MITRE ATT&CK® Detection Strategy

DET0763: Detection of Loss of View

ICS | DET0763 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0763 is a detection strategy for identifying Loss of View in ICS environments: situations where operators lose sustained visibility into equipment or process state, potentially requiring local hands-on intervention such as restart or manual operation. For leaders, the key issue is not just monitoring failure; it is whether the organization can distinguish a routine visibility outage from a condition that could hide the true state of operations.

Executive priority

Prioritize this as an operational resilience and incident decision-making concern for ICS environments. Executives and risk owners should ask whether loss of operator visibility is treated as a safety, continuity, and response escalation event, not only as an IT monitoring alert. Because ATT&CK provides no platform-specific or detection-specific detail for this object, coverage decisions should be based on local ICS architecture, operator procedures, and evidence that visibility loss can be detected, triaged, and escalated quickly.

Technical view

SOC, OT monitoring, and incident response teams should validate whether they can detect sustained or permanent reporting and visibility loss associated with the related ICS technique T0829 Loss of View. Since the ATT&CK object does not specify platforms, tactics, or official detection logic, teams should avoid assuming coverage from generic uptime monitoring alone. Validation should focus on whether telemetry can show when operator view, reporting paths, or equipment visibility degrade while the underlying physical process may still be operating.

Likely telemetry

  • ICS operator interface or supervisory system availability and status indicators, where collected
  • Reporting or visibility health signals between control equipment and monitoring systems, where available
  • Alarms or events indicating loss of communications, stale values, unavailable equipment status, or failed reporting paths
  • Operator logs, shift notes, or incident tickets documenting manual intervention, restart, or local operation
  • Network or system health telemetry that can help distinguish broad infrastructure outage from targeted or localized loss of view

Detection direction

  • Confirm whether detection distinguishes transient communications noise from sustained or permanent loss of view requiring escalation.
  • Correlate visibility-loss alerts with process-state evidence where available, because the related technique notes that the physical process may be unaffected while operator visibility is lost.
  • Tune alerting to reduce false positives from maintenance windows, planned restarts, known communications outages, and sensor or interface faults.
  • Validate escalation paths between SOC, OT operations, and incident response teams when operator visibility is degraded but process impact is unclear.
  • Document blind spots caused by unmonitored ICS segments, limited logging from legacy equipment, or lack of centralized evidence for operator view status.
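The checks in this list can be sketched as a small classifier over reporting timestamps. This is an added example, not code from Glexia or MITRE; the thresholds, source names (`plc-a`, `rtu-c`), state labels, and sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed thresholds; set them from local polling rates and operating procedures.
NOISE = timedelta(seconds=30)      # gaps below this are normal polling jitter
SUSTAINED = timedelta(minutes=5)   # gaps at or above this are escalated

def last_seen(events):
    """Reduce (timestamp, source) update events to the latest update per source."""
    latest = {}
    for ts, source in events:
        latest[source] = max(ts, latest.get(source, ts))
    return latest

def classify(events, now, maintenance=()):
    """Return {source: state} at `now`; maintenance holds (source, start, end) windows."""
    states = {}
    for source, seen in last_seen(events).items():
        gap = now - seen
        planned = any(s == source and start <= now <= end
                      for s, start, end in maintenance)
        if gap < NOISE:
            states[source] = "ok"
        elif planned:
            states[source] = "planned"      # suppressed: known maintenance window
        elif gap < SUSTAINED:
            states[source] = "transient"    # communications noise, keep watching
        else:
            states[source] = "sustained"    # loss of view requiring escalation
    return states

def outage_scope(states):
    """Separate a localized loss of view from a broad infrastructure outage."""
    lost = sorted(s for s, v in states.items() if v == "sustained")
    if not lost:
        return "none", lost
    return ("broad" if len(lost) == len(states) else "localized"), lost

# Constructed sample: last value updates seen by the supervisory system.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    (T0 - timedelta(seconds=5), "plc-a"),
    (T0 - timedelta(minutes=2), "plc-b"),
    (T0 - timedelta(minutes=12), "rtu-c"),
    (T0 - timedelta(minutes=40), "rtu-d"),
]
SAMPLE_MAINTENANCE = [("rtu-d", T0 - timedelta(hours=1), T0 + timedelta(hours=1))]

if __name__ == "__main__":
    print(outage_scope(classify(SAMPLE_EVENTS, T0, SAMPLE_MAINTENANCE)))
```

A "localized" result with other sources still reporting is the case that warrants correlation with process-state evidence, since the underlying process may be running normally while the view is lost.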

Mitigation priorities

  • Define operational thresholds for when loss of view becomes an incident requiring OT and business escalation.
  • Ensure procedures exist for safe local verification, manual operation, or restart when sustained visibility loss occurs.
  • Maintain evidence collection for visibility health, operator actions, and recovery steps to support incident response and compliance review.
  • Test response playbooks for scenarios where monitoring is unavailable but the physical process may still be running.
  • Use architecture reviews to identify single points of failure in reporting or supervisory visibility paths.
Analyst notes and limits

This take is based on the MITRE detection strategy DET0763 and its relationship to ICS technique T0829 Loss of View. The relationship context is the primary source of decision value because the detection strategy itself has no official description, detection text, tactics, platforms, aliases, or labels supplied.

ATT&CK does not provide platform scope, official detection analytics, data sources, or implementation guidance for this object in the supplied fields. Local ICS design, logging capability, operator procedures, and safety requirements are required to determine practical coverage and priority.

Official MITRE ATT&CK definition

Detection of Loss of View

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
ICS | T0829 | Loss of View | This object detects Loss of View.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 699980ad948d9b37...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 699980ad948d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0763

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.