cti/ics-attack/x-mitre-analytic/x-mitre-analytic--2388dc31-ba9a-4c12-b4b9-28bbc981c73e.json

{
"type": "bundle",
"id": "bundle--c4d7c518-b047-49ef-8f75-dfcef792ad93",
"spec_version": "2.0",
"objects": [
{
"type": "x-mitre-analytic",
"id": "x-mitre-analytic--2388dc31-ba9a-4c12-b4b9-28bbc981c73e",
"created": "2025-10-21T15:10:28.402Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/detectionstrategies/DET0726#AN1859",
"external_id": "AN1859"
},
{
"source_name": "Nzyme Alerts Intro",
"description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved November 17, 2024.",
"url": "https://docs.nzyme.org/wifi/monitoring/network-monitoring/"
},
{
"source_name": "Wireless Intrusion Detection",
"description": "Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.",
"url": "https://apps.dtic.mil/sti/pdfs/ADA466332.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-10-21T15:10:28.402Z",
"name": "Analytic 1859",
"description": "Monitor login sessions for new or unexpected devices or sessions on wireless networks.\nMonitor application logs for new or unexpected devices or sessions on wireless networks.\nNew or irregular network traffic flows may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks, monitor for changes such as rogue access points or low signal strength (indicating a device is further away from the access point than expected) and for changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_platforms": [
"None"
],
"x_mitre_log_source_references": [
{
"x_mitre_data_component_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
"name": "Logon Session",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"name": "Application Log",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"name": "Network Traffic",
"channel": "None"
}
],
"x_mitre_deprecated": false
}
]
}