AN0690: Analytic 0690
Detects creation of cloud instances, services, or resources in normally unused or unsupported regions, especially following initial account access or credential use from known regions. Correlates resource provisioning across regions with absence of historical usage and alerting from standard logging services (e.g., GuardDuty not enabled in that region).
Analyst context for executives and security teams
This analytic focuses on a cloud risk that can be easy to miss: new infrastructure being created in regions the organization does not normally use or support. For executives and security leaders, the decision value is whether cloud governance and monitoring are consistent across all regions, not only the regions where teams usually operate. Unused-region activity can create business risk because resources may be outside expected logging, alerting, cost, and compliance oversight.
Executive priority
Prioritize validation of regional cloud controls for IaaS environments. Leaders should ask whether the organization has an approved-region policy, whether monitoring services are enabled in every region where resources could be created, and whether incident responders can quickly determine if new regional activity followed unusual account or credential use. This is relevant to cloud security, IAM governance, SOC readiness, compliance evidence, and cost/risk control.
Technical view
SOC and cloud detection teams should validate whether they can identify creation of cloud instances, services, or resources in regions with no historical organizational usage. The analytic description specifically calls for correlating regional provisioning with prior credential or account access from known regions and with gaps in standard logging services, such as a logging or alerting service not being enabled in the newly used region. Because no ATT&CK tactic or formal detection logic is supplied, implementation should be treated as a cloud posture and activity-correlation use case rather than a complete rule.
Likely telemetry
- Cloud control-plane audit logs showing creation of instances, services, or resources
- Region field or equivalent location metadata for cloud resource provisioning events
- Historical baseline of normally used and approved cloud regions
- Identity and credential-use logs tied to the account that performed provisioning
- Cloud security/logging service status by region, including whether standard alerting is enabled
Detection direction
- Build or validate baselines for historically used and formally approved regions, then alert on new resource provisioning outside those regions.
- Correlate unused-region provisioning with recent account or credential use patterns, especially where access originated from regions normally associated with the account but provisioning occurs elsewhere.
- Check for monitoring blind spots: the analytic explicitly highlights cases where standard logging or alerting services are not enabled in the new region.
- Tune for legitimate cloud expansion, disaster recovery testing, regional migrations, and engineering experiments to reduce false positives.
- Require enrichment with account owner, project, business unit, region approval status, and logging-service state so analysts can distinguish authorized change from suspicious activity.
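The detection direction above is straightforward to express as correlation logic over control-plane audit records. The following is an added example, not code from the MITRE object or the Glexia page. It runs over constructed CloudTrail-style events (real CloudTrail field names, invented values), a constructed historical/approved region baseline, and a constructed per-region monitoring map standing in for what GuardDuty detector and CloudTrail trail status lookups would return. The provisioning event list is a partial, hand-picked subset. It alerts on provisioning in any region with no historical use, then enriches each alert with the prior credential use from a known region, the approval status of the target region, the monitoring gap, and an exceptions list for tuning out authorized expansion:

```python
"""Flag cloud resource provisioning in regions the organization has never used,
correlated with recent credential use from a known region and monitoring gaps.

Added example. All events, baselines, and monitoring state below are constructed;
no live cloud API calls are made."""
from datetime import datetime, timedelta

# Baselines (constructed): regions with historical use, e.g. from 90 days of
# CloudTrail, and regions formally approved by policy. They need not be equal.
HISTORICAL_REGIONS = {"us-east-1", "us-west-2"}
APPROVED_REGIONS = {"us-east-1", "us-west-2", "eu-west-1"}

# Control-plane actions that create persistent resources. Partial list, not
# exhaustive; extend it from your own provider's event catalogue.
PROVISIONING_EVENTS = {
    "RunInstances", "CreateFunction20150331", "CreateDBInstance",
    "CreateCluster", "CreateBucket",
}

# Constructed per-region monitoring state, standing in for the results of
# `aws guardduty list-detectors` and `aws cloudtrail get-trail-status`.
MONITORING = {
    "us-east-1": {"guardduty": True, "cloudtrail": True},
    "us-west-2": {"guardduty": True, "cloudtrail": True},
    "eu-west-1": {"guardduty": True, "cloudtrail": True},
    "ap-south-1": {"guardduty": False, "cloudtrail": True},
}

# Constructed CloudTrail records (subset of fields); times are UTC.
ALICE = "arn:aws:iam::111122223333:user/dev-alice"
BOB = "arn:aws:iam::111122223333:user/dev-bob"
EVENTS = [
    {"eventTime": "2026-03-01T09:00:00Z", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "userIdentity": {"arn": ALICE},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2026-03-01T09:07:00Z", "eventName": "RunInstances",
     "awsRegion": "ap-south-1", "userIdentity": {"arn": ALICE},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2026-03-01T10:00:00Z", "eventName": "RunInstances",
     "awsRegion": "us-west-2", "userIdentity": {"arn": BOB},
     "sourceIPAddress": "203.0.113.22"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_unused_region_provisioning(events, historical, approved, monitoring,
                                      lookback=timedelta(hours=1),
                                      exceptions=frozenset()):
    """Return one alert per provisioning event in a region with no historical use.

    `exceptions` holds (principal_arn, region) pairs authorized by a change
    record (migration, DR test), so known expansion is tuned out up front.
    Each alert carries the correlation an analyst needs: recent activity by the
    same principal from a known region, whether the source IP changed between
    that access and the provisioning call, whether the region is approved at
    all, and which monitoring services are absent there."""
    events = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    alerts = []
    for i, ev in enumerate(events):
        region = ev["awsRegion"]
        arn = ev["userIdentity"]["arn"]
        if ev["eventName"] not in PROVISIONING_EVENTS or region in historical:
            continue
        if (arn, region) in exceptions:
            continue
        t = parse_time(ev["eventTime"])
        # Prior activity by the same principal from a historically used region
        prior = [p for p in events[:i]
                 if p["userIdentity"]["arn"] == arn
                 and p["awsRegion"] in historical
                 and t - parse_time(p["eventTime"]) <= lookback]
        state = monitoring.get(region, {})
        gaps = [svc for svc in ("guardduty", "cloudtrail") if not state.get(svc, False)]
        alerts.append({
            "principal": arn,
            "action": ev["eventName"],
            "region": region,
            "approved_region": region in approved,
            "prior_known_region_access": [
                (p["eventName"], p["awsRegion"], p["sourceIPAddress"]) for p in prior],
            "source_ip_changed": bool(prior) and all(
                p["sourceIPAddress"] != ev["sourceIPAddress"] for p in prior),
            "monitoring_gaps": gaps,
            # Unapproved region plus either a credential-use correlation or a
            # blind spot is the case the analytic describes; rank it highest.
            "severity": "high" if (prior or gaps) and region not in approved else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_unused_region_provisioning(
            EVENTS, HISTORICAL_REGIONS, APPROVED_REGIONS, MONITORING):
        print(alert)
```

On the constructed input, only the ap-south-1 RunInstances call alerts: it follows a console login by the same user from us-east-1 seven minutes earlier from a different source IP, the region is not policy-approved, and GuardDuty has no detector there. Bob's RunInstances in us-west-2 is ignored because that region is in the historical baseline. Passing `exceptions={(ALICE, "ap-south-1")}` suppresses the alert, which is how an approved migration or DR exercise would be tuned out.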
Mitigation priorities
- Define and maintain an approved-region policy for IaaS usage.
- Ensure cloud audit logging, alerting, and security monitoring are consistently enabled across all regions where resources can be provisioned.
- Use cloud governance and IAM controls to limit who can create resources, especially outside approved regions.
- Maintain an inventory of regional resource usage and review exceptions as part of cloud security and compliance readiness.
- Prepare incident response playbooks for investigating unexpected regional provisioning, including credential review, resource ownership validation, and logging coverage checks.
Analyst notes and limits
This object is a MITRE detection analytic for IaaS platforms, not a technique description. The strongest defensive value is in validating regional monitoring coverage and correlating resource creation with identity activity and historical regional usage. No relationship context was supplied, so this analysis does not map the analytic to a specific ATT&CK tactic, technique, threat actor, or campaign.
The official object provides a description but no formal detection logic, no tactics, and no relationships. Local cloud architecture, approved-region policy, audit-log availability, and logging-service configuration are required to determine whether this analytic is implementable and meaningful in a specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | db681f7f98b2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0690
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.