AN0202: Analytic 0202
Session cookie reuse on unmanaged browsers, devices, or client types deviating from user baseline (e.g., switching from Chrome to curl).
Analyst context for executives and security teams
This analytic is about spotting SaaS session cookie reuse from browsers, devices, or client types that do not match a user’s normal pattern, such as a session normally seen in Chrome suddenly appearing from curl. For leaders, the practical value is identity and SaaS resilience: session cookies can allow access without a fresh password or MFA prompt, so visibility into abnormal session use can materially improve account-takeover investigation and response readiness.
Executive priority
Prioritize this as an identity and SaaS monitoring control validation item. Security leaders should ask whether critical SaaS platforms expose enough session, browser, device, and client telemetry to identify abnormal reuse, and whether SOC and incident response teams have a process to revoke sessions quickly when suspicious behavior is confirmed. This also supports audit and compliance evidence around account monitoring and response, but the supplied ATT&CK object does not provide specific regulatory mappings or impact claims.
Technical view
Validate whether SaaS logs can show session identifiers or session-correlated activity, user identity, browser or user-agent, device posture or managed/unmanaged status, client type, source network context, and historical user baseline. Detection logic should focus on deviations from a user’s normal access pattern, especially session activity from unmanaged browsers, unmanaged devices, or unusual client types. Because ATT&CK provides no official detection text and no relationship context for this analytic, teams should treat it as a detection design prompt rather than a complete rule.
Likely telemetry
- SaaS authentication and session activity logs
- User identity and account activity records
- Browser, user-agent, or client-type fields
- Device management or managed/unmanaged device indicators
- Source IP, network, and geolocation context where available
Detection direction
- Confirm that SaaS platforms actually log the fields needed to compare session activity against user baselines.
- Tune for meaningful deviations, such as a session appearing from an unmanaged browser, unmanaged device, or unexpected client type rather than alerting on every browser change.
- Account for legitimate user behavior such as device replacement, travel, browser updates, automation, accessibility tools, or approved API/client usage.
- Correlate suspicious session reuse with other account activity before escalation where possible, because the supplied object does not define a complete detection method.
- Validate response handoffs: analysts should know how to confirm suspicious session behavior and trigger session revocation or account containment.
Mitigation priorities
- Inventory critical SaaS applications and determine which provide sufficient session, browser, device, and client telemetry.
- Enforce managed-device and approved-client access policies where supported by the SaaS environment.
- Establish rapid session revocation and account containment procedures for suspected session misuse.
- Maintain user and device baselines for high-risk roles and sensitive SaaS applications.
- Review gaps where SaaS logging, device posture, or identity controls cannot distinguish managed from unmanaged access.
Analyst notes and limits
This ATT&CK object is a detection analytic for SaaS environments focused on session cookie reuse that deviates from a user baseline. There are no supplied tactics, relationships, aliases, or official detection details. Use it to drive control validation and telemetry assessment rather than as a finished detection rule.
The source object provides only a short description and external reference. It does not specify affected SaaS products, required log fields, detection logic, false-positive rates, adversary attribution, active exploitation, or ATT&CK relationships. Local SaaS logging, identity architecture, device management coverage, and baseline quality are required to assess feasibility.
Analytic 0202
Session cookie reuse on unmanaged browsers, devices, or client types deviating from user baseline (e.g., switching from Chrome to curl).
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 9293f2a4ed54… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0202Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.