AN1504: Analytic 1504
Detects cloud account use for API calls that exceed normal scope, such as IAM changes or access to services never used before.
Analyst context for executives and security teams
This analytic matters because unusual cloud API use can be an early signal that an identity or account is operating outside its expected business role. For executives and security leaders, the practical question is whether the organization can recognize when a cloud account starts making high-risk IAM changes or touching services it has never used before, especially in IaaS environments where identity permissions often define the blast radius.
Executive priority
Prioritize this as a cloud identity and resilience control validation. The business value is not just alerting on API calls, but proving that security teams understand normal cloud account behavior, can detect privilege- or scope-expanding activity, and can produce evidence for incident response and compliance reviews. Leaders should ask whether cloud audit logs are complete, whether account baselines exist for human and service identities, and whether IAM changes receive faster triage than routine operational activity.
Technical view
For SOC, detection engineering, and IR teams, validate whether IaaS cloud API telemetry can show when an account performs API calls outside its normal scope. Useful test cases include unusual IAM changes and access to cloud services the account has not previously used. Because ATT&CK provides no implementation logic or relationships for this analytic, teams should define local baselines by account type, role, workload, and administrative function, then tune for expected operational changes such as deployments, onboarding, automation, or break-glass activity.
Likely telemetry
- IaaS cloud control-plane/API audit logs
- IAM change events, including policy, role, user, group, credential, and permission changes where available
- Account or principal identity context, such as user, role, service account, workload identity, or access key metadata
- Historical API usage by account or principal to establish normal scope
- Cloud service access history showing first-time or rare service usage
Detection direction
- Confirm that cloud API audit logging is enabled and retained for the relevant IaaS accounts and regions or equivalent scopes.
- Baseline normal API usage per account or principal rather than relying only on global rarity; service accounts and automation often have distinct patterns.
- Give higher priority to out-of-scope IAM changes because they can alter access, persistence, or blast radius.
- Tune for planned changes, infrastructure-as-code deployments, onboarding, incident break-glass use, and cloud migration activity to reduce false positives.
- Review whether first-time service access is meaningful in the local environment; new legitimate projects can look similar to suspicious scope expansion.
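The detection direction above, as an added example that is not part of the ATT&CK object or the Glexia page: a small per-principal scope baseline run over constructed CloudTrail-style events. It builds the baseline per role rather than per session (assumed-role session ARNs are normalized to the role), ranks out-of-scope IAM writes above first-time service use, and suppresses first-time use of a service covered by a change record. Field names (eventSource, eventName, userIdentity.arn) follow the AWS CloudTrail record format; the events, the principals, the approved-change list and the severity mapping are constructed assumptions to be replaced with local data.

```python
"""Per-principal cloud API scope baseline over constructed CloudTrail-style
events. Example code only; events, ARNs, the approved-change list and the
severity mapping are assumptions, not data from the page or from ATT&CK."""
from collections import defaultdict

IAM_SERVICE = "iam.amazonaws.com"
# Assumption: IAM API names with these prefixes alter access. Read-only calls
# (Get*/List*) are deliberately excluded so IAM reads do not outrank changes.
IAM_WRITE_PREFIXES = ("Create", "Put", "Attach", "Detach",
                      "Update", "Delete", "Add", "Remove")


def principal(event):
    """Normalize the acting identity so all sessions of one role share a baseline.

    CloudTrail records assumed-role sessions as
    arn:aws:sts::<acct>:assumed-role/<role>/<session>; the session suffix is
    dropped and 'role/<role>' becomes the key. Other ARNs are used unchanged.
    """
    arn = event["userIdentity"]["arn"]
    if ":assumed-role/" in arn:
        role = arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
        return f"role/{role}"
    return arn


def build_baseline(events):
    """Map each principal to the set of (service, action) pairs it has used."""
    baseline = defaultdict(set)
    for e in events:
        baseline[principal(e)].add((e["eventSource"], e["eventName"]))
    return baseline


def score_event(event, baseline, approved_changes=frozenset()):
    """Return (severity, findings) for one event measured against the baseline.

    approved_changes holds (principal, service) pairs covered by a change or
    deployment record; first-time use of such a service is treated as planned.
    """
    who = principal(event)
    svc, action = event["eventSource"], event["eventName"]
    known = baseline.get(who)
    findings = []
    if known is None:
        findings.append("unbaselined_principal")
    elif svc not in {s for s, _ in known}:
        if (who, svc) in approved_changes:
            findings.append("planned_first_time_service")
        else:
            findings.append("first_time_service")
    elif (svc, action) not in known:
        findings.append("new_action_in_known_service")
    iam_write = svc == IAM_SERVICE and action.startswith(IAM_WRITE_PREFIXES)
    if iam_write and (known is None or (svc, action) not in known):
        findings.append("out_of_scope_iam_change")

    if "out_of_scope_iam_change" in findings:
        severity = "high"
    elif "first_time_service" in findings or "unbaselined_principal" in findings:
        severity = "medium"
    elif "new_action_in_known_service" in findings:
        severity = "low"
    else:
        severity = "none"  # in scope, or planned: no triage needed
    return severity, findings


def evaluate(baseline_events, detection_events, approved_changes=frozenset()):
    """Score every detection-window event and return only those needing triage."""
    baseline = build_baseline(baseline_events)
    results = []
    for e in detection_events:
        severity, findings = score_event(e, baseline, approved_changes)
        if severity != "none":
            results.append((principal(e), e["eventName"], severity, findings))
    return results


def _ev(arn, source, name):
    return {"userIdentity": {"arn": arn}, "eventSource": source, "eventName": name}


# Constructed identities and sample events (not real account data).
DEPLOY = "arn:aws:sts::123456789012:assumed-role/deploy-role/build-1234"
DEPLOY2 = "arn:aws:sts::123456789012:assumed-role/deploy-role/build-5678"
ALICE = "arn:aws:iam::123456789012:user/alice"

BASELINE_EVENTS = [  # what deploy-role normally does
    _ev(DEPLOY, "ec2.amazonaws.com", "DescribeInstances"),
    _ev(DEPLOY, "ec2.amazonaws.com", "RunInstances"),
    _ev(DEPLOY, "s3.amazonaws.com", "PutObject"),
    _ev(DEPLOY, "sts.amazonaws.com", "GetCallerIdentity"),
]
DETECTION_EVENTS = [  # a later session of the same role, plus an unseen user
    _ev(DEPLOY2, "ec2.amazonaws.com", "DescribeInstances"),      # in scope
    _ev(DEPLOY2, "ec2.amazonaws.com", "CreateSecurityGroup"),    # new action
    _ev(DEPLOY2, "ecr.amazonaws.com", "GetAuthorizationToken"),  # planned
    _ev(DEPLOY2, IAM_SERVICE, "AttachRolePolicy"),               # IAM change
    _ev(ALICE, IAM_SERVICE, "ListUsers"),                        # no baseline
]
# Constructed change record: ECR onboarding for deploy-role was planned.
APPROVED_CHANGES = frozenset({("role/deploy-role", "ecr.amazonaws.com")})

if __name__ == "__main__":
    for row in evaluate(BASELINE_EVENTS, DETECTION_EVENTS, APPROVED_CHANGES):
        print(row)
```

Run as-is it reports three rows: the ec2 CreateSecurityGroup call as low (known service, new action), the AttachRolePolicy call as high (first-time IAM use that is also an unseen IAM write), and alice's ListUsers as medium (no baseline at all). The approved ECR call and the routine DescribeInstances produce nothing. In production the baseline window should be long enough to cover monthly or quarterly jobs, and the change-record lookup should come from the deployment or ticketing system rather than a static set.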
Mitigation priorities
- Ensure comprehensive IaaS API audit logging and retention before relying on this analytic.
- Maintain an inventory of cloud accounts, roles, service identities, and expected administrative functions.
- Apply least privilege and review IAM permissions so unusual API use has limited operational impact.
- Use change management or deployment records to distinguish authorized scope changes from unexplained activity.
- Define IR triage steps for unexpected IAM changes, including account review, credential review, and rollback decision points where appropriate.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for IaaS environments. It describes detecting cloud account API calls that exceed normal scope, including IAM changes or access to services not previously used. No tactics, relationships, or detailed detection logic were provided, so this analysis focuses on control validation, telemetry readiness, and cloud identity monitoring rather than a specific adversary pattern.
Because official detection content, tactic assignments, and relationship context are absent, alert thresholds, severity, and false-positive handling must be derived from local cloud architecture, logging configuration, account roles, and historical usage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 21f8d0f7f415… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1504 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.