MITRE ATT&CK® Analytic

AN1488: Analytic 1488

Detects anomalous SaaS application integration activity across environments such as Slack, Salesforce, or other enterprise SaaS services. Focus is on unauthorized app additions, unusual permission grants, and persistence through service principal tokens.

Domain: Enterprise | ID: AN1488 | Type: Analytic | Object version: 1.0 | Modified: (not provided)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because SaaS integrations can become a durable access path into business data and workflows. Unauthorized app additions, unusual permission grants, or persistence through service principal tokens may allow access to enterprise SaaS environments even when a user password is changed. For leaders, the practical question is whether the organization can see and govern third-party and internal SaaS app integrations across services such as Slack, Salesforce, and other enterprise SaaS platforms.

Executive priority

Prioritize this as a cloud/SaaS governance and incident readiness issue. SaaS applications often hold sensitive customer, employee, financial, and operational data, so unmanaged integrations create audit, privacy, and business continuity risk. Executives should ask who approves SaaS integrations, how high-risk permissions are reviewed, whether service principal tokens are inventoried, and whether SOC and incident response teams can rapidly identify and revoke suspicious app access.

Technical view

The supplied ATT&CK object defines a SaaS detection analytic focused on anomalous application integration activity, specifically unauthorized app additions, unusual permission grants, and persistence through service principal tokens. Because no official detection logic is provided, SOC and detection engineering teams should validate whether SaaS audit logs capture app installation, consent, permission scope changes, token creation or use, and service principal activity across supported SaaS services. Baselines should distinguish expected administrative integrations from unusual new apps, rare permission combinations, unexpected actors, and activity outside normal change processes.

Likely telemetry

  • SaaS audit logs for application additions or installations
  • SaaS administrative activity logs for permission grants and consent events
  • Service principal or application token creation, refresh, and usage records
  • Identity provider logs linking users, admins, service principals, and SaaS applications
  • Change management or approval records for authorized SaaS integrations

Detection direction

  • Validate that monitored SaaS platforms produce logs for app additions, permission grants, and service principal token activity; coverage will vary by service and licensing.
  • Build allowlists or baselines for approved integrations, expected administrators, expected permission scopes, and normal change windows.
  • Alert on newly added SaaS apps with broad or unusual permissions, especially when not tied to an approved change record.
  • Review service principal token activity for persistence indicators such as long-lived tokens, rarely used integrations becoming active, or tokens associated with unexpected apps.
  • Tune for false positives from legitimate SaaS onboarding, business automation, marketplace app deployment, and administrator maintenance.
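The detection direction above (baseline approved integrations, alert on unapproved apps with broad scopes, flag persistence indicators in service principal token activity) can be expressed as a small rule set over normalized SaaS audit events. The following is an added illustration, not detection content from MITRE ATT&CK or from Glexia; the event schema, the baseline values, the scope names and the thresholds (90-day maximum token lifetime, 60-day dormancy window) are all assumptions constructed for the example, and real SaaS audit logs will need a normalization step into this shape.

```python
from datetime import datetime, timedelta

# Constructed baseline (hypothetical values, not any organization's data).
# In practice this comes from the integration inventory and change records
# the page lists under "Likely telemetry".
BASELINE = {
    # app_id -> scopes approved through change management
    "approved_apps": {
        "app-crm-sync": {"read:contacts", "write:contacts"},
        "app-legacy-report": {"read:reports"},
    },
    "approved_admins": {"admin@example.com"},
    "change_records": {"CHG-1001"},          # approved change ticket ids
    "broad_scopes": {"read:all", "admin:write", "files:read_all"},
    "max_token_lifetime": timedelta(days=90),
    "dormancy_threshold": timedelta(days=60),
    # app_id -> last observed activity, used for the "rarely used integration
    # becoming active" indicator
    "last_seen": {"app-legacy-report": datetime(2025, 11, 1)},
}

# Constructed sample events in a hypothetical normalized schema (not a vendor format).
EVENTS = [
    {"ts": "2026-03-01T09:00:00", "action": "app_installed", "app_id": "app-crm-sync",
     "actor": "admin@example.com", "scopes": ["read:contacts"], "change_id": "CHG-1001"},
    {"ts": "2026-03-02T22:15:00", "action": "app_installed", "app_id": "app-unknown-exporter",
     "actor": "user@example.com", "scopes": ["read:all", "admin:write"], "change_id": None},
    {"ts": "2026-03-02T22:16:00", "action": "token_created", "app_id": "app-unknown-exporter",
     "actor": "user@example.com", "expires_at": "2027-03-02T22:16:00"},
    {"ts": "2026-03-03T10:00:00", "action": "permission_granted", "app_id": "app-crm-sync",
     "actor": "admin@example.com", "scopes": ["admin:write"], "change_id": None},
    {"ts": "2026-03-04T03:00:00", "action": "token_used", "app_id": "app-legacy-report",
     "actor": "svc-legacy-report"},
    {"ts": "2026-03-04T10:00:00", "action": "token_created", "app_id": "app-crm-sync",
     "actor": "admin@example.com", "expires_at": "2026-04-03T10:00:00"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def evaluate(events, baseline=BASELINE):
    """Return a list of findings, each {"ts", "app_id", "rule"}, for the events given."""
    findings = []
    last_seen = dict(baseline["last_seen"])  # copy so repeated runs stay deterministic

    def flag(event, ts, rule):
        findings.append({"ts": ts, "app_id": event["app_id"], "rule": rule})

    for e in events:
        ts = _ts(e["ts"])
        app = e["app_id"]
        approved_scopes = baseline["approved_apps"].get(app)   # None = app not in inventory
        approved_change = e.get("change_id") in baseline["change_records"]
        scopes = set(e.get("scopes", []))

        if e["action"] in ("app_installed", "permission_granted"):
            # Integrations added or extended by someone outside the expected admin set
            if e["actor"] not in baseline["approved_admins"]:
                flag(e, ts, "unexpected_actor")
            # New app with broad scopes and no approved change record
            if (e["action"] == "app_installed" and approved_scopes is None
                    and scopes & baseline["broad_scopes"] and not approved_change):
                flag(e, ts, "new_app_broad_scope")
            # Known app granted scopes beyond its approved set without a change record
            if (e["action"] == "permission_granted" and approved_scopes is not None
                    and not scopes <= approved_scopes and not approved_change):
                flag(e, ts, "unapproved_scope_grant")

        elif e["action"] == "token_created":
            # Long-lived service principal tokens are a persistence indicator
            if _ts(e["expires_at"]) - ts > baseline["max_token_lifetime"]:
                flag(e, ts, "long_lived_token")

        elif e["action"] == "token_used":
            # A dormant integration suddenly becoming active
            seen = last_seen.get(app)
            if seen is not None and ts - seen > baseline["dormancy_threshold"]:
                flag(e, ts, "dormant_app_active")

        last_seen[app] = ts
    return findings


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f["ts"].isoformat(), f["app_id"], f["rule"])
```

The allowlist and change-record join is what keeps the last bullet's false positives (legitimate onboarding, marketplace deployment, admin maintenance) out of the alert queue: an install by an approved admin under an approved ticket produces nothing, while the same install by an unexpected actor with no ticket produces two findings.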

Mitigation priorities

  • Establish an approval and ownership process for SaaS integrations before deployment.
  • Maintain an inventory of connected SaaS applications, granted permissions, owners, and service principal tokens.
  • Apply least-privilege permission grants and periodically review high-risk scopes.
  • Restrict who can add integrations or grant permissions in enterprise SaaS services.
  • Define incident response procedures to revoke suspicious app access, rotate or invalidate tokens, and preserve SaaS audit evidence.

Analyst notes and limits

This take is based only on ATT&CK analytic AN1488. The object identifies SaaS as the platform and names example environments such as Slack and Salesforce, but it does not provide specific detection logic, tactics, relationships, or procedure examples. Local SaaS architecture, logging availability, identity provider integration, and change management records are required to operationalize it.

Official detection content was not provided, and no relationship context was supplied. The assessment therefore cannot assert specific ATT&CK tactics, adversary use, active exploitation, impact, or guaranteed detection coverage. Validation must be performed against each organization’s actual SaaS services and audit logging capabilities.

Official MITRE ATT&CK definition

Analytic 1488

Detects anomalous SaaS application integration activity across environments such as Slack, Salesforce, or other enterprise SaaS services. Focus is on unauthorized app additions, unusual permission grants, and persistence through service principal tokens.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not provided)
Modified: (not provided)
Raw hash: 06f1cc83733798db...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   06f1cc837337…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN1488

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.