{ "type": "bundle", "id": "bundle--562d6009-a9f0-494b-ba5c-45c75e844223", "spec_version": "2.0", "objects": [ { "type": "x-mitre-analytic", "id": "x-mitre-analytic--1be515a0-2656-4b35-a561-e8157169350d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0727#AN1860", "external_id": "AN1860" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1860", "description": "Monitor ICS automation network protocols for functions related to reading an operational process state (e.g., \u201cRead\u201d function codes in protocols like DNP3 or Modbus). In some cases, there may be multiple ways to monitor an operational process\u2019 state, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.\nMonitor applications logs for any access attempts to operational databases (e.g., historians) or other sources of operational data within the ICS environment. These devices should be monitored for adversary collection using techniques relevant to the underlying technologies (e.g., Windows, Linux).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "ics-attack" ], "x_mitre_platforms": [ "None" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "name": "Network Traffic", "channel": "None" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "name": "Application Log", "channel": "None" } ], "x_mitre_deprecated": false } ] }