AN1874: Analytic 1874
Monitor asset application logs for information that indicates task parameters have changed. Monitor device alarms that indicate controller task parameters have changed, although not all devices produce such alarms. Program Download may be used to enable this technique. Monitor for program downloads, which may be noticeable via operational alarms. Asset management systems should be consulted to understand expected program versions. Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs and tasks. Data from these platforms can be used to identify modified controller tasking.
Analyst context for executives and security teams
This analytic matters because changes to controller task parameters can affect how industrial processes run. For executives and security leaders, the practical question is whether the organization can tell the difference between authorized engineering changes and unexpected controller task changes before they create operational risk. The supplied ATT&CK text points to application logs, device alarms, asset management records, and expected program versions as the key evidence sources.
Executive priority
Prioritize this as an operational resilience and audit-evidence issue for ICS environments. Leaders should ask whether engineering change records, controller alarms, and asset management baselines are available to the SOC or incident response team, and whether expected controller program versions are documented. The business value is not just detection; it is being able to prove whether a controller change was authorized, when it occurred, and whether operations need to pause, validate, or restore known-good tasking.
Technical view
SOC, detection engineering, and IR teams should validate whether asset application logs record task parameter changes, whether controller or device alarms are generated for those changes, and whether engineering or asset management systems retain expected controller program and task information. The ATT&CK description notes that Program Download may enable this behavior and that program downloads may be visible through operational alarms, so teams should correlate task-parameter-change evidence with program download indicators and asset-management version data where available. No specific platform, tactic, or separate official detection logic was supplied, so local ICS architecture and logging capabilities determine what can be monitored.
Likely telemetry
- Asset application logs showing controller task parameter changes
- Device or controller alarms indicating task parameter changes, where supported
- Operational alarms associated with program downloads
- Engineering software records of controller programs, tasks, and changes
- Asset management system records of expected controller program versions
Detection direction
- Confirm which controllers and engineering tools actually produce task-parameter-change logs or alarms; the ATT&CK text notes not all devices produce such alarms.
- Correlate reported task changes with authorized engineering activity and expected program versions from asset management systems.
- Review program download events or operational alarms as related context because Program Download may be used to enable this behavior.
- Tune detections around change windows, maintenance activity, and engineering workflows to reduce false positives while preserving visibility into unauthorized or unexplained changes.
- Document blind spots where controller devices, applications, or asset management systems do not retain sufficient change history.
Mitigation priorities
- Establish and maintain authoritative baselines for expected controller program versions and task configurations.
- Ensure engineering and asset management software records controller program and task changes and that those records are available for investigation.
- Enable and retain asset application logs and device alarms for task parameter changes where supported by the environment.
- Create an operational process to reconcile controller changes against approved maintenance or engineering change records.
- Include controller task-change review in incident response playbooks for ICS environments.
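The correlation steps listed under Detection direction and the reconciliation process under Mitigation priorities, as one added worked example (this is not part of the ATT&CK analytic and not any vendor's engineering or asset-management tool): it parses constructed, tab-separated task-change and program-download events, checks each task change against constructed approved change windows and an expected-program baseline, correlates it with a preceding program download, and rates the result. The event format, controller names, version strings, ticket numbers and the ten-minute download correlation window are all assumptions; real asset application logs and operational alarms are vendor specific and must be mapped to these fields before any of this runs against production data.

```python
"""Reconcile controller task-parameter changes against engineering change
records and an asset-management baseline. Added example only: every log
format, controller name, version, ticket and threshold here is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: a task change this soon after a program download is treated as
# enabled by that download (the Program Download context in the analytic).
DOWNLOAD_CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed stand-in for an asset management export: expected program per controller.
EXPECTED_PROGRAM = {"PLC-01": "v3.4.1", "PLC-02": "v2.0.7"}

# Constructed stand-in for approved engineering change records.
APPROVED_CHANGES = [
    {"controller": "PLC-01", "ticket": "CHG-1042",
     "start": "2026-03-10T08:00:00", "end": "2026-03-10T12:00:00"},
]

# Constructed events: "timestamp<TAB>controller<TAB>kind<TAB>detail".
# TASK_PARAM_CHANGE models an asset application log entry; PROGRAM_DOWNLOAD
# models an operational alarm raised when a program is downloaded.
SAMPLE_EVENTS = """\
2026-03-10T09:15:22\tPLC-01\tPROGRAM_DOWNLOAD\tversion=v3.4.1
2026-03-10T09:16:03\tPLC-01\tTASK_PARAM_CHANGE\ttask=MainTask;period_ms=50->20
2026-03-11T02:41:10\tPLC-02\tPROGRAM_DOWNLOAD\tversion=v2.1.0
2026-03-11T02:41:55\tPLC-02\tTASK_PARAM_CHANGE\ttask=SafetyScan;priority=3->9
2026-03-11T14:00:00\tPLC-01\tTASK_PARAM_CHANGE\ttask=MainTask;watchdog_ms=100->500
2026-03-11T15:20:00\tPLC-03\tTASK_PARAM_CHANGE\ttask=Pump;period_ms=100->10
"""


@dataclass
class Event:
    ts: datetime
    controller: str
    kind: str
    detail: str


def parse_events(text: str) -> list[Event]:
    """Parse the constructed tab-separated format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, controller, kind, detail = line.split("\t", 3)
        events.append(Event(datetime.fromisoformat(ts), controller, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def approved_ticket(ev: Event) -> Optional[str]:
    """Return the change ticket whose window covers this event, if any."""
    for chg in APPROVED_CHANGES:
        if chg["controller"] != ev.controller:
            continue
        if datetime.fromisoformat(chg["start"]) <= ev.ts <= datetime.fromisoformat(chg["end"]):
            return chg["ticket"]
    return None


def last_download(events: list[Event], ev: Event) -> tuple[Optional[str], bool]:
    """Version from the latest PROGRAM_DOWNLOAD on this controller at or before
    ev, and whether that download fell inside the correlation window."""
    latest = None
    for d in events:
        if d.controller == ev.controller and d.kind == "PROGRAM_DOWNLOAD" and d.ts <= ev.ts:
            latest = d
    if latest is None:
        return None, False
    fields = dict(kv.split("=", 1) for kv in latest.detail.split(";"))
    return fields.get("version"), ev.ts - latest.ts <= DOWNLOAD_CORRELATION_WINDOW


def reconcile(events: list[Event]) -> list[dict]:
    """Rate each task-parameter change: info when an approved change covers it
    and the running program matches the baseline; high when it is unapproved
    and either follows a program download or leaves an unexpected program
    running; medium otherwise (including controllers with no baseline)."""
    findings = []
    for ev in events:
        if ev.kind != "TASK_PARAM_CHANGE":
            continue
        ticket = approved_ticket(ev)
        version, recent_download = last_download(events, ev)
        expected = EXPECTED_PROGRAM.get(ev.controller)
        reasons = []
        if expected is None:
            reasons.append("no expected program version in asset management (blind spot)")
        mismatch = version is not None and version != expected
        if mismatch:
            reasons.append(f"running {version}, baseline expects {expected}")
        if ticket is None:
            reasons.append("no approved change record covers this time")
            if recent_download:
                reasons.append("program download preceded the task change")
            severity = "high" if (mismatch or recent_download) else "medium"
        else:
            severity = "medium" if mismatch else "info"
        findings.append({
            "ts": ev.ts.isoformat(), "controller": ev.controller, "change": ev.detail,
            "ticket": ticket, "running_version": version, "expected_version": expected,
            "download_correlated": recent_download, "severity": severity, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_events(SAMPLE_EVENTS)):
        print(f["severity"].upper(), f["ts"], f["controller"], f["change"], "; ".join(f["reasons"]))
```

On the constructed input this yields one informational finding (the PLC-01 change inside CHG-1042 with the expected program running), one high finding (the PLC-02 change with no ticket, 45 seconds after a download that left v2.1.0 running against a baseline of v2.0.7), and two medium findings (a PLC-01 change after the approved window closed, and a PLC-03 change on a controller the baseline does not cover at all). The last case is the blind-spot documentation point above made concrete: a controller missing from the asset management baseline cannot be reconciled, only flagged.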
Analyst notes and limits
This is an ICS ATT&CK detection analytic, external ID AN1874, focused on monitoring for changed controller task parameters. The supplied description explicitly references asset application logs, device alarms, program download context, operational alarms, engineering software, and asset management systems. No relationship context was supplied beyond the description’s reference to Program Download.
The object does not provide platforms, tactics, relationships, or a separate official detection field. Coverage depends on local controller capabilities, engineering tools, asset management maturity, logging retention, and access by SOC or IR teams. This take does not assert active exploitation, attribution, impact, or guaranteed detectability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ded7ade5e698… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1874
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.