MITRE ATT&CK® Detection Strategy

DET0186: Automated File and API Collection Detection Across Platforms

Enterprise | DET0186 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0186 is a detection strategy for spotting automated collection of files and data through local file activity and APIs. Its business significance is that collection often precedes data exposure: if teams cannot see scripted searches, bulk copies, or API-driven data gathering in IaaS, Linux, macOS, and Office Suite environments, incident responders may learn too late what information was staged or taken.

Executive priority

Treat this as a control-evidence question for data protection and incident readiness: can the organization prove it monitors automated collection paths across endpoint, cloud, and productivity environments? Priority should go to high-value repositories, regulated data locations, and cloud/API access where collection can happen without traditional endpoint signals.

Technical view

MITRE provides no official detection text for DET0186, so validation should be tied to the related ATT&CK technique T1119 Automated Collection. SOC and detection teams should test whether they can identify command or scripting activity that searches for and copies files by type, name, or location, especially when repeated at intervals, and whether cloud API, CLI, data pipeline, and Office Suite audit logs expose unusual data enumeration or collection behavior.

Likely telemetry

  • Process execution and command-line telemetry for command and scripting interpreters on Linux and macOS
  • File access, search, copy, archive, and bulk read/write activity for sensitive directories or repositories
  • Cloud control-plane/API audit logs in IaaS environments
  • Cloud CLI usage logs where available
  • Data pipeline activity logs where used for movement or extraction of data

Detection direction

  • Validate visibility against T1119 rather than assuming DET0186 contains ready-made logic; the supplied object has no official detection text.
  • Look for automation indicators: repetitive file searches, scripted copy operations, criteria-based collection by extension/name/path, or activity recurring at regular intervals.
  • Correlate file activity with process, identity, and API audit logs so cloud/API collection is not missed when endpoint telemetry is absent.
  • Tune for legitimate administrative, backup, indexing, eDiscovery, synchronization, and data engineering jobs to reduce false positives.
  • Prioritize detections around sensitive business data stores and accounts with broad read permissions, because those are where collection activity is most material.
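The detection direction above, worked through as an added example written for this page (Python; not MITRE's or Glexia's code). It runs three checks over constructed Linux/macOS process events and IaaS API audit events: criteria-based collection commands (search/copy/archive tools combined with an extension, name or path criterion), recurrence of those commands at near-constant intervals per host and user, and bulk list/read API bursts per cloud principal, with an allow-list for approved backup and eDiscovery automation as the tuning step. The event field names, regexes, sensitive paths, API names, thresholds and the allow-list are all assumptions chosen for illustration, not a schema from any product or log source.

```python
"""Detection logic for automated collection (T1119) over constructed telemetry.

Added example for this page, not MITRE or Glexia code. Event field names,
regexes, thresholds and the approved-automation allow-list are assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Search/copy/archive/sync tools commonly driven by collection scripts (assumed list).
COLLECT_TOOLS = re.compile(r"\b(find|cp|rsync|tar|zip|xcopy|robocopy)\b")
# Criteria-based selection: by extension, name pattern or modification time.
CRITERIA = re.compile(r"(-i?name\s+\S*\*\.\w+|\*\.(docx?|xlsx?|pdf|pst|key|pem|csv)\b|-newer|-mtime)")
SENSITIVE_PATHS = ("/home", "/Users", "/srv/finance", "/var/lib/hr")   # assumed data stores
BULK_READ_APIS = {"ListObjects", "ListObjectsV2", "GetObject", "ListBuckets"}  # assumed IaaS APIs
APPROVED_PRINCIPALS = {"svc-backup", "svc-ediscovery"}  # tuning: approved backup/eDiscovery jobs


def ts(s):
    return datetime.fromisoformat(s)


def is_collection_cmd(cmdline):
    """A collection tool combined with file criteria or a sensitive path."""
    return bool(COLLECT_TOOLS.search(cmdline)
                and (CRITERIA.search(cmdline) or any(p in cmdline for p in SENSITIVE_PATHS)))


def regular_interval(times, min_events=3, max_cv=0.15):
    """True when >= min_events recur at near-constant spacing (scheduled/scripted)."""
    if len(times) < min_events:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv


def detect_endpoint(events):
    """Flag criteria-based collection commands, then periodic repetition per host/user."""
    findings, by_actor = [], defaultdict(list)
    for e in events:
        if e["user"] in APPROVED_PRINCIPALS or not is_collection_cmd(e["cmdline"]):
            continue
        by_actor[(e["host"], e["user"])].append(ts(e["ts"]))
        findings.append({"type": "criteria_collection", "host": e["host"],
                         "user": e["user"], "cmdline": e["cmdline"]})
    for (host, user), times in by_actor.items():
        if regular_interval(sorted(times)):
            findings.append({"type": "periodic_collection", "host": host,
                             "user": user, "count": len(times)})
    return findings


def detect_cloud(events, window=timedelta(minutes=10), threshold=50):
    """Flag principals whose bulk list/read API calls exceed threshold inside a sliding window."""
    findings, by_principal = [], defaultdict(list)
    for e in events:
        if e["principal"] in APPROVED_PRINCIPALS or e["eventName"] not in BULK_READ_APIS:
            continue
        by_principal[e["principal"]].append(ts(e["ts"]))
    for principal, times in by_principal.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"type": "api_enumeration_burst",
                                 "principal": principal, "count": end - start + 1})
                break
    return findings


# Constructed sample telemetry (not real logs).
PROCESS_EVENTS = [
    {"ts": f"2024-03-01T01:{m:02d}:00", "host": "mac-01", "user": "jdoe",
     "cmdline": "find /Users/jdoe/Documents -iname '*.docx' -exec cp {} /tmp/.stage/ \\;"}
    for m in (0, 15, 30)
] + [
    {"ts": "2024-03-01T01:05:00", "host": "mac-01", "user": "jdoe", "cmdline": "ls -la /tmp"},
    {"ts": "2024-03-01T02:00:00", "host": "lx-02", "user": "svc-backup", "cmdline": "rsync -a /home /backup"},
    {"ts": "2024-03-01T03:41:00", "host": "lx-02", "user": "ops", "cmdline": "tar czf /tmp/f.tgz /srv/finance"},
]


def cloud_calls(principal, name, n, start, step_s):
    base = ts(start)
    return [{"ts": (base + timedelta(seconds=i * step_s)).isoformat(),
             "principal": principal, "eventName": name} for i in range(n)]


CLOUD_EVENTS = (cloud_calls("analyst@corp.example", "ListObjectsV2", 60, "2024-03-01T04:00:00", 1)
                + cloud_calls("devops@corp.example", "GetObject", 10, "2024-03-01T04:00:00", 720)
                + cloud_calls("svc-backup", "GetObject", 500, "2024-03-01T04:00:00", 1))

if __name__ == "__main__":
    for f in detect_endpoint(PROCESS_EVENTS) + detect_cloud(CLOUD_EVENTS):
        print(f)
```

The allow-list is deliberately applied by identity rather than by command, because the tuning concern on this page is approved jobs (backup, sync, eDiscovery) that use the same tools an adversary would; in production the allow-list would be scoped further (expected hosts, paths and schedules) so that a compromised service account does not inherit a blanket exemption.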

Mitigation priorities

  • Inventory where sensitive data resides across IaaS, Linux, macOS, and Office Suite environments before building coverage claims.
  • Ensure audit logging is enabled and retained for endpoint file activity, cloud APIs, Office Suite access, and privileged/service-account use.
  • Apply least privilege to users, roles, and service accounts that can enumerate or collect large volumes of data.
  • Define baseline behavior for approved backup, sync, eDiscovery, and data pipeline activity so anomalous collection can be distinguished from normal operations.
  • Include automated collection scenarios in incident response playbooks to speed scoping of what data may have been accessed or gathered.

Analyst notes and limits

This take is based on the DET0186 name and its relationship to T1119 Automated Collection. The detection strategy object itself has no official description, tactics, platforms, or detection guidance, so the practical guidance is intentionally anchored to the related technique context supplied by MITRE.

Local environment evidence is required to determine actual coverage. This summary does not assert active exploitation, attribution, guaranteed detection, or platform coverage beyond the supplied relationship context for T1119.

Official MITRE ATT&CK definition

Automated File and API Collection Detection Across Platforms

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID     Name                  Relationship / procedure
Enterprise  T1119  Automated Collection  This object detects Automated Collection.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5567f9fd06816bdb...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  5567f9fd0681…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0186

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.