MITRE ATT&CK® Analytic

AN1506: Analytic 1506

Detects login and usage patterns deviating from typical Microsoft 365 or Google Workspace user profiles.

Enterprise | AN1506 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because Microsoft 365 and Google Workspace are business-critical identity and collaboration environments. Detecting login and usage patterns that deviate from a user’s normal profile can help surface suspicious account activity before it becomes a broader data exposure, fraud, or operational disruption issue. The value is not in a single alert, but in whether the organization has enough baseline behavior, identity logs, and response process maturity to distinguish unusual but legitimate work from activity that requires investigation.

Executive priority

Prioritize this as an identity and cloud/SaaS monitoring question: do security teams have reliable visibility into Microsoft 365 or Google Workspace user activity, and can they prove it during an incident or audit? Leaders should ask whether behavioral detections are tuned for high-value users, privileged accounts, and sensitive collaboration repositories, and whether SOC and incident response teams have a defined playbook for validating abnormal sign-in or usage behavior without disrupting legitimate business operations.

Technical view

The supplied ATT&CK object defines a detection analytic for deviations from typical Microsoft 365 or Google Workspace user profiles, with platform scope limited to Office Suite. Because no official detection logic or relationship context is provided, SOC teams should validate the underlying data model first: user identity, authentication events, session context, application usage, and historical baselines. Detection engineering should focus on comparing current login and SaaS usage behavior against established user norms, while accounting for expected travel, role changes, new devices, administrative activity, and business process changes that can create false positives.

Likely telemetry

  • Microsoft 365 or Google Workspace sign-in and authentication logs
  • User account and identity attributes
  • SaaS application usage and activity logs
  • Session metadata such as time, location, device, and client/application context where available
  • Administrative and privileged account activity records

Detection direction

  • Confirm that Microsoft 365 or Google Workspace logs are collected with sufficient retention, identity resolution, and timestamp consistency to support user-level baselining.
  • Validate that detections compare activity to normal behavior for the same user or peer group rather than relying only on static thresholds.
  • Tune for expected business exceptions such as travel, shift work, role changes, new device enrollment, and approved automation.
  • Prioritize review paths for privileged users and accounts with access to sensitive collaboration data.
  • Ensure alerts include enough context for triage: user, application, sign-in pattern, usage pattern, historical comparison, and recent account changes.
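As an added example (not code from this page, from Glexia, or from the ATT&CK object), the following Python implements the approach the Technical view and Detection direction sections describe: build a baseline from each user's own sign-in history, score new events only against that user's norms, suppress the expected exceptions (approved travel, sanctioned automation, recent device enrolment), and emit a triage record carrying the context listed above. The event records are constructed to resemble Microsoft 365 / Google Workspace sign-in audit entries; the field names, exception registers, weights and threshold are assumptions for illustration, not a vendor schema or a tuned rule.

```python
"""Per-user behavioural baselining for cloud sign-in events.
Added example; not code from the ATT&CK object or from Glexia. Field names and
sample events are constructed assumptions, not a Microsoft/Google log schema."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class SignIn:
    user: str
    ts: datetime      # UTC
    country: str
    client: str       # client application / user-agent family
    device_id: str    # registered device id, "" when unmanaged
    app: str          # target SaaS workload


@dataclass
class Baseline:
    countries: Counter = field(default_factory=Counter)
    clients: Counter = field(default_factory=Counter)
    devices: set = field(default_factory=set)
    hours: Counter = field(default_factory=Counter)   # UTC-hour histogram
    n: int = 0


def build_baselines(history, min_events=20):
    """Aggregate each user's own history. Users with too little history get no
    baseline: scoring them against a global norm is just a static threshold."""
    acc = defaultdict(Baseline)
    for e in history:
        b = acc[e.user]
        b.countries[e.country] += 1
        b.clients[e.client] += 1
        b.devices.add(e.device_id)
        b.hours[e.ts.hour] += 1
        b.n += 1
    return {u: b for u, b in acc.items() if b.n >= min_events}


def score(e, b, exc):
    """Score one event against that user's baseline; approved exceptions
    (travel, automation, device enrolment) are noted but not scored."""
    s, why = 0, []
    if e.country not in b.countries:
        if e.country in exc["travel"].get(e.user, ()):
            why.append(f"new country {e.country}: approved travel, not scored")
        else:
            s += 3; why.append(f"country {e.country} never seen for this user")
    if e.client not in b.clients:
        if e.client in exc["automation"]:
            why.append(f"client {e.client}: approved automation, not scored")
        else:
            s += 2; why.append(f"client {e.client!r} never seen for this user")
    if e.device_id not in b.devices:
        if e.device_id in exc["enrolled"].get(e.user, ()):
            why.append("new device: recent enrolment, not scored")
        else:
            s += 1; why.append(f"device {e.device_id or '<unmanaged>'} not in user history")
    if b.hours[e.ts.hour] / b.n < 0.02:     # under 2% of this user's own activity
        s += 1; why.append(f"hour {e.ts.hour:02d}Z outside user's usual activity")
    return s, why


def evaluate(e, baselines, exc, threshold=4):
    """Return a triage record with the context an analyst needs to validate it."""
    b = baselines.get(e.user)
    if b is None:
        return {"user": e.user, "verdict": "no_baseline", "score": 0,
                "reasons": ["insufficient history: enrich, do not alert"]}
    s, why = score(e, b, exc)
    return {"user": e.user, "app": e.app, "ts": e.ts.isoformat(),
            "verdict": "alert" if s >= threshold else "ok", "score": s, "reasons": why,
            "baseline": {"events": b.n, "devices": len(b.devices),
                         "top_countries": [c for c, _ in b.countries.most_common(3)],
                         "top_clients": [c for c, _ in b.clients.most_common(3)]}}


# Constructed sample data (assumed for illustration, not real tenant logs).
def _ts(day, hour):
    return datetime(2025, 3, day, hour, tzinfo=timezone.utc)

HISTORY = [SignIn("alice", _ts(1 + i % 20, 8 + i % 10), "US", "Outlook", "dev-a1", "Exchange")
           for i in range(30)]                                   # 30 working-hours sign-ins
HISTORY += [SignIn("bob", _ts(2, 9), "US", "Chrome", "dev-b1", "Drive") for _ in range(5)]
EXCEPTIONS = {"travel": {"alice": {"DE"}},        # approved business trip
              "automation": {"graph-sync-bot"},   # sanctioned service client
              "enrolled": {"alice": {"dev-a2"}}}  # device enrolled this week
NEW_EVENTS = [
    SignIn("alice", _ts(21, 10), "DE", "Outlook", "dev-a1", "Exchange"),   # travel: ok
    SignIn("alice", _ts(21, 3), "NG", "python-requests", "", "Exchange"),  # alert
    SignIn("bob", _ts(21, 9), "US", "Chrome", "dev-b1", "Drive"),          # no baseline
]
BASELINES = build_baselines(HISTORY, min_events=20)


def run():
    return [evaluate(e, BASELINES, EXCEPTIONS) for e in NEW_EVENTS]


if __name__ == "__main__":
    for r in run():
        print(r["user"], r["verdict"], r["score"], r["reasons"])
```

The three sample events show the design points the page makes: the first sign-in is from a country the user has never used but is suppressed by the travel register; the second stacks an unseen country, an unseen client, an unmanaged device and an off-hours time for that user and crosses the threshold; the third belongs to a user with too little history and is routed to enrichment rather than scored against a global norm. In production the baseline would be rebuilt from retained logs on a rolling window and the exception registers fed from HR, travel and MDM systems.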

Mitigation priorities

  • Establish authoritative identity and SaaS logging coverage before relying on behavioral analytics.
  • Define normal user-profile baselines for key user populations, especially privileged and high-risk roles.
  • Integrate abnormal-login and abnormal-usage alerts into SOC triage and incident response procedures.
  • Use identity governance, least privilege, and access review processes to reduce the impact of suspicious account activity.
  • Maintain audit-ready evidence showing log sources, retention, analytic assumptions, tuning decisions, and response ownership.

Analyst notes and limits

This is a detection analytic object, not a technique or procedure. The official description is limited to detecting deviations from typical Microsoft 365 or Google Workspace user profiles, and the object does not provide detailed detection logic, tactics, or relationships. Treat this as guidance for validating SaaS identity behavior monitoring rather than as a complete detection rule.

No official detection field, ATT&CK tactic, related technique, actor, malware, campaign, or procedure relationships were supplied. The take is therefore limited to conservative defensive interpretation of the stated Office Suite analytic scope. Local tenant configuration, available log licensing, retention, identity architecture, and business context are required to determine actual coverage or alert quality.

Official MITRE ATT&CK definition

Analytic 1506

Detects login and usage patterns deviating from typical Microsoft 365 or Google Workspace user profiles.

The same entry is hosted by MITRE on attack.mitre.org.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 96ea28d751c37471...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   96ea28d751c3…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1506

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.