AN0017: Analytic 0017
Cloud login from atypical geolocation or user-agent string, followed by resource enumeration or infrastructure manipulation using cloud CLI/API
Analyst context for executives and security teams
This analytic matters because it looks for a common cloud-risk pattern: a login that does not look normal for the user, followed by activity that explores or changes cloud infrastructure through CLI/API access. For leaders, the business issue is not just an unusual login; it is whether the organization can quickly tell if cloud access has turned into resource discovery or infrastructure manipulation that could affect availability, cost, data exposure, or incident scope.
Executive priority
Prioritize this as a cloud identity and operational resilience validation item for IaaS environments. Security leaders should ask whether cloud login context, API activity, and resource-change evidence are collected in one place and reviewed quickly enough to support incident decisions. This analytic can also support compliance and audit conversations by demonstrating that the organization monitors anomalous cloud access followed by potentially sensitive administrative behavior.
Technical view
For SOC, detection engineering, and IR teams, validate whether alerts can correlate three evidence areas: atypical cloud login geolocation, atypical user-agent string, and subsequent cloud CLI/API-driven resource enumeration or infrastructure manipulation. Because the supplied ATT&CK object does not specify tactics, procedures, thresholds, or detection logic, teams should tune locally against known administrator behavior, automation accounts, service accounts, VPN/proxy use, and expected CI/CD or infrastructure-as-code activity.
Likely telemetry
- Cloud identity sign-in logs for IaaS access
- Geolocation and source network metadata associated with cloud logins
- User-agent strings from cloud authentication and API activity
- Cloud CLI/API audit logs
- Resource enumeration events in cloud control-plane logs
Detection direction
- Confirm that cloud login events and cloud CLI/API audit events can be correlated by user, role, session, source, and time window.
- Baseline normal geographies and user-agent strings for administrators, automation, and service accounts before treating deviations as high confidence.
- Tune for the sequence described by the analytic: atypical login context followed by resource enumeration or infrastructure manipulation, rather than either condition alone.
- Review expected sources of false positives, including travel, VPN egress changes, new administrative workstations, cloud shell usage, CI/CD systems, and infrastructure-as-code pipelines.
- Assess blind spots where API activity is logged but not retained, where user-agent fields are missing or normalized away, or where identity context is not joined to cloud control-plane events.
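The detection direction above is a sequence test, not two independent anomaly checks, and it only works once sign-in context and control-plane audit records are joined on the same principal, session and time window. The following Python is an added example written for this page, not code from Glexia or MITRE: it builds a per-principal baseline of countries and user-agent families from historical sign-ins, flags a sign-in whose country or UA family is outside that baseline, and raises an alert only when the same principal (and session, where the audit record carries one) performs enumeration or manipulation calls within a short window afterwards. The field names, the two action sets and every event below are constructed, provider-neutral assumptions; map your provider's real action names and log fields into them locally.

```python
"""AN0017-style sequence detection over constructed cloud sign-in and API audit events.
All field names, action names and sample records are assumptions for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed, provider-neutral action classification (an assumption for this
# example). Map the provider's actual action names into these two sets locally.
ENUMERATION_ACTIONS = {"ListInstances", "ListBuckets", "DescribeSecurityGroups", "ListRoles"}
MANIPULATION_ACTIONS = {"RunInstances", "UpdateSecurityGroupRules", "CreateAccessKey", "DeleteBucket"}


@dataclass(frozen=True)
class SignIn:
    principal: str
    session: str
    ts: datetime
    country: str
    user_agent: str


@dataclass(frozen=True)
class ApiCall:
    principal: str
    session: Optional[str]  # None when the audit record carries no session identifier
    ts: datetime
    action: str


def ua_family(user_agent: str) -> str:
    """Collapse a user-agent string to its product token so a version bump of the
    same CLI/SDK ('aws-cli/2.15.30 ...' -> 'aws-cli') does not look like a new client."""
    return user_agent.split("/", 1)[0].split(" ", 1)[0].lower()


def build_baseline(history):
    """Per-principal sets of countries and UA families seen during the baseline window."""
    countries, families = defaultdict(set), defaultdict(set)
    for s in history:
        countries[s.principal].add(s.country)
        families[s.principal].add(ua_family(s.user_agent))
    return countries, families


def detect(history, signins, api_calls, window=timedelta(minutes=30), exclude=frozenset()):
    """One alert per atypical sign-in that is followed, within `window`, by enumeration or
    manipulation calls from the same principal (and same session when the record has one).
    An atypical login alone, or sensitive API calls alone, produce no alert."""
    countries, families = build_baseline(history)
    calls_by_principal = defaultdict(list)
    for c in api_calls:
        calls_by_principal[c.principal].append(c)

    alerts = []
    for s in signins:
        if s.principal in exclude:
            continue  # automation/CI principals need their own baseline, not this one
        reasons = []
        if s.country not in countries[s.principal]:
            reasons.append(f"new country {s.country}")
        if ua_family(s.user_agent) not in families[s.principal]:
            reasons.append(f"new user-agent family {ua_family(s.user_agent)}")
        if not reasons:
            continue  # login context is normal for this principal
        followed = [c for c in calls_by_principal[s.principal]
                    if s.ts <= c.ts <= s.ts + window
                    and (c.session is None or c.session == s.session)]
        enum = sorted({c.action for c in followed if c.action in ENUMERATION_ACTIONS})
        manip = sorted({c.action for c in followed if c.action in MANIPULATION_ACTIONS})
        if not (enum or manip):
            continue  # atypical login alone is not the sequence the analytic describes
        alerts.append({"principal": s.principal, "session": s.session, "login_ts": s.ts,
                       "reasons": reasons, "enumeration": enum, "manipulation": manip})
    return alerts


T0 = datetime(2024, 5, 6, 9, 0)  # constructed reference time
HISTORY = [  # constructed baseline sign-ins: what "normal" looks like per principal
    SignIn("alice", "h1", T0 - timedelta(days=20), "US", "aws-cli/2.15.30 Python/3.11.4 Linux/6.5"),
    SignIn("alice", "h2", T0 - timedelta(days=9), "US", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"),
    SignIn("bob", "h3", T0 - timedelta(days=3), "DE", "Mozilla/5.0 (Macintosh) Safari/605.1"),
]
SIGNINS = [  # constructed sign-ins for the day under review
    SignIn("alice", "s1", T0, "US", "aws-cli/2.16.1 Python/3.12.2 Linux/6.8"),                 # normal
    SignIn("alice", "s2", T0 + timedelta(hours=3), "RO", "python-requests/2.31.0"),             # atypical
    SignIn("bob", "s3", T0 + timedelta(hours=1), "BR", "Mozilla/5.0 (Macintosh) Safari/605.1"),  # new country
    SignIn("ci-deploy", "s4", T0, "SG", "terraform/1.7.0"),                                    # excluded
]
API_CALLS = [  # constructed control-plane audit records
    ApiCall("alice", "s1", T0 + timedelta(minutes=2), "ListInstances"),        # after a normal login
    ApiCall("alice", "s2", T0 + timedelta(hours=3, minutes=4), "ListRoles"),
    ApiCall("alice", "s2", T0 + timedelta(hours=3, minutes=6), "ListBuckets"),
    ApiCall("alice", "s2", T0 + timedelta(hours=3, minutes=11), "CreateAccessKey"),
    ApiCall("bob", "s3", T0 + timedelta(hours=3), "RunInstances"),              # 2h after login: outside window
    ApiCall("ci-deploy", "s4", T0 + timedelta(minutes=1), "RunInstances"),
]


def run_example():
    return detect(HISTORY, SIGNINS, API_CALLS, exclude=frozenset({"ci-deploy"}))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Only alice's second session fires: the baseline absorbs her CLI version bump, bob's new-country login has no in-window API activity, and the CI principal is excluded so it can be baselined against its own expected egress. In production, the baseline window, the 30-minute follow-on window and the action sets are the tuning knobs the page's detection direction refers to, and the session join should fall back to principal plus time window only when the provider's audit record lacks a session identifier.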
Mitigation priorities
- Ensure IaaS identity, sign-in, and control-plane audit logging are enabled, retained, and accessible for investigation.
- Strengthen cloud identity controls around administrative and API access, including least privilege and review of accounts capable of resource enumeration or infrastructure manipulation.
- Define normal administrative access patterns for users, roles, automation, and service accounts so anomalous geolocation or user-agent changes are meaningful.
- Establish IR playbooks for suspicious cloud login followed by CLI/API activity, including session review, credential validation, permission review, and resource-change scoping.
- Use the analytic as a coverage test for managed detection, cloud security monitoring, and compliance evidence around privileged cloud activity monitoring.
Analyst notes and limits
The object is an ATT&CK detection analytic, not a technique or procedure. Its value is in validating cloud monitoring coverage for an IaaS control-plane sequence: atypical login context followed by CLI/API activity against resources. No relationship context was supplied, so this take does not infer related ATT&CK techniques, adversaries, tools, campaigns, or tactics.
The official detection field is not provided, tactics are not specified, and no relationships are supplied. Local baselines, cloud provider log formats, identity architecture, and administrative workflows are required to turn this into reliable detection logic. The object supports IaaS only; no other platforms should be assumed.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 71ebc24a0427… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0017
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.