AN0370: Analytic 0370
Detects access to cloud APIs or CLI tools to move or sync files from sensitive buckets to external endpoints using protocols like HTTPS or S3 APIs.
Analyst context for executives and security teams
AN0370 is a cloud-focused detection analytic for identifying possible movement or synchronization of files from sensitive storage buckets to external destinations through cloud APIs, CLI tools, HTTPS, or S3-style APIs. For leaders, the practical issue is not the tool itself but whether the organization can prove it would notice unusual bulk movement of sensitive cloud data before it becomes a business, legal, or operational incident.
Executive priority
Prioritize this as a cloud data exposure and incident-readiness validation item for IaaS environments that use sensitive object storage. Executives and risk owners should ask whether critical buckets are inventoried, whether external transfers are logged and reviewed, and whether SOC and IR teams can quickly distinguish approved backup, replication, or data-processing activity from suspicious movement to external endpoints. This supports cloud security governance, audit evidence, and breach-response decision-making, but the supplied ATT&CK object does not provide evidence of active exploitation or a specific adversary campaign.
Technical view
SOC and detection teams should validate visibility into cloud API and CLI access involving sensitive buckets, especially operations consistent with file movement or synchronization to destinations outside expected accounts, networks, or services. Because ATT&CK does not provide a specific detection query for this analytic, teams should build local logic around known sensitive bucket inventories, approved data-transfer paths, authentication context, source identity, destination endpoint, transfer volume, frequency, and protocol use such as HTTPS or S3 APIs. Incident responders should ensure alerts preserve enough context to answer: who initiated the transfer, from where, using what credentials or role, which bucket/object paths were accessed, what destination was used, and whether the activity matches approved business workflows.
Likely telemetry
- IaaS cloud API audit logs for object storage access and file operations
- Cloud CLI/API authentication and session context, including user, role, service account, and source location
- Object storage access logs showing bucket, object path, operation type, volume, and timing
- Network or egress telemetry for HTTPS or S3 API traffic to external endpoints where available
- Cloud security posture or asset inventory data identifying sensitive buckets
Detection direction
- Start with an authoritative list of sensitive buckets; without that context, this analytic will either miss important movement or generate noisy alerts.
- Tune for access patterns consistent with moving or syncing files to external endpoints, including unusual volume, new destination, new identity, unusual source location, or activity outside approved workflows.
- Correlate object storage activity with identity context so detections can distinguish human users, automation, service roles, and expected data pipelines.
- Expect false positives from legitimate backup, migration, replication, analytics, and managed file-transfer jobs; require allowlists or baselines with ownership and review dates.
- Validate that logs include enough destination detail for HTTPS or S3 API transfers; many environments collect API activity but lack usable egress or endpoint context.
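The detection direction above, as an added example that is not ATT&CK's or Glexia's code: a small Python routine that runs AN0370-style logic over constructed, CloudTrail-shaped S3 data events. The bucket inventory, owned-bucket set, corporate egress range, the approved transfer paths (each with an owner and a review date, so stale entries stop suppressing), the volume threshold and every principal and IP address are hypothetical local context, not values from the analytic. Each alert keeps the context an incident responder needs: who, from where, which bucket and objects, and which destination.

```python
"""Added example (not ATT&CK or Glexia code): AN0370-style detection logic run
over constructed, CloudTrail-shaped S3 data events. Bucket names, principals,
IP ranges, dates and the allowlist below are hypothetical local context."""
import ipaddress
import json
from collections import defaultdict
from datetime import date

# Hypothetical local context the analytic depends on.
SENSITIVE_BUCKETS = {"acme-hr-records", "acme-customer-exports"}
OWNED_BUCKETS = SENSITIVE_BUCKETS | {"acme-backup-vault"}
CORP_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]  # TEST-NET-2, constructed
VOLUME_THRESHOLD = 3   # objects per (principal, bucket) within the reviewed window
AS_OF = date(2025, 6, 1)  # constructed "today" used to age the allowlist
# Approved transfer paths carry an owner and a review date; entries past review stop suppressing.
APPROVED_PATHS = [
    {"principal": "arn:aws:iam::111111111111:role/backup-replicator",
     "bucket": "acme-hr-records", "ops": {"GetObject", "CopyObject"},
     "owner": "it-backup@example.com", "review_by": date(2030, 1, 1)},
    {"principal": "arn:aws:iam::111111111111:role/legacy-etl",
     "bucket": "acme-customer-exports", "ops": {"GetObject"},
     "owner": "data-eng@example.com", "review_by": date(2020, 1, 1)},  # stale
]

def _event(name, arn, ip, bucket, key, dest=None):
    """Build one constructed CloudTrail-shaped S3 data event as a JSON line."""
    params = {"bucketName": dest or bucket, "key": key}
    if dest:  # CopyObject: destination in bucketName, origin in x-amz-copy-source
        params["x-amz-copy-source"] = f"{bucket}/{key}"
    return json.dumps({"eventSource": "s3.amazonaws.com", "eventName": name,
                       "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
                       "requestParameters": params})

BACKUP = "arn:aws:iam::111111111111:role/backup-replicator"
ETL = "arn:aws:iam::111111111111:role/legacy-etl"
USER = "arn:aws:iam::111111111111:user/contractor"
SAMPLE_EVENTS = [  # constructed sample log lines
    _event("CopyObject", BACKUP, "198.51.100.7", "acme-hr-records", "2024/payroll.csv", dest="acme-backup-vault"),
    _event("GetObject", ETL, "198.51.100.9", "acme-customer-exports", "part-0001.parquet"),
    _event("GetObject", USER, "203.0.113.5", "acme-hr-records", "employees.csv"),
    _event("GetObject", USER, "203.0.113.5", "acme-hr-records", "salaries.csv"),
    _event("CopyObject", USER, "203.0.113.5", "acme-hr-records", "reviews.csv", dest="attacker-drop"),
    _event("GetObject", USER, "198.51.100.9", "acme-public-assets", "logo.png"),
]

def _source_bucket(ev):
    """Bucket the object came from: copy source for CopyObject, else bucketName."""
    src = ev["requestParameters"].get("x-amz-copy-source")
    return src.split("/", 1)[0] if src else ev["requestParameters"]["bucketName"]

def _approval(principal, bucket, op, today):
    """Return 'ok', 'stale' (past review date) or None for this transfer path."""
    for p in APPROVED_PATHS:
        if p["principal"] == principal and p["bucket"] == bucket and op in p["ops"]:
            return "ok" if p["review_by"] >= today else "stale"
    return None

def _outside_corp(ip_text):
    """True if the source is a routable address outside the corporate egress ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # e.g. "AWS Internal"; leave the egress check to other signals
        return False
    return not any(ip in net for net in CORP_EGRESS)

def analyze(raw_events, today):
    """Group sensitive-bucket reads/copies per (principal, bucket) and return alerts."""
    groups = defaultdict(lambda: {"reasons": set(), "source_ips": set(),
                                  "objects": [], "destinations": set()})
    for line in raw_events:
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com" or ev["eventName"] not in {"GetObject", "CopyObject"}:
            continue
        bucket = _source_bucket(ev)
        if bucket not in SENSITIVE_BUCKETS:   # inventory is the first filter
            continue
        principal = ev["userIdentity"]["arn"]
        g = groups[(principal, bucket)]
        g["source_ips"].add(ev["sourceIPAddress"])
        g["objects"].append(ev["requestParameters"]["key"])
        status = _approval(principal, bucket, ev["eventName"], today)
        if status is None:
            g["reasons"].add("unapproved principal/operation")
        elif status == "stale":
            g["reasons"].add("approval past review date")
        if _outside_corp(ev["sourceIPAddress"]):
            g["reasons"].add("source outside corporate egress")
        if ev["eventName"] == "CopyObject":
            dest = ev["requestParameters"]["bucketName"]
            g["destinations"].add(dest)
            if dest not in OWNED_BUCKETS:
                g["reasons"].add("copy to external bucket")
    alerts = []
    for (principal, bucket), g in groups.items():
        if len(g["objects"]) >= VOLUME_THRESHOLD:
            g["reasons"].add("object volume above threshold")
        if g["reasons"]:
            alerts.append({"principal": principal, "bucket": bucket, "reasons": sorted(g["reasons"]),
                           "source_ips": sorted(g["source_ips"]), "destinations": sorted(g["destinations"]),
                           "objects": g["objects"]})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, AS_OF):
        print(json.dumps(alert, indent=2))
```

On the sample, the approved backup replication produces no alert, the legacy ETL role alerts only because its allowlist entry is past its review date, and the contractor identity alerts on four independent signals (unapproved path, external source address, copy to a bucket the organization does not own, and object volume). Tuning the threshold, egress ranges and allowlist is the local work the analytic leaves to each team.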
Mitigation priorities
- Inventory and classify sensitive IaaS storage buckets before tuning detections around them.
- Restrict bucket access and synchronization permissions to approved identities, roles, services, and destinations using least privilege.
- Define and document approved external transfer paths, including backup, replication, migration, and data-processing exceptions.
- Enable and retain cloud API, object access, identity, and relevant egress logs needed for investigation and compliance evidence.
- Review alerts with data owners so detection thresholds reflect business workflows and material data-risk scenarios.
Analyst notes and limits
The object is a detection analytic, not a technique. Its value is strongest when paired with local knowledge of sensitive cloud buckets and sanctioned data-transfer workflows. The supplied ATT&CK fields support IaaS, cloud APIs/CLI tools, sensitive buckets, external endpoints, HTTPS, and S3 APIs; they do not supply a concrete query, tactic, related technique, adversary, or incident pattern.
Official detection content is not provided, and no relationships are supplied. This take therefore avoids claiming a specific ATT&CK tactic, adversary behavior chain, exploitation status, or guaranteed detection outcome. Local cloud architecture, logging configuration, bucket classification, and approved transfer patterns are required to operationalize the analytic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 43e7bd2cbdda… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0370
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.