignments, break-glass accounts, service accounts, session tokens, management-API tokens, and cross-tenant grants. Audit-log collection is bounded by the IdP's retention window (90 days for most tenants without log-export streaming)."
466
+ },
467
+ "environment_assumptions": [
468
+ {
469
+ "assumption": "operator_has_read_only_admin_in_tenant == true",
470
+ "if_false": "Without an admin-tier role the consent grants, federated-trust configuration, and management-API token inventory cannot be enumerated. Escalate to a documented tenant-owner break-glass procedure."
471
+ },
472
+ {
473
+ "assumption": "idp_audit_log_retention >= 90d",
474
+ "if_false": "Reduce time window to retained log span and emit a 'truncated-retention' visibility note in the evidence package. The attacker's dwell time may exceed the available log."
475
+ },
476
+ {
477
+ "assumption": "tenant_uses_one_primary_idp",
478
+ "if_false": "If multiple IdPs federate (common in M&A landscapes), enumerate each as a distinct tenant under investigation and add federation-trust crosswalk between them."
479
+ },
480
+ {
481
+ "assumption": "no_active_response_actions_in_flight",
482
+ "if_false": "If containment is already running (token revocations, password resets) the audit log will reflect operator activity that must be filtered from attacker activity. Capture operator activity as a separate evidence band."
483
+ }
484
+ ],
485
+ "fallback_if_unavailable": [
486
+ {
487
+ "artifact_id": "idp-audit-log-90d",
488
+ "fallback_action": "escalate_to_human",
489
+ "confidence_impact": "high"
490
+ },
491
+ {
492
+ "artifact_id": "oauth-consent-grants",
493
+ "fallback_action": "escalate_to_human",
494
+ "confidence_impact": "high"
495
+ },
496
+ {
497
+ "artifact_id": "federated-trust-config",
498
+ "fallback_action": "escalate_to_human",
499
+ "confidence_impact": "high"
500
+ },
501
+ {
502
+ "artifact_id": "privileged-role-assignments",
503
+ "fallback_action": "mark_inconclusive",
504
+ "confidence_impact": "high"
505
+ },
506
+ {
507
+ "artifact_id": "mfa-factor-events",
508
+ "fallback_action": "mark_inconclusive",
509
+ "confidence_impact": "medium"
510
+ },
511
+ {
512
+ "artifact_id": "break-glass-account-state",
513
+ "fallback_action": "mark_inconclusive",
514
+ "confidence_impact": "medium"
515
+ },
516
+ {
517
+ "artifact_id": "service-account-inventory",
518
+ "fallback_action": "mark_inconclusive",
519
+ "confidence_impact": "high"
520
+ },
521
+ {
522
+ "artifact_id": "session-token-inventory",
523
+ "fallback_action": "mark_inconclusive",
524
+ "confidence_impact": "low"
525
+ },
526
+ {
527
+ "artifact_id": "management-api-tokens",
528
+ "fallback_action": "escalate_to_human",
529
+ "confidence_impact": "high"
530
+ },
531
+ {
532
+ "artifact_id": "cross-tenant-consent-grants",
533
+ "fallback_action": "mark_inconclusive",
534
+ "confidence_impact": "high"
535
+ },
536
+ {
537
+ "artifact_id": "recent-credential-resets",
538
+ "fallback_action": "mark_inconclusive",
539
+ "confidence_impact": "medium"
540
+ }
541
+ ]
542
+ },
543
+ "detect": {
544
+ "indicators": [
545
+ {
546
+ "id": "unauthorized-consent-grant-from-non-corp-tenant",
547
+ "type": "log_pattern",
548
+ "value": "Within the oauth-consent-grants artifact: any consent grant whose tenant-of-origin (Entra) or publisher (Okta/Auth0) is not on the corporate-tenant allowlist AND whose granted scope includes Mail.Read / Mail.ReadWrite / Files.Read.All / User.Read.All / Directory.Read.All / .default / wildcard. Cross-reference idp-audit-log-90d for the grant timestamp and granter identity.",
549
+ "description": "Midnight Blizzard's January 2024 escalation pattern. Consent from an attacker-controlled tenant or from an unverified publisher with tenant-wide read scope is the dominant 2024-2026 IdP pivot.",
550
+ "confidence": "high",
551
+ "deterministic": false,
552
+ "attack_ref": "T1098.001",
553
+ "false_positive_checks_required": [
554
+ "Cross-check against a documented corporate-tenant allowlist (sister-org tenants, audited partner tenants). If the tenant-of-origin matches an allowlisted partner with current written attestation, demote.",
555
+ "Verify whether the granter is a documented cross-tenant collaboration sponsor (e.g. a contracted M&A integration partner). If yes and the scope is bounded, demote.",
556
+ "Confirm the consent timestamp does not match a known SSO migration window. SSO migrations frequently produce bulk consent re-grants that look anomalous in isolation but are operator-initiated."
557
+ ]
558
+ },
559
+ {
560
+ "id": "anomalous-federated-trust-addition",
561
+ "type": "log_pattern",
562
+ "value": "Within the federated-trust-config artifact: any federation whose last-modification timestamp is within the last 90 days AND whose token-signing certificate fingerprint, issuer URI, or claim-transformation rules differ from the documented expected state. Cross-reference idp-audit-log-90d for the modification actor.",
563
+ "description": "Federation modification is the highest-leverage IdP control-plane operation. A malicious federation lets the attacker mint authentic tokens for any user.",
564
+ "confidence": "deterministic",
565
+ "deterministic": true,
566
+ "attack_ref": "T1556.007",
567
+ "false_positive_checks_required": [
568
+ "Verify whether the modification is part of a documented IdP migration project (e.g. ADFS → Entra ID hybrid migration, on-prem AD federation cutover). Pull the change-control ticket for the modification window and confirm the actor matches the project's named operator.",
569
+ "If the modification is a scheduled certificate rotation, confirm the new fingerprint matches the partner's published rotation announcement.",
570
+ "Cross-reference the modification actor against the privileged-role-assignments artifact; if the actor's role was newly assigned within 30 days of the modification, the rotation context is suspicious regardless of project-ticket attestation."
571
+ ]
572
+ },
573
+ {
574
+ "id": "mfa-factor-swap-without-password-reset",
575
+ "type": "log_pattern",
576
+ "value": "Within the mfa-factor-events artifact: any factor-reset or factor-deactivate event followed by factor-enrolment within 24h, with no paired password-reset event in recent-credential-resets and no paired help-desk ticket in operator-supplied evidence. Cross-reference idp-audit-log-90d for the reset actor.",
577
+ "description": "Scattered Spider primary TTP. Help-desk-mediated factor swap leaves the user-facing MFA policy unchanged while replacing the factor under operator control.",
578
+ "confidence": "high",
579
+ "deterministic": false,
580
+ "attack_ref": "T1556.007",
581
+ "false_positive_checks_required": [
582
+ "Verify whether the swap is a documented user-initiated factor migration (e.g. lost-phone recovery). The help-desk ticket + identity-verification record must match the swap window.",
583
+ "Confirm whether the user was on a documented self-service factor-rotation programme; some tenants run quarterly factor refreshes for compliance.",
584
+ "Cross-reference against the user's session inventory (session-token-inventory); a factor swap with no immediately subsequent re-authentication is more suspicious than one followed by normal user activity."
585
+ ]
586
+ },
587
+ {
588
+ "id": "recent-high-privilege-role-assignment",
589
+ "type": "log_pattern",
590
+ "value": "Within the privileged-role-assignments artifact: any assignment to Super Admin / Global Administrator / Tenant Owner / Application Administrator / Privileged Role Administrator within the last 90 days. Cross-reference idp-audit-log-90d for the assigner identity and any paired access-review or change-control record.",
591
+ "description": "Recent role assignment is a high-signal indicator independent of attacker entry vector. New admins are frequent intermediate-stage compromise outcomes.",
592
+ "confidence": "high",
593
+ "deterministic": false,
594
+ "attack_ref": "T1098.001",
595
+ "false_positive_checks_required": [
596
+ "Verify whether the assignment matches a documented onboarding or RBAC-review cycle. The assigner identity must match the documented owner.",
597
+ "If the assignee is a known break-glass account being exercised under an IR drill, confirm the drill is on the operator's calendar and demote.",
598
+ "Cross-reference against the audit-log actor IP and user agent; an assigner action from an anomalous IP relative to that operator's history holds severity regardless of role-review documentation."
599
+ ]
600
+ },
601
+ {
602
+ "id": "service-account-unused-then-active",
603
+ "type": "log_pattern",
604
+ "value": "Within the service-account-inventory artifact, intersected with idp-audit-log-90d: any service account whose last-use timestamp prior to the investigation window was >180 days old AND that produced authentication events during the investigation window. The dormant-then-active pattern is the Snowflake-via-Okta-service-account signature.",
605
+ "description": "Dormant service-account reactivation. Attackers prefer dormant credentials because they bypass owner attention and frequently lack rotation hygiene.",
606
+ "confidence": "high",
607
+ "deterministic": false,
608
+ "attack_ref": "T1078.004",
609
+ "false_positive_checks_required": [
610
+ "Verify whether the reactivation matches a documented scheduled-job restart (annual reconciliation, quarterly data refresh, post-maintenance reboot). Cross-reference the operator's runbook calendar.",
611
+ "Confirm the source IP of the reactivation matches the documented service-account origin (corporate egress, CI runner range, partner ingress).",
612
+ "If reactivation is paired with rotation (new client secret immediately after first use), the rotation context suggests operator-initiated activity; otherwise hold."
613
+ ]
614
+ },
615
+ {
616
+ "id": "cross-tenant-assumption-anomaly",
617
+ "type": "log_pattern",
618
+ "value": "Within the cross-tenant-consent-grants artifact: any inbound or outbound cross-tenant rule pointing at a tenant whose ownership cannot be attested in writing, OR any change to cross-tenant access settings within the last 90 days. Cross-reference idp-audit-log-90d for the modification actor.",
619
+ "description": "Cross-tenant federation grants persistent token-issuance against the home tenant. Invisible to most identity-hygiene programmes.",
620
+ "confidence": "high",
621
+ "deterministic": false,
622
+ "attack_ref": "T1199",
623
+ "false_positive_checks_required": [
624
+ "Verify the partner tenant is on the corporate cross-tenant allowlist with current written attestation (M&A integration, JV, audited supplier).",
625
+ "Confirm the cross-tenant rule's permission set does not exceed the documented partnership scope (a JV-grade trust with global Mail.Read access is anomalous regardless of allowlist status).",
626
+ "If the change is a scope-tightening operation (e.g. removing previously-permitted scopes), the change is defensive — demote to low severity."
627
+ ]
628
+ },
629
+ {
630
+ "id": "break-glass-account-authentication",
631
+ "type": "log_pattern",
632
+ "value": "Within idp-audit-log-90d, intersected with break-glass-account-state: any successful authentication event from a designated break-glass account, OR any modification to break-glass-account conditional-access exclusions, OR any rotation event on break-glass credentials.",
633
+ "description": "Break-glass authentication is by definition extraordinary. Each event must pair with a documented IR drill or production-incident record.",
634
+ "confidence": "high",
635
+ "deterministic": false,
636
+ "attack_ref": "T1078.004",
637
+ "false_positive_checks_required": [
638
+ "Verify whether the event matches an operator-confirmed IR drill or documented break-glass exercise. The drill calendar must show the event on its schedule.",
639
+ "Confirm the authentication source IP, user agent, and authentication factors match the documented break-glass procedure.",
640
+ "If the event is paired with subsequent privileged-role activity, hold severity regardless of drill attestation — the break-glass account should be exercised but not used for routine work."
641
+ ]
642
+ },
643
+ {
644
+ "id": "oauth-app-publisher-unverified",
645
+ "type": "log_pattern",
646
+ "value": "Within the oauth-consent-grants artifact: any consent grant to an application whose publisher is marked 'unverified' OR whose publisher domain does not match a documented corporate-or-partner registry.",
647
+ "description": "Unverified-publisher consent is a common Midnight-Blizzard-class staging tactic — register an app under a generic name, request broad scope, harvest tokens.",
648
+ "confidence": "high",
649
+ "deterministic": false,
650
+ "attack_ref": "T1098.001",
651
+ "false_positive_checks_required": [
652
+ "Verify whether the app is an internal-but-unverified-publisher application (operator-supplied attestation of internal authorship; the publisher-verification gap is a vendor-account configuration, not a malicious app).",
653
+ "If publisher verification has been requested but not yet completed by the vendor, the gap is administrative; demote pending vendor follow-up but track in the residual-risk statement.",
654
+ "Cross-reference the granted scope against the app's documented purpose. Even an internal app with unverified-publisher status is a finding if the scope exceeds documented need."
655
+ ]
656
+ },
657
+ {
658
+ "id": "session-token-forgery-evidence",
659
+ "type": "log_pattern",
660
+ "value": "Within idp-audit-log-90d: any session authentication event whose token-issuance metadata is inconsistent with the federation-config artifact (issuer URI mismatch, signing-certificate fingerprint mismatch, claim transformation outcome inconsistent with documented rules).",
661
+ "description": "Token forgery via web-cookie / session-cookie forgery (T1606.002) leaves trace metadata in the audit log when the IdP's signing-state has been tampered with.",
662
+ "confidence": "high",
663
+ "deterministic": false,
664
+ "attack_ref": "T1606.002",
665
+ "false_positive_checks_required": [
666
+ "Verify whether a signing-certificate rotation occurred within the inconsistency window; rotation creates legitimate metadata drift.",
667
+ "Confirm whether the issuing federation is part of a documented multi-region failover; some IdP deployments mint tokens from multiple signing keys legitimately.",
668
+ "If the inconsistency is sustained across many events from a single source, the attribution is stronger than isolated drift."
669
+ ]
670
+ }
671
+ ],
672
+ "false_positive_profile": [
673
+ {
674
+ "indicator_id": "unauthorized-consent-grant-from-non-corp-tenant",
675
+ "benign_pattern": "Legitimate cross-tenant collaboration consent (M&A integration partner, audited supplier, JV partner).",
676
+ "distinguishing_test": "The collaboration partner must appear on a documented corporate-tenant allowlist with current written attestation AND the granted scope must be bounded to the documented collaboration purpose. Wildcard or /.default scope to any partner is a finding regardless of allowlist status."
677
+ },
678
+ {
679
+ "indicator_id": "anomalous-federated-trust-addition",
680
+ "benign_pattern": "Planned IdP migration (ADFS → Entra ID hybrid, on-prem AD federation cutover) or scheduled signing-certificate rotation.",
681
+ "distinguishing_test": "The migration or rotation must appear on the operator's change-control register with named operator, expected fingerprint, and rollback plan. Any modification by an actor whose role was assigned within 30 days of the modification holds severity regardless of project documentation."
682
+ },
683
+ {
684
+ "indicator_id": "mfa-factor-swap-without-password-reset",
685
+ "benign_pattern": "User-initiated factor migration (lost phone, device upgrade) with operator-assisted recovery.",
686
+ "distinguishing_test": "The swap must pair with a help-desk ticket + identity-verification record (knowledge-based + government-ID + recorded callback to a previously-registered number). Phone-only verification or chat-only verification is not sufficient under Scattered Spider TTP."
687
+ },
688
+ {
689
+ "indicator_id": "recent-high-privilege-role-assignment",
690
+ "benign_pattern": "Documented onboarding, RBAC review-cycle promotion, or break-glass drill.",
691
+ "distinguishing_test": "The assignment must match a documented onboarding ticket, an RBAC-review record signed off by the assignee's manager, or a calendared break-glass drill. Cross-reference assigner IP and user agent against historical operator activity."
692
+ },
693
+ {
694
+ "indicator_id": "service-account-unused-then-active",
695
+ "benign_pattern": "Scheduled job restart, post-maintenance reboot, or migration-driven reactivation.",
696
+ "distinguishing_test": "Match the reactivation against the operator's runbook calendar and confirm the source IP matches documented service-account origin. Pair reactivation with rotation (new client secret) to confirm operator-initiated provenance."
697
+ },
698
+ {
699
+ "indicator_id": "cross-tenant-assumption-anomaly",
700
+ "benign_pattern": "M&A integration, audited supplier federation, JV partner trust.",
701
+ "distinguishing_test": "Partner tenant must be on the corporate cross-tenant allowlist with current written attestation AND the permission set must not exceed documented partnership scope. Scope-tightening modifications are defensive and may be demoted."
702
+ },
703
+ {
704
+ "indicator_id": "break-glass-account-authentication",
705
+ "benign_pattern": "Calendared IR drill, documented production-incident break-glass exercise, or quarterly authentication-path exercise.",
706
+ "distinguishing_test": "Drill must appear on the operator's calendar with named drill operator, expected source IP, and expected outcome. Subsequent privileged-role activity from the break-glass account holds severity regardless of drill attestation."
707
+ },
708
+ {
709
+ "indicator_id": "oauth-app-publisher-unverified",
710
+ "benign_pattern": "Internal app under vendor-account anonymization where publisher-verification has been requested but not yet completed.",
711
+ "distinguishing_test": "Operator-supplied attestation of internal authorship + documented vendor-side verification request must both be present. Granted scope must still match documented purpose; unverified-publisher status does not excuse scope exceeding need."
712
+ },
713
+ {
714
+ "indicator_id": "session-token-forgery-evidence",
715
+ "benign_pattern": "Signing-certificate rotation, multi-region IdP failover, or planned issuer URI change.",
716
+ "distinguishing_test": "Rotation must appear on the operator's change-control register with named operator and expected new fingerprint. Sustained inconsistency across many events from a single source holds severity regardless of rotation context."
717
+ }
718
+ ],
719
+ "minimum_signal": {
720
+ "detected": "At least one deterministic indicator (anomalous-federated-trust-addition) fires AND the false-positive distinguishing test does not clear it. OR two or more high-confidence non-deterministic indicators fire on the same actor / asset within a 7-day window.",
721
+ "inconclusive": "Single high-confidence indicator fires AND the distinguishing test cannot be performed (e.g. operator cannot produce a help-desk ticket within the obligation window). Treat as detected with the caveat noted; do not stand down containment.",
722
+ "not_detected": "Full enumeration of consent grants + federated-trust + privileged-role assignments + break-glass state + service accounts + management-API tokens + cross-tenant grants complete AND no indicator fires AND all break-glass authentications are matched to drill attestations AND all federation modifications are matched to change-control records."
723
+ }
724
+ },
725
+ "analyze": {
726
+ "rwep_inputs": [
727
+ {
728
+ "signal_id": "anomalous-federated-trust-addition",
729
+ "rwep_factor": "blast_radius",
730
+ "weight": 30,
731
+ "notes": "Federation modification = tenant-wide token-issuance compromise. Treat as highest blast radius."
732
+ },
733
+ {
734
+ "signal_id": "anomalous-federated-trust-addition",
735
+ "rwep_factor": "active_exploitation",
736
+ "weight": 25,
737
+ "notes": "Midnight Blizzard, Scattered Spider, and APT29 continue exploiting federated-trust modification in 2024-2026."
738
+ },
739
+ {
740
+ "signal_id": "unauthorized-consent-grant-from-non-corp-tenant",
741
+ "rwep_factor": "active_exploitation",
742
+ "weight": 25,
743
+ "notes": "Dominant 2024-2026 pivot; Midnight Blizzard's Entra ID campaign is the public reference."
744
+ },
745
+ {
746
+ "signal_id": "unauthorized-consent-grant-from-non-corp-tenant",
747
+ "rwep_factor": "blast_radius",
748
+ "weight": 20,
749
+ "notes": "Tenant-wide Mail.Read or Files.Read scope = full mail / file exfiltration."
750
+ },
751
+ {
752
+ "signal_id": "mfa-factor-swap-without-password-reset",
753
+ "rwep_factor": "active_exploitation",
754
+ "weight": 25,
755
+ "notes": "Scattered Spider primary TTP; voice-cloning + deepfake-video reconnaissance accelerating in 2026."
756
+ },
757
+ {
758
+ "signal_id": "service-account-unused-then-active",
759
+ "rwep_factor": "active_exploitation",
760
+ "weight": 20,
761
+ "notes": "Snowflake-via-Okta-service-account 2024 reference; ongoing in 2025-2026."
762
+ },
763
+ {
764
+ "signal_id": "service-account-unused-then-active",
765
+ "rwep_factor": "blast_radius",
766
+ "weight": 15,
767
+ "notes": "Service-account scope frequently exceeds human-account scope; broad downstream blast radius."
768
+ },
769
+ {
770
+ "signal_id": "recent-high-privilege-role-assignment",
771
+ "rwep_factor": "blast_radius",
772
+ "weight": 20,
773
+ "notes": "New admin grants tenant-wide control plane access."
774
+ },
775
+ {
776
+ "signal_id": "cross-tenant-assumption-anomaly",
777
+ "rwep_factor": "blast_radius",
778
+ "weight": 15,
779
+ "notes": "Persistent cross-tenant token issuance grants long-lived access independent of the home tenant's credential rotation."
780
+ },
781
+ {
782
+ "signal_id": "break-glass-account-authentication",
783
+ "rwep_factor": "blast_radius",
784
+ "weight": 20,
785
+ "notes": "Break-glass accounts are designed to bypass controls; unauthorized use = full tenant compromise."
786
+ },
787
+ {
788
+ "signal_id": "oauth-app-publisher-unverified",
789
+ "rwep_factor": "ai_weaponization",
790
+ "weight": 10,
791
+ "notes": "AI-augmented app registration + consent-grant phishing campaigns are operational in 2025-2026."
792
+ },
793
+ {
794
+ "signal_id": "session-token-forgery-evidence",
795
+ "rwep_factor": "active_exploitation",
796
+ "weight": 20,
797
+ "notes": "Token-signing-state tampering = sustained ability to mint authentic tokens."
798
+ }
799
+ ],
800
+ "blast_radius_model": {
801
+ "scope_question": "Given the IdP-tenant control-plane indicator(s) that fired, what is the blast radius across (a) tenant subscribers, (b) federated applications, (c) admin actions performable, (d) downstream SaaS apps reachable via session or token reuse?",
802
+ "scoring_rubric": [
803
+ {
804
+ "condition": "Single low-confidence indicator fires AND distinguishing test cleanly demotes (FP)",
805
+ "blast_radius_score": 1,
806
+ "description": "No live exposure. Document and close."
807
+ },
808
+ {
809
+ "condition": "Single non-deterministic indicator fires on a single non-admin account with bounded scope",
810
+ "blast_radius_score": 2,
811
+ "description": "Account-scope compromise. Targeted rotation + session revoke sufficient."
812
+ },
813
+ {
814
+ "condition": "Single high-confidence indicator on an admin account OR a service account with broad scope, single downstream-app exposure",
815
+ "blast_radius_score": 3,
816
+ "description": "Tenant-scope partial compromise. Broad rotation + scoped audit-log review across the credential's reachable downstream apps."
817
+ },
818
+ {
819
+ "condition": "Federation modification OR cross-tenant grant OR multiple admin-tier consent grants — tenant-wide token-issuance compromise OR persistent cross-tenant trust",
820
+ "blast_radius_score": 4,
821
+ "description": "Tenant-wide control-plane compromise. Triggers feeds_into → cred-stores for downstream containment. Federation re-keying + cross-tenant trust review + comprehensive admin-action audit-log review for the full exposure window required."
822
+ },
823
+ {
824
+ "condition": "Federation modification AND OAuth consent abuse AND privileged-role escalation AND multiple downstream-app SAML/OIDC consumers — multi-tier identity boundary collapse",
825
+ "blast_radius_score": 5,
826
+ "description": "Identity boundary collapse across tenant + federation + downstream SaaS. Treat as a confirmed incident. Full federation re-keying, downstream session-revocation cascade, downstream SaaS audit-log review for the full exposure window, multi-jurisdiction notification clocks fire in parallel."
827
+ }
828
+ ]
829
+ },
830
+ "compliance_theater_check": {
831
+ "claim": "Tenant runs Okta / Entra ID / Auth0 with MFA enforced + SSO across SaaS + quarterly OAuth consent review + break-glass account that has never been used → tenant identity hygiene is complete.",
832
+ "audit_evidence": "MFA enforcement policy screenshots; SSO coverage report; quarterly OAuth consent review minutes; break-glass account configuration screenshot.",
833
+ "reality_test": "Run this playbook against the tenant. Count: (a) consent grants from non-corp tenants OR with /.default / wildcard scope OR with unverified publishers, (b) federated-trust configurations whose last-modification actor cannot be matched to a change-control ticket, (c) service accounts with static secrets older than 90 days, (d) break-glass accounts whose authentication path lacks audit-log alerting, (e) management-API tokens with broad scope and no source-IP allowlist, (f) cross-tenant access settings to tenants without written ownership attestation. Any count > 0 is the gap between paper-compliance attestation and actual IdP control-plane posture. Additionally cross-reference any service account showing dormant-then-active activity against the operator's runbook calendar — unmatched reactivation events are theater regardless of the 'MFA enforced' attestation.",
834
+ "theater_verdict_if_gap": "MFA-enforced SSO + quarterly consent review is paper compliance against an attacker whose pivot is the IdP control plane. Real coverage requires (a) continuous consent-grant alerting on high-risk scope + unverified publisher, (b) federation-modification audit-log alerting with change-control ticket cross-reference, (c) service-account rotation enforcement with IP allowlist, (d) break-glass authentication alerting with on-call paging, (e) management-API token inventory with TTL + scope + source-IP enforcement, (f) cross-tenant access-settings continuous review. Either deploy the missing controls OR generate auditor-ready policy exception with bounded duration + compensating audit-log monitoring."
835
+ },
836
+ "framework_gap_mapping": [
837
+ {
838
+ "finding_id": "federation-modification-uncovered",
839
+ "framework": "nist-800-53",
840
+ "claimed_control": "IA-5 — Authenticator Management",
841
+ "actual_gap": "IA-5 evidence is satisfied by a quarterly snapshot of authenticator inventory. Federated-trust modifications (token-signing certificate rotation, claim-transformation rule changes, OIDC discovery-document tampering) at the IdP control plane are outside the evidence path.",
842
+ "required_control": "Extend IA-5 scope to federated-trust configuration with continuous attestation: signing-certificate fingerprint inventory + claim-transformation rule baseline + per-modification change-control attestation required for SOC 2 / ISO 27001:2022 evidence."
843
+ },
844
+ {
845
+ "finding_id": "oauth-consent-abuse-uncovered",
846
+ "framework": "soc2",
847
+ "claimed_control": "CC6 — Logical and Physical Access Controls",
848
+ "actual_gap": "CC6 treats the authenticated session as the access boundary. OAuth consent grants federate scope outside the authenticated-session boundary; the consenting user authenticated correctly, the third-party app's onward calls are authorized by the grant, and CC6 audit evidence shows nothing anomalous.",
849
+ "required_control": "Add a CC6 sub-criterion requiring evidence of OAuth consent-grant inventory + continuous alerting on high-risk scope grants + per-grant business-purpose attestation."
850
+ },
851
+ {
852
+ "finding_id": "federated-state-uncovered",
853
+ "framework": "iso-27001-2022",
854
+ "claimed_control": "A.5.16 + A.5.17 — Identity Management + Authentication Information",
855
+ "actual_gap": "A.5.16/A.5.17 cover static identity state (was the account provisioned, was MFA enrolled). Federated-state transitions are not enumerated.",
856
+ "required_control": "Add a control-objective footnote requiring inventory of OAuth consent grants + federated-trust configuration + cross-tenant access settings, with documented change-control for each modification."
857
+ },
858
+ {
859
+ "finding_id": "idp-tenant-plane-uncovered",
860
+ "framework": "uk-caf",
861
+ "claimed_control": "B2.b — Identity and Access Control",
862
+ "actual_gap": "B2.b is outcome-based against the IdP tenant's published authentication outcomes. The IdP-tenant control plane (who modified the tenant configuration itself) is outside the outcome's typical evidence surface.",
863
+ "required_control": "Extend B2.b outcome assessment to the IdP-tenant control plane: federated-trust integrity, consent-grant inventory, privileged-role-assignment audit, management-API-token inventory."
864
+ },
865
+ {
866
+ "finding_id": "idp-tenant-plane-au-uncovered",
867
+ "framework": "au-ism",
868
+ "claimed_control": "ISM-1559 — Privileged Account Credential Management",
869
+ "actual_gap": "ISM-1559 reaches privileged credentials at the system layer; it does not reach IdP-tenant control-plane operations. The IdP tenant is the privileged-credential source-of-truth for every downstream system but ISM-1559 audits the downstream systems and treats the IdP tenant as oracle.",
870
+ "required_control": "Extend ISM-1559 scope to the IdP tenant's own control plane: management-API-token inventory, consent-grant inventory, federated-trust integrity, with continuous alerting."
871
+ },
872
+ {
873
+ "finding_id": "idp-incident-nis2-clock",
874
+ "framework": "nis2",
875
+ "claimed_control": "Art.21(2)(j) + Art.23",
876
+ "actual_gap": "Art.21(2)(j) names cryptography and access-control; the implementing-act guidance does not enumerate federated-identity control-plane operations. Art.23 24-hour clock fires on IdP incidents serving essential entities but tenant operators frequently miss the trigger.",
877
+ "required_control": "Extend implementing-act guidance to enumerate federated-identity control-plane indicators (consent abuse, federation modification, cross-tenant compromise) as Art.23-triggering events."
878
+ }
879
+ ],
880
+ "escalation_criteria": [
881
+ {
882
+ "condition": "rwep >= 90 AND any deterministic indicator fires",
883
+ "action": "page_on_call"
884
+ },
885
+ {
886
+ "condition": "blast_radius_score >= 4",
887
+ "action": "trigger_playbook",
888
+ "target_playbook": "cred-stores"
889
+ },
890
+ {
891
+ "condition": "compliance_theater_check.verdict == 'theater' AND jurisdiction_obligations contains 'EU'",
892
+ "action": "notify_legal"
893
+ },
894
+ {
895
+ "condition": "any_federation_modification_unmatched_to_change_control == true",
896
+ "action": "raise_severity"
897
+ }
898
+ ]
899
+ },
900
+ "validate": {
901
+ "remediation_paths": [
902
+ {
903
+ "id": "rotate-signing-keys-and-revoke-sessions",
904
+ "description": "(1) Rotate every IdP token-signing certificate and OIDC signing key, coordinating with every federated relying party. (2) Revoke every active session at the IdP. (3) Force re-enrolment of MFA factors for all admin-tier and privileged-role accounts. (4) Rotate every management-API token (Okta API tokens, Entra app secrets, Auth0 management API tokens, Ping application secrets, OneLogin API credentials). (5) Audit IaC repositories + CI configuration + secret stores for drift against the rotated state.",
905
+ "preconditions": [
906
+ "tenant_admin_access_intact == true",
907
+ "downstream_relying_party_inventory_complete == true"
908
+ ],
909
+ "priority": 1,
910
+ "compensating_controls": [
911
+ "session-revocation-attestation",
912
+ "downstream-saas-audit-log-baseline-captured",
913
+ "iac-secret-rotation-attestation"
914
+ ],
915
+ "estimated_time_hours": 8
916
+ },
917
+ {
918
+ "id": "review-and-revoke-consent-grants",
919
+ "description": "(1) Review every OAuth consent grant from the last 90 days. (2) Revoke any grant whose tenant-of-origin is unattested, whose scope includes wildcard or /.default, or whose publisher is unverified without documented internal-authorship attestation. (3) Review every federated-trust configuration; close cross-tenant trusts not in current attestation scope. (4) Document the post-remediation state in a signed attestation.",
920
+ "preconditions": [
921
+ "consent_grant_inventory_complete == true",
922
+ "cross_tenant_inventory_complete == true"
923
+ ],
924
+ "priority": 2,
925
+ "compensating_controls": [
926
+ "consent-grant-attestation",
927
+ "federated-trust-attestation"
928
+ ],
929
+ "estimated_time_hours": 4
930
+ },
931
+ {
932
+ "id": "harden-service-accounts-and-break-glass",
933
+ "description": "(1) Audit every service account; enforce 90-day rotation, source-IP allowlist, scoped client credentials or workload identity federation, audit-log alerting on token use. (2) Audit OEM remote-support tunnels and partner integration tokens. (3) Comprehensive review of break-glass account state: MFA factor enrolment, conditional-access exclusions, password age, audit-log alerting + on-call paging configuration. (4) Quarterly break-glass exercise on the calendar with named drill operator + expected outcome.",
934
+ "preconditions": [
935
+ "service_account_inventory_complete == true",
936
+ "break_glass_inventory_complete == true"
937
+ ],
938
+ "priority": 3,
939
+ "compensating_controls": [
940
+ "service-account-rotation-attestation",
941
+ "break-glass-drill-calendar"
942
+ ],
943
+ "estimated_time_hours": 8
944
+ },
945
+ {
946
+ "id": "policy-exception-coordinated-rekey",
947
+ "description": "If federated-trust re-keying requires coordinated rollout across 50+ relying parties (large enterprise federation, M&A integration in flight), generate exception with bounded duration + enhanced audit-log monitoring + IR-team standby.",
948
+ "preconditions": [
949
+ "coordinated_rekey_required == true",
950
+ "enhanced_audit_log_alerting_active == true"
951
+ ],
952
+ "priority": 4,
953
+ "compensating_controls": [
954
+ "enhanced-audit-log-alerting-on-federated-trust",
955
+ "incident-response-team-on-standby",
956
+ "downstream-rp-notification-tracker"
957
+ ],
958
+ "estimated_time_hours": 72
959
+ }
960
+ ],
961
+ "validation_tests": [
962
+ {
963
+ "id": "consent-grants-clean",
964
+ "test": "Re-enumerate OAuth consent grants post-remediation. Confirm zero grants from non-corp tenants, zero wildcard / .default scope grants without business-purpose attestation, zero unverified-publisher grants without internal-authorship attestation.",
965
+ "expected_result": "Consent inventory matches post-remediation attestation state.",
966
+ "test_type": "negative"
967
+ },
968
+ {
969
+ "id": "federated-trust-baseline",
970
+ "test": "Re-pull federated-trust configuration; confirm token-signing certificate fingerprint, issuer URI, and claim-transformation rules match the documented post-rotation expected state.",
971
+ "expected_result": "Federation state matches documented baseline.",
972
+ "test_type": "functional"
973
+ },
974
+ {
975
+ "id": "session-revocation-verified",
976
+ "test": "Pull active session inventory; confirm zero sessions surviving the revocation timestamp.",
977
+ "expected_result": "No sessions older than the revocation timestamp.",
978
+ "test_type": "negative"
979
+ },
980
+ {
981
+ "id": "service-account-rotation-verified",
982
+ "test": "Audit every service account's last-rotation timestamp + source-IP allowlist + scope. Expect every account to satisfy the rotation policy.",
983
+ "expected_result": "Every service account compliant with rotation + IP-allowlist policy.",
984
+ "test_type": "functional"
985
+ },
986
+ {
987
+ "id": "audit-log-alerting-active",
988
+ "test": "Trigger a synthetic high-risk OAuth consent grant + a synthetic federated-trust modification (both backed out within minutes). Confirm both fire the documented audit-log alert path within SLA.",
989
+ "expected_result": "Both synthetic events alert within SLA.",
990
+ "test_type": "functional"
991
+ },
992
+ {
993
+ "id": "break-glass-alert-fires",
994
+ "test": "Exercise a break-glass account in a calendared drill. Confirm the authentication fires the documented on-call paging alert.",
995
+ "expected_result": "On-call paged within SLA.",
996
+ "test_type": "functional"
997
+ }
998
+ ],
999
+ "residual_risk_statement": {
1000
+ "risk": "Even after rotation + consent revocation + federation re-keying + service-account hardening, any tokens minted during the exposure window may already have been used downstream — particularly for offline-validatable bearer tokens (JWTs against API gateways with no live revocation check) and refresh tokens delivered to attacker-controlled apps prior to consent revocation.",
1001
+ "why_remains": "IdP-tenant compromise is irreversible at the token-issuance level. Revocation prevents future token use against the rotated state but does not undo prior token use. Downstream-SaaS audit-log review establishes upper bound on misuse but cannot prove negative for all classes (long-lived offline-validated tokens, downstream cached state).",
1002
+ "acceptance_level": "ciso",
1003
+ "compensating_controls_in_place": [
1004
+ "all-management-api-tokens-rotated",
1005
+ "all-sessions-revoked-and-attested",
1006
+ "all-mfa-factors-re-enrolled-for-admin-tier",
1007
+ "consent-grant-inventory-attested",
1008
+ "federated-trust-rekeyed",
1009
+ "downstream-saas-audit-log-baseline-captured-for-exposure-window",
1010
+ "continuous-consent-grant-alerting-active",
1011
+ "continuous-federated-trust-modification-alerting-active"
1012
+ ]
1013
+ },
1014
+ "evidence_requirements": [
1015
+ {
1016
+ "evidence_type": "scan_report",
1017
+ "description": "Pre-remediation enumeration of consent grants + federated-trust configuration + privileged-role assignments + break-glass state + service accounts + management-API tokens + cross-tenant grants, with per-finding indicator id + RWEP. Plus post-remediation re-enumeration showing the attested clean state.",
1018
+ "retention_period": "7_years",
1019
+ "framework_satisfied": [
1020
+ "soc2-cc6.1",
1021
+ "iso-27001-2022-A.5.16",
1022
+ "iso-27001-2022-A.5.17",
1023
+ "nist-800-53-IA-5"
1024
+ ]
1025
+ },
1026
+ {
1027
+ "evidence_type": "log_excerpt",
1028
+ "description": "IdP audit-log excerpt for the exposure window covering every fired indicator, with paired change-control / help-desk / drill-calendar attestation where applicable.",
1029
+ "retention_period": "7_years",
1030
+ "framework_satisfied": [
1031
+ "gdpr-art-33",
1032
+ "nis2-art21-2c",
1033
+ "dora-art-19",
1034
+ "soc2-cc7.2"
1035
+ ]
1036
+ },
1037
+ {
1038
+ "evidence_type": "ticket_reference",
1039
+ "description": "Rotation + consent-revocation + federation re-keying tickets with timestamps, approvers, downstream-relying-party notification confirmation.",
1040
+ "retention_period": "7_years",
1041
+ "framework_satisfied": [
1042
+ "soc2-cc8.1",
1043
+ "iso-27001-2022-A.5.36"
1044
+ ]
1045
+ },
1046
+ {
1047
+ "evidence_type": "attestation",
1048
+ "description": "Signed exceptd attestation: tenant identity (hashed), scan timestamps, finding count by indicator, RWEP at detection, RWEP post-remediation, rotated artifact IDs (hashed), exposure window.",
1049
+ "retention_period": "7_years",
1050
+ "framework_satisfied": [
1051
+ "nist-800-53-CA-7",
1052
+ "iso-27001-2022-A.5.36",
1053
+ "nis2-art21-2c"
1054
+ ]
1055
+ }
1056
+ ],
1057
+ "regression_trigger": [
1058
+ {
1059
+ "condition": "24h_post_close",
1060
+ "interval": "on_event"
1061
+ },
1062
+ {
1063
+ "condition": "7d_post_close",
1064
+ "interval": "7d"
1065
+ },
1066
+ {
1067
+ "condition": "30d_post_close",
1068
+ "interval": "30d"
1069
+ },
1070
+ {
1071
+ "condition": "new_idp_advisory_published",
1072
+ "interval": "on_event"
1073
+ },
1074
+ {
1075
+ "condition": "post_federation_modification",
1076
+ "interval": "on_event"
1077
+ }
1078
+ ]
1079
+ },
1080
+ "close": {
1081
+ "evidence_package": {
1082
+ "bundle_format": "csaf-2.0",
1083
+ "contents": [
1084
+ "scan_report",
1085
+ "log_excerpt",
1086
+ "ticket_reference",
1087
+ "attestation",
1088
+ "framework_gap_mapping",
1089
+ "compliance_theater_verdict",
1090
+ "residual_risk_statement",
1091
+ "structured_idp_audit_export",
1092
+ "ir_timeline"
1093
+ ],
1094
+ "destination": "local_only",
1095
+ "signed": true
1096
+ },
1097
+ "learning_loop": {
1098
+ "enabled": true,
1099
+ "lesson_template": {
1100
+ "attack_vector": "Identity-provider tenant compromise via $entry_vector (residential-proxy password-spray, help-desk social engineering, leaked management-API token, OAuth-app consent abuse, federated-trust modification, cross-tenant trust abuse, dormant-service-account reactivation).",
1101
+ "control_gap": "Framework controls (NIST IA-5, ISO A.5.16/A.5.17, SOC 2 CC6, UK CAF B2.b, AU ISM-1559, AU E8 M.4) treat the IdP tenant as oracle. IdP-tenant control-plane operations (consent grants, federated-trust modification, cross-tenant access, management-API tokens) are outside the framework's evidence surface.",
1102
+ "framework_gap": "Aggregate ~60-day lag between IdP control-plane attack and quarterly-cadence framework evidence cycles. DORA Art.19 4-hour clock applies but tenant operators frequently classify IdP incidents under Art.28 concentration risk and miss the clock.",
1103
+ "new_control_requirement": "Continuous consent-grant alerting on high-risk scope + unverified publisher; federated-trust modification alerting with change-control cross-reference; service-account rotation enforcement with IP allowlist; break-glass authentication alerting with on-call paging; management-API token inventory with TTL + scope + source-IP enforcement; cross-tenant access-settings continuous review. IdP-tenant control plane becomes its own control class with quarterly attestation requirement."
1104
+ },
1105
+ "feeds_back_to_skills": [
1106
+ "idp-incident-response",
1107
+ "identity-assurance",
1108
+ "cred-stores",
1109
+ "framework-gap-analysis"
1110
+ ]
1111
+ },
1112
+ "notification_actions": [
1113
+ {
1114
+ "obligation_ref": "EU/GDPR Art.33 72h",
1115
+ "deadline": "computed_at_runtime",
1116
+ "recipient": "internal_legal",
1117
+ "evidence_attached": [
1118
+ "idp_audit_log_excerpt",
1119
+ "data_subject_impact_assessment",
1120
+ "containment_record"
1121
+ ],
1122
+ "draft_notification": "GDPR Art.33 72-hour notification: Identity-provider tenant control-plane compromise affecting ${affected_principal_count} principals. Vector: ${entry_vector}. Exposure window: ${exposure_window}. Categories of data subjects potentially affected: ${data_subject_categories}. Containment actions completed: signing keys rotated, sessions revoked, consent grants reviewed, federated trust re-keyed, management-API tokens rotated. Risk assessment: ${risk_level}. Notification to data subjects required: ${art34_assessment}. DPO contact: ${dpo_contact}."
1123
+ },
1124
+ {
1125
+ "obligation_ref": "EU/GDPR Art.34 72h",
1126
+ "deadline": "computed_at_runtime",
1127
+ "recipient": "data_subjects",
1128
+ "evidence_attached": [
1129
+ "data_subject_categories_affected",
1130
+ "containment_record"
1131
+ ],
1132
+ "draft_notification": "GDPR Art.34 notification (draft for review): We are writing to notify you of an identity-provider compromise incident affecting systems that process your personal data. Affected systems: ${affected_systems}. Exposure window: ${exposure_window}. Containment actions completed: identity-provider signing keys and tokens rotated, sessions revoked, downstream audit logs reviewed. Recommended steps: ${recommended_actions}. DPO contact: ${dpo_contact}."
1133
+ },
1134
+ {
1135
+ "obligation_ref": "EU/NIS2 Art.23 24h",
1136
+ "deadline": "computed_at_runtime",
1137
+ "recipient": "internal_legal",
1138
+ "evidence_attached": [
1139
+ "idp_audit_log_excerpt",
1140
+ "exposure_window_estimate",
1141
+ "rotation_status"
1142
+ ],
1143
+ "draft_notification": "NIS2 Art.23 early-warning notification: Identity-provider tenant control-plane compromise on ${affected_system_count} downstream essential-service systems. Suspected exposure window: ${exposure_window}. Initial containment: signing keys rotated, sessions revoked, consent grants reviewed. Full incident assessment within 72h per Art.23(4)."
1144
+ },
1145
+ {
1146
+ "obligation_ref": "EU/DORA Art.19 4h",
1147
+ "deadline": "computed_at_runtime",
1148
+ "recipient": "internal_legal",
1149
+ "evidence_attached": [
1150
+ "idp_audit_log_excerpt",
1151
+ "affected_critical_or_important_functions",
1152
+ "containment_record"
1153
+ ],
1154
+ "draft_notification": "DORA Art.19 initial notification: Major-ICT-related incident — identity-provider tenant control-plane compromise affecting ${critical_or_important_function_count} critical or important functions. Initial containment: ${containment_actions}. Intermediate report (72h) and final report (1 month) to follow per Art.19(4)."
1155
+ },
1156
+ {
1157
+ "obligation_ref": "UK/UK GDPR Art.33 72h",
1158
+ "deadline": "computed_at_runtime",
1159
+ "recipient": "internal_legal",
1160
+ "evidence_attached": [
1161
+ "idp_audit_log_excerpt",
1162
+ "data_subject_impact_assessment"
1163
+ ],
1164
+ "draft_notification": "UK GDPR Art.33 72-hour notification to ICO: Identity-provider tenant control-plane compromise. Mirror of GDPR Art.33 notification body, addressed to ICO casework team."
1165
+ },
1166
+ {
1167
+ "obligation_ref": "US-NY/NYDFS 23 NYCRR 500.17 72h",
1168
+ "deadline": "computed_at_runtime",
1169
+ "recipient": "internal_legal",
1170
+ "evidence_attached": [
1171
+ "idp_audit_log_excerpt",
1172
+ "containment_record",
1173
+ "ciso_certification_status"
1174
+ ],
1175
+ "draft_notification": "NYDFS 23 NYCRR 500.17 72-hour cyber-event notification: Identity-provider tenant control-plane compromise affecting ${affected_nyregulated_entities}. Containment actions: ${containment_actions}. Class A designation status: ${class_a_status}. CISO certification cycle: ${ciso_certification_cycle}."
1176
+ },
1177
+ {
1178
+ "obligation_ref": "US-CA/CCPA / CPRA Sec.1798.82 1440h",
1179
+ "deadline": "computed_at_runtime",
1180
+ "recipient": "data_subjects",
1181
+ "evidence_attached": [
1182
+ "california_resident_records_affected",
1183
+ "containment_record"
1184
+ ],
1185
+ "draft_notification": "California breach notification: Identity-provider compromise that may have affected your personal information. ${incident_description}. ${types_of_information_affected}. ${steps_taken}. ${steps_individuals_can_take}. ${contact_information}."
1186
+ },
1187
+ {
1188
+ "obligation_ref": "AU/Privacy Act 1988 — Notifiable Data Breaches scheme (s26WK) 720h",
1189
+ "deadline": "computed_at_runtime",
1190
+ "recipient": "internal_legal",
1191
+ "evidence_attached": [
1192
+ "idp_audit_log_excerpt",
1193
+ "australian_resident_records_affected",
1194
+ "remediation_completed_evidence"
1195
+ ],
1196
+ "draft_notification": "OAIC NDB notification (draft for review): Identity-provider tenant compromise affecting ${australian_resident_count} Australian residents. Exposure window: ${exposure_window}. Remediation completed: ${remediation_summary}."
1197
+ }
1198
+ ],
1199
+ "exception_generation": {
1200
+ "trigger_condition": "coordinated_rekey_required == true OR (federation_modification_remediation_eta > obligation_window)",
1201
+ "exception_template": {
1202
+ "scope": "Federated-trust re-keying across ${relying_party_count} relying parties cannot be completed within ${obligation_window} due to ${blocking_reason}.",
1203
+ "duration": "until_vendor_patch",
1204
+ "compensating_controls": [
1205
+ "enhanced-audit-log-alerting-on-idp-control-plane",
1206
+ "incident-response-team-on-standby",
1207
+ "ip-allowlist-tightened-on-management-api",
1208
+ "session-ttl-reduced-during-exception-window",
1209
+ "downstream-rp-notification-tracker-active"
1210
+ ],
1211
+ "risk_acceptance_owner": "ciso",
1212
+ "auditor_ready_language": "Pursuant to ${framework_id} ${control_id}, the organization documents a time-bound risk acceptance for un-rotated federated-trust state on ${relying_party_count} relying parties due to ${blocking_reason_narrative}. Rotation ETA: ${rotation_eta}. Compensating controls in place: ${compensating_controls}. Residual exposure: tokens minted prior to rotation remain valid against unrotated relying parties; downstream audit logs are reviewed daily during the exception window. Risk accepted by ${ciso_name} on ${acceptance_date}. Time-bound until ${duration_expiry} or rotation completion, whichever is first. Detection coverage is provided by ${detection_controls}. The exception will be re-evaluated on (a) rotation completion, (b) listed expiry date, (c) any audit-log anomaly on the un-rotated federation — whichever is first."
1213
+ }
1214
+ },
1215
+ "regression_schedule": {
1216
+ "next_run": "computed_at_runtime",
1217
+ "trigger": "both",
1218
+ "notify_on_skip": true
1219
+ }
1220
+ }
1221
+ },
1222
+ "directives": [
1223
+ {
1224
+ "id": "okta-tenant-compromise",
1225
+ "title": "Okta tenant compromise — support-system / service-account / help-desk-social-engineering classes",
1226
+ "applies_to": {
1227
+ "always": true
1228
+ }
1229
+ },
1230
+ {
1231
+ "id": "entra-id-app-consent-abuse",
1232
+ "title": "Entra ID OAuth-app consent abuse — Midnight Blizzard / Cozy Bear pattern",
1233
+ "applies_to": {
1234
+ "attack_technique": "T1098.001"
1235
+ }
1236
+ },
1237
+ {
1238
+ "id": "auth0-management-api-leak",
1239
+ "title": "Auth0 management-API token leakage — IaC / CI credential exposure class",
1240
+ "applies_to": {
1241
+ "attack_technique": "T1078.004"
1242
+ }
1243
+ },
1244
+ {
1245
+ "id": "federated-trust-modification",
1246
+ "title": "Federated-trust modification — token-signing certificate or claim-transformation rule tampering",
1247
+ "applies_to": {
1248
+ "attack_technique": "T1556.007"
1249
+ }
1250
+ },
1251
+ {
1252
+ "id": "scattered-spider-help-desk-se",
1253
+ "title": "Scattered Spider help-desk social-engineering — MFA factor swap without password reset",
1254
+ "applies_to": {
1255
+ "attack_technique": "T1556.007"
1256
+ }
1257
+ }
1258
+ ]
1259
+ }