Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs.
Consult asset management systems to understand expected alarm settings.
Data about the industrial process may indicate it is operating outside of expected bounds and could help indicate that an alarm setting has changed. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
Monitor for alarm setting changes observable in automation or management network protocols.
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | Application Log | None |
| Asset Inventory (DC0110) | Asset | None |
| Process History/Live Data (DC0107) | Operational Databases | None |
| Network Traffic Content (DC0085) | Network Traffic | None |
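
The application-log and asset-inventory items above can be combined by comparing each logged alarm change against the expected setting. The following Python is an added example, not part of the original page; the log format, field names, asset and tag names, and baseline values are all constructed assumptions.

```python
import re

# Constructed baseline standing in for an asset management export:
# (asset, alarm tag) -> expected settings.
BASELINE = {
    ("PLC-01", "TANK1_LEVEL_HI"): {"limit": 85.0, "enabled": True},
    ("PLC-01", "TANK1_PRESS_HIHI"): {"limit": 120.0, "enabled": True},
    ("RTU-07", "PUMP3_TEMP_HI"): {"limit": 70.0, "enabled": True},
}

# Constructed application log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-05-01T02:14:09Z asset=PLC-01 event=ALARM_CFG_CHANGE tag=TANK1_LEVEL_HI field=limit old=85.0 new=99.5 user=eng1
2024-05-01T02:14:30Z asset=PLC-01 event=ALARM_CFG_CHANGE tag=TANK1_PRESS_HIHI field=enabled old=true new=false user=eng1
2024-05-01T08:00:02Z asset=RTU-07 event=ALARM_CFG_CHANGE tag=PUMP3_TEMP_HI field=limit old=72.0 new=70.0 user=ops2
2024-05-01T08:05:11Z asset=RTU-07 event=LOGIN user=ops2
2024-05-01T09:30:00Z asset=PLC-02 event=ALARM_CFG_CHANGE tag=VALVE9_POS_LO field=limit old=5.0 new=1.0 user=eng1
"""

KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"asset", "tag", "field", "new"}

def parse_value(field, raw):
    """Normalise a logged value to the type used in the baseline."""
    if field == "enabled":
        return raw.lower() == "true"
    try:
        return float(raw)
    except ValueError:
        return raw  # an unparseable value never equals the baseline, so it is flagged

def find_alarm_drift(log_text, baseline):
    """Return alarm changes that leave a setting off-baseline or have no baseline."""
    findings = []
    for line in log_text.splitlines():
        ts, _, rest = line.partition(" ")
        kv = dict(KV.findall(rest))
        if kv.get("event") != "ALARM_CFG_CHANGE" or not REQUIRED.issubset(kv):
            continue
        key, field = (kv["asset"], kv["tag"]), kv["field"]
        expected = baseline.get(key, {})
        if field not in expected:
            findings.append((ts, *key, field, "no_baseline"))
        elif parse_value(field, kv["new"]) != expected[field]:
            findings.append((ts, *key, field, "deviates_from_baseline"))
    return findings

if __name__ == "__main__":
    for finding in find_alarm_drift(SAMPLE_LOG, BASELINE):
        print(finding)
```

The third sample line is not flagged because the change returns the limit to its baseline value, while the change on an asset missing from the inventory is reported separately so the gap in the baseline can be closed.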