DET0788 Detection of Point & Tag Identification

| Item | Value |
|---|---|
| ID | DET0788 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T0861 (Point & Tag Identification)

Analytics

ICS

AN1920

Monitor ICS automation protocols for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many protocols provide multiple ways to achieve the same result (e.g., functions with or without an acknowledgment, or functions that operate on a single point vs. multiple points), so monitor for changes in the functions used.

Monitor asset application logs, which may provide information about requests for points or tags, and look for the same anomalies there. Devices likewise often provide multiple ways to achieve the same result, so monitor for changes in the functions used.
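The following baseline comparison is an added example, not part of the original analytic. It assumes Modbus/TCP as the protocol, already-parsed request records of the form (source, function code, start address, quantity), baseline and observation windows of equal length, and a hypothetical `volume_factor` threshold; all addresses and records are constructed.

```python
from collections import Counter

# Modbus read function codes; Modbus is an assumed example protocol.
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}

def build_baseline(records):
    """Learn each source's read functions, points and request count."""
    base = {}
    for src, func, addr, qty in records:
        if func in READ_FUNCS:
            b = base.setdefault(src, {"funcs": set(), "points": set(), "count": 0})
            b["funcs"].add(func)
            b["points"].update((func, a) for a in range(addr, addr + qty))
            b["count"] += 1
    return base

def detect(baseline, records, volume_factor=3):
    """Return de-duplicated (source, reason) alerts for one observation window."""
    alerts, counts = [], Counter()
    for src, func, addr, qty in records:
        if func not in READ_FUNCS:
            continue
        counts[src] += 1
        b = baseline.get(src)
        if b is None:
            reason = "new_asset"          # source never seen reading points
        elif func not in b["funcs"]:
            reason = "new_function"       # same source, different read function
        elif any((func, a) not in b["points"] for a in range(addr, addr + qty)):
            reason = "new_points"         # known function, unfamiliar points
        else:
            continue
        if (src, reason) not in alerts:
            alerts.append((src, reason))
    for src, n in counts.items():
        if src in baseline and n > volume_factor * baseline[src]["count"]:
            alerts.append((src, "volume_increase"))
    return alerts

# Constructed records: (source, function code, start address, quantity).
BASELINE = [("10.0.0.5", 3, 0, 10)] * 4 + [("10.0.0.6", 4, 100, 4)] * 2
OBSERVED = ([("10.0.0.5", 3, 0, 10)] * 13      # known poller, far more requests
            + [("10.0.0.6", 3, 100, 4),        # known source switches function
               ("10.0.0.6", 4, 100, 125),      # known source reads a wider range
               ("10.0.0.99", 3, 0, 125)])      # source absent from the baseline

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE), OBSERVED):
        print(alert)
```

Timing anomalies are not covered here; they would need timestamps on each record.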

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | Network Traffic | None |
| Application Log Content (DC0038) | Application Log | None |

Mutable Elements

| Field | Description |
|---|---|