DET0734: Detection of Automated Collection
Analyst context for executives and security teams
DET0734 is a detection strategy for identifying automated collection in industrial control system environments. The business significance is that automated enumeration or data gathering can give an intruder a faster map of control-system assets, interfaces, servers, and devices before later actions. For leaders, the key question is whether the organization can see unusual scripted or tool-driven collection activity across industrial protocols and control-system interfaces, rather than relying only on endpoint or perimeter visibility.
Executive priority
Prioritize this as an operational resilience and incident-readiness issue for ICS environments. If adversaries can automate discovery and collection through native control protocols or available control-system tools, defenders may lose early warning before risk escalates to operational disruption. Executives should ask whether SOC and OT teams have agreed evidence sources, escalation paths, and audit-ready monitoring expectations for automated collection behavior in industrial networks.
Technical view
The supplied ATT&CK object has no official detection text, platforms, or tactics, so validation should be anchored to the relationship: this strategy detects T0802 Automated Collection. SOC, detection engineering, and IR teams should review whether they can identify abnormal enumeration or bulk information gathering using native control protocols and control-system tools, including activity such as OPC-based enumeration where applicable to the local environment. Focus on deviations from expected engineering, maintenance, asset-management, and monitoring workflows rather than assuming all automation is malicious.
Likely telemetry
- Industrial network protocol traffic and metadata, especially where native control protocols are used
- Logs or records from control-system interfaces, servers, engineering workstations, historians, or management tools where available
- Asset inventory and communication baselines showing normal servers, devices, and polling/enumeration patterns
- Remote access, authentication, and session records tied to systems that can interact with industrial protocols
- Alert and case data correlating unusual collection volume, breadth, timing, or source systems
Detection direction
- Validate whether monitoring can distinguish routine ICS polling, asset inventory, backup, and engineering activity from unusual automated enumeration or broad collection.
- Use the related technique context to tune for script-like or tool-driven gathering across multiple attached or communicating servers and devices.
- Account for false positives from legitimate maintenance, commissioning, inventory scans, monitoring platforms, and vendor support activity.
- Look for blind spots where native control protocol activity is not parsed, retained, or correlated with identity/session context.
- Ensure OT and SOC teams share baselines for expected collection behavior, because ATT&CK provides no platform-specific detection guidance for this object.
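One way to operationalize the breadth, source and baseline points above is a per-source, per-window check of how many distinct devices a host touches and whether any of them fall outside its baseline. This is an added example, not part of the DET0734 object or MITRE's guidance; the host names, protocol labels, flow records and baseline profiles are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline (assumed learned from a quiet period): the destinations each
# source normally talks to and the largest distinct-destination count seen per window.
BASELINE = {
    "hmi-01": {"allowed": {"plc-01", "plc-02"}, "max_breadth": 2},
    "eng-ws-03": {"allowed": {"plc-01"}, "max_breadth": 1},
}

# Constructed protocol-metadata records: (timestamp, source, destination, protocol).
SAMPLE_FLOWS = [
    ("2024-05-01T08:00:05", "hmi-01", "plc-01", "modbus"),      # routine HMI polling
    ("2024-05-01T08:00:07", "hmi-01", "plc-02", "modbus"),
    ("2024-05-01T08:01:00", "eng-ws-03", "plc-01", "s7comm"),   # expected engineering session
    ("2024-05-01T08:02:10", "eng-ws-03", "plc-02", "s7comm"),   # then a rapid sweep of devices
    ("2024-05-01T08:02:11", "eng-ws-03", "plc-03", "s7comm"),
    ("2024-05-01T08:02:12", "eng-ws-03", "plc-04", "opcda"),
    ("2024-05-01T08:02:13", "eng-ws-03", "plc-05", "opcda"),
    ("2024-05-01T08:03:00", "laptop-77", "plc-01", "modbus"),   # host with no baseline at all
]


def collection_alerts(flows, baseline, window_minutes=5):
    """Return one alert per (source, window) whose breadth or destinations deviate.

    window_minutes is assumed to divide 60 so windows align to the hour."""
    seen = defaultdict(set)  # (source, window_start) -> distinct destinations
    for ts, src, dst, _proto in flows:
        dt = datetime.fromisoformat(ts)
        start = dt.replace(second=0, microsecond=0,
                           minute=dt.minute - dt.minute % window_minutes)
        seen[(src, start)].add(dst)

    alerts = []
    for (src, start), dsts in sorted(seen.items()):
        profile = baseline.get(src)
        if profile is None:
            # A source that was never baselined is itself worth a look in an ICS network.
            alerts.append({"source": src, "window": start.isoformat(), "breadth": len(dsts),
                           "new": sorted(dsts), "reason": "unbaselined source"})
            continue
        new = sorted(dsts - profile["allowed"])
        if new or len(dsts) > profile["max_breadth"]:
            alerts.append({"source": src, "window": start.isoformat(), "breadth": len(dsts),
                           "new": new, "reason": "breadth or destinations exceed baseline"})
    return alerts


if __name__ == "__main__":
    for alert in collection_alerts(SAMPLE_FLOWS, BASELINE):
        print(alert)
```

The HMI's two-device poll stays silent, while the engineering workstation's five-device sweep and the unbaselined laptop each produce one alert; in practice the baseline would come from the OT team's agreed communication profiles rather than a literal in code.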
Mitigation priorities
- Establish or update ICS communication baselines for systems that are allowed to enumerate or collect industrial environment information.
- Restrict and review access to systems or interfaces that can use native control protocols to enumerate connected servers and devices.
- Define change-management and maintenance windows so legitimate automated collection can be recognized and investigated appropriately.
- Improve logging and retention for industrial protocol activity, control-system interfaces, and remote access paths where local architecture supports it.
- Prepare IR playbooks that treat unexpected automated collection as a potential early warning requiring containment scoping, not only alert closure.
Analyst notes and limits
This take is based on DET0734 and its relationship to T0802 Automated Collection in the ICS ATT&CK domain. The most useful defensive work is environmental: identify where native control protocols and control-system tools can enumerate attached devices, then confirm that monitoring, baselines, and escalation procedures cover those paths.
The official object supplies no description, detection text, platforms, or tactics. Recommendations are therefore conservative and derived only from the related T0802 description and the detection-strategy relationship. Local architecture, protocol use, logging capability, and operational procedures are required to determine practical coverage.
Detection of Automated Collection
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0802 | Automated Collection | This object detects Automated Collection. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5ef5eac03e9e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0734 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.