AN2034: Analytic 2034
Detects consent grants, password resets, role changes, external sharing, or token creation shortly after user interaction with messages, invites, or help desk workflows. Emphasis is placed on unusual requester relationships, new device context, or off-hours approvals.
Analyst context for executives and security teams
This analytic is about catching risky SaaS identity or collaboration changes that happen soon after a user engages with a message, invite, or help desk workflow. For leaders, the value is correlation: a consent grant, password reset, role change, external share, or token creation may be more material when it follows unusual user interaction, a new device context, or an off-hours approval. This matters because these events can affect account control, data access, and SaaS governance even when each event looks explainable in isolation.
Executive priority
Prioritize this as a SaaS identity and workflow-control validation item. Security leaders should ask whether the organization can connect user interaction events to downstream administrative or access changes, and whether approvals from unusual requester relationships, new devices, or off-hours activity receive additional review. The business decision value is strongest for incident response readiness, compliance evidence around privileged/access changes, and reducing blind spots in help desk or collaboration workflows.
Technical view
For SOC and detection teams, validate whether SaaS logs can correlate message, invite, or help desk interactions with follow-on consent grants, password resets, role changes, external sharing, and token creation. Because ATT&CK provides no separate detection logic for this analytic, implementation should focus on time-window correlation, identity context, requester/approver relationship context, device novelty, and time-of-day anomalies. Triage should distinguish expected service desk activity and approved business collaboration from unusual sequences that combine user interaction with sensitive access changes.
Likely telemetry
- SaaS audit logs for consent grants, role changes, external sharing, and token creation
- Identity or directory logs for password resets and privilege or role updates
- Help desk workflow records, requester and approver metadata, and approval timestamps
- Messaging or collaboration event logs for message and invite interactions
- Device context such as new device indicators or session metadata where available
Detection direction
- Validate that logs preserve a common identity, timestamp, and workflow reference sufficient to correlate user interaction with later SaaS access changes.
- Tune correlation windows around events occurring shortly after messages, invites, or help desk workflows, while accounting for normal business and support processes.
- Prioritize alerts with unusual requester relationships, new device context, off-hours approvals, or multiple sensitive changes in close succession.
- Review false positives from legitimate onboarding, access request, collaboration, and support desk activity.
- Identify blind spots where SaaS applications, help desk systems, or collaboration tools are not centrally logged or cannot be joined by identity/session context.
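The correlation sketched in the technical view and in the detection direction above, as an added example (not the analytic's official logic, which the page notes was not provided, and not Glexia or ATT&CK code): link each user interaction to sensitive SaaS changes by the same user inside a time window, then score the contextual factors the analytic emphasizes. The events, field names, 60-minute window, 08:00 to 18:00 business hours and the known-device and known-requester baselines are all constructed assumptions.

```python
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)  # assumed local working hours for the off-hours check
SENSITIVE = {"consent_grant", "password_reset", "role_change", "external_share", "token_create"}

# Constructed sample telemetry, normalized to a shared user key and ISO timestamps.
INTERACTIONS = [  # message clicks, invite accepts, help desk tickets
    {"user": "alice", "ts": "2024-03-04T22:05:00", "kind": "helpdesk_ticket", "requester": "contractor-x"},
    {"user": "bob", "ts": "2024-03-04T10:00:00", "kind": "invite_accept", "requester": "bob-manager"},
]
CHANGES = [  # SaaS audit and identity log events
    {"user": "alice", "ts": "2024-03-04T22:20:00", "action": "password_reset", "device": "dev-9"},
    {"user": "alice", "ts": "2024-03-04T22:31:00", "action": "consent_grant", "device": "dev-9"},
    {"user": "bob", "ts": "2024-03-04T10:30:00", "action": "role_change", "device": "dev-1"},
    {"user": "bob", "ts": "2024-03-05T09:00:00", "action": "token_create", "device": "dev-1"},  # outside window
]
KNOWN_DEVICES = {"alice": {"dev-2"}, "bob": {"dev-1"}}          # assumed prior device baseline
KNOWN_REQUESTERS = {"alice": {"alice-manager"}, "bob": {"bob-manager"}}  # assumed expected requesters
_t = datetime.fromisoformat


def correlate(interactions, changes, window=timedelta(minutes=60),
              known_devices=KNOWN_DEVICES, known_requesters=KNOWN_REQUESTERS):
    """Link each interaction to sensitive changes by the same user inside the
    window, then score the contextual anomalies the analytic emphasizes."""
    alerts = []
    for ia in interactions:
        t0 = _t(ia["ts"])
        linked = [c for c in changes if c["user"] == ia["user"]
                  and c["action"] in SENSITIVE and t0 <= _t(c["ts"]) <= t0 + window]
        if not linked:
            continue
        reasons = []
        if ia["requester"] not in known_requesters.get(ia["user"], set()):
            reasons.append("unusual_requester")
        if any(c["device"] not in known_devices.get(c["user"], set()) for c in linked):
            reasons.append("new_device")
        if any(_t(c["ts"]).hour not in BUSINESS_HOURS for c in linked):
            reasons.append("off_hours")
        if len(linked) > 1:
            reasons.append("multiple_changes")
        alerts.append({"user": ia["user"], "interaction": ia["kind"],
                       "changes": [c["action"] for c in linked],
                       "reasons": reasons, "score": len(reasons)})
    # Highest-context first; a score of 0 is an expected-looking sequence kept for triage only.
    return sorted(alerts, key=lambda a: a["score"], reverse=True)
```

Score-0 results are the onboarding and support-desk sequences the page lists as false-positive sources; the baselines and window are the knobs to tune against local workflow design.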
Mitigation priorities
- Ensure sensitive SaaS actions such as consent grants, password resets, role changes, external sharing, and token creation are logged and retained.
- Require governed approval paths for high-risk access and administrative changes, especially in help desk workflows.
- Apply additional review or step-up controls for off-hours approvals, new device context, or unusual requester/approver relationships where policy supports it.
- Maintain auditable records linking requests, approvals, and resulting access changes for IR and compliance readiness.
- Regularly test whether SOC playbooks can reconstruct the interaction-to-change sequence across SaaS, identity, messaging, and help desk data.
Analyst notes and limits
The object is a detection analytic for the SaaS platform scope. Its decision value comes from correlating otherwise common administrative or collaboration events with preceding user interaction and contextual anomalies. No relationship context or tactic mapping was supplied, so this take avoids mapping it to specific ATT&CK techniques or adversary behaviors beyond the official description.
Official detection logic was not provided, and no relationships were supplied. Local SaaS applications, identity providers, help desk platforms, logging coverage, retention, and workflow design will determine whether this analytic can be implemented effectively. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 65b50a613f21… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN2034
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.