AN1129: Analytic 1129
Discovery of SaaS services connected to productivity platforms (e.g., Microsoft 365, Google Workspace). Defender perspective includes unexpected enumeration of enabled services, API integrations, or OAuth applications tied to user accounts.
Analyst context for executives and security teams
This analytic concerns discovery of SaaS services connected to office productivity platforms, such as enabled services, API integrations, or OAuth applications tied to user accounts. For leaders, the value is not the enumeration itself but what it can reveal: where identity, collaboration, and third-party SaaS connections may create unmanaged access paths or investigation blind spots.
Executive priority
Prioritize this as an identity and cloud/SaaS visibility question. Security leaders should ask whether the organization can prove which services and OAuth/API integrations are connected to productivity accounts, who can enumerate them, and whether unexpected discovery activity would be noticed during an incident. This supports operational resilience, audit evidence, and faster IR scoping when productivity platforms are involved.
Technical view
The supplied ATT&CK object is a detection analytic for Office Suite platforms, but it provides no formal detection logic or tactics. SOC and detection teams should validate whether productivity-platform telemetry can show enumeration of enabled services, API integrations, and OAuth applications associated with user accounts. IR teams should treat unusual discovery of connected SaaS services as context for account investigation, consent review, and SaaS integration scoping.
Likely telemetry
- Productivity platform audit logs for user, admin, and application activity
- Identity logs showing account access and administrative actions
- OAuth application consent, authorization, and permission grant records
- API access logs related to connected services or integrations
- SaaS/service inventory records showing enabled services and linked applications
Detection direction
- Confirm whether logs distinguish normal administrative inventory activity from unexpected enumeration tied to user accounts.
- Baseline expected SaaS integration review activity by administrators, security tools, and approved automation to reduce false positives.
- Look for unusual access patterns around enabled services, API integrations, or OAuth applications, especially from accounts that do not normally perform this activity.
- Correlate enumeration activity with identity context such as account role, recent authentication behavior, and whether the account owns or has consented to connected applications.
- Account for the main blind spot: the ATT&CK object supplies no detection logic, so local platform logging, retention, and audit configuration determine practical coverage.
Mitigation priorities
- Maintain an authoritative inventory of SaaS services, API integrations, and OAuth applications connected to productivity accounts.
- Limit who can administer or approve integrations and review permissions granted to connected applications.
- Regularly review user- and tenant-level OAuth/application consents for business justification and excessive permissions.
- Ensure productivity-suite audit logging and retention support incident response and compliance evidence needs.
- Document approved administrative and security-tool enumeration behavior so detections can focus on unexpected activity.
Analyst notes and limits
This take is based only on ATT&CK analytic AN1129. The object identifies the defender perspective as unexpected enumeration of enabled services, API integrations, or OAuth applications tied to user accounts on Office Suite platforms. No relationships, tactics, or official detection logic were supplied, so recommendations are framed as validation priorities rather than confirmed analytic behavior.
Coverage cannot be inferred from this object alone. Organizations must verify their specific productivity platform, identity provider, SaaS integrations, logging configuration, and retention. No active exploitation, attribution, impact, or guaranteed detection is implied.
Analytic 1129
Discovery of SaaS services connected to productivity platforms (e.g., Microsoft 365, Google Workspace). Defender perspective includes unexpected enumeration of enabled services, API integrations, or OAuth applications tied to user accounts.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 310c7593bfaf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1129Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.