AN0005: Analytic 0005
Detects pub/sub traffic over unusual ports, high-frequency topic publications, and connections to known-bad or dynamic broker endpoints outside allowlisted infrastructure.
Analyst context for executives and security teams
This analytic matters because publish/subscribe network traffic can be legitimate infrastructure messaging, but the same pattern can become risky when it appears on unexpected ports, publishes at abnormal frequency, or connects to broker endpoints that are known-bad, dynamic, or outside approved infrastructure. For leaders, the decision value is whether the organization can distinguish authorized broker communications from unmanaged or suspicious network messaging before it affects monitoring, incident response, or operational resilience.
Executive priority
Prioritize this as a network visibility and control-validation issue for environments that rely on brokered messaging or tightly governed network paths. Executives should ask whether approved broker infrastructure is documented, whether network teams maintain allowlists, and whether the SOC can show evidence of unusual ports, high-frequency publication behavior, and external broker connections. The business risk is not proven compromise from this object alone; it is the operational blind spot created when broker-like traffic blends into normal network activity without baselines or ownership.
Technical view
The supplied ATT&CK analytic is scoped to Network Devices and focuses on three observable conditions: pub/sub traffic over unusual ports, high-frequency topic publications, and connections to known-bad or dynamic broker endpoints outside allowlisted infrastructure. SOC and detection teams should validate whether network telemetry can identify broker-style traffic patterns, ports, connection destinations, endpoint reputation or dynamism, and deviations from approved broker infrastructure. Because no ATT&CK tactic, technique relationship, or official detection logic is supplied, teams should treat this as a detection strategy prompt rather than a ready-to-deploy rule.
Likely telemetry
- Network device logs showing source, destination, port, protocol, and connection timing
- Flow records or equivalent network session metadata for frequency and volume baselining
- Firewall, proxy, or gateway logs that can identify connections outside approved broker infrastructure
- Allowlist or asset inventory data for authorized broker endpoints and expected ports
- Threat intelligence or reputation context for known-bad broker endpoints where available
Detection direction
- Validate that approved pub/sub broker infrastructure and expected ports are explicitly documented; otherwise 'unusual' cannot be measured reliably.
- Baseline normal publication frequency and connection patterns before alerting on high-frequency topic publication to reduce false positives from legitimate high-volume messaging systems.
- Tune detections around combinations of suspicious conditions, such as unusual port plus non-allowlisted broker endpoint, rather than relying on a single weak signal.
- Check for blind spots where network devices log only connection metadata and not enough protocol context to recognize pub/sub behavior.
- Use allowlist exceptions carefully and review them periodically, because stale broker inventories can suppress meaningful alerts.
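To make the "combinations of conditions" guidance above concrete, here is an added Python example (not MITRE's or Glexia's code) that scores constructed flow records against the three AN0005 conditions using a local broker allowlist, a reputation list and a publication-rate baseline; every endpoint, port, threshold and flow value is an assumption for illustration only.

```python
from dataclasses import dataclass

# Assumed local inventory: approved broker endpoint -> expected ports (constructed values).
APPROVED_BROKERS = {"10.20.0.5": {1883, 8883}}
ALL_EXPECTED_PORTS = set().union(*APPROVED_BROKERS.values())
KNOWN_BAD = {"198.51.100.7"}          # placeholder entry standing in for a reputation feed
BASELINE_MSGS_PER_MIN = 120           # assumed baseline from legitimate publishers
RATE_MULTIPLIER = 5                   # flag publication rates above 5x baseline

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    msgs: int       # pub/sub messages observed in the window
    window_s: int   # length of the observation window in seconds

def evaluate(flow):
    """Return the list of AN0005 conditions a single flow satisfies."""
    findings = []
    approved_ports = APPROVED_BROKERS.get(flow.dst)
    if approved_ports is None:
        findings.append("non_allowlisted_broker")
    if flow.dport not in (approved_ports or ALL_EXPECTED_PORTS):
        findings.append("unusual_port")
    if flow.dst in KNOWN_BAD:
        findings.append("known_bad_broker")
    rate_per_min = flow.msgs / (flow.window_s / 60)
    if rate_per_min > BASELINE_MSGS_PER_MIN * RATE_MULTIPLIER:
        findings.append("high_frequency_publish")
    return findings

def severity(findings):
    """Follow the page's guidance: escalate on combinations, not on one weak signal."""
    if "known_bad_broker" in findings:
        return "high"
    if len(findings) >= 2:
        return "medium"
    return "low" if findings else "none"

# Constructed flow records covering the expected outcomes.
FLOWS = [
    Flow("10.20.1.10", "10.20.0.5", 8883, 600, 300),     # approved broker and port, baseline rate
    Flow("10.20.1.11", "10.20.0.5", 9001, 100, 300),     # approved broker on an unexpected port
    Flow("10.20.1.12", "203.0.113.9", 1883, 5000, 300),  # unmanaged broker plus abnormal rate
    Flow("10.20.1.13", "198.51.100.7", 4444, 10, 300),   # known-bad endpoint on an odd port
]

def triage(flows=FLOWS):
    """Return (destination, findings, severity) for each flow, ready for a SOC queue."""
    return [(f.dst, evaluate(f), severity(evaluate(f))) for f in flows]
```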
Mitigation priorities
- Create and maintain an authoritative inventory of approved broker infrastructure, expected ports, and owning teams.
- Restrict broker communications to approved destinations and ports where network architecture permits.
- Ensure network devices, firewalls, proxies, or gateways generate usable telemetry for broker-related connections and frequency analysis.
- Establish SOC playbooks for investigating non-allowlisted broker endpoints, unusual ports, and abnormal publication rates.
- Review exceptions and allowlists as part of change management and compliance evidence collection.
Analyst notes and limits
This take is based on MITRE ATT&CK analytic AN0005 in the enterprise-attack domain. The object describes detection intent but does not provide a formal detection query, tactics, technique relationships, aliases, or campaign context. The strongest defensive use is to validate network monitoring coverage, broker allowlisting, and baselining practices.
No relationship context, official detection logic, ATT&CK tactic mapping, or specific protocol details were supplied. Local environment knowledge is required to define approved broker endpoints, expected ports, normal publication frequency, and acceptable dynamic destinations.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 68c266c5927c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0005 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.