MITRE ATT&CK® Analytic

AN1960: Analytic 1960

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Domain: Enterprise | ID: AN1960 | Type: Analytic | Object version: 1.0 | Status: Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1960 is a detection analytic where MITRE explicitly warns that the underlying activity may be common, noisy, and often outside the target organization’s direct visibility. For leaders, the practical takeaway is that this is not a simple “write a rule and alert” problem. Coverage depends on whether the organization can collect useful pre-compromise or external-facing evidence, and whether SOC teams can connect weak early signals to later lifecycle activity such as Initial Access.

Executive priority

Treat this as a control-validation and visibility question, not just an alerting question. Executives should ask whether the organization has realistic evidence sources for PRE-stage activity, how much depends on third-party or external telemetry, and whether incident response playbooks can pivot from noisy early indicators into higher-confidence Initial Access investigation. This matters for budget prioritization because investing in noisy detections without triage context can increase SOC burden without improving resilience.

Technical view

The supplied ATT&CK object provides no specific detection logic, tactics, or relationships beyond the PRE platform and a note that related lifecycle stages such as Initial Access may be more practical detection points. SOC and detection engineering teams should validate whether any proposed analytic has acceptable precision, whether the activity is observable from internal telemetry at all, and whether it can be correlated with later authentication, endpoint, email, network, or access events that indicate Initial Access. Treat standalone alerts from this analytic as low-confidence unless enriched by local context.

Likely telemetry

  • External or pre-compromise intelligence relevant to the organization’s exposure
  • Security telemetry associated with Initial Access investigation paths
  • Authentication and access logs that can confirm or refute follow-on access
  • Email, web, endpoint, or network events where available to correlate later-stage activity
  • Case management and alert history to measure false-positive volume and analyst workload

Detection direction

  • Do not assume direct visibility: confirm whether the relevant activity occurs inside telemetry the organization actually collects.
  • Measure false-positive rates before promoting detections to high-priority alerting, since MITRE notes high occurrence and false-positive potential.
  • Use correlation with related lifecycle stages, especially Initial Access, to raise confidence rather than relying on the PRE-stage signal alone.
  • Document blind spots where activity occurs outside organizational visibility or depends on external sources.
  • Tune escalation criteria around corroborating evidence, affected assets, exposed services, identity context, and subsequent suspicious access.

Mitigation priorities

  • Prioritize visibility assessment first: identify whether PRE-stage or external-facing evidence is available and reliable.
  • Strengthen monitoring and response around Initial Access paths, since MITRE identifies related stages as more practical detection focus areas.
  • Define triage thresholds so noisy signals do not overwhelm the SOC without corroboration.
  • Use threat intelligence and exposure-management processes to contextualize weak external signals, where available.
  • Maintain incident response playbooks that pivot from early indicators to identity, endpoint, network, and access validation.

Analyst notes and limits

This object is a detection analytic, not a technique, and the supplied fields are intentionally sparse. MITRE’s key value here is the warning about detectability: high frequency, false positives, and possible activity outside defender visibility. Any operational use should be validated against local telemetry, SOC capacity, and correlation opportunities.

No official detection logic, tactic mapping, relationships, aliases, or detailed data sources were supplied. The object only supports conservative guidance about noisy PRE-stage detection and the need to focus on related lifecycle stages such as Initial Access. Local environment evidence is required before assessing coverage or alert value.

Official MITRE ATT&CK definition

Analytic 1960

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 8f1a2be89c52aff3...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 8f1a2be89c52…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN1960 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.