DET0777 Detection of Modify Alarm Settings

| Item | Value |
| --- | --- |
| ID | DET0777 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T0838 (Modify Alarm Settings)

Analytics

ICS

AN1909

Monitor ICS asset application logs for entries indicating that alarm settings have changed, although not all assets will produce such logs. Consult asset management systems to understand expected alarm settings. Data about the industrial process may show it operating outside of expected bounds, which could help indicate that an alarm setting has changed. This will not directly detect the technique's execution, but may provide additional evidence that the technique has been used and may complement other detections. Monitor for alarm setting changes observable in automation or management network protocols.

Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| Application Log Content (DC0038) | Application Log | None |
| Asset Inventory (DC0110) | Asset | None |
| Process History/Live Data (DC0107) | Operational Databases | None |
| Network Traffic Content (DC0085) | Network Traffic | None |
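
An added example, not part of the ATT&CK page: one way to correlate the asset inventory, process history and application log sources for AN1909. It flags configured limits that differ from the inventory, and process values outside the expected limits that no logged alarm followed. Tag names, limits, the two-minute grace window and the record layouts are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; tag names, limits and record layouts are assumptions.
EXPECTED = {  # asset inventory: expected alarm limits per tag
    "TANK1_LEVEL": {"high": 85.0, "low": 10.0},
    "PUMP2_TEMP": {"high": 70.0, "low": 5.0},
}
CONFIGURED = {  # limits currently reported by the asset or its application log
    "TANK1_LEVEL": {"high": 85.0, "low": 10.0},
    "PUMP2_TEMP": {"high": 95.0, "low": 5.0},  # differs from inventory
}
HISTORY = [  # process history: (ISO timestamp, tag, value)
    ("2025-10-21T08:00:00", "TANK1_LEVEL", 60.2),
    ("2025-10-21T08:05:00", "TANK1_LEVEL", 88.1),
    ("2025-10-21T08:05:00", "PUMP2_TEMP", 74.6),
    ("2025-10-21T08:10:00", "PUMP2_TEMP", 81.3),
]
ALARMS = [("2025-10-21T08:05:20", "TANK1_LEVEL")]  # alarm events from application log


def setting_drift(expected, configured):
    """Return (tag, limit, expected, configured) where configuration differs from inventory."""
    drift = []
    for tag, limits in expected.items():
        for name, want in limits.items():
            have = configured.get(tag, {}).get(name)  # None: limit or alarm is missing
            if have != want:
                drift.append((tag, name, want, have))
    return drift


def silent_excursions(expected, history, alarms, grace=timedelta(minutes=2)):
    """Return samples outside expected limits with no alarm for that tag within `grace`."""
    alarm_times = {}
    for ts, tag in alarms:
        alarm_times.setdefault(tag, []).append(datetime.fromisoformat(ts))
    hits = []
    for ts, tag, value in history:
        limits = expected.get(tag)
        if limits is None or limits["low"] <= value <= limits["high"]:
            continue  # untracked tag, or value inside the expected band
        t = datetime.fromisoformat(ts)
        # An alarm counts only if it was logged at or after the sample, within the window.
        if not any(timedelta(0) <= a - t <= grace for a in alarm_times.get(tag, [])):
            hits.append((ts, tag, value))
    return hits


if __name__ == "__main__":
    print(setting_drift(EXPECTED, CONFIGURED), silent_excursions(EXPECTED, HISTORY, ALARMS))
```

A silent excursion is supporting evidence only, as the analytic states; a drift result on the same tag is what ties it to a changed alarm setting.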
Mutable Elements
Field Description