AN1514: Analytic 1514
Abnormal API calls from user accounts invoking file upload endpoints outside normal baselines (M365, Google Drive, Box). Defender perspective: monitor unified audit logs for elevated frequency of Upload, Create, or Copy operations from compromised accounts.
Analyst context for executives and security teams
This analytic matters because unusual file-upload activity in SaaS platforms can be an early sign that a compromised user account is staging, moving, or creating content at a volume or pattern that does not match normal business behavior. For leaders, the decision point is whether the organization can distinguish legitimate collaboration spikes from abnormal account-driven uploads across services such as M365, Google Drive, and Box.
Executive priority
Prioritize this as a SaaS account-monitoring and audit-readiness issue. The business risk is not defined by a specific ATT&CK tactic in the supplied object, but by whether security teams can baseline normal user file activity and investigate deviations quickly. Executives should ask whether unified audit logs are enabled, retained, searchable, and tied to incident response workflows for compromised-account scenarios.
Technical view
Validate monitoring for abnormal API calls from user accounts invoking file upload-related endpoints in SaaS environments. The supplied description specifically calls out elevated frequency of Upload, Create, or Copy operations from compromised accounts, with examples including M365, Google Drive, and Box. SOC and detection teams should focus on user-level baselines, service-specific operation names, time-windowed frequency changes, and account context such as role, department, normal collaboration patterns, and recent authentication anomalies where locally available.
Likely telemetry
- SaaS unified audit logs
- User account activity logs
- API operation logs for Upload, Create, and Copy actions
- File activity metadata such as object name, destination, timestamp, and actor
- Identity context for the acting account
Detection direction
- Confirm that SaaS audit logging captures file upload, create, and copy operations for the relevant platforms in use.
- Build or validate user-level baselines so alerting is based on abnormal frequency or pattern changes rather than static thresholds alone.
- Tune for expected business events such as migrations, bulk project uploads, legal discovery, or administrative workflows to reduce false positives.
- Correlate abnormal file activity with local identity and account-risk evidence where available, especially for suspected compromised accounts.
- Document coverage gaps where SaaS platforms, tenants, or log sources do not provide sufficient API or file-operation visibility.
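As an added illustration (not part of the MITRE object or of Glexia's analysis), the Python below applies the user-level baseline and time-windowed frequency idea from the list above to constructed unified-audit-style records. The operation names, field names, window size and thresholds are assumptions and must be mapped to each platform's real audit schema and tuned locally.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed operation names for upload/create/copy activity; real M365, Google
# Drive and Box audit schemas use their own names and must be mapped here.
WATCHED_OPS = {"FileUploaded", "FileCreated", "FileCopied"}

def hourly_counts(events):
    """Count watched operations per (user, hour) bucket."""
    counts = Counter()
    for e in events:
        if e["Operation"] in WATCHED_OPS:
            hour = datetime.fromisoformat(e["CreationTime"]).replace(minute=0, second=0)
            counts[(e["UserId"], hour)] += 1
    return counts

def detect_abnormal_windows(events, baseline_hours=24, z_threshold=3.0, min_count=10):
    """Flag (user, hour) windows whose count exceeds that user's own baseline.
    Baseline = mean/std of the user's hourly counts over the prior `baseline_hours`
    hours (quiet hours count as zero). `min_count` suppresses tiny absolute volumes."""
    counts = hourly_counts(events)
    alerts = []
    for (user, hour), n in sorted(counts.items()):
        history = [counts.get((user, hour - timedelta(hours=k)), 0) for k in range(1, baseline_hours + 1)]
        mu, sigma = mean(history), pstdev(history)
        # Floor sigma so a perfectly flat baseline does not alert on any small change.
        z = (n - mu) / max(sigma, 1.0)
        if n >= min_count and z >= z_threshold:
            alerts.append({"user": user, "hour": hour.isoformat(), "count": n, "baseline_mean": round(mu, 2), "z": round(z, 2)})
    return alerts

def constructed_events():
    """Constructed sample audit records (not real tenant data)."""
    start = datetime(2026, 1, 5, 0, 0)
    events = []
    for h in range(25):
        t = start + timedelta(hours=h)
        # alice: steady 2 uploads/hour; bob: steady 3 creates/hour
        events += [{"UserId": "alice@example.com", "Operation": "FileUploaded", "CreationTime": (t + timedelta(minutes=5 * i)).isoformat()} for i in range(2)]
        events += [{"UserId": "bob@example.com", "Operation": "FileCreated", "CreationTime": (t + timedelta(minutes=7 * i)).isoformat()} for i in range(3)]
    # In the following hour alice bursts to 40 uploads while bob stays normal.
    burst = start + timedelta(hours=25)
    events += [{"UserId": "alice@example.com", "Operation": "FileUploaded", "CreationTime": (burst + timedelta(minutes=i)).isoformat()} for i in range(40)]
    events += [{"UserId": "bob@example.com", "Operation": "FileCreated", "CreationTime": (burst + timedelta(minutes=7 * i)).isoformat()} for i in range(3)]
    return events

if __name__ == "__main__":
    for alert in detect_abnormal_windows(constructed_events()):
        print(alert)
```

Only alice's burst hour is flagged; bob's steady activity and alice's normal hours stay below both the z-score and the absolute-count floor, which is the behaviour the tuning guidance above aims for.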
Mitigation priorities
- Ensure unified audit logging is enabled and retained for SaaS file activity.
- Define investigation playbooks for abnormal upload/create/copy activity from user accounts.
- Use identity and access management controls to reduce compromised-account risk, such as strong authentication and appropriate account privilege boundaries, where applicable to the environment.
- Review SaaS permissions and sharing models so unusual account activity has limited opportunity to affect sensitive repositories.
- Regularly test detection logic against known benign bulk activity and controlled administrative workflows to validate signal quality.
Analyst notes and limits
The object is a detection analytic for SaaS platforms with no supplied tactic, technique relationship, or separate official detection text. The strongest supported interpretation is monitoring abnormal user-account API activity around file upload-related operations in SaaS audit logs. Local baselines and business context are essential because high-volume file activity can be legitimate.
No relationship context, tactic mapping, procedure examples, or formal detection logic were supplied. The analytic names M365, Google Drive, and Box as examples, but coverage depends on the organization’s actual SaaS platforms, audit-log configuration, retention, and ability to baseline user behavior. This take does not assert active exploitation, attribution, or guaranteed detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 35228c979f02… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1514 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.