MITRE ATT&CK® Analytic

AN0339: Analytic 0339

Deletion or disablement of user accounts in platforms like Okta, Salesforce, or Zoom with anomalies in admin session attributes or mass actions within short duration.

Enterprise | AN0339 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because rapid deletion or disablement of user accounts in SaaS platforms can directly affect business continuity, workforce access, customer operations, and incident response visibility. In environments such as Okta, Salesforce, or Zoom, unusual admin-session attributes or many account actions in a short period should prompt leaders to ask whether administrative activity is authorized, change-controlled, and recoverable.

Executive priority

Prioritize this as a SaaS identity and administration control-validation use case. The business question is whether the organization can quickly distinguish legitimate bulk account administration from suspicious or disruptive account changes, preserve evidence, and restore access where needed. It is especially relevant to IAM governance, SaaS security monitoring, audit evidence for privileged activity, and incident decision-making during suspected account compromise or insider-risk scenarios.

Technical view

Validate whether SaaS administrative audit logs capture account deletion and disablement events, the acting administrator, affected users, timestamps, session attributes, source network context, and whether actions occur in bulk or within a short duration. Because ATT&CK provides no official detection logic for this analytic and no tactic mapping in the supplied object, detection teams should treat this as a behavior pattern to operationalize locally: anomalous administrative sessions plus unusual volume or velocity of user-account state changes in SaaS platforms.

Likely telemetry

  • SaaS administrative audit logs for user deletion and user disablement events
  • Administrator identity and role/permission context
  • Admin session attributes such as source IP, device/browser/session metadata where available
  • Timestamps and counts of affected accounts to identify mass actions in a short duration
  • Change-management or ticketing records for authorized bulk deprovisioning

Detection direction

  • Baseline normal account deprovisioning volumes by platform, business unit, administrator role, and time window.
  • Alert on mass deletion or disablement of user accounts over short durations, especially when not matched to approved change activity.
  • Correlate suspicious account actions with anomalous admin session attributes, such as unusual source location, unfamiliar device context, or atypical login/session behavior where the SaaS audit source supports it.
  • Tune for legitimate HR offboarding, mergers, license cleanup, test tenants, and scheduled administrative maintenance to reduce false positives.
  • Confirm logging retention and field completeness before relying on this analytic; many gaps will come from SaaS audit-plan limitations, inconsistent admin telemetry, or lack of ticket/change correlation.
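The detection direction above can be expressed as a small sliding-window detector that correlates three things: the velocity of account-state changes per administrator, the admin's session attributes against a per-admin baseline, and whether the action falls inside an approved change window. The following is an added illustrative example, not ATT&CK content or any vendor's logic; the event field names, the action names (loosely modelled on SaaS lifecycle events), the threshold, the baseline values, the change-ticket records and the sample audit lines are all constructed for the demo.

```python
"""Mass account disable/delete detection with admin-session anomaly correlation.

Added example: the event schema, action names, thresholds, baseline data and
sample audit events below are constructed for illustration and are not a
vendor's audit-log format or MITRE's detection logic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Actions that change a user's account state (assumed names for the demo).
ACCOUNT_STATE_ACTIONS = {"user.lifecycle.deactivate", "user.lifecycle.delete"}

# Detection parameters: MASS_THRESHOLD or more state changes by one admin within WINDOW.
MASS_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed per-admin session baseline (what a learned baseline would hold).
ADMIN_BASELINE = {
    "admin.a": {"src_ips": {"203.0.113.10"}, "user_agents": {"Chrome/120"}},
    "admin.b": {"src_ips": {"203.0.113.11"}, "user_agents": {"Firefox/122"}},
}

# Constructed approved bulk-deprovisioning change records: ticket id -> (start, end).
APPROVED_CHANGES = {
    "CHG-100": (datetime(2024, 3, 1, 8, 30, tzinfo=timezone.utc),
                datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)),
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def session_anomalies(event):
    """Return the session attributes that deviate from the acting admin's baseline."""
    base = ADMIN_BASELINE.get(event["actor"])
    if base is None:
        return ["unknown_admin"]
    flags = []
    if event["src_ip"] not in base["src_ips"]:
        flags.append("new_src_ip")
    if event["user_agent"] not in base["user_agents"]:
        flags.append("new_user_agent")
    return flags


def change_approved(event, ts):
    """True when the event cites a ticket whose approved window covers the timestamp."""
    win = APPROVED_CHANGES.get(event.get("ticket"))
    return win is not None and win[0] <= ts <= win[1]


def detect(events):
    """Emit findings for mass account-state changes and for changes from anomalous sessions.

    A mass finding is raised when one admin reaches MASS_THRESHOLD state changes inside
    WINDOW; the window is then reset so a longer run yields one finding per threshold.
    A session finding is raised once per (admin, src_ip, user_agent) that deviates from
    the baseline, and accumulates the number of account changes made in that context.
    """
    findings = []
    recent = defaultdict(deque)   # actor -> timestamps of recent state changes
    session_findings = {}         # (actor, src_ip, user_agent) -> finding dict
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in ACCOUNT_STATE_ACTIONS:
            continue
        ts = parse_ts(ev["ts"])
        anomalies = session_anomalies(ev)
        approved = change_approved(ev, ts)

        if anomalies:
            key = (ev["actor"], ev["src_ip"], ev["user_agent"])
            f = session_findings.get(key)
            if f is None:
                f = {"type": "account_change_from_anomalous_session", "actor": ev["actor"],
                     "src_ip": ev["src_ip"], "user_agent": ev["user_agent"],
                     "anomalies": anomalies, "approved": approved, "changes": 0,
                     "targets": [], "severity": "low" if approved else "medium"}
                session_findings[key] = f
                findings.append(f)
            f["changes"] += 1
            f["targets"].append(ev["target"])
            f["approved"] = f["approved"] and approved

        q = recent[ev["actor"]]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= MASS_THRESHOLD:
            if anomalies and not approved:
                sev = "high"
            elif anomalies or not approved:
                sev = "medium"
            else:
                sev = "info"   # approved, baseline session: e.g. scheduled HR offboarding
            findings.append({"type": "mass_account_change", "actor": ev["actor"],
                             "count": len(q), "window_start": q[0].isoformat(),
                             "approved": approved, "anomalies": anomalies, "severity": sev})
            q.clear()
    return findings


def _ev(ts, actor, action, target, src_ip, ua, ticket=None):
    return {"ts": ts, "actor": actor, "action": action, "target": target,
            "src_ip": src_ip, "user_agent": ua, "ticket": ticket}


# Constructed sample audit events (not real tenant data).
SAMPLE_EVENTS = (
    # Approved offboarding: admin.a deactivates 6 users in 2 minutes, known IP/UA, ticket cited.
    [_ev(f"2024-03-01T09:0{i // 3}:{(i % 3) * 20:02d}Z", "admin.a", "user.lifecycle.deactivate",
         f"leaver{i}", "203.0.113.10", "Chrome/120", "CHG-100") for i in range(6)]
    + [_ev("2024-03-01T09:05:00Z", "admin.a", "user.session.start", "-", "203.0.113.10", "Chrome/120")]
    # Suspicious: admin.b deletes 7 users in 90 seconds from an unfamiliar IP and a scripted client, no ticket.
    + [_ev(f"2024-03-01T13:1{i // 4}:{(i % 4) * 15:02d}Z", "admin.b", "user.lifecycle.delete",
           f"user{i}", "198.51.100.7", "python-requests/2.31") for i in range(7)]
    # Routine single deactivation later in the day: no finding expected.
    + [_ev("2024-03-01T15:00:00Z", "admin.a", "user.lifecycle.deactivate", "leaver99",
           "203.0.113.10", "Chrome/120")]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the detector returns three findings: an informational mass finding for admin.a (five changes, approved ticket, baseline session), a medium session finding for admin.b (seven changes from a new IP and a new user agent, no ticket) and a high mass finding for admin.b. The single later deactivation by admin.a produces nothing. In a real deployment the baseline and approved-change tables would be populated from identity telemetry and the change-management system rather than embedded constants, and the window and threshold tuned per platform and admin role as the bullet list above suggests.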

Mitigation priorities

  • Enforce least-privilege administrative roles for SaaS user management.
  • Require strong authentication and controlled access for SaaS administrators.
  • Use change approval and documented workflows for bulk user deletion or disablement.
  • Retain SaaS audit logs long enough to support investigation and compliance evidence.
  • Establish recovery procedures for accidental or unauthorized account disablement or deletion where platform capabilities allow.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for SaaS platforms and specifically names Okta, Salesforce, and Zoom as examples. It describes suspicious deletion or disablement of user accounts when paired with anomalous admin session attributes or mass actions in a short duration. No ATT&CK relationships, tactic mapping, or official detection content were supplied, so implementation should be driven by local SaaS logging capabilities and administrative process knowledge.

This take is limited to the official STIX fields, external reference, and provided context. It does not establish adversary attribution, active exploitation, specific ATT&CK tactics, or guaranteed detection coverage. Local platform configuration, audit-log licensing, identity architecture, and change-management data are required to determine real coverage and alert fidelity.

Official MITRE ATT&CK definition

Analytic 0339

Deletion or disablement of user accounts in platforms like Okta, Salesforce, or Zoom with anomalies in admin session attributes or mass actions within short duration.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
3843afd600279655...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 3843afd60027…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0339

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.