AN1987: Analytic 1987
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
Analyst context for executives and security teams
AN1987 is a detection analytic note for activity in the PRE platform where direct detection may be impractical because the behavior can be very common, noisy, false-positive prone, or outside the organization’s visibility. The practical value is to avoid over-investing in weak standalone alerts and instead use this behavior to guide where teams need stronger visibility in adjacent phases, especially around Initial Access.
Executive priority
Treat this as a coverage and prioritization issue rather than a single alerting problem. Leaders should ask whether the organization can produce evidence of monitoring around the related lifecycle stages it can actually observe, and whether SOC time is being spent on high-noise signals with limited decision value. This matters for incident readiness, audit defensibility, and budget decisions because some pre-compromise activity may not be observable from inside the enterprise.
Technical view
SOC and detection teams should validate whether any detections mapped to this analytic depend on high-volume, low-context events. Because no official detection logic is provided and no tactics are specified, teams should not assume coverage from this analytic alone. Use it as a prompt to review detections in related lifecycle stages, particularly Initial Access where visibility may be more actionable. Any alerting should be tuned against local baselines and supported by corroborating evidence before escalation.
Likely telemetry
- Events from observable Initial Access-related controls and monitoring points
- Security alert metadata showing event volume, suppression, and false-positive rates
- Logs from identity, access, email, endpoint, network, or cloud controls where they are relevant to locally defined Initial Access monitoring
- Case management or SIEM records showing whether related alerts produce actionable investigations
Detection direction
- Validate whether the organization has visibility into the activity at all; the ATT&CK description notes some activity may occur outside defender visibility.
- Avoid treating high-occurrence signals as standalone high-confidence detections without corroboration.
- Measure false-positive rate and analyst workload for any related alerting.
- Prioritize detection content in adjacent observable stages, especially Initial Access, rather than relying on PRE-stage visibility alone.
- Document visibility gaps explicitly so compliance, risk, and incident response stakeholders understand what cannot be directly monitored.
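The telemetry and detection-direction items above reduce to two concrete checks a SOC can run over its own case records: which rules fire often but rarely close as true positives, and which noisy PRE-stage signals deserve escalation because the same entity also tripped an observable Initial Access detection shortly after. The script below is an added example written for this page; it is not MITRE or Glexia code, it does not implement any official ATT&CK detection logic, and the rule names, entities, timestamps, dispositions and thresholds are all constructed placeholders.

```python
"""Alert-quality review and corroboration gating for noisy PRE-stage signals.

Added example for this page (not MITRE/Glexia code). Rule names, entities,
timestamps and dispositions below are constructed; thresholds are assumptions
to be replaced with local baselines.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    rule: str          # hypothetical detection rule identifier
    stage: str         # "pre" (outside/near the perimeter) or "initial_access"
    entity: str        # user or host the alert concerns
    ts: datetime       # alert time
    disposition: str   # SOC verdict: "true_positive", "false_positive", "benign"


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed export from a case-management system (not real data).
ALERTS = [
    Alert("pre-noisy-signal", "pre", "alice", _t("2026-01-10T08:00"), "benign"),
    Alert("pre-noisy-signal", "pre", "bob",   _t("2026-01-10T09:00"), "false_positive"),
    Alert("pre-noisy-signal", "pre", "carol", _t("2026-01-10T10:00"), "benign"),
    Alert("pre-noisy-signal", "pre", "dave",  _t("2026-01-11T10:00"), "false_positive"),
    Alert("pre-noisy-signal", "pre", "erin",  _t("2026-01-12T10:00"), "true_positive"),
    Alert("ia-observable-signal", "initial_access", "erin",  _t("2026-01-12T15:30"), "true_positive"),
    Alert("ia-observable-signal", "initial_access", "frank", _t("2026-01-13T09:00"), "true_positive"),
    Alert("ia-observable-signal", "initial_access", "gina",  _t("2026-01-14T09:00"), "false_positive"),
]


def rule_quality(alerts):
    """Per-rule volume, true-positive count and precision (tp / closed alerts)."""
    counts = defaultdict(lambda: {"volume": 0, "tp": 0})
    for a in alerts:
        c = counts[a.rule]
        c["volume"] += 1
        if a.disposition == "true_positive":
            c["tp"] += 1
    return {
        rule: {"volume": c["volume"], "tp": c["tp"], "precision": c["tp"] / c["volume"]}
        for rule, c in counts.items()
    }


def noisy_rules(alerts, min_volume=5, max_fp_rate=0.5):
    """Rules that fire at least `min_volume` times with a non-true-positive
    share above `max_fp_rate`: candidates for demotion from standalone alert
    to corroborating context (thresholds are assumptions)."""
    quality = rule_quality(alerts)
    return sorted(
        rule for rule, m in quality.items()
        if m["volume"] >= min_volume and (1.0 - m["precision"]) > max_fp_rate
    )


def corroborated_pre_alerts(alerts, window=timedelta(hours=72)):
    """PRE-stage alerts worth escalating: the same entity produced an
    Initial Access alert within `window` after the PRE signal fired."""
    ia_times = defaultdict(list)
    for a in alerts:
        if a.stage == "initial_access":
            ia_times[a.entity].append(a.ts)
    escalate = []
    for a in alerts:
        if a.stage != "pre":
            continue
        if any(a.ts <= t <= a.ts + window for t in ia_times[a.entity]):
            escalate.append(a)
    return escalate


if __name__ == "__main__":
    for rule, m in rule_quality(ALERTS).items():
        print(f"{rule}: volume={m['volume']} tp={m['tp']} precision={m['precision']:.2f}")
    print("noisy standalone rules:", noisy_rules(ALERTS))
    print("PRE alerts with Initial Access corroboration:",
          [(a.entity, a.ts.isoformat()) for a in corroborated_pre_alerts(ALERTS)])
```

On the constructed data the PRE rule closes as a true positive once in five firings and is flagged as noisy, while only the PRE alert for the entity that also produced an Initial Access alert inside the window survives the corroboration gate. Run the same two functions against a real case export to produce the false-positive and workload figures the detection direction calls for, and tune `min_volume`, `max_fp_rate` and `window` to local baselines rather than the placeholder values here.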
Mitigation priorities
- Prioritize controls and monitoring for lifecycle stages the organization can observe and influence, especially Initial Access-related control points.
- Use local baselining and alert-quality review to reduce noise before expanding alert coverage.
- Ensure incident response playbooks include decision criteria for noisy or low-confidence signals.
- Maintain evidence of detection limitations and compensating controls for risk and audit discussions.
- Review whether managed detection, threat intelligence, identity, cloud, or endpoint monitoring services can provide better context where internal visibility is limited.
Analyst notes and limits
The supplied ATT&CK object is an analytic-level entry, not a technique or procedure. It has no relationship context, no explicit tactic, and no official detection logic. The key analytic insight is that the described activity may be noisy, common, and sometimes outside the target organization’s visibility, so defensive value comes from coverage validation and adjacent-stage monitoring rather than a single precise detector.
This take is limited to the supplied STIX fields and the MITRE external reference. No active exploitation, attribution, specific adversary behavior, concrete detection query, or guaranteed telemetry source is supported by the supplied object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4329339c3dfa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1987 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.