MITRE ATT&CK® Analytic

AN0808: Analytic 0808

Detects web console login events followed by read-only or metadata retrieval activity from GUI sources (e.g., browser session, mobile client) rather than API/CLI sources. Correlates across CloudTrail, IAM identity logs, and user-agent context.

Enterprise | AN0808 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN0808 is a cloud detection analytic for spotting web console logins that are followed by read-only or metadata-retrieval activity from GUI sources such as a browser or mobile client. Its practical value is distinguishing human console activity from API/CLI automation so security teams can review whether console-based discovery activity is expected, authorized, and properly logged.

Executive priority

This matters for IaaS governance because cloud console access often represents high decision risk: a valid login can quickly expose configuration, identity, and metadata details even without obvious write actions. Leaders should ask whether CloudTrail, IAM identity logs, and user-agent context are consistently retained and usable for incident review, audit evidence, and managed detection outcomes.

Technical view

For SOC and detection engineering teams, validate correlation across web console login events, subsequent read-only or metadata retrieval events, and user-agent/source context that indicates GUI use rather than API or CLI use. Because no tactic is specified and no relationship context is supplied, treat this as a focused cloud identity/activity analytic rather than a complete attack pattern by itself.

Likely telemetry

  • CloudTrail events for console login and subsequent cloud activity
  • IAM identity logs or equivalent identity context for the authenticated principal
  • User-agent strings and source context distinguishing browser or mobile client activity from API/CLI activity
  • Read-only API/event records and metadata retrieval activity in the IaaS environment
  • Timestamps and session correlation fields linking login activity to later events

Detection direction

  • Confirm the analytic can correlate login and follow-on activity within an appropriate time window.
  • Tune expected administrator, auditor, and compliance review behavior to reduce false positives from normal GUI-based read-only access.
  • Validate that user-agent parsing reliably separates GUI sources from API/CLI sources.
  • Look for blind spots where CloudTrail, IAM logs, or user-agent fields are missing, delayed, or not retained long enough for investigation.
  • Use this analytic as context for triage rather than as proof of malicious activity, since the supplied object does not define attribution, impact, or active exploitation.
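As an added example (not code from the MITRE object or from Glexia's analysis), the following Python sketch implements the correlation the points above describe over constructed CloudTrail-style records: a successful ConsoleLogin, followed within a time window by read-only events from the same principal whose user agent indicates a browser or console session, while API/CLI user agents, write events, and events outside the window are ignored. The user-agent marker lists, the window, and the sample records are assumptions made for this example.

```python
# Added example, not code from MITRE or Glexia: correlate successful console
# logins with follow-on read-only events from GUI clients, CloudTrail-style.
# Records below are constructed; the user-agent markers are an assumption.
from datetime import datetime, timedelta, timezone

GUI_UA = ("mozilla/", "console.amazonaws.com")           # assumed GUI markers
API_UA = ("aws-cli/", "boto3/", "aws-sdk", "terraform")  # assumed API/CLI markers

def _t(ts):  # CloudTrail eventTime is ISO-8601 UTC, e.g. 2024-05-01T09:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_gui_source(user_agent):
    ua = (user_agent or "").lower()
    return not any(m in ua for m in API_UA) and any(m in ua for m in GUI_UA)

def is_console_login(e):
    return (e.get("eventName") == "ConsoleLogin"
            and (e.get("responseElements") or {}).get("ConsoleLogin") == "Success")

def correlate(events, window_minutes=30, min_reads=2):
    """One finding per successful console login that the same principal follows,
    inside the window, with at least min_reads read-only events from a GUI agent."""
    findings = []
    for login in filter(is_console_login, events):
        arn, t0 = login["userIdentity"]["arn"], _t(login["eventTime"])
        reads = [e["eventName"] for e in events
                 if e["userIdentity"]["arn"] == arn
                 and e.get("readOnly") is True  # CloudTrail's own readOnly flag
                 and t0 < _t(e["eventTime"]) <= t0 + timedelta(minutes=window_minutes)
                 and is_gui_source(e.get("userAgent"))]
        if len(reads) >= min_reads:
            findings.append({"principal": arn, "login": login["eventTime"], "reads": reads})
    return findings

def _ev(name, ts, arn, ua, read_only, resp=None):  # builds a constructed record
    return {"eventName": name, "eventTime": ts, "userAgent": ua, "readOnly": read_only,
            "userIdentity": {"arn": arn}, "responseElements": resp}

ALICE, BOB = "arn:aws:iam::123456789012:user/alice", "arn:aws:iam::123456789012:user/bob"
BROWSER, CONSOLE = "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "console.amazonaws.com"
SAMPLE_EVENTS = [  # constructed, not real CloudTrail output
    _ev("ConsoleLogin", "2024-05-01T09:00:00Z", ALICE, BROWSER, False, {"ConsoleLogin": "Success"}),
    _ev("DescribeInstances", "2024-05-01T09:02:00Z", ALICE, CONSOLE, True),
    _ev("ListUsers", "2024-05-01T09:05:00Z", ALICE, CONSOLE, True),
    _ev("RunInstances", "2024-05-01T09:06:00Z", ALICE, CONSOLE, False),   # write: not counted
    _ev("ConsoleLogin", "2024-05-01T10:00:00Z", BOB, BROWSER, False, {"ConsoleLogin": "Success"}),
    _ev("GetCallerIdentity", "2024-05-01T10:01:00Z", BOB, "aws-cli/2.15.0", True),  # CLI: not counted
    _ev("ListBuckets", "2024-05-01T11:30:00Z", BOB, CONSOLE, True),        # outside window
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single finding for alice; bob's CLI read and his late console read fall outside the rule, which is exactly the kind of window and user-agent tuning the list above calls for.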

Mitigation priorities

  • Prioritize complete and retained cloud activity logging for console login, IAM identity context, and read-only/metadata events.
  • Review which identities require web console access and whether read-only or metadata retrieval permissions align with business roles.
  • Document expected GUI-based administrative and audit workflows so SOC teams can distinguish routine activity from unusual sessions.
  • Ensure incident response playbooks can quickly identify the principal, session context, user agent, and follow-on cloud reads tied to a console login.

Analyst notes and limits

This is a detection analytic object, not a technique description. Its value is strongest for cloud security monitoring, identity review, SOC triage, and audit readiness around IaaS console activity.

The supplied ATT&CK fields provide no official detection text beyond the description, no tactics, no related techniques, and no relationship context. Local cloud architecture, logging configuration, identity model, and normal administrator behavior are required to determine severity and coverage.

Official MITRE ATT&CK definition

Analytic 0808

Detects web console login events followed by read-only or metadata retrieval activity from GUI sources (e.g., browser session, mobile client) rather than API/CLI sources. Correlates across CloudTrail, IAM identity logs, and user-agent context.

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 99f1c93e19f23b2e...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 99f1c93e19f2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: AN0808 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.