MITRE ATT&CK® Analytic

AN0708: Analytic 0708

Monitor for cloud API calls that export or collect guest or system logs. Abnormal use of Azure VM Agent’s CollectGuestLogs.exe or AWS CloudWatch GetLogEvents across multiple instances should be correlated with lateral movement or data staging.

Enterprise · AN0708 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because cloud guest and system logs can become both an investigation asset and a target for misuse. In IaaS environments, unusual API-driven collection or export of logs across multiple virtual machines may indicate activity that deserves incident review, especially when it appears alongside lateral movement or data staging signals. For leaders, the key question is whether the organization can distinguish legitimate operations, troubleshooting, and monitoring from abnormal bulk log collection at cloud scale.

Executive priority

Prioritize validation where IaaS workloads support critical operations or regulated evidence requirements. Confirm that cloud audit logging, log access governance, and SOC triage processes can explain who collected guest or system logs, from which instances, and why. This supports incident decision-making, compliance evidence integrity, and operational resilience without assuming the activity is malicious by default.

Technical view

For SOC and detection teams, validate monitoring for cloud API calls associated with guest or system log export or collection. The ATT&CK analytic specifically references abnormal use of Azure VM Agent’s CollectGuestLogs.exe and AWS CloudWatch GetLogEvents across multiple instances. Since no ATT&CK detection logic is provided, teams should build environment-specific baselines for expected administrative, troubleshooting, observability, and automation behavior, then correlate unusual multi-instance log access with other signals such as lateral movement or data staging where available.

Likely telemetry

  • Cloud control-plane audit logs for IaaS API activity
  • Azure activity and VM Agent related telemetry where CollectGuestLogs.exe usage is observable
  • AWS CloudWatch API activity, including GetLogEvents
  • Instance inventory and workload ownership context
  • Identity and access records for users, roles, service principals, or automation invoking log collection

Detection direction

  • Validate that cloud API logging is enabled and retained for the IaaS accounts, subscriptions, or projects in scope.
  • Baseline normal log collection by administrators, monitoring tools, backup processes, incident responders, and automation to reduce false positives.
  • Look for unusual scale, frequency, timing, or identity context, especially log collection across multiple instances.
  • Correlate abnormal guest or system log access with related investigation signals rather than alerting on single benign troubleshooting events alone.
  • Review blind spots where logs are collected by privileged cloud identities, temporary credentials, or approved automation that is not clearly attributable to a business owner.
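The Technical view and the Detection direction list above describe one procedure: normalize log-collection telemetry, baseline approved collectors, then look for one identity touching many instances in a short window. The following is an added example of that logic and is not code from MITRE, Glexia, or the page. It runs over constructed sample records: CloudTrail-style CloudWatch Logs GetLogEvents calls, and generic process-creation records standing in for Azure VM Agent CollectGuestLogs.exe runs. The process-record field names (`timestamp`, `user`, `host`, `process`) and the assumption that a CloudWatch log stream name identifies the instance are this example's assumptions, not any vendor's schema.

```python
"""Flag identities that collect guest/system logs from many instances in a short
window (the cross-instance pattern AN0708 describes).  Added example, not MITRE
or Glexia code; the process-record schema below is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _ct(ts, arn, stream):
    """Build a constructed CloudTrail-style GetLogEvents record."""
    return {"eventTime": ts, "eventSource": "logs.amazonaws.com",
            "eventName": "GetLogEvents", "userIdentity": {"arn": arn},
            "requestParameters": {"logGroupName": "/var/log/messages",
                                  "logStreamName": stream}}


def _proc(ts, user, host):
    """Build a constructed process-creation record (assumed EDR-style schema)."""
    return {"timestamp": ts, "user": user, "host": host,
            "process": "CollectGuestLogs.exe"}


# Constructed sample telemetry (not captured from any real environment).
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
MONITOR = "arn:aws:iam::123456789012:role/svc-monitoring"
JDOE = "CORP\\jdoe"

SAMPLE_EVENTS = [
    # Approved monitoring role sweeping five instances: expected, baselined.
    *[_ct(f"2024-05-01T08:0{i}:00Z", MONITOR, f"i-0mon{i}") for i in range(5)],
    # Unbaselined user pulling logs from four instances within six minutes.
    _ct("2024-05-01T10:00:00Z", ALICE, "i-0a1"),
    _ct("2024-05-01T10:02:00Z", ALICE, "i-0b2"),
    _ct("2024-05-01T10:04:00Z", ALICE, "i-0c3"),
    _ct("2024-05-01T10:06:00Z", ALICE, "i-0d4"),
    # Ordinary troubleshooting: two instances per window, spread over hours.
    _ct("2024-05-01T10:00:00Z", BOB, "i-0a1"),
    _ct("2024-05-01T10:05:00Z", BOB, "i-0b2"),
    _ct("2024-05-01T12:00:00Z", BOB, "i-0c3"),
    _ct("2024-05-01T12:10:00Z", BOB, "i-0d4"),
    # CollectGuestLogs.exe launched on three VMs by one account in 20 minutes.
    _proc("2024-05-01T09:00:00Z", JDOE, "vm-web-01"),
    _proc("2024-05-01T09:10:00Z", JDOE, "vm-web-02"),
    _proc("2024-05-01T09:20:00Z", JDOE, "vm-db-01"),
]

# The documented-use-case baseline: identities expected to collect at scale.
APPROVED_IDENTITIES = frozenset({MONITOR})


def normalize(event):
    """Return (timestamp, identity, target_instance) for log-collection events.

    Returns None for anything that is not a guest/system log collection."""
    if (event.get("eventSource") == "logs.amazonaws.com"
            and event.get("eventName") == "GetLogEvents"):
        ts = datetime.strptime(event["eventTime"], TIME_FMT)
        # Assumption: the log stream name carries the instance id.
        return ts, event["userIdentity"]["arn"], event["requestParameters"]["logStreamName"]
    if event.get("process", "").lower().endswith("collectguestlogs.exe"):
        ts = datetime.strptime(event["timestamp"], TIME_FMT)
        return ts, event["user"], event["host"]
    return None


def detect_bulk_collection(events, window=timedelta(minutes=30),
                           min_targets=3, approved=frozenset()):
    """Map identity -> sorted distinct instances for identities that collected
    logs from at least `min_targets` distinct instances inside any `window`,
    skipping approved baseline identities.  Single-instance events never fire."""
    per_identity = defaultdict(list)
    for event in events:
        hit = normalize(event)
        if hit is not None:
            ts, identity, target = hit
            per_identity[identity].append((ts, target))

    findings = {}
    for identity, hits in per_identity.items():
        if identity in approved:
            continue
        hits.sort()  # chronological, so each window is a contiguous slice
        for i, (start, _) in enumerate(hits):
            in_window = {target for ts, target in hits[i:] if ts - start <= window}
            if len(in_window) >= min_targets:
                findings[identity] = sorted(in_window)
                break
    return findings


def run_sample():
    """Run the detection over the constructed events with the sample baseline."""
    return detect_bulk_collection(SAMPLE_EVENTS, approved=APPROVED_IDENTITIES)


if __name__ == "__main__":
    for identity, targets in run_sample().items():
        print(f"cross-instance log collection by {identity}: {targets}")
```

The two tuning knobs (`window`, `min_targets`) and the `approved` set are where the environment-specific baseline lives; the approved set should hold the documented operational identities (monitoring roles, backup jobs, IR tooling) so that the alert surfaces only the unexplained collectors, which the analytic says should then be correlated with lateral-movement or data-staging signals rather than alerted on alone.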

Mitigation priorities

  • Restrict permissions for guest and system log collection to approved administrative, monitoring, and incident response roles.
  • Use least privilege and role separation for cloud identities that can access logs across multiple instances.
  • Ensure control-plane audit logs and relevant cloud service logs are retained long enough to support investigations and compliance evidence needs.
  • Document approved operational use cases for bulk or cross-instance log collection so SOC teams can distinguish expected activity from anomalies.
  • Periodically review privileged cloud roles, service accounts, and automation that can export or collect logs.

Analyst notes and limits

This is a detection analytic object, not a technique description. The supplied ATT&CK content is focused on monitoring cloud API calls for guest or system log collection in IaaS, with examples from Azure VM Agent CollectGuestLogs.exe and AWS CloudWatch GetLogEvents. No tactics, relationships, or formal detection logic were supplied, so local baselining and cloud identity context are essential.

The official object does not provide detection pseudocode, analytics logic, related ATT&CK techniques, or relationship context. This take therefore avoids claims about adversary intent, active exploitation, attribution, or guaranteed detection coverage. Applicability is limited to the supplied platform scope: IaaS.

Official MITRE ATT&CK definition

Analytic 0708

Monitor for cloud API calls that export or collect guest or system logs. Abnormal use of Azure VM Agent’s CollectGuestLogs.exe or AWS CloudWatch GetLogEvents across multiple instances should be correlated with lateral movement or data staging.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: fbf41986dfae3140...

Imported snapshots across ATT&CK releases (1)

  • Release: 19.1
  • Bundle imported:
  • Object version: 1.0
  • Modified:
  • Status: Current bundle
  • Raw hash: fbf41986dfae…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0708
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.