MITRE ATT&CK® Analytic

AN0697: Analytic 0697

Monitors API calls and service-specific logs for enumeration of organizational roles, permissions, and group structure, particularly outside of normal admin behavior baselines.

Enterprise | AN0697 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN0697 is a SaaS detection analytic focused on spotting unusual enumeration of organizational roles, permissions, and group structure through API calls and service-specific logs. For leaders, the value is visibility into identity and authorization discovery: if an intruder or misused account is mapping who has access to what, that activity can shape later privilege abuse or lateral movement decisions. The business issue is whether SaaS identity and administration activity is logged well enough to distinguish normal admin work from suspicious reconnaissance.

Executive priority

Prioritize this analytic where SaaS platforms hold sensitive data, business-critical workflows, or privileged administrative roles. Executives and risk owners should ask whether the organization can produce audit evidence showing who enumerated roles, permissions, and groups, from where, and whether the behavior matched approved administrative activity. This is especially relevant to identity governance, cloud/SaaS security monitoring, incident response scoping, and compliance readiness around access oversight.

Technical view

SOC and detection teams should validate collection of SaaS API activity and service-specific administrative logs that show role, permission, and group enumeration. Because no ATT&CK detection logic is provided, teams need to define local baselines for normal administrator behavior, expected automation, identity governance tools, and helpdesk workflows. Detection should focus on enumeration occurring outside expected admin patterns, unusual accounts, unusual timing, abnormal volume, or access from unexpected locations where those fields are available in the SaaS logs.

Likely telemetry

  • SaaS API call logs
  • Service-specific administrative audit logs
  • Role and permission query events
  • Group membership or group structure lookup events
  • User/account identifiers tied to enumeration activity

Detection direction

  • Confirm that SaaS logs capture API calls related to roles, permissions, and group structure, not just authentication events.
  • Build baselines for normal administrative users, approved automation, IAM governance processes, and routine reporting jobs before alerting on enumeration volume alone.
  • Tune for activity outside normal admin behavior baselines, including non-admin accounts performing broad lookups where the SaaS platform records this distinction.
  • Review false positives from legitimate audits, access reviews, onboarding/offboarding workflows, synchronization tools, and security inventory processes.
  • Ensure alerts preserve enough context for incident responders to determine whether enumeration preceded suspicious access changes or other SaaS activity, without assuming malicious intent from enumeration alone.
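The technical view and the detection direction above describe a baseline-first approach: ignore approved automation, then flag enumeration by non-admin accounts, outside normal hours, at abnormal volume, or from unexpected sources, while keeping enough context for responders. The following script is an added example of that logic, written for this page; it is not MITRE or Glexia code and does not reflect any specific SaaS vendor's audit schema. The event fields (`ts`, `actor`, `action`, `src_ip`), the action names such as `roles.list` and `groupMembers.list`, the account lists, the business-hours window, the threshold and the sample log lines are all constructed assumptions that a team would replace with its own platform's schema and baseline.

```python
"""Baseline-aware detection of role/permission/group enumeration in SaaS audit logs.

Added example for AN0697 (not MITRE or Glexia code). The event schema, action names,
account lists, thresholds and sample log lines are constructed for illustration and
do not correspond to any particular SaaS product's audit format.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# --- Local baseline (assumed placeholders; replace with your own inventory) ---
ADMIN_ACCOUNTS = {"alice.admin@example.com"}
APPROVED_AUTOMATION = {"svc-iam-sync@example.com"}          # IAM governance sync job
BUSINESS_HOURS = (8, 18)                                     # UTC hours of normal admin work
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # corporate egress (TEST-NET-3)
VOLUME_THRESHOLD = 20                                        # enumeration calls per actor per window

# Actions that enumerate roles, permissions or group structure (constructed names)
ENUMERATION_ACTIONS = {
    "roles.list", "roles.get", "permissions.list", "groups.list", "groupMembers.list",
}


def _constructed_sample_log():
    """Build constructed JSON-lines audit events: one normal admin, one approved
    sync job, one non-admin account sweeping the authorization structure."""
    lines = []
    # Normal admin work: a few lookups in business hours from the corporate network
    for i, action in enumerate(["roles.list", "groups.list", "groupMembers.list"]):
        lines.append(json.dumps({"ts": f"2026-01-14T10:0{i}:00Z", "actor": "alice.admin@example.com",
                                 "action": action, "src_ip": "203.0.113.10"}))
    # Approved IAM sync: high volume at night is expected and must be baselined out
    for i in range(25):
        lines.append(json.dumps({"ts": f"2026-01-14T03:{i:02d}:00Z", "actor": "svc-iam-sync@example.com",
                                 "action": "groupMembers.list", "src_ip": "203.0.113.20"}))
    # Non-admin account enumerating roles, permissions and groups at 02:xx UTC from outside
    for i in range(22):
        action = ["roles.list", "permissions.list", "groups.list", "groupMembers.list"][i % 4]
        lines.append(json.dumps({"ts": f"2026-01-14T02:{i:02d}:00Z", "actor": "bob.user@example.com",
                                 "action": action, "src_ip": "198.51.100.7"}))
    # Unrelated authentication event; the detection ignores it
    lines.append(json.dumps({"ts": "2026-01-14T09:00:00Z", "actor": "bob.user@example.com",
                             "action": "login.success", "src_ip": "203.0.113.30"}))
    return "\n".join(lines)


def parse_events(raw):
    """Parse JSON-lines audit events and convert the timestamp to a datetime."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def _is_approved_network(ip):
    """True/False for a known address; None when the log lacks the field."""
    if not ip:
        return None
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_NETWORKS)


def detect_enumeration(events):
    """Group enumeration calls per actor and apply the baseline rules.
    Returns one finding per actor with reasons and responder context."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["action"] in ENUMERATION_ACTIONS:
            per_actor[ev["actor"]].append(ev)

    findings = []
    for actor, evs in per_actor.items():
        if actor in APPROVED_AUTOMATION:
            continue  # documented governance tooling: baseline, do not alert
        reasons = []
        if actor not in ADMIN_ACCOUNTS:
            reasons.append("non-admin account enumerating roles/permissions/groups")
        off_hours = [e for e in evs if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]]
        if off_hours:
            reasons.append(f"{len(off_hours)} call(s) outside business hours")
        if len(evs) > VOLUME_THRESHOLD:
            reasons.append(f"abnormal volume: {len(evs)} enumeration calls")
        unexpected = sorted({e.get("src_ip") for e in evs if _is_approved_network(e.get("src_ip")) is False})
        if unexpected:
            reasons.append("access from unexpected source(s): " + ", ".join(unexpected))
        if reasons:
            findings.append({
                "actor": actor,
                "reasons": reasons,
                "call_count": len(evs),
                "actions": sorted({e["action"] for e in evs}),
                "first_seen": min(e["ts"] for e in evs).isoformat(),
                "last_seen": max(e["ts"] for e in evs).isoformat(),
            })
    return findings


def run_detection(raw_log=None):
    """Run the detection over a JSON-lines log (defaults to the constructed sample)."""
    return detect_enumeration(parse_events(raw_log if raw_log is not None else _constructed_sample_log()))


if __name__ == "__main__":
    for finding in run_detection():
        print(json.dumps(finding, indent=2))
```

On the constructed sample, only the non-admin account produces a finding, with all four reasons attached; the admin's daytime lookups and the sync job's nightly bulk reads are absorbed by the baseline. The finding carries the call count, the distinct actions and the first/last timestamps so a responder can check whether the enumeration preceded access changes, which is the context the last bullet above asks for; the finding itself is a review item, not a verdict.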

Mitigation priorities

  • Establish and document expected SaaS administrative roles, approved automation, and normal access-review workflows.
  • Enable and retain SaaS API and administrative audit logging needed to investigate role, permission, and group enumeration.
  • Apply least privilege to accounts that can view broad organizational authorization structure, consistent with business requirements.
  • Review service accounts and integrations that routinely enumerate identity or permission data so they can be distinguished from unexpected activity.
  • Use findings from this analytic to improve identity governance evidence, incident response playbooks, and SaaS monitoring coverage.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for the SaaS platform scope. It describes monitoring API calls and service-specific logs for enumeration of organizational roles, permissions, and group structure, particularly outside normal administrative baselines. No tactics, related techniques, relationships, or detailed detection logic were supplied, so implementation depends heavily on the organization’s SaaS platforms and logging schemas.

Official detection content is not provided, and no relationship context is supplied. This take cannot infer specific ATT&CK tactics, adversary use, impact, or guaranteed detection coverage. Local SaaS log availability, field quality, retention, and baseline maturity will determine practical usefulness.

Official MITRE ATT&CK definition

Analytic 0697

Monitors API calls and service-specific logs for enumeration of organizational roles, permissions, and group structure, particularly outside of normal admin behavior baselines.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ca28d05465546cee...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  ca28d0546554…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0697

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.