AN1191: Analytic 1191
Detects user agents or background services making unauthorized or unscheduled web API calls to cloud/web services over HTTPS.
Analyst context for executives and security teams
This analytic matters because unscheduled HTTPS API activity from macOS user agents or background services can indicate that an endpoint, application, or service account is communicating with cloud or web services outside expected business workflows. For leaders, the value is not simply spotting web traffic; it is validating whether the organization can distinguish normal SaaS/API behavior from unauthorized automation, misconfigured agents, or potentially suspicious background activity.
Executive priority
Prioritize this as a visibility and governance question for macOS fleets and cloud/web service usage: do security teams know which background services are allowed to call external APIs, when they should run, and what evidence proves that? This supports incident triage, cloud security oversight, compliance evidence for endpoint monitoring, and budget decisions around endpoint/network telemetry retention and baselining.
Technical view
For SOC and detection teams, validate whether macOS endpoint and network telemetry can identify user agents or background services making HTTPS API calls to cloud or web services, then compare those calls against approved schedules, destinations, and service ownership. Because ATT&CK provides no tactic, relationship, or detection logic for this analytic, implementation should be environment-specific and focused on allowlisted services, expected timing, destination reputation/context, and deviations from normal macOS service behavior.
Likely telemetry
- macOS endpoint process and service execution telemetry
- Network connection metadata for HTTPS sessions
- Proxy, secure web gateway, firewall, or DNS logs showing destinations and timing
- User agent strings where available from proxy or web telemetry
- Cloud or web service access logs for API calls
Detection direction
- Baseline approved macOS background services and scheduled agents that legitimately call cloud or web APIs.
- Correlate process/service identity, destination, timing, and user agent rather than alerting on HTTPS alone.
- Tune out known enterprise management, security, backup, collaboration, and update services after ownership and schedule are confirmed.
- Look for calls occurring outside expected maintenance windows, from unusual processes, or to cloud/web services not associated with the asset owner.
- Account for blind spots where TLS encryption, missing proxy visibility, incomplete user agent logging, or unmanaged macOS devices reduce context.
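One way to implement the correlation the list above describes, as an added example that is not part of the ATT&CK object or Glexia's analysis: a Python triage routine that compares constructed macOS HTTPS call records (process path, destination, user agent, timestamp) against a hypothetical allowlist of approved background services and reports only the deviations. All service paths, hostnames and records are constructed placeholders; a real deployment would populate them from the service inventory and joined process/proxy telemetry.

```python
from datetime import datetime, time

# Hypothetical allowlist (constructed): process path -> approved destinations,
# local maintenance window, and the user agent prefix the service is expected to send.
ALLOWLIST = {
    "/Library/Example/Agent/backupd": {
        "destinations": {"api.backup.example.com"},
        "window": (time(1, 0), time(4, 0)),
        "user_agent_prefix": "ExampleBackup/",
    },
    "/Library/Example/Agent/updated": {  # window wraps past midnight
        "destinations": {"updates.example.com"},
        "window": (time(22, 0), time(2, 0)),
        "user_agent_prefix": "ExampleUpdater/",
    },
}

# Constructed sample telemetry, one record per HTTPS call, as it would look after
# joining endpoint process events with proxy/web gateway logs.
EVENTS = [
    {"process": "/Library/Example/Agent/backupd", "dest": "api.backup.example.com",
     "user_agent": "ExampleBackup/3.2", "ts": "2025-03-10T02:15:00"},  # baseline
    {"process": "/Library/Example/Agent/backupd", "dest": "api.backup.example.com",
     "user_agent": "ExampleBackup/3.2", "ts": "2025-03-10T14:05:00"},  # outside window
    {"process": "/Library/Example/Agent/backupd", "dest": "files.other.example.net",
     "user_agent": "ExampleBackup/3.2", "ts": "2025-03-10T02:20:00"},  # new destination
    {"process": "/Users/alice/Library/LaunchAgents/helper", "dest": "api.backup.example.com",
     "user_agent": "curl/8.4.0", "ts": "2025-03-10T02:30:00"},  # unknown process
]

def in_window(ts, window):
    """True if the call's local time is inside the approved window (handles midnight wrap)."""
    start, end = window
    t = datetime.fromisoformat(ts).time()
    return start <= t <= end if start <= end else (t >= start or t <= end)

def evaluate(event, allowlist=ALLOWLIST):
    """Return deviation reasons for one call; an empty list means it matches the baseline."""
    entry = allowlist.get(event["process"])
    if entry is None:
        return ["process not in approved background-service inventory"]
    reasons = []
    if event["dest"] not in entry["destinations"]:
        reasons.append("destination not approved for this service")
    if not in_window(event["ts"], entry["window"]):
        reasons.append("call outside approved maintenance window")
    if not event["user_agent"].startswith(entry["user_agent_prefix"]):
        reasons.append("user agent does not match expected service")
    return reasons

def triage(events, allowlist=ALLOWLIST):
    """Keep only deviating calls, paired with their reasons, for analyst review."""
    return [(e, evaluate(e, allowlist)) for e in events if evaluate(e, allowlist)]
```

Because the routine never alerts on HTTPS alone, the baseline record produces no output while the three deviating records each carry the specific reason an analyst needs to decide between a tuning exception and an investigation.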
Mitigation priorities
- Establish and maintain an inventory of approved macOS background services and their expected cloud/web API destinations.
- Require change control or service ownership for new scheduled agents and background API integrations.
- Ensure endpoint and network logging can retain enough process, destination, timing, and user agent context for investigations.
- Use policy controls where available to restrict unauthorized background services and unapproved external API destinations.
- Review exceptions periodically so allowlists do not become stale or overly broad.
Analyst notes and limits
This object is a detection analytic, not a technique. The supplied ATT&CK fields identify macOS as the platform and describe the behavior as unauthorized or unscheduled HTTPS API calls by user agents or background services. No tactics, related techniques, detection details, or relationships were supplied, so local baselines and asset/service ownership are essential for meaningful detection.
ATT&CK did not provide detection logic, data sources, relationships, tactics, or examples for this analytic. This take therefore avoids claims about attacker use, impact, attribution, or guaranteed coverage. Practical implementation depends on the organization’s macOS management, proxy/network visibility, cloud service logging, and approved service inventory.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 02e756b6d3d8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1191
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.