AN1942: Analytic 1942
Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.
Analyst context for executives and security teams
Analytic 1942 is about spotting possible reconnaissance in web/network traffic before an incident becomes obvious. The business value is early warning: rapid request patterns, unusually large request volumes from one source, or suspicious HTTP/S metadata can indicate someone is mapping public-facing assets or content. For leaders, this is a validation point for whether web traffic monitoring can support early incident triage and exposure management.
Executive priority
Treat this as a resilience and readiness question: do security teams have usable evidence from web traffic to identify abnormal reconnaissance against externally reachable services? Because the ATT&CK object is scoped to PRE and has no supplied tactic or relationship context, it should not drive attribution or impact conclusions by itself. It should drive budget and control conversations around web logging quality, SOC visibility, triage playbooks, and audit evidence that public-facing monitoring is in place.
Technical view
SOC and detection teams should validate monitoring for suspicious network traffic consistent with reconnaissance: rapid successions of web requests, large quantities of requests from a single source, and anomalous HTTP/S metadata such as referer and user-agent fields. Since no official detection logic is provided, teams should define local baselines for normal crawler, scanner, partner, customer, and monitoring traffic before alerting. The PRE platform designation and lack of supplied tactics mean this analytic is best treated as pre-incident reconnaissance visibility rather than proof of compromise.
Likely telemetry
- Web server access logs
- HTTP/S request metadata
- Source IP or source network identifiers
- Request rate and request volume over time
- Referer header values
Detection direction
- Validate that web access logs retain source, timestamp, URI/request target, method, response status, referer, and user-agent fields where available.
- Tune for rapid request sequences and unusually high request counts from a single source, while accounting for legitimate search engines, uptime monitoring, vulnerability scanning, content delivery networks, and business partners.
- Review suspicious referer or user-agent strings as enrichment signals, not standalone proof of malicious activity.
- Correlate source reputation only as context; do not assume attribution unless supported by independent evidence.
- Confirm retention and query performance are sufficient for incident responders to reconstruct reconnaissance timelines.
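The following is an added example, not part of the ATT&CK analytic or the Glexia page, showing one way to turn the rate-based idea in the Technical view and Detection direction sections into a first-pass detector over web access logs: count requests per source in a rolling time window, set aside sources that are on a locally approved baseline (keyed by network rather than user-agent, since user-agent strings are trivially spoofed), and attach referer and user-agent observations only as enrichment. The log lines, IP ranges, thresholds and the "approved scanner" label are all constructed for illustration.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Combined Log Format: host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical local baseline of approved high-volume sources (constructed ranges).
# Keyed by source network, not by user-agent, because user-agent is attacker-controlled.
APPROVED_SOURCES = {
    ipaddress.ip_network("192.0.2.0/24"): "approved vulnerability scanner (constructed)",
    ipaddress.ip_network("198.51.100.7/32"): "uptime monitor (constructed)",
}

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec

def approved_label(host):
    """Return the baseline label for an approved source, or None."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    for net, label in APPROVED_SOURCES.items():
        if addr in net:
            return label
    return None

def detect_recon(lines, window_seconds=10, max_requests=5):
    """One finding per source whose request count inside any rolling window of
    window_seconds exceeds max_requests. Approved sources are kept but marked
    'baseline' so analysts can see suppressed volume; everything else is 'review'."""
    per_source = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_source[rec["host"]].append(rec)

    findings = []
    for host, recs in per_source.items():
        recs.sort(key=lambda r: r["ts"])
        window = deque()
        peak = 0
        for r in recs:
            window.append(r)
            # Drop requests that fell out of the rolling window.
            while (r["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak <= max_requests:
            continue
        label = approved_label(host)
        # Metadata observations are enrichment only, never the trigger.
        enrichment = []
        if any(r["ua"] in ("", "-") for r in recs):
            enrichment.append("empty user-agent")
        if all(r["referer"] in ("", "-") for r in recs):
            enrichment.append("no referers")
        findings.append({
            "source": host,
            "peak_requests_in_window": peak,
            "distinct_paths": len({r["path"] for r in recs}),
            "disposition": "baseline" if label else "review",
            "approved_as": label,
            "enrichment": enrichment,
        })
    return findings

def _line(host, second, path, referer, ua):
    return (f'{host} - - [10/Mar/2025:14:05:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "{referer}" "{ua}"')

# Constructed sample log: one unknown source crawling distinct paths with no UA,
# one approved scanner at similar volume, and one ordinary browser visitor.
SAMPLE_LOG = (
    [_line("203.0.113.45", s, f"/page{s}", "-", "-") for s in range(1, 8)]
    + [_line("192.0.2.10", s, f"/scan{s}", "-", "ApprovedScanner/1.0 (constructed)") for s in range(1, 9)]
    + [_line("198.51.100.200", 3, "/index.html", "-", "Mozilla/5.0 (constructed)"),
       _line("198.51.100.200", 40, "/about.html", "https://www.example.com/index.html",
             "Mozilla/5.0 (constructed)")]
)

if __name__ == "__main__":
    for f in detect_recon(SAMPLE_LOG):
        print(f)
```

On the sample, the unknown source is reported for review with both enrichment notes attached, the approved scanner is reported as baseline volume rather than silently dropped, and the browser visitor is never surfaced. In production the window and threshold come from the local baselining step the page describes, and the approved-source table would be fed from change-controlled data rather than a literal.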
Mitigation priorities
- Prioritize complete and consistent logging for public-facing web services and related network paths.
- Establish baselines for normal request rates, known crawlers, approved scanners, and expected high-volume sources.
- Create SOC triage procedures for suspected reconnaissance, including when to escalate to incident response or exposure review.
- Use findings to inform vulnerability and exposure management for assets receiving unusual reconnaissance traffic.
- Maintain compliance-ready evidence that monitoring and review of externally facing services are operating as intended.
Analyst notes and limits
This object is a detection analytic, not an ATT&CK technique. It provides a monitoring concept for reconnaissance-like web traffic but does not include formal detection logic, tactics, relationships, aliases, or labels. The most useful local work is to translate the concept into environment-specific thresholds and exception handling.
The supplied ATT&CK fields do not provide relationships, official detection logic, affected technologies beyond platform PRE, adversary attribution, or confirmed exploitation context. Local network architecture, logging coverage, traffic baselines, and business-approved scanning sources are required to make this analytic operational.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 73bb3b232c49… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1942
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.