Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN2022: Analytic 2022

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

EnterpriseAN2022AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is a warning that some pre-compromise activity is hard to detect directly because it may be common, noisy, or occur outside the organization’s visibility. For leaders, the practical value is not a single alert rule; it is a decision to validate whether the organization has enough upstream intelligence and downstream detection around related lifecycle stages, especially Initial Access, to compensate for weak direct visibility.

Executive priority

Treat this as a coverage and risk-management issue rather than a simple detection gap. Security leaders should ask whether SOC, incident response, and threat intelligence processes can recognize related activity when direct observation is unreliable, and whether audit or board reporting distinguishes between monitored internal telemetry and activity that may happen outside enterprise visibility. Investment priority should favor resilient Initial Access detection, evidence collection, and response readiness over attempting to alert on every high-volume precursor signal.

Technical view

The supplied ATT&CK analytic applies to the PRE platform and explicitly notes high false-positive potential and possible activity outside target-organization visibility. SOC and detection engineering teams should validate what evidence is actually observable, then map compensating detections to adjacent lifecycle stages such as Initial Access. Detection content should be tuned to avoid excessive noise, documented with known visibility limits, and correlated with more actionable internal telemetry rather than treated as a standalone high-confidence signal.

Likely telemetry

  • External threat intelligence or exposure monitoring relevant to pre-compromise activity
  • Initial Access telemetry from identity, email, endpoint, network, cloud, or remote access controls where present in the local environment
  • Alert and case-management records showing whether noisy precursor signals are correlated with later-stage evidence
  • Logging coverage inventories that distinguish internal telemetry from activity outside organizational visibility

Detection direction

  • Validate whether the activity described by this analytic is observable in the organization’s environment or primarily depends on third-party/external visibility.
  • Avoid standalone alerting strategies that generate high-volume, low-context findings without correlation to stronger evidence.
  • Prioritize correlation with related lifecycle stages, particularly Initial Access, as suggested by the official description.
  • Document false-positive expectations, visibility gaps, and escalation criteria so SOC analysts do not over-prioritize weak precursor signals.
  • Review detection metrics for alert fatigue and missed context rather than only counting rule deployment.

Mitigation priorities

  • First, establish a clear visibility map showing which PRE-stage signals are collected internally, externally, or not at all.
  • Strengthen monitoring and response workflows for Initial Access and other related lifecycle stages that can provide more reliable evidence.
  • Use threat intelligence and exposure monitoring as context-enrichment sources, not as sole proof of compromise unless supported by local evidence.
  • Maintain incident response playbooks that account for uncertain or externally observed signals and define when to investigate further.
  • Use compliance and governance reporting to explain known visibility limits and compensating controls.
Analyst notes and limits

This object is a detection analytic, not a technique description. The most important defensive takeaway is the official warning about high occurrence, high false positives, and potential lack of target-organization visibility. Because no relationships, tactics, or official detection logic were supplied, the best use is as guidance for coverage validation and compensating detection design.

The supplied ATT&CK fields do not include a specific detection query, related technique relationships, tactics, or detailed data sources. Any final detection strategy must be based on the organization’s actual telemetry, external visibility sources, and Initial Access monitoring coverage.

Official MITRE ATT&CK definition

Analytic 2022

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
08a0e985a027eaca...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 08a0e985a027…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN2022
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use