AN1055: Analytic 1055
Track creation or update of SaaS automation scripts (e.g., Google Workspace Apps Script). Detect when these scripts are bound to user events such as file opens or account modifications, and correlate with subsequent abnormal API calls that exfiltrate or modify user data.
Analyst context for executives and security teams
This analytic matters because SaaS automation scripts can turn normal business platforms into a persistence, data access, or data manipulation path. For leaders, the key issue is whether the organization can see when user- or tenant-level automation is created, changed, tied to user events, and followed by unusual API activity against business data.
Executive priority
Prioritize this as a SaaS governance and detection-readiness question: do security, IAM, and cloud/SaaS administrators have audit evidence for automation script creation and modification, event bindings, and downstream API activity? The business risk is not the script alone, but unreviewed automation that can access or change user data at scale inside trusted SaaS workflows.
Technical view
For SOC and detection engineering teams, validate coverage for SaaS audit events showing creation or update of automation scripts, such as Google Workspace Apps Script, and whether those scripts are bound to user-triggered events like file opens or account modifications. Correlate those events with later abnormal API calls that access, exfiltrate, or modify user data. Because no official detection logic is provided, local baselining is required to distinguish approved administrative or productivity automation from suspicious changes.
Likely telemetry
- SaaS audit logs for automation script creation and updates
- SaaS audit logs for script trigger or event-binding configuration
- Identity and account activity associated with the script owner or modifier
- SaaS API activity logs showing data reads, exports, updates, or deletions
- File or user-object access events following script execution
Detection direction
- Confirm the SaaS platform logs script creation, script updates, and trigger/event-binding changes with actor, timestamp, object, and affected user or file context.
- Build correlation from script change events to subsequent abnormal API calls involving user data access or modification.
- Tune for known approved automation owners, service accounts, and business workflows to reduce false positives.
- Watch for blind spots where SaaS audit logging is disabled, retained for too short a period, or not ingested into the SOC workflow.
- Review whether event-bound automation is monitored differently from manually executed scripts, since user-triggered execution may blend into normal activity.
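The correlation described above (script change, then an event binding, then abnormal data API activity by the same actor, with approved automation owners tuned out), as an added example that is not part of the ATT&CK object or Glexia's analysis. The event names, field names and volume threshold are constructed for illustration and are not any SaaS platform's real audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events; field names and event types are illustrative, not a real platform's schema.
EVENTS = [
    {"ts": "2026-01-10T09:00:00", "actor": "alice@example.com", "event": "script_update",
     "object": "script-42"},
    {"ts": "2026-01-10T09:02:00", "actor": "alice@example.com", "event": "trigger_bind",
     "object": "script-42", "trigger": "on_file_open"},
    {"ts": "2026-01-10T09:30:00", "actor": "alice@example.com", "event": "api_call",
     "object": "drive.files.export", "count": 850},
    {"ts": "2026-01-10T10:00:00", "actor": "svc-hr-automation@example.com",
     "event": "script_update", "object": "script-7"},
    {"ts": "2026-01-10T10:01:00", "actor": "svc-hr-automation@example.com",
     "event": "trigger_bind", "object": "script-7", "trigger": "on_account_change"},
    {"ts": "2026-01-10T10:20:00", "actor": "svc-hr-automation@example.com",
     "event": "api_call", "object": "users.update", "count": 900},
    {"ts": "2026-01-10T11:00:00", "actor": "bob@example.com", "event": "script_update",
     "object": "script-9"},
    {"ts": "2026-01-10T11:05:00", "actor": "bob@example.com", "event": "api_call",
     "object": "drive.files.list", "count": 3},
]

APPROVED_OWNERS = {"svc-hr-automation@example.com"}  # from the local automation inventory (constructed)
WINDOW = timedelta(hours=2)   # how long after a script change we keep correlating
CALL_THRESHOLD = 100          # records per call above the local baseline (constructed value)

def correlate(events, approved=APPROVED_OWNERS, window=WINDOW, threshold=CALL_THRESHOLD):
    """Alert when an unapproved actor changes a script, binds it to a user event,
    and then makes an abnormal-volume data API call, all inside the window."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_actor[ev["actor"]].append(ev)
    alerts = []
    for actor, evs in by_actor.items():
        if actor in approved:          # tuning: known automation owners are suppressed
            continue
        for i, change in enumerate(evs):
            if change["event"] not in ("script_create", "script_update"):
                continue
            t0, trigger = datetime.fromisoformat(change["ts"]), None
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break  # events are time-ordered, so nothing later can match
                if later["event"] == "trigger_bind" and later["object"] == change["object"]:
                    trigger = later["trigger"]
                elif trigger and later["event"] == "api_call" and later.get("count", 0) > threshold:
                    alerts.append({"actor": actor, "script": change["object"], "trigger": trigger,
                                   "api": later["object"], "count": later["count"]})
    return alerts
```

Running `correlate(EVENTS)` flags only alice's sequence: bob's script change has no event binding and only a small API call, and the service account is suppressed by the approved-owner list rather than by the logic itself.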
Mitigation priorities
- Inventory approved SaaS automation scripts and their owners.
- Restrict who can create or modify automation scripts and event bindings where the SaaS platform supports it.
- Review permissions granted to scripts and associated accounts using least-privilege principles.
- Require change review for automation that can access or modify user data.
- Ensure SaaS audit logs and API activity logs are retained and available for investigation and compliance evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for SaaS platforms and specifically references automation scripts such as Google Workspace Apps Script. No tactics, relationships, or official detection logic were supplied, so this take focuses on validation, telemetry, and control questions supported by the description.
This assessment is limited to the provided ATT&CK fields and external reference. It does not establish active exploitation, actor attribution, impact, or existing detection coverage. Local SaaS platform capabilities, licensing, log retention, and approved automation inventory will determine practical detection quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7a3276904779… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1055 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.