MITRE ATT&CK® Analytic

AN1356: Analytic 1356

Defenders should monitor for anomalous or unauthorized changes to cloud compute configurations that alter quotas, tenant-wide policies, subscription associations, or allowed deployment regions. From a defender’s perspective, suspicious behavior chains include a sudden increase in compute quota requests followed by new instance or resource creation, policy modifications that weaken security restrictions, or enabling previously unused/unsupported cloud regions. Correlation across identity, configuration, and subsequent provisioning logs is critical to distinguish legitimate administrative activity from adversarial abuse.

Domain: Enterprise | ID: AN1356 | Type: Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because changes to cloud compute configuration can quickly alter an organization’s risk posture: higher quotas, weakened tenant or subscription policies, changed subscription associations, or newly enabled regions may allow unexpected resource deployment and reduce governance control. For leaders, the key issue is not just whether cloud admins can make these changes, but whether the organization can distinguish approved scaling and policy work from unauthorized or anomalous activity before it affects cost, compliance, or operational resilience.

Executive priority

Prioritize this as a cloud governance and incident-readiness control point for IaaS environments. Security and cloud leaders should ask whether quota changes, tenant-wide policy changes, subscription association changes, allowed-region changes, and follow-on provisioning are logged, reviewed, and correlated with identity context. This supports budget control, audit evidence, and faster incident decisions when cloud configuration changes appear outside normal administrative patterns.

Technical view

SOC, cloud security, and IR teams should validate monitoring for anomalous or unauthorized IaaS compute configuration changes involving quotas, tenant-wide policies, subscription associations, and allowed deployment regions. The analytic’s decision value depends on correlation: identity activity, configuration change records, and subsequent provisioning logs should be reviewed together. Suspicious chains include compute quota increases followed by new instance or resource creation, policy changes that weaken restrictions, or enabling regions that were previously unused or unsupported. No ATT&CK tactic or relationship context was supplied, so detections should remain behavior-focused rather than campaign- or technique-chain-specific.

Likely telemetry

  • Cloud control-plane audit logs for compute quota requests and approvals
  • Tenant-wide policy and subscription policy change logs
  • Subscription association or account/project linkage change records
  • Allowed-region or region enablement configuration logs
  • Cloud identity and administrator activity logs

Detection direction

  • Correlate configuration changes with the identity that performed them, the approval/change context, and any subsequent resource creation.
  • Baseline normal quota, region, subscription, and policy administration patterns to identify unusual timing, actors, regions, or scale.
  • Tune for legitimate cloud operations such as planned capacity increases, regional expansion, disaster recovery testing, or infrastructure migrations to reduce false positives.
  • Prioritize alerting when a quota increase is followed by new compute provisioning, when policies are weakened, or when previously unused or unsupported regions are enabled.
  • Check for blind spots where cloud audit logs are not retained, not centralized, lack identity context, or are not correlated with provisioning activity.
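The correlation the bullets above describe, and the documented-baseline idea from the mitigation list that follows, are easier to reason about in code. The block below is an added example written for this page; it is not MITRE or Glexia detection logic. It assumes that control-plane audit events have already been normalized into a flat schema (id, ts, actor, action, detail), and every event, actor, region and ticket value in it is constructed for illustration. It flags three chains: a quota increase followed by instance creation by the same identity inside a time window, enablement of a region outside the documented allowed list, and a policy change whose effect moves from a stricter to a weaker value. Each finding carries the change ticket (if any) so that planned capacity work can be ranked below unapproved activity rather than suppressed outright.

```python
from datetime import datetime, timedelta

# Constructed sample of cloud control-plane audit events, already normalized
# into a flat schema (id, ts, actor, action, detail). The schema and every
# value are invented for this example; map real provider fields onto it.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2025-01-10T08:00:00Z", "actor": "ops-admin", "action": "quota.update",
     "detail": {"resource": "vcpu", "old": 64, "new": 128, "change_ticket": "CHG-100"}},
    {"id": 2, "ts": "2025-01-10T09:30:00Z", "actor": "ops-admin", "action": "instance.create",
     "detail": {"count": 4, "region": "us-east"}},
    {"id": 3, "ts": "2025-01-11T02:14:00Z", "actor": "svc-build", "action": "quota.update",
     "detail": {"resource": "vcpu", "old": 128, "new": 1024, "change_ticket": None}},
    {"id": 4, "ts": "2025-01-11T02:20:00Z", "actor": "svc-build", "action": "region.enable",
     "detail": {"region": "ap-south"}},
    {"id": 5, "ts": "2025-01-11T02:25:00Z", "actor": "svc-build", "action": "instance.create",
     "detail": {"count": 40, "region": "ap-south"}},
    {"id": 6, "ts": "2025-01-11T02:26:00Z", "actor": "svc-build", "action": "policy.update",
     "detail": {"policy": "allowed-vm-skus", "old_effect": "deny", "new_effect": "audit"}},
]

# Documented baseline of allowed regions (assumed; keep it current from change control).
APPROVED_REGIONS = {"us-east", "eu-west"}

# Policy effect transitions treated as weakening a restriction (assumed vocabulary).
WEAKENING = {("deny", "audit"), ("deny", "disabled"), ("audit", "disabled")}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyze(events, approved_regions, window=timedelta(hours=2)):
    """Return findings, each carrying the actor, the event ids that form the
    chain, and the change ticket (if any) so analysts can tune out approved work."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    for e in ordered:
        t, d = parse_ts(e["ts"]), e["detail"]
        if e["action"] == "quota.update" and d["new"] > d["old"]:
            # Chain: quota increase followed by provisioning by the same identity within the window.
            later = [f for f in ordered
                     if f["action"] == "instance.create" and f["actor"] == e["actor"]
                     and t < parse_ts(f["ts"]) <= t + window]
            if later:
                findings.append({"kind": "quota_then_provision", "actor": e["actor"],
                                 "events": [e["id"]] + [f["id"] for f in later],
                                 "change_ticket": d.get("change_ticket")})
        elif e["action"] == "region.enable" and d["region"] not in approved_regions:
            # Region enabled that is not in the documented allowed-region baseline.
            findings.append({"kind": "region_outside_baseline", "actor": e["actor"],
                             "events": [e["id"]], "change_ticket": d.get("change_ticket")})
        elif e["action"] == "policy.update" and (d["old_effect"], d["new_effect"]) in WEAKENING:
            # Policy effect moved from a stricter to a weaker setting.
            findings.append({"kind": "policy_weakened", "actor": e["actor"],
                             "events": [e["id"]], "change_ticket": d.get("change_ticket")})
    return findings


def rank_actors(findings):
    """Aggregate per identity; findings without a change ticket weigh double,
    so unapproved chains surface above planned capacity work."""
    scores = {}
    for f in findings:
        scores[f["actor"]] = scores.get(f["actor"], 0) + (1 if f["change_ticket"] else 2)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS, APPROVED_REGIONS)
    for finding in results:
        print(finding)
    print(rank_actors(results))
```

Run against the constructed events, the ticketed quota change by ops-admin still produces a finding (the quota-then-provision chain is real), but the unticketed chain by svc-build, together with the out-of-baseline region and the weakened policy, ranks far above it. In a real deployment the normalization step would map each provider's own audit schema onto the assumed fields, and the window, the approved-region set and the weakening vocabulary would come from the organization's documented baselines rather than from constants in the script.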

Mitigation priorities

  • Ensure IaaS administrative actions for quotas, tenant policies, subscription associations, and deployment regions are governed by least privilege and formal change control.
  • Require review or approval workflows for high-impact configuration changes such as quota expansion, region enablement, and policy weakening.
  • Centralize and retain cloud identity, configuration, and provisioning logs so SOC and IR teams can reconstruct behavior chains.
  • Maintain documented allowed regions, expected subscription associations, and approved quota limits to support audit and detection baselines.
  • Regularly test whether monitoring can connect configuration changes to follow-on resource creation and distinguish authorized administration from anomalous activity.

Analyst notes and limits

This object is a MITRE detection analytic for IaaS cloud compute configuration monitoring. The official description emphasizes correlation across identity, configuration, and provisioning logs. No official detection logic, ATT&CK tactics, aliases, labels, or relationship context were supplied, so this take focuses on defensive validation and governance rather than specific adversary procedures.

The source object does not provide a concrete detection query, tactic mapping, related techniques, adversary relationships, or vendor-specific telemetry fields. Local cloud provider architecture, logging configuration, IAM model, and change-management data are required to determine actual coverage and alert thresholds.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

  • ATT&CK release: 19.1
  • Object version: 1.0
  • Created: (empty in snapshot)
  • Modified: (empty in snapshot)
  • Raw hash: e9b5e37c4977477f...

Imported snapshots across ATT&CK releases (1)

  • Release 19.1, object version 1.0, status: current bundle, raw hash e9b5e37c4977…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1356 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.