MITRE ATT&CK® Analytic

AN1928: Analytic 1928

Monitor logon activity for unexpected or unusual access to devices from the Internet. Monitor for unexpected protocols to/from the Internet. While network traffic content and logon session metadata may directly identify a login event, new Internet-based network flows may also be a reliable indicator of this technique. Monitor for unusual logins to Internet connected devices or unexpected protocols to/from the Internet. Network traffic content will provide valuable context and details about the content of network flows.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1928 is an ICS ATT&CK detection analytic focused on finding unusual Internet-originated access to devices and unexpected protocols crossing the Internet boundary. Its business value is exposure validation: leaders need to know whether Internet-connected operational devices are being accessed in ways that are expected, authorized, and visible to defenders. Even without a specified platform or tactic, this analytic is useful for assessing whether SOC and incident response teams can quickly distinguish approved remote access from suspicious new flows or logon activity.

Executive priority

Prioritize this as an operational resilience and audit-evidence question: which devices are reachable from the Internet, which protocols are expected, who is allowed to log in, and can the organization prove it through logs and network records? For ICS environments, gaps here can create uncertainty during incidents because teams may not know whether Internet-facing access is normal business activity, misconfiguration, or a potential intrusion path.

Technical view

Validate monitoring for Internet-based logon activity and new or unusual network flows involving devices in scope. Because ATT&CK provides no platform, tactic, or separate detection text for this analytic, implementation should be based on local asset inventory, approved remote access patterns, expected protocols, and known Internet-connected device exposure. SOC teams should correlate logon session metadata, network traffic metadata, and where available traffic content to determine whether access is expected.

Likely telemetry

  • Logon activity records for Internet-connected devices
  • Logon session metadata, including source, destination, account, time, and protocol where available
  • Network flow records for inbound and outbound Internet traffic
  • Protocol metadata for traffic to and from the Internet
  • Network traffic content or enriched packet/proxy inspection data where lawfully and operationally available

Detection direction

  • Baseline expected Internet-facing devices, approved source ranges, users, and protocols before alerting on anomalies.
  • Alert on unusual logins to Internet-connected devices, especially from unexpected sources or at unusual times.
  • Monitor for unexpected protocols to or from the Internet, including newly observed Internet-based network flows.
  • Correlate network flow data with logon metadata; a new flow may be meaningful even when a direct logon event is not captured.
  • Tune for known remote administration, vendor access, monitoring, and maintenance workflows to reduce false positives.
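The baseline-then-alert logic that the Technical view and the Detection direction list describe, worked through as an added example that is not part of the ATT&CK analytic or of Glexia's page. Everything concrete in it is an assumption made for illustration: the flow and logon record fields (ts, src, dst, dport, proto, account), the inventory of Internet-facing devices and their expected ports, the approved vendor source range with its allowed account and maintenance window, and the sample telemetry, which is constructed rather than captured.

```python
"""Baseline-driven detection of unexpected Internet-facing access to in-scope devices.
Added example, not code from MITRE ATT&CK or the Glexia page. Record layouts, addresses,
device names and the baseline are hypothetical and constructed for illustration."""
from datetime import datetime, timedelta
import ipaddress
# Baseline (hypothetical): Internet-reachable devices and the inbound ports each is expected to serve.
INTERNET_FACING = {
    "10.20.0.5": {"name": "hmi-01", "inbound_ports": {443}},
    "10.20.0.9": {"name": "rtu-gw-03", "inbound_ports": {443}},
}
EXPECTED_OUTBOUND_PORTS = {123, 443}   # e.g. NTP and HTTPS to vendor update hosts
APPROVED_SOURCES = [                   # CIDR, accounts allowed from it, maintenance hours (UTC)
    {"cidr": ipaddress.ip_network("203.0.113.0/24"), "accounts": {"vendor-svc"}, "hours": range(8, 18)},
]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOGON_CORRELATION_WINDOW = timedelta(minutes=5)

def is_internet(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)   # outside private ranges == "the Internet"

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def approved_source(ip):
    return next((e for e in APPROVED_SOURCES if ipaddress.ip_address(ip) in e["cidr"]), None)

def classify_flow(flow):
    """Reasons a flow deviates from the baseline; an empty list means it is expected."""
    reasons = []
    src_inet, dst_inet = is_internet(flow["src"]), is_internet(flow["dst"])
    if not (src_inet or dst_inet):
        return reasons                  # internal-only traffic is out of scope for this analytic
    if src_inet:                        # inbound from the Internet
        device = INTERNET_FACING.get(flow["dst"])
        if device is None:
            reasons.append(f"{flow['dst']} is not an approved Internet-facing device")
        elif flow["dport"] not in device["inbound_ports"]:
            reasons.append(f"unexpected inbound {flow['dport']}/{flow['proto']} on {device['name']}")
        if approved_source(flow["src"]) is None:
            reasons.append(f"source {flow['src']} is outside approved remote-access ranges")
    elif flow["dport"] not in EXPECTED_OUTBOUND_PORTS:   # outbound to the Internet
        reasons.append(f"unexpected outbound {flow['dport']}/{flow['proto']} from {flow['src']} to {flow['dst']}")
    return reasons

def classify_logon(logon):
    """Reasons an Internet-sourced logon deviates from the approved access pattern."""
    if not is_internet(logon["src"]):
        return []
    entry = approved_source(logon["src"])
    if entry is None:
        return [f"logon to {logon['dst']} from unapproved Internet source {logon['src']}"]
    reasons = []
    if logon["account"] not in entry["accounts"]:
        reasons.append(f"account {logon['account']} not approved for {entry['cidr']}")
    if parse_ts(logon["ts"]).hour not in entry["hours"]:
        reasons.append(f"logon outside maintenance window at {logon['ts']}")
    return reasons

def matching_logon(flow, logons):
    t = parse_ts(flow["ts"])            # first logon on the same src/dst pair within the window, if any
    return next((lg for lg in logons if (lg["src"], lg["dst"]) == (flow["src"], flow["dst"])
                 and abs(parse_ts(lg["ts"]) - t) <= LOGON_CORRELATION_WINDOW), None)

def run_detection(flows, logons):
    """Alert on unexpected Internet flows (logon captured or not) and on unexpected logons not already covered."""
    alerts, covered = [], set()
    for flow in flows:
        reasons = classify_flow(flow)
        if not reasons:
            continue
        lg = matching_logon(flow, logons)
        if lg is None:
            reasons.append("no logon record captured; flow-only detection")
        else:                           # enrich the flow alert with the logon's own findings
            reasons += classify_logon(lg)
            covered.add((lg["ts"], lg["src"], lg["dst"]))
        alerts.append({"ts": flow["ts"], "src": flow["src"], "dst": flow["dst"], "reasons": reasons, "logon": lg})
    for lg in logons:                   # unusual logons whose flow looked normal or was not captured
        reasons = classify_logon(lg)
        if reasons and (lg["ts"], lg["src"], lg["dst"]) not in covered:
            alerts.append({"ts": lg["ts"], "src": lg["src"], "dst": lg["dst"], "reasons": reasons, "logon": lg})
    return alerts

# Constructed sample telemetry: approved vendor HTTPS, Modbus/TCP from an unknown Internet host, HMI opening Telnet out.
SAMPLE_FLOWS = [
    {"ts": "2024-05-03T09:15:00Z", "src": "203.0.113.7", "dst": "10.20.0.5", "dport": 443, "proto": "tcp"},
    {"ts": "2024-05-03T02:40:00Z", "src": "198.51.100.23", "dst": "10.20.0.9", "dport": 502, "proto": "tcp"},
    {"ts": "2024-05-03T10:02:00Z", "src": "10.20.0.5", "dst": "192.0.2.44", "dport": 23, "proto": "tcp"},
]
SAMPLE_LOGONS = [
    {"ts": "2024-05-03T09:15:08Z", "src": "203.0.113.7", "dst": "10.20.0.5", "account": "vendor-svc"},
    {"ts": "2024-05-03T02:41:12Z", "src": "198.51.100.23", "dst": "10.20.0.9", "account": "operator"},
    {"ts": "2024-05-03T21:30:00Z", "src": "203.0.113.9", "dst": "10.20.0.5", "account": "vendor-svc"},
]
if __name__ == "__main__":
    for a in run_detection(SAMPLE_FLOWS, SAMPLE_LOGONS):
        print(a["ts"], a["src"], "->", a["dst"], "|", "; ".join(a["reasons"]))
```

Run stand-alone, the sample produces three alerts: the Modbus/TCP flow (unexpected port and source, corroborated by a logon from the same host), the outbound Telnet flow (which alerts even though no logon record exists, the flow-only case the list above calls out), and a vendor logon from the approved range but outside its maintenance window. The in-window vendor HTTPS session produces nothing, which is the tuning the last bullet asks for. A real deployment would replace PRIVATE_NETS with the site's actual address plan, load the baseline from the asset inventory and remote-access policy, and read records from the SIEM instead of the inline lists.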

Mitigation priorities

  • Maintain an accurate inventory of devices with Internet exposure and the protocols they are expected to use.
  • Restrict Internet-accessible services and protocols to documented business requirements.
  • Define and enforce approved remote access paths, accounts, and maintenance windows where applicable.
  • Ensure logging and network monitoring cover Internet-facing access paths before relying on this analytic for SOC response.
  • Use recurring reviews to compare observed Internet flows against expected architecture and operational requirements.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic in the ICS domain. Its official description emphasizes monitoring unusual Internet-based logons, unexpected protocols, network flow changes, logon session metadata, and traffic content for context. No relationships were supplied, so this take does not infer a specific ATT&CK technique, tactic, actor, malware, or campaign.

Platforms, tactics, relationships, and formal detection guidance were not supplied. Local asset inventory, network architecture, identity sources, and remote access policy are required to decide what is truly unusual or unauthorized. This summary does not claim active exploitation or guaranteed detection coverage.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate any related groups, software, data sources, and mitigations (none are supplied for this object in the current data) against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (not shown)
Modified: (not shown)
Raw hash: 1b22cd565eee1455...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified     Status          Raw hash
19.1     (not shown)      1.0             (not shown)  Current bundle  1b22cd565eee…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1928

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.