AN1188: Analytic 1188
Creation, deletion, or modification of security groups and firewall rules in cloud control plane logs that expand access to cloud resources beyond expected baselines. Defender view: unexpected ingress/egress rules permitting 0.0.0.0/0 or opening atypical ports, often correlated with privileged role or API key activity.
Analyst context for executives and security teams
This analytic focuses on cloud network exposure changes: security group or firewall rule updates that make cloud resources reachable beyond expected baselines, especially broad ingress or egress such as 0.0.0.0/0 or unusual open ports. For leaders, the value is not just detecting a rule change; it is proving the organization can notice when cloud control-plane activity weakens segmentation or exposes critical services before that exposure becomes an incident driver.
Executive priority
Prioritize this as a cloud security and resilience control validation item for IaaS environments. Executives should ask whether cloud firewall and security group changes are logged, reviewed against approved baselines, and correlated to privileged identity or API key use. This supports incident decision-making, audit evidence for change control, and risk-based prioritization of cloud misconfiguration exposure.
Technical view
SOC, detection engineering, and IR teams should validate monitoring of cloud control plane logs for creation, deletion, or modification of security groups and firewall rules. Detection logic should compare new or changed rules against expected baselines, with attention to ingress or egress permitting 0.0.0.0/0 and ports that are atypical for the asset or environment. Because the supplied ATT&CK object does not specify a tactic or relationship context, teams should treat this as a cloud exposure analytic rather than infer a specific attack phase.
Likely telemetry
- IaaS cloud control plane audit logs
- Security group and firewall rule change events
- Rule attributes including source or destination CIDR ranges, in particular the unrestricted ranges 0.0.0.0/0 and its IPv6 equivalent ::/0
- Port and protocol fields for ingress and egress rules
- Identity context for privileged roles, users, service accounts, or API keys associated with the change
Detection direction
- Validate that rule creation, deletion, and modification events are collected consistently across IaaS accounts, projects, subscriptions, and regions in scope.
- Tune for deviations from expected baselines rather than only broad static matches, since some internet-facing rules may be legitimate.
- Prioritize alerts where broad access such as 0.0.0.0/0 coincides with atypical ports or privileged role/API key activity.
- Include both ingress and egress rule changes to avoid a blind spot around outbound exposure.
- Suppress or annotate approved deployment and change windows using change records, but ensure emergency or manual changes remain reviewable.
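The detection direction above, worked through as an added example rather than MITRE or Glexia detection content. The block scores constructed security-group change events in the shape of AWS CloudTrail EC2 records (the field paths are an assumption; adapt them for other providers), checks both 0.0.0.0/0 and ::/0, compares world-open ports against a hypothetical per-group baseline, bumps severity for privileged identities, and annotates rather than suppresses changes inside an approved window so emergency or manual changes stay reviewable. The baseline, role-name markers and change window are hypothetical fixtures.

```python
"""Score cloud control-plane security-group change events against an exposure baseline.

Added example for this page, not MITRE or Glexia code. Events are constructed in the
shape of AWS CloudTrail EC2 records; the field paths are an assumption to adapt for
other providers' control-plane logs.
"""
import ipaddress
from datetime import datetime, timezone

# eventName -> rule direction it touches (None: acts on the group, not on its rules)
SG_EVENTS = {"AuthorizeSecurityGroupIngress": "ingress", "RevokeSecurityGroupIngress": "ingress",
             "AuthorizeSecurityGroupEgress": "egress", "RevokeSecurityGroupEgress": "egress",
             "ModifySecurityGroupRules": None, "CreateSecurityGroup": None, "DeleteSecurityGroup": None}
# Hypothetical baseline: (direction, port) pairs allowed to be world-reachable, per group.
BASELINE = {"sg-web": {("ingress", 80), ("ingress", 443)}}
HIGH_RISK_PORTS = {22, 3389, 445, 1433, 3306, 5432, 6379, 9200, 27017}
PRIVILEGED_MARKERS = ("role/Admin", ":root")  # hypothetical naming convention
CHANGE_WINDOWS = [(datetime(2026, 3, 1, 2, 0, tzinfo=timezone.utc),  # hypothetical CMDB export
                   datetime(2026, 3, 1, 4, 0, tzinfo=timezone.utc), "CHG-1001")]
SEVERITY = ["info", "low", "medium", "high", "critical"]


def is_unrestricted(cidr):
    """0.0.0.0/0 and ::/0 both parse to prefix length zero, so one check covers both families."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def extract_rules(event):
    """Yield (protocol, from_port, to_port, cidr) from requestParameters.ipPermissions."""
    for perm in event.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in filter(None, cidrs):
            yield str(perm.get("ipProtocol", "-1")), perm.get("fromPort"), perm.get("toPort"), cidr


def change_window_for(ts):
    return next((cid for start, end, cid in CHANGE_WINDOWS if start <= ts < end), None)


def is_privileged(identity):
    return identity.get("type") == "Root" or any(m in identity.get("arn", "") for m in PRIVILEGED_MARKERS)


def score_event(event):
    name, params = event["eventName"], event.get("requestParameters", {})
    if name not in SG_EVENTS:
        return {"alert": False, "severity": "info", "reasons": ["not a security-group event"]}
    direction, group = SG_EVENTS[name], params.get("groupId") or params.get("groupName", "?")
    ts = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
    level, reasons = 0, []
    if name.startswith("Authorize"):
        allowed = {p for d, p in BASELINE.get(group, set()) if d == direction}
        for proto, lo, hi, cidr in extract_rules(event):
            if not is_unrestricted(cidr):
                continue  # scoped CIDR: belongs to baseline drift review, not this alert
            if proto == "-1" or lo is None:
                level = max(level, 3)
                reasons.append(f"{direction} all protocols/ports open to {cidr}")
                continue
            ports = range(lo, hi + 1)
            if len(ports) <= len(allowed) and all(p in allowed for p in ports):
                level = max(level, 1)
                reasons.append(f"{direction} {proto}/{lo}-{hi} open to {cidr} is in baseline")
            else:
                risky = HIGH_RISK_PORTS.intersection(ports) or len(ports) > 1024
                level = max(level, 3 if risky else 2)
                reasons.append(f"{direction} {proto}/{lo}-{hi} open to {cidr} is not in baseline")
    elif name.startswith("Revoke"):
        reasons.append(f"{direction} rule revoked on {group} (narrows access)")
    else:
        level = 0 if name == "DeleteSecurityGroup" else 1  # create/modify stay reviewable
        reasons.append(f"{name} on {group}")
    if level and is_privileged(event.get("userIdentity", {})):
        level = min(level + 1, 4)
        reasons.append("privileged identity: " + event["userIdentity"].get("arn", "root"))
    change_id = change_window_for(ts)
    # In-baseline exposure inside an approved window is annotated, not alerted; anything
    # beyond baseline, or outside a window, is still raised for review.
    return {"group": group, "severity": SEVERITY[level], "change": change_id,
            "alert": level >= 2 or (level == 1 and change_id is None), "reasons": reasons}


def analyze(events):
    return [score_event(e) for e in events]


def _ev(name, group, arn, when, perms, kind="AssumedRole"):
    """Constructed CloudTrail-shaped record (fixture, not real telemetry)."""
    return {"eventSource": "ec2.amazonaws.com", "eventName": name, "eventTime": when,
            "userIdentity": {"type": kind, "arn": arn},
            "requestParameters": {"groupId": group, "ipPermissions": {"items": perms}}}


def _rule(proto, lo, hi, *cidrs):
    perm = {"ipProtocol": proto,
            "ipRanges": {"items": [{"cidrIp": c} for c in cidrs if ":" not in c]},
            "ipv6Ranges": {"items": [{"cidrIpv6": c} for c in cidrs if ":" in c]}}
    return perm if lo is None else {**perm, "fromPort": lo, "toPort": hi}


ROLE = "arn:aws:sts::111122223333:assumed-role/"  # constructed account
SAMPLE_EVENTS = [
    _ev("AuthorizeSecurityGroupIngress", "sg-web", ROLE + "Deployer/ci", "2026-03-01T02:30:00Z",
        [_rule("tcp", 443, 443, "0.0.0.0/0")]),
    _ev("AuthorizeSecurityGroupIngress", "sg-db", ROLE + "Admin/ops", "2026-03-01T13:05:00Z",
        [_rule("tcp", 22, 22, "0.0.0.0/0")]),
    _ev("AuthorizeSecurityGroupEgress", "sg-app", "arn:aws:iam::111122223333:user/svc-deploy",
        "2026-03-02T09:00:00Z", [_rule("-1", None, None, "::/0")], kind="IAMUser"),
    _ev("AuthorizeSecurityGroupIngress", "sg-app", ROLE + "Deployer/ci", "2026-03-02T09:01:00Z",
        [_rule("tcp", 8443, 8443, "10.0.0.0/8")]),
    _ev("RevokeSecurityGroupIngress", "sg-web", ROLE + "Deployer/ci", "2026-03-02T09:02:00Z",
        [_rule("tcp", 80, 80, "0.0.0.0/0")]),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"], f["alert"], f["group"], "; ".join(f["reasons"]))
```

Run as written, the in-window 443 change on sg-web is annotated with CHG-1001 and not alerted, the world-open SSH rule added by an Admin role is critical, the allow-all egress to ::/0 is high, and the scoped 10.0.0.0/8 rule and the revoke are informational. The baseline should encode a provider's default rules (for example AWS security groups ship with allow-all egress) so routine deployments do not re-trigger the egress branch on every run.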
Mitigation priorities
- Establish and maintain expected baselines for security groups and firewall rules around critical cloud resources.
- Require controlled change processes for broad network exposure and privileged cloud network administration.
- Apply least-privilege network access patterns and avoid unrestricted CIDR ranges unless explicitly justified.
- Review privileged identities and API keys that can modify cloud firewall or security group policy.
- Use periodic control validation to confirm logging, alerting, and response workflows still cover IaaS network rule changes.
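The baseline maintenance and periodic control validation items above, as an added example that is not MITRE or Glexia code. Where the event-stream check catches changes as they happen, this reconciles a point-in-time snapshot of live rules against the approved exposure baseline in both directions: world-open rules with no baseline entry become the revoke list, and baseline entries with no matching live rule are reported as stale so the baseline itself does not rot. The snapshot is a constructed, flattened rule list (one entry per rule with its CIDRs), an assumed shape that a collector would produce from the provider's describe/list call; the baseline is hypothetical.

```python
"""Periodic drift check: live security-group rules against an approved exposure baseline.

Added example for this page, not MITRE or Glexia code. The live state is a constructed,
flattened rule list, an assumed shape a collector would produce from the provider's
describe/list call; the approved baseline is hypothetical.
"""
import ipaddress

# Approved world-reachable exposure: group -> {(direction, protocol, port)}.
# Allow-all egress on sg-app is listed deliberately so it is not re-flagged every run.
APPROVED = {
    "sg-web": {("ingress", "tcp", 80), ("ingress", "tcp", 443)},
    "sg-app": {("egress", "-1", None)},
}


def world_open(rule):
    """True if any CIDR on the rule is 0.0.0.0/0 or ::/0 (prefix length zero)."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in rule.get("cidrs", []))


def reconcile(groups, approved=APPROVED):
    """Return (world-open rules with no baseline entry, baseline entries with no live rule)."""
    seen, to_revoke = set(), []
    for g in groups:
        for rule in g["rules"]:
            if not world_open(rule):
                continue  # scoped CIDRs are least-privilege by construction; not exposure drift
            key = (g["id"], rule["direction"], rule["protocol"], rule.get("port"))
            if key[1:] in approved.get(g["id"], set()):
                seen.add(key)
            else:
                to_revoke.append(key)
    stale = sorted(((gid,) + k for gid, keys in approved.items() for k in keys
                    if (gid,) + k not in seen), key=str)
    return to_revoke, stale


LIVE_GROUPS = [  # constructed snapshot
    {"id": "sg-web", "rules": [
        {"direction": "ingress", "protocol": "tcp", "port": 443, "cidrs": ["0.0.0.0/0", "::/0"]},
        {"direction": "ingress", "protocol": "tcp", "port": 22, "cidrs": ["203.0.113.0/24"]}]},
    {"id": "sg-db", "rules": [
        {"direction": "ingress", "protocol": "tcp", "port": 3306, "cidrs": ["0.0.0.0/0"]}]},
    {"id": "sg-app", "rules": [
        {"direction": "egress", "protocol": "-1", "port": None, "cidrs": ["0.0.0.0/0"]}]},
]

if __name__ == "__main__":
    revoke, stale = reconcile(LIVE_GROUPS)
    print("revoke:", revoke)
    print("stale baseline entries:", stale)
```

On the constructed snapshot the only drift is world-open MySQL on sg-db, and the baseline's port 80 entry on sg-web is reported stale because no live rule matches it; both lists are what a scheduled control-validation job should hand to the change process.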
Analyst notes and limits
The ATT&CK object is a detection analytic for IaaS cloud environments and describes cloud control-plane evidence of security group or firewall rule changes that expand access. No ATT&CK tactics, related techniques, groups, software, or mitigations were supplied, so this take frames practical defensive value without assigning attack stage or attribution.
Official detection content was not provided, and no relationships were supplied. Local baselines, asset criticality, approved exposure patterns, and cloud-provider-specific log schemas are required to convert this into production detection logic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 618f904fd9e9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1188 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.