Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1168: Analytic 1168

Automated abuse of cloud-hosted applications (e.g., web apps, REST endpoints, internal APIs) causing compute exhaustion, high 5xx error rates, or frequent autoscaling triggers logged in app insights or cloudwatch.

EnterpriseAN1168AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes a cloud availability risk: automated abuse of cloud-hosted applications, REST endpoints, or internal APIs that drives compute exhaustion, elevated 5xx errors, or repeated autoscaling events. For leaders, the practical issue is not just “traffic volume,” but whether cloud monitoring, application telemetry, and operational response processes can distinguish abnormal automated load from legitimate demand before cost, service reliability, or customer-facing availability are affected.

Executive priority

Prioritize this as an operational resilience and cloud cost-control validation item for IaaS-hosted applications. Executives should ask whether critical applications have evidence of abnormal error-rate spikes, autoscaling churn, and resource exhaustion; whether SOC and cloud operations share the same alerting view; and whether incident response can quickly separate malicious or abusive automation from normal business surges. Because ATT&CK provides no tactic mapping or relationships here, priority should be based on local exposure: internet-facing apps, API dependency criticality, and business tolerance for downtime or cloud spend spikes.

Technical view

SOC, cloud security, and IR teams should validate that monitoring covers application health and cloud resource behavior for IaaS-hosted workloads. The supplied analytic points to cloud-hosted applications, web apps, REST endpoints, and internal APIs with indicators such as compute exhaustion, high HTTP 5xx rates, and frequent autoscaling triggers in app insights or CloudWatch-like telemetry. Since no official detection logic is provided, teams should build environment-specific baselines for request patterns, error rates, resource saturation, and scaling activity, then tune alerts around deviations that correlate across application and infrastructure layers.

Likely telemetry

  • Application performance monitoring data, including request rate, latency, dependency failures, and 5xx error rates
  • Cloud monitoring events for compute utilization, autoscaling triggers, instance or container scaling activity, and resource saturation
  • Web application, API gateway, load balancer, and reverse proxy logs showing request volume and endpoint-level error patterns
  • Infrastructure metrics from IaaS-hosted workloads, including CPU, memory, network, and service health indicators
  • Incident and operations records showing service degradation, autoscaling churn, or application availability events

Detection direction

  • Validate that alerts correlate application-layer symptoms, such as high 5xx rates, with infrastructure-layer symptoms, such as compute exhaustion or repeated autoscaling.
  • Establish baselines for normal traffic bursts, scheduled jobs, product launches, and business-cycle peaks to reduce false positives from legitimate demand.
  • Review whether internal APIs are monitored with the same rigor as internet-facing endpoints, because the official description includes internal APIs as in scope.
  • Tune detection around sustained or repeated abnormal load patterns rather than single metric spikes, unless the affected application has very low tolerance for downtime.
  • Confirm that cloud operations, SOC, and incident response teams can see the same app insights or cloud monitoring evidence during triage.

Mitigation priorities

  • Identify the IaaS-hosted applications and APIs where compute exhaustion or 5xx spikes would create material business impact.
  • Ensure monitoring and alerting exist for application error rates, autoscaling triggers, and compute/resource saturation before relying on this analytic operationally.
  • Define response playbooks for availability-impacting automated abuse, including ownership between SOC, cloud operations, application teams, and incident response.
  • Use baselining and capacity planning to distinguish expected demand surges from abnormal automated activity.
  • Review resilience controls and operational limits for critical applications, prioritizing services with high availability requirements or significant cloud cost exposure.
Analyst notes and limits

This is a detection analytic object, not a full ATT&CK technique. The strongest decision value is in validating observability and response readiness for cloud application availability signals. The object is specific to IaaS and mentions app insights or CloudWatch-style monitoring, but it does not provide detection logic, tactics, procedures, mitigations, or relationship context.

Official detection is not provided, and no related ATT&CK objects or tactics were supplied. This take does not infer adversary attribution, active exploitation, impact, or guaranteed detection coverage. Local application architecture, cloud logging configuration, traffic baselines, and business criticality are required to determine practical risk and alert thresholds.

Official MITRE ATT&CK definition

Analytic 1168

Automated abuse of cloud-hosted applications (e.g., web apps, REST endpoints, internal APIs) causing compute exhaustion, high 5xx error rates, or frequent autoscaling triggers logged in app insights or cloudwatch.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
083bd2e85ef1effc...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 083bd2e85ef1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1168
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use