MITRE ATT&CK® Analytic

AN1162: Analytic 1162

Abuse of SaaS platforms such as Confluence, GitHub, SharePoint Online, or Slack to access excessive internal documentation or export source code/data. Includes use of tokens or browser automation from unapproved IPs.

Enterprise · AN1162 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic points to a business-critical SaaS risk: legitimate collaboration and code platforms can be misused to gather excessive internal documentation or export source code and data, especially when access comes from tokens, automation, or unapproved IP addresses. For leaders, the issue is not only “can we see logins,” but whether the organization can distinguish normal knowledge work from bulk access or export behavior that may precede data loss or compromise response decisions.

Executive priority

Prioritize this as a cloud/SaaS governance and incident-readiness question. Security leaders should ask whether Confluence, GitHub, SharePoint Online, Slack, and similar platforms have auditable logging, approved network/location expectations, token governance, and export monitoring. The business value is strongest where these platforms contain source code, internal procedures, customer-sensitive documentation, or operational runbooks needed for continuity and compliance evidence.

Technical view

The supplied ATT&CK object is a detection analytic for SaaS platforms. It describes abuse involving excessive access to internal documentation or source/data export, including token use or browser automation from unapproved IPs. SOC and detection teams should validate whether SaaS audit logs can show user identity, token/API activity, export/download events, repository or document access volume, automation indicators where available, source IP, and approved versus unapproved network context. Because ATT&CK provides no official detection logic for this analytic, local baselining and platform-specific audit capabilities are required.

Likely telemetry

  • SaaS audit logs from collaboration, code, document, and chat platforms
  • User authentication and session records, including source IP and geolocation where available
  • Token/API access logs and token creation or use events
  • Document, page, repository, file, or channel access records
  • Bulk download, export, clone, or data extraction events

Detection direction

  • Validate that monitored SaaS platforms actually record exports, bulk reads, repository/source access, and token/API usage; many blind spots come from limited license tiers, disabled audit logging, or short retention.
  • Baseline normal access volume by role, team, project, and platform before alerting on 'excessive' access to reduce false positives from migrations, audits, onboarding, legal discovery, or engineering release activity.
  • Correlate unapproved IP use with token/API activity and high-volume documentation or source-code access rather than treating location alone as sufficient evidence.
  • Tune detections for sensitive repositories, internal documentation spaces, and high-value SharePoint/Slack/Confluence/GitHub assets where excessive access has higher business impact.
  • Ensure alerts include enough context for IR triage: user, token or session, IP, asset accessed, export/download count, time window, and whether access came through approved controls.
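The detection direction above (baseline each user's own access volume, then alert only when an excessive window also carries token/API use or an unapproved source IP, and hand IR the context fields listed) as an added Python example. This is illustration code written for this page, not Glexia's or MITRE's detection logic, and no SaaS platform ships this schema. The event fields, the approved egress ranges (`203.0.113.0/24`, `198.51.100.0/24`), the credential names and every audit event are constructed; the thresholds (`MIN_EVENTS`, `BASELINE_FACTOR`) are assumptions to be tuned against local baselines.

```python
"""Correlate SaaS audit events: per-user volume baseline + token use + unapproved IP."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Hypothetical approved egress ranges (constructed for this example).
APPROVED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
BULK_ACTIONS = {"export", "download", "clone"}
BUCKET = timedelta(hours=1)
MIN_EVENTS = 20       # assumed floor: never alert on fewer events than this
BASELINE_FACTOR = 5   # assumed: a window must exceed 5x the user's median hourly volume


def is_approved_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_NETWORKS)


def bucket_events(events):
    """Group events by (user, platform, hour window)."""
    buckets = defaultdict(list)
    for ev in events:
        start = datetime.fromisoformat(ev["ts"]).replace(minute=0, second=0, microsecond=0)
        buckets[(ev["user"], ev["platform"], start)].append(ev)
    return buckets


def user_baselines(buckets):
    """Median events per hour window for each user: that user's 'normal' volume."""
    per_user = defaultdict(list)
    for (user, _platform, _start), evs in buckets.items():
        per_user[user].append(len(evs))
    return {u: median(counts) for u, counts in per_user.items()}


def detect(events):
    """Return triage-ready alerts for excessive windows that also show token use or unapproved IPs."""
    buckets = bucket_events(events)
    baselines = user_baselines(buckets)
    alerts = []
    for (user, platform, start), evs in sorted(buckets.items()):
        volume = len(evs)
        if volume < max(MIN_EVENTS, BASELINE_FACTOR * baselines[user]):
            continue  # not excessive relative to this user's own history
        unapproved_ips = sorted({e["ip"] for e in evs if not is_approved_ip(e["ip"])})
        tokens = sorted({e["credential"] for e in evs if e["auth"] == "token"})
        if not unapproved_ips and not tokens:
            continue  # volume alone (e.g. a migration over an approved path) is not enough
        alerts.append({
            "user": user,
            "platform": platform,
            "window": (start.isoformat(), (start + BUCKET).isoformat()),
            "events": volume,
            "baseline_per_hour": baselines[user],
            "bulk_events": sum(e["action"] in BULK_ACTIONS for e in evs),
            "assets": sorted({e["asset"] for e in evs}),
            "unapproved_ips": unapproved_ips,
            "tokens": tokens,
        })
    return alerts


def make_events(user, platform, day, hour, n, action, auth, credential, ip, asset_prefix):
    """Constructed audit events: n events one minute apart inside a single hour window."""
    base = datetime(2026, 3, 1 + day, hour)
    return [{"ts": (base + timedelta(minutes=i)).isoformat(), "user": user, "platform": platform,
             "action": action, "auth": auth, "credential": credential, "ip": ip,
             "asset": f"{asset_prefix}/{i % 10}"} for i in range(n)]


# Constructed sample: five days of ordinary activity, then three different edge cases.
SAMPLE_EVENTS = []
for day in range(5):
    for hour in (9, 11, 14):  # alice: normal page views, approved IP, browser session
        SAMPLE_EVENTS += make_events("alice", "confluence", day, hour, 4, "view", "session",
                                     "sess-a1", "203.0.113.10", "SPACE/runbooks")
    SAMPLE_EVENTS += make_events("bob", "github", day, 10, 3, "view", "session",  # bob: small volume
                                 "sess-b1", "192.0.2.20", "org/repo")              # from an unapproved IP
    SAMPLE_EVENTS += make_events("carol", "sharepoint", day, 9, 4, "view", "session",
                                 "sess-c1", "203.0.113.11", "sites/finance")
# alice: 40 events in one hour via a personal token from an unapproved IP, 30 of them exports
SAMPLE_EVENTS += make_events("alice", "confluence", 5, 2, 30, "export", "token", "pat-7f3e", "192.0.2.77", "SPACE/runbooks")
SAMPLE_EVENTS += make_events("alice", "confluence", 5, 2, 10, "view", "token", "pat-7f3e", "192.0.2.77", "SPACE/hr-policies")
# carol: a bulk download over the approved path with a browser session (e.g. a planned migration)
SAMPLE_EVENTS += make_events("carol", "sharepoint", 3, 16, 50, "download", "session", "sess-c1", "203.0.113.11", "sites/finance")

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, only alice's token-driven export window is reported; bob's low-volume access from an unapproved IP (location alone) and carol's high-volume download over an approved path (volume alone) are not. If your programme wants volume-only windows such as carol's in a lower-priority review queue, split the second `continue` into a separate list rather than widening the alert.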

Mitigation priorities

  • Inventory SaaS platforms that hold internal documentation, source code, or exportable business data and confirm audit logging and retention are enabled.
  • Define approved access paths and IP/network expectations for sensitive SaaS use, then make exceptions explicit and reviewable.
  • Strengthen identity and token governance, including review of API tokens, service accounts, and browser/session access patterns.
  • Restrict or monitor bulk export, download, clone, and sharing capabilities for sensitive workspaces and repositories based on role need.
  • Prepare incident response playbooks for suspected SaaS data access abuse, including token revocation, session termination, access review, and evidence preservation.

Analyst notes and limits

No relationship context, tactics, or official detection text were supplied. The examples named by ATT&CK are Confluence, GitHub, SharePoint Online, and Slack, but the platform scope is SaaS generally. The practical value of this analytic depends on local SaaS logging depth, identity context, and the organization’s definition of approved IPs and normal access behavior.

This take is based only on the supplied ATT&CK analytic fields and external reference. It does not establish active exploitation, attribution, specific adversary behavior, or guaranteed detection coverage. Platform-specific implementation details must be validated in the customer environment.

Official MITRE ATT&CK definition

Analytic 1162

Abuse of SaaS platforms such as Confluence, GitHub, SharePoint Online, or Slack to access excessive internal documentation or export source code/data. Includes use of tokens or browser automation from unapproved IPs.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created
Modified
Raw hash: 9cfce13809ace92a...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  9cfce13809ac…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1162 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.