AN0901: Analytic 0901
Adversaries create SaaS accounts via admin dashboards or integrations (e.g., Zoom, Salesforce, Slack). Monitor lifecycle.create or account provisioning events from non-standard sources or times.
Analyst context for executives and security teams
This analytic highlights a practical SaaS identity risk: new accounts can be created through admin dashboards or integrations such as Zoom, Salesforce, or Slack. For leaders, the issue is not just account creation itself, but whether the organization can tell the difference between expected provisioning and suspicious creation from unusual sources or at unusual times.
Executive priority
Prioritize this where SaaS applications hold sensitive business data or support critical workflows. Security, identity, and audit teams should be able to prove who can create accounts, which integrations can provision users, and whether after-hours or non-standard provisioning is reviewed. This supports incident response readiness, access governance, and compliance evidence around account lifecycle controls.
Technical view
SOC and detection teams should validate monitoring for SaaS account lifecycle.create or account provisioning events. Because no tactic or relationship context is supplied, treat this as a SaaS identity/provisioning detection analytic rather than a complete ATT&CK technique mapping. Focus on baselining normal provisioning sources, admin consoles, integration-driven account creation, service accounts, and expected business hours, then alert on deviations that are meaningful in the local environment.
Likely telemetry
- SaaS audit logs for account creation or lifecycle.create events
- Admin dashboard activity logs
- Integration or connector provisioning logs
- Identity provider or SaaS user provisioning records
- Timestamps, actor identity, source application, source IP or session context where available
Detection direction
- Confirm that account creation events are collected from each relevant SaaS platform, not only the central identity provider.
- Baseline approved provisioning paths, such as HR-driven workflows, identity provider provisioning, and authorized integrations.
- Tune for account creation from non-standard sources, unusual times, unexpected admins, or integrations that do not normally provision users.
- Use business context to reduce false positives from onboarding batches, mergers, scheduled maintenance, or help desk activity.
- Investigate whether newly created accounts receive privileged roles, external access, or access to sensitive SaaS data, if that telemetry is available.
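The baselining-then-deviation approach described in the technical view and the detection direction above, as an added example that is not part of the original analytic: a small Python check that runs over constructed JSON-lines SaaS audit events, compares each `lifecycle.create` or provisioning event against an assumed per-application allow-list of provisioning sources and an assumed business-hours window, and reports the reasons an event deviates. Application names, source names, field names and the sample events are all assumptions for illustration.

```python
import json
from datetime import datetime, timezone

# Assumed baseline of approved provisioning paths per SaaS app (constructed):
# identity-provider connectors, HR workflows, or vetted admins that normally create accounts.
APPROVED_SOURCES = {
    "slack": {"scim-okta-connector", "hr-onboarding-workflow"},
    "salesforce": {"scim-okta-connector"},
    "zoom": {"scim-okta-connector", "it-helpdesk@example.com"},
}
CREATE_ACTIONS = {"lifecycle.create", "user.provision"}  # assumed event names
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 UTC on weekdays; local convention assumed


def classify(event):
    """Return the list of deviation reasons for one event; empty list means expected."""
    if event.get("action") not in CREATE_ACTIONS:
        return []  # logins, deletions etc. are out of scope for this analytic
    app = event["app"].lower()
    reasons = []
    if event["source"] not in APPROVED_SOURCES.get(app, set()):
        reasons.append(f"non-standard source {event['source']!r} via {event['channel']} for {app}")
    ts = datetime.fromisoformat(event["time"]).astimezone(timezone.utc)
    if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
        reasons.append(f"outside business hours ({ts.isoformat()})")
    return reasons


def review(lines):
    """Run classify() over JSON-lines audit events; return {created_account: reasons} for flagged ones."""
    flagged = {}
    for line in lines:
        ev = json.loads(line)
        reasons = classify(ev)
        if reasons:
            flagged[ev["target"]] = reasons
    return flagged


# Constructed sample audit events (not real log output from any product)
SAMPLE = [
    '{"app":"Slack","action":"lifecycle.create","target":"j.doe","source":"scim-okta-connector","channel":"integration","time":"2024-03-12T10:15:00+00:00"}',
    '{"app":"Salesforce","action":"user.provision","target":"svc-export","source":"zapier-connector","channel":"integration","time":"2024-03-12T11:00:00+00:00"}',
    '{"app":"Zoom","action":"lifecycle.create","target":"temp-admin","source":"cto@example.com","channel":"admin-dashboard","time":"2024-03-16T02:30:00+00:00"}',
    '{"app":"Slack","action":"user.login","target":"j.doe","source":"web","channel":"user","time":"2024-03-16T02:31:00+00:00"}',
]

if __name__ == "__main__":
    for target, why in review(SAMPLE).items():
        print(target, "->", "; ".join(why))
```

The first event is expected (approved connector, weekday, business hours); the second is flagged only for its unapproved source, and the third for both an unapproved admin-dashboard actor and a Saturday 02:30 UTC timestamp.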
Mitigation priorities
- Maintain an authoritative inventory of SaaS applications and integrations allowed to create accounts.
- Restrict account provisioning privileges to approved administrators, identity workflows, or vetted integrations.
- Review and periodically recertify SaaS admin roles and integration permissions.
- Require documented business justification for non-standard provisioning paths.
- Ensure SaaS audit logging is enabled, retained, and accessible to SOC and incident response teams.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, AN0901, for SaaS account creation monitoring. It specifically names lifecycle.create or account provisioning events and calls out non-standard sources or times as detection pivots. No relationships, tactic mapping, or separate official detection text were supplied, so local SaaS architecture and identity governance processes are required to operationalize it.
The object covers only the SaaS platform and a narrow account provisioning behavior. It does not provide adversary attribution, active exploitation evidence, affected products beyond the examples named, severity, procedures, mitigations, or complete detection logic. Coverage depends on each SaaS application's audit logging, integration visibility, and retention.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f19610664240… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0901 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.