AN1348: Analytic 1348
Behavioral chain: (1) cross-account or third-party principal assumes a role into the tenant/subscription/project; (2) privileged API calls are made in short succession; (3) access originates from unfamiliar networks or geos. Correlate assume-role/federation events with sensitive API usage.
Analyst context for executives and security teams
This analytic matters because it focuses on a high-risk cloud access pattern: an outside or cross-account identity enters an IaaS environment, quickly performs privileged actions, and does so from networks or locations that are not familiar. For leaders, the decision value is whether the organization can prove it sees and investigates risky third-party, federated, or cross-account access before it becomes an incident response problem.
Executive priority
Prioritize this as a cloud identity and access governance question, not only a SOC rule. Executives should ask whether privileged cross-account and third-party role access is approved, logged, reviewed, and correlated with sensitive API activity. This supports business continuity, third-party risk management, audit evidence, and incident decision-making when cloud administrative access is involved.
Technical view
For IaaS environments, validate that detection engineering can correlate assume-role or federation events with privileged API calls occurring in short succession, then enrich that activity with source network and geolocation context. Because no ATT&CK tactic or formal detection logic is supplied, teams should implement this as a behavior chain and tune it against known administrative workflows, trusted third-party integrations, and approved cross-account access paths.
Likely telemetry
- IaaS control-plane audit logs
- Assume-role, federation, or cross-account access events
- Privileged or sensitive API call records
- Identity principal, role, tenant/subscription/project, and third-party account context
- Source IP address, network ownership, and geolocation enrichment
Detection direction
- Confirm that assume-role or federation events are retained and searchable with principal, role, source, and target environment details.
- Correlate cross-account or third-party role assumption with privileged API activity shortly afterward rather than alerting on either event alone.
- Tune allowlists carefully for approved third-party providers, automation, and administrative break-glass workflows to reduce false positives.
- Review blind spots where cloud audit logs are incomplete, geolocation enrichment is unavailable, or identity context is not normalized across accounts/projects/subscriptions.
- Treat unfamiliar network or geo as risk context requiring investigation, not as standalone proof of malicious activity.
Mitigation priorities
- Inventory and review third-party, federated, and cross-account role trust relationships in IaaS environments.
- Restrict privileged roles to approved principals and business-justified access paths.
- Require operational owners to document expected source networks, automation patterns, and privileged API use for high-risk roles.
- Ensure control-plane logging, identity logging, and enrichment needed for this analytic are enabled and retained for investigation.
- Use periodic access reviews and incident response playbooks to validate that suspicious cross-account privileged activity can be triaged quickly.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and provides a behavioral chain rather than executable detection logic. The strongest use is as a validation checklist for cloud identity monitoring, third-party access governance, and SOC correlation across role assumption, privileged API use, and source context.
No tactic, relationship context, formal detection field, specific cloud provider, procedure examples, or mitigation mappings were supplied. Local cloud architecture, approved third-party access patterns, logging coverage, and identity governance evidence are required before determining detection quality or risk exposure.
Analytic 1348
Behavioral chain: (1) cross-account or third-party principal assumes a role into the tenant/subscription/project; (2) privileged API calls are made in short succession; (3) access originates from unfamiliar networks or geos. Correlate assume-role/federation events with sensitive API usage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | eff4368ccb7a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1348Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.