AN0027: Analytic 0027
Monitors cloud function creation triggered by specific audit log events (e.g., IAM changes, object creation), followed by anomalous behavior from new service accounts.
Analyst context for executives and security teams
This analytic matters because cloud functions can be created in response to audit-log events, such as IAM changes or object creation, and then operate through newly created service accounts. For leaders, the practical issue is whether cloud automation is observable enough to distinguish approved event-driven workflows from suspicious new identities and unexpected behavior in IaaS environments.
Executive priority
Prioritize this as a cloud security and identity-governance validation item. The business decision is not simply whether serverless functions are allowed, but whether the organization can prove who created them, what events trigger them, what service accounts they use, and whether those accounts begin behaving outside expected patterns. This supports incident readiness, audit evidence for privileged change monitoring, and control prioritization around cloud identity and automation.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring around cloud function creation, trigger configuration tied to audit-log events, and subsequent activity by new service accounts. Because ATT&CK provides no tactic mapping, no formal detection logic, and no relationship context for this analytic, teams should treat it as a coverage-validation pattern rather than a complete rule. Focus on correlating function creation with trigger source, IAM or object-related audit events, service account creation or assignment, and later anomalous service account actions in IaaS telemetry.
Likely telemetry
- Cloud audit logs for function creation and configuration changes
- Audit-log events related to IAM changes
- Audit-log events related to object creation
- Cloud function trigger configuration metadata
- Service account creation, assignment, and permission-change records
Detection direction
- Confirm that cloud function creation events are collected with actor, timestamp, project/account, region, trigger type, and associated service account details.
- Correlate newly created or modified cloud functions with audit-log event triggers, especially IAM-change and object-creation events identified in the ATT&CK description.
- Baseline expected service account behavior so that activity from newly created service accounts can be reviewed for anomalies rather than treated as automatically malicious.
- Tune for legitimate automation, CI/CD deployments, infrastructure-as-code activity, and approved event-driven workflows to reduce false positives.
- Identify blind spots where audit logs, function configuration history, or service account activity are not retained long enough for incident reconstruction.
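The correlation the bullets above describe (function creation, its audit-log trigger, the age of the bound service account, and that account's later actions measured against a baseline) can be sketched as a small detection routine. The following is an added illustration written for this page, not official ATT&CK logic or any provider's detection product. The events are constructed and use a simplified, assumed normalization (fields `ts`, `actor`, `method`, `resource`, `sa`, `trigger`); the method names, the baseline in `EXPECTED_METHODS`, the `APPROVED_DEPLOYERS` set and the 24-hour "new service account" window are all assumptions a team would replace with its own provider schema and observed workflows.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit events (not real telemetry, not a provider schema).
# Field names are assumptions for this illustration:
#   ts       ISO-8601 timestamp
#   actor    principal that performed the action (user or service account)
#   method   API method recorded in the audit log
#   resource target of the action
#   sa       runtime service account bound to a new function (CreateFunction only)
#   trigger  audit-log event the function is configured to fire on (CreateFunction only)
EVENTS = [
    # Approved CI/CD deployment: new SA plus an object-triggered function doing storage work.
    {"ts": "2026-01-10T09:00:00Z", "actor": "ci-deployer@example.test",
     "method": "iam.CreateServiceAccount", "resource": "sa:thumb-runner@example.test"},
    {"ts": "2026-01-10T09:01:00Z", "actor": "ci-deployer@example.test",
     "method": "functions.CreateFunction", "resource": "fn:thumbnailer",
     "sa": "sa:thumb-runner@example.test", "trigger": "storage.objects.create"},
    {"ts": "2026-01-10T09:30:00Z", "actor": "sa:thumb-runner@example.test",
     "method": "storage.objects.get", "resource": "bucket:uploads"},
    # Interactive user creates an SA, binds it to an IAM-triggered function; the SA then
    # changes project IAM policy and mints a key for another account.
    {"ts": "2026-01-10T22:10:00Z", "actor": "alice@example.test",
     "method": "iam.CreateServiceAccount", "resource": "sa:hook@example.test"},
    {"ts": "2026-01-10T22:12:00Z", "actor": "alice@example.test",
     "method": "functions.CreateFunction", "resource": "fn:iam-watcher",
     "sa": "sa:hook@example.test", "trigger": "iam.SetIamPolicy"},
    {"ts": "2026-01-10T22:40:00Z", "actor": "sa:hook@example.test",
     "method": "iam.SetIamPolicy", "resource": "project:prod"},
    {"ts": "2026-01-10T22:41:00Z", "actor": "sa:hook@example.test",
     "method": "iam.CreateServiceAccountKey", "resource": "sa:admin@example.test"},
]

# Trigger classes named in the analytic description (IAM changes, object creation).
WATCHED_TRIGGERS = {"iam.SetIamPolicy", "storage.objects.create"}
# A service account created within this window before the function counts as "new".
NEW_SA_WINDOW = timedelta(hours=24)
# Assumed baseline: methods an approved function of each trigger type is expected to call.
# In practice this comes from observed behaviour of approved workflows, not from a guess.
EXPECTED_METHODS = {
    "storage.objects.create": {"storage.objects.get", "storage.objects.create"},
    "iam.SetIamPolicy": {"logging.write", "pubsub.publish"},
}
# Deployment identities whose function creations are reviewed rather than alerted on.
APPROVED_DEPLOYERS = {"ci-deployer@example.test"}


def _ts(event):
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def correlate(events, approved=APPROVED_DEPLOYERS, window=NEW_SA_WINDOW):
    """Return findings as (function, trigger, service_account, reasons) tuples."""
    events = sorted(events, key=_ts)
    sa_created = {e["resource"]: _ts(e) for e in events
                  if e["method"] == "iam.CreateServiceAccount"}
    findings = []
    for e in events:
        if e["method"] != "functions.CreateFunction" or e.get("trigger") not in WATCHED_TRIGGERS:
            continue
        sa, created_at = e["sa"], _ts(e)
        reasons = []
        if e["actor"] not in approved:
            reasons.append("created by non-approved actor " + e["actor"])
        if sa in sa_created and created_at - sa_created[sa] <= window:
            reasons.append("runtime service account created within window")
        expected = EXPECTED_METHODS.get(e["trigger"], set())
        anomalous = sorted({x["method"] for x in events
                            if x["actor"] == sa and _ts(x) > created_at
                            and x["method"] not in expected})
        if anomalous:
            reasons.append("anomalous service account actions: " + ", ".join(anomalous))
        # A new identity alone is normal for IaC and CI/CD; alert only when it is paired
        # with at least one further indicator (unexpected actor or off-baseline actions).
        if len(reasons) >= 2:
            findings.append((e["resource"], e["trigger"], sa, reasons))
    return findings


if __name__ == "__main__":
    for fn, trig, sa, why in correlate(EVENTS):
        print(f"{fn} (trigger={trig}, sa={sa})")
        for r in why:
            print("  -", r)
```

Run against the constructed events, the approved `thumbnailer` deployment produces no finding (new service account, but approved actor and on-baseline actions), while `iam-watcher` is flagged on all three signals. The two-signal threshold is the tuning point: lowering it surfaces every new function-and-identity pair for review, raising it trades coverage for fewer false positives from legitimate automation.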
Mitigation priorities
- Establish governance for who can create cloud functions and assign service accounts in IaaS environments.
- Require review of event-driven cloud functions that are triggered by audit-log events involving IAM or object creation.
- Apply least-privilege permissions to service accounts used by cloud functions and review new service accounts promptly.
- Maintain logging and retention for cloud function configuration, IAM changes, object creation events, and service account activity.
- Document approved automation patterns so SOC and IR teams can distinguish expected workflows from suspicious new function-and-identity combinations.
Analyst notes and limits
This Glexia take is based on an ATT&CK detection analytic, AN0027, for IaaS environments. The official description is narrow: it monitors cloud function creation triggered by specific audit-log events, followed by anomalous behavior from new service accounts. No ATT&CK tactics, relationships, aliases, labels, or official detection logic were supplied.
Coverage and risk cannot be inferred from the ATT&CK object alone. Local cloud provider configuration, logging scope, retention, identity model, and approved automation patterns are required to determine whether this analytic is implementable or high priority in a specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a0ecdffc7683… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0027 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.