cti/ics-attack/x-mitre-analytic/x-mitre-analytic--11a350cf-1ea0-4065-877b-c3bb410bf3a0.json

{
"type": "bundle",
"id": "bundle--6ba2af73-eb6f-444a-93ab-e3127a73b918",
"spec_version": "2.0",
"objects": [
{
"type": "x-mitre-analytic",
"id": "x-mitre-analytic--11a350cf-1ea0-4065-877b-c3bb410bf3a0",
"created": "2025-10-21T15:10:28.402Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/detectionstrategies/DET0784#AN1916",
"external_id": "AN1916"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-10-21T15:10:28.402Z",
"name": "Analytic 1916",
"description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software, which could help detect blocked communications.\nMonitor for lack of operational process data, which may help identify a loss of communications. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.\nMonitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.\nMonitor for a loss of network communications, which may indicate this technique is being used.\nMonitor asset alarms, which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if command messages are blocked.",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_platforms": [
"None"
],
"x_mitre_log_source_references": [
{
"x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
"name": "Process",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
"name": "Operational Databases",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"name": "Application Log",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"name": "Network Traffic",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
"name": "Operational Databases",
"channel": "None"
}
],
"x_mitre_deprecated": false
}
]
}