MITRE ATT&CK® Analytic

AN1328: Analytic 1328

Spike in object access from new IAM user or role followed by data exfiltration to external IPs

Enterprise | AN1328 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

AN1328 is a cloud detection analytic concept for a sudden increase in object access by a new IAM user or role, followed by data movement to external IP addresses. Its business value is that it points to a high-consequence cloud scenario: newly created or newly used identity access touching object storage at scale and then sending data outside the environment. For leaders, this is a validation point for whether cloud identity, storage access logging, and egress monitoring can be joined quickly enough to support incident decisions.

Executive priority

Prioritize this analytic as a cloud security and incident response readiness check for IaaS environments. The key leadership question is whether the organization can prove who accessed cloud objects, whether that identity was new or unusual, and whether related outbound transfer activity can be reviewed with enough speed and confidence to support containment, legal/compliance triage, and business continuity decisions. Because the ATT&CK object provides no tactic mapping, no relationship context, and no detailed detection logic, treat it as a coverage requirement rather than a complete detection rule.

Technical view

SOC and detection engineering teams should validate correlation across three evidence areas: IAM user or role age/first-seen status, object access volume or rate, and outbound network destinations classified as external IPs. The analytic is explicitly scoped to IaaS. Since no official detection logic is provided, teams should define local baselines for normal object access by identity type, service account, workload, and time window, then test whether alerts preserve enough context for IR: identity, object store/resource, access action, volume, source, destination IP, and timing sequence.

Likely telemetry

  • IaaS IAM audit logs showing user or role creation, assumption, first use, and permission context
  • Object storage access logs showing object reads or access volume by IAM user or role
  • Cloud control-plane audit logs for storage and identity activity
  • Network flow, egress, proxy, firewall, or cloud network telemetry showing outbound connections to external IP addresses
  • Asset, account, and identity inventory needed to determine whether an IAM user or role is new or unusual

Detection direction

  • Validate that logging is enabled and retained for IAM activity, object access events, and outbound network activity in the relevant IaaS accounts or projects.
  • Tune thresholds for a 'spike' using local baselines; newly deployed workloads, backups, migrations, analytics jobs, and data replication can create legitimate high-volume object access.
  • Require sequence-aware correlation: new IAM user or role activity, increased object access, then external egress within a defensible time window.
  • Ensure alerts include enough enrichment for triage, including identity age, role/session details where available, object store/resource identifiers, accessed object counts or bytes, destination IPs, and account/project context.
  • Watch for blind spots where object access logs are disabled, service roles are reused broadly, network egress is not centrally logged, or external IP classification is incomplete.
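The three-evidence correlation described in the Technical view and the sequence-aware, baseline-driven direction in the bullets above, as an added worked example in Python. This is not MITRE's analytic logic and not Glexia's code. Event field names, thresholds, the internal CIDR list, identity and bucket names and the sample events are all constructed assumptions; real IaaS IAM audit, object-access and flow logs have to be normalized into these fields locally, and the placeholder baselines replaced with measured ones.

```python
"""AN1328-style correlation: new IAM identity -> object-read spike -> external egress.
Added example with constructed schemas and data; not MITRE's or Glexia's detection logic."""
from datetime import datetime, timedelta
import ipaddress

# Placeholder tunables: replace with local baselines per the 'Detection direction' bullets.
NEW_IDENTITY_MAX_AGE = timedelta(days=7)     # identity first seen within this span counts as "new"
SPIKE_WINDOW = timedelta(minutes=15)         # sliding window over object reads
EGRESS_FOLLOW_WINDOW = timedelta(hours=1)    # egress must follow the spike within this span
MIN_EGRESS_BYTES = 50 * 1024 * 1024          # ignore small outbound transfers
READ_ACTIONS = {"GetObject", "CopyObject", "SelectObjectContent"}   # assumed normalized action names

# Assumed internal ranges; a real deployment also adds its own VPC, peering and partner CIDRs.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

def is_external(ip: str) -> bool:
    """External = not in any configured internal range. Unclassified IPs count as external,
    so an incomplete allowlist errs toward alerting rather than toward the blind spot."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)

def spike_threshold(baseline_reads_per_window: float, multiplier: int = 5, floor: int = 100) -> int:
    """Threshold from the normal per-window read count for this identity type, with a floor."""
    return max(floor, int(baseline_reads_per_window * multiplier))

def find_spike(times, threshold):
    """First SPIKE_WINDOW holding >= threshold reads; returns (start_idx, end_idx) or None."""
    j = 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= SPIKE_WINDOW:
            j += 1
        if j - i >= threshold:
            return i, j - 1
    return None

def correlate(iam_events, object_events, flow_events, baselines, now):
    """One finding per new identity whose read spike is followed by external egress from the same host."""
    ts = datetime.fromisoformat
    first_seen = {}                                   # identity -> (first time, identity type)
    for e in iam_events:
        t = ts(e["time"])
        if e["identity"] not in first_seen or t < first_seen[e["identity"]][0]:
            first_seen[e["identity"]] = (t, e["type"])
    reads = {}                                        # identity -> [(time, source host, resource, bytes)]
    for e in object_events:
        if e["action"] in READ_ACTIONS:
            reads.setdefault(e["identity"], []).append((ts(e["time"]), e["source"], e["resource"], e["bytes"]))
    findings = []
    for identity, rs in reads.items():
        if identity not in first_seen:
            continue                                  # unknown age: treat as an inventory gap locally
        seen_at, id_type = first_seen[identity]
        if now - seen_at > NEW_IDENTITY_MAX_AGE:
            continue                                  # step 1 fails: identity is not new
        rs.sort()
        spike = find_spike([r[0] for r in rs], spike_threshold(baselines.get(id_type, 0)))
        if spike is None:
            continue                                  # step 2 fails: no spike above the local threshold
        window = rs[spike[0]:spike[1] + 1]
        spike_end, sources = window[-1][0], {r[1] for r in window}
        egress = {}                                   # destination IP -> bytes, joined on host and time
        for f in flow_events:
            t = ts(f["time"])
            if f["src"] in sources and is_external(f["dst"]) and spike_end < t <= spike_end + EGRESS_FOLLOW_WINDOW:
                egress[f["dst"]] = egress.get(f["dst"], 0) + f["bytes"]
        if sum(egress.values()) < MIN_EGRESS_BYTES:
            continue                                  # step 3 fails: no meaningful external egress
        findings.append({                             # the enrichment triage needs, per the bullets above
            "identity": identity, "identity_type": id_type, "identity_age_days": (now - seen_at).days,
            "object_count": len(window), "object_bytes": sum(r[3] for r in window),
            "resources": sorted({r[2] for r in window}), "sources": sorted(sources),
            "spike_start": window[0][0].isoformat(), "spike_end": spike_end.isoformat(), "egress": egress})
    return findings

def demo():
    """Constructed telemetry: one suspicious new role, one long-lived backup role, one quiet new user."""
    t0 = datetime(2026, 3, 1, 10, 0, 0)
    iam = [{"time": "2026-02-27T08:00:00", "identity": "role/data-migrator-tmp", "type": "role"},
           {"time": "2025-01-15T00:00:00", "identity": "role/backup-nightly", "type": "role"},
           {"time": "2026-02-28T09:30:00", "identity": "user/alice", "type": "user"}]
    objs = [{"time": (t0 + timedelta(seconds=5 * i)).isoformat(), "identity": "role/data-migrator-tmp",
             "action": "GetObject", "source": "10.0.1.5", "resource": "bucket/finance-exports", "bytes": 2_000_000}
            for i in range(120)]
    objs += [{"time": (t0 + timedelta(seconds=2 * i)).isoformat(), "identity": "role/backup-nightly",
              "action": "GetObject", "source": "10.0.3.7", "resource": "bucket/app-data", "bytes": 5_000_000}
             for i in range(300)]
    objs += [{"time": (t0 + timedelta(minutes=i)).isoformat(), "identity": "user/alice",
              "action": "GetObject", "source": "10.0.1.9", "resource": "bucket/docs", "bytes": 10_000}
             for i in range(20)]
    flows = [{"time": "2026-03-01T10:20:00", "src": "10.0.1.5", "dst": "203.0.113.42", "bytes": 180 * 1024 * 1024},
             {"time": "2026-03-01T10:21:00", "src": "10.0.1.5", "dst": "10.0.2.9", "bytes": 500 * 1024 * 1024},
             {"time": "2026-03-01T10:25:00", "src": "10.0.3.7", "dst": "203.0.113.42", "bytes": 900 * 1024 * 1024}]
    baselines = {"role": 10, "user": 2}               # constructed normal reads per window by identity type
    return correlate(iam, objs, flows, baselines, now=datetime(2026, 3, 2, 0, 0, 0))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the demo yields a single finding for the two-day-old role: the backup role moves far more data to the same external address but is excluded because it fails the "new identity" step, and the new user never crosses the read threshold. The join between object reads and flows is on the source host plus a time window because flow telemetry rarely carries the IAM principal; where the cloud provider does expose it, joining on the identity directly is stronger.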

Mitigation priorities

  • Confirm least-privilege IAM design for users and roles that can access object storage in IaaS environments.
  • Strengthen governance for creation and use of new IAM users and roles, including approval, ownership, and review processes.
  • Enable and retain object access, IAM audit, and egress telemetry needed to investigate suspected exfiltration patterns.
  • Apply egress control and monitoring appropriate to the environment, especially for workloads that can read sensitive object stores.
  • Build incident response playbooks for suspected cloud data exposure that include identity containment, object access scoping, destination review, and evidence preservation.

Analyst notes and limits

This object is a detection analytic, not a technique description. The official description is specific to IaaS and centers on a behavioral pattern: new IAM user or role, object access spike, and data exfiltration to external IPs. No ATT&CK tactics, relationships, or official detection implementation were supplied, so local engineering must define thresholds, correlation windows, and identity/storage/network data mappings.

The supplied ATT&CK fields do not provide detection pseudocode, data source mappings, related techniques, mitigations, procedures, or known threat actor usage. Any assessment of risk, alert fidelity, or coverage requires local cloud architecture, logging configuration, IAM model, and normal workload behavior.

Official MITRE ATT&CK definition

Analytic 1328

Spike in object access from new IAM user or role followed by data exfiltration to external IPs

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 25948d781974d259...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 25948d781974…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1328

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.