AN0811: Analytic 0811
Detects SaaS web login followed by dashboard or web GUI page views from unfamiliar locations, devices, or access patterns. Identifies use of sensitive reporting or configuration consoles accessed from high-risk accounts.
Analyst context for executives and security teams
This analytic matters because it focuses on a common business-risk moment in SaaS environments: a login that is followed by use of dashboards, web GUIs, reporting areas, or configuration consoles from an unfamiliar location, device, or access pattern. For leaders, the value is not simply detecting a login anomaly; it is validating whether high-risk SaaS accounts and sensitive administrative or reporting interfaces are being monitored closely enough to support timely incident decisions.
Executive priority
Treat this as a priority for SaaS security governance and identity-driven resilience. Executives and risk owners should ask whether the organization can prove visibility into high-risk SaaS accounts, unusual access locations or devices, and subsequent access to sensitive consoles. This supports incident response readiness, audit evidence for access monitoring, and prioritization of identity and cloud/SaaS logging investments.
Technical view
SOC and detection teams should validate whether SaaS authentication events can be correlated with follow-on web GUI, dashboard, reporting, or configuration page activity. The supplied ATT&CK object is limited to SaaS and does not provide tactics, a formal detection rule, or relationship context, so teams must define local baselines for familiar locations, devices, users, and access patterns. Detection logic should pay special attention to high-risk accounts and sensitive consoles, while accounting for legitimate travel, VPN/proxy use, device changes, and administrative workflows.
Likely telemetry
- SaaS web login events
- Source location or geolocation associated with SaaS access
- Device or browser/session attributes where available
- SaaS dashboard, web GUI, reporting, or configuration page view events
- User/account risk context, especially high-risk or privileged accounts
Detection direction
- Confirm that SaaS login telemetry and post-login page access telemetry can be correlated by user and session or near-time sequence.
- Baseline familiar locations, devices, and access patterns before alerting on unfamiliar activity.
- Prioritize alerts involving high-risk accounts or access to sensitive reporting and configuration consoles.
- Tune for expected business exceptions such as travel, new devices, VPNs, proxies, and sanctioned administrative activity.
- Identify blind spots where SaaS applications do not provide page-level GUI, dashboard, reporting, or configuration access logs.
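The correlation and prioritization steps above, as an added worked example that is not part of the ATT&CK object or of Glexia's own content. It assumes a hypothetical normalized event schema (`ts`, `user`, `event`, `country`, `device_id`, `src_ip`, `page`), a per-user baseline of familiar countries and devices, an allowlist of sanctioned VPN egress IPs, and a set of high-risk accounts and sensitive page prefixes; the sample events are constructed, not real telemetry. It emits one alert per unfamiliar login that is followed within a short window by page views from the same user, and ranks the alert by whether the account is high-risk and whether a sensitive console was reached.

```python
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed sample telemetry. The field names are a hypothetical
# normalized schema, not any vendor's log format.
EVENTS = [
    {"ts": "2026-03-02T09:00:00", "user": "alice", "event": "login",
     "country": "US", "device_id": "dev-a1", "src_ip": "203.0.113.10"},
    {"ts": "2026-03-02T09:02:00", "user": "alice", "event": "page_view",
     "page": "/reports/sales"},
    {"ts": "2026-03-02T22:10:00", "user": "alice", "event": "login",
     "country": "RO", "device_id": "dev-zz", "src_ip": "203.0.113.77"},
    {"ts": "2026-03-02T22:12:30", "user": "alice", "event": "page_view",
     "page": "/admin/config/sso"},
    {"ts": "2026-03-02T10:00:00", "user": "bob", "event": "login",
     "country": "DE", "device_id": "dev-b7", "src_ip": "198.51.100.5"},
    {"ts": "2026-03-02T10:01:00", "user": "bob", "event": "page_view",
     "page": "/admin/config/users"},
    {"ts": "2026-03-02T23:00:00", "user": "carol", "event": "login",
     "country": "BR", "device_id": "dev-new", "src_ip": "192.0.2.9"},
    {"ts": "2026-03-03T01:00:00", "user": "carol", "event": "page_view",
     "page": "/dashboard/home"},
]

# Local baselines; assumed to be learned from prior weeks of telemetry.
BASELINE = {
    "alice": {"countries": {"US"}, "devices": {"dev-a1"}},
    "bob":   {"countries": {"US"}, "devices": {"dev-b7"}},
    "carol": {"countries": {"BR"}, "devices": {"dev-c3"}},
}
HIGH_RISK_ACCOUNTS = {"alice"}        # e.g. tenant admins, finance report owners
SENSITIVE_PREFIXES = ("/admin/config/", "/reports/")
VPN_EGRESS_IPS = {"198.51.100.5"}     # sanctioned corporate VPN/proxy egress
WINDOW = timedelta(minutes=30)        # login -> page view correlation window


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def unfamiliar_reasons(login: dict, baseline: dict) -> list[str]:
    """Return why a login is unfamiliar relative to the user's baseline.

    Logins from sanctioned VPN egress are not flagged on location, because the
    observed country is the VPN exit, not the user's location (tuning for the
    VPN/proxy exception named in the detection direction above).
    """
    profile = baseline.get(login["user"], {"countries": set(), "devices": set()})
    reasons = []
    if (login["country"] not in profile["countries"]
            and login["src_ip"] not in VPN_EGRESS_IPS):
        reasons.append(f"country {login['country']} not in baseline")
    if login["device_id"] not in profile["devices"]:
        reasons.append(f"device {login['device_id']} not in baseline")
    return reasons


def is_sensitive(page: str) -> bool:
    return page.startswith(SENSITIVE_PREFIXES)


def correlate(events: list[dict], baseline: dict) -> list[dict]:
    """Emit one alert per unfamiliar login followed, within WINDOW, by at least
    one page view from the same user. Severity reflects account risk and
    whether a sensitive reporting/configuration page was reached."""
    ordered = sorted(events, key=lambda e: _parse(e["ts"]))
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["event"] != "login":
            continue
        reasons = unfamiliar_reasons(ev, baseline)
        if not reasons:
            continue                      # familiar login: nothing to correlate
        t0 = _parse(ev["ts"])
        pages = [
            e["page"] for e in ordered[i + 1:]
            if e["user"] == ev["user"] and e["event"] == "page_view"
            and _parse(e["ts"]) - t0 <= WINDOW
        ]
        if not pages:
            continue                      # unfamiliar login alone is out of scope here
        sensitive = [p for p in pages if is_sensitive(p)]
        high_risk = ev["user"] in HIGH_RISK_ACCOUNTS
        if high_risk and sensitive:
            severity = "high"
        elif sensitive or high_risk:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"user": ev["user"], "login_ts": ev["ts"],
                       "severity": severity, "reasons": reasons,
                       "pages": pages, "sensitive_pages": sensitive})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, BASELINE):
        print(alert)
```

On the constructed input only alice's late-evening login alerts: the country and device are both outside her baseline, she is a high-risk account, and the follow-on page is a configuration console. bob's German login is suppressed because it arrives from sanctioned VPN egress, and carol's page view falls outside the 30-minute window, so her unfamiliar device produces no alert from this analytic (it would belong to a plain unfamiliar-login detection instead).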
Mitigation priorities
- Ensure critical SaaS platforms produce and retain authentication and activity logs needed for investigation.
- Maintain an inventory of high-risk SaaS accounts and sensitive reporting or configuration consoles.
- Apply stronger access governance and review processes to accounts with access to sensitive SaaS consoles.
- Use identity and SaaS security controls to reduce risk from unfamiliar devices, locations, or abnormal access patterns where supported.
- Document monitoring coverage and exceptions as compliance and incident response evidence.
Analyst notes and limits
The object is a detection analytic, not an adversary technique. Its decision value is in validating SaaS identity and activity monitoring around unusual logins followed by sensitive web GUI usage. Because no official detection logic or relationships were supplied, implementation should be adapted to the organization’s SaaS platforms, account model, logging depth, and normal user behavior.
Official detection content, tactics, labels, aliases, and relationship context were not supplied. The object only supports SaaS as the platform. This take does not imply active exploitation, attribution, impact, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6712d02c7837… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0811
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.