Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0866: Detection of Search Threat Vendor Data

DET0866 is a detection strategy for identifying reconnaissance behavior where an adversary searches threat intelligence or threat vendor reporting for data...

EnterpriseDET0866Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0866 is a detection strategy for identifying reconnaissance behavior where an adversary searches threat intelligence or threat vendor reporting for data about their own or similar operations. The business significance is not direct system compromise; it is that attackers may use public or closed-source defensive reporting to understand what defenders know, retire exposed infrastructure, alter tooling, or avoid known detections. For leaders, this matters because threat intelligence publication, information sharing, and vendor portal access can influence adversary adaptation and incident response timing.

Executive priority

Treat this as a governance and readiness issue around threat intelligence, disclosure, and monitoring of reconnaissance signals. Executives should ask who can access sensitive threat reporting, what logging exists for threat intelligence portals or internal intelligence repositories, and whether incident response plans account for adversaries potentially learning from published indicators and reports. This can support decisions about intelligence handling, compliance evidence for access control and monitoring, and prioritization of SOC workflows that watch for pre-attack reconnaissance rather than only post-compromise activity.

Technical view

The ATT&CK object provides no official detection text, platforms, or tactics for DET0866, but it is related to T1681: Search Threat Vendor Data under reconnaissance on the PRE platform. SOC and detection engineering teams should therefore validate whether they have visibility into access patterns around internal threat intelligence repositories, vendor intelligence portals, case management systems, and published indicator sets where applicable. Detection logic should focus on suspicious or anomalous searches, downloads, queries, or access to threat reporting, especially when tied to accounts, source networks, or usage patterns that do not match expected analyst or business activity.

Likely telemetry

  • Authentication and access logs for threat intelligence platforms, vendor portals, and internal intelligence repositories
  • Search, query, download, export, and API activity logs from intelligence tools or knowledge bases
  • Identity context for users, service accounts, roles, MFA status, and source locations accessing threat reporting
  • Web proxy, secure web gateway, or DNS telemetry showing access to threat intelligence vendor sites where policy permits monitoring
  • Case management, ticketing, or collaboration platform audit logs for sensitive incident or intelligence content

Detection direction

  • First confirm whether the organization has any authoritative telemetry source for searches and downloads of threat intelligence content; without it, coverage for this strategy is likely limited.
  • Baseline normal users and workflows, such as SOC analysts, threat intelligence teams, incident responders, and vulnerability teams, to reduce false positives from legitimate research activity.
  • Look for anomalous access patterns: unusual accounts, new geographies or source networks, excessive searches, bulk downloads, API scraping, or access to reporting unrelated to the user’s role.
  • Correlate access to sensitive intelligence with identity signals such as failed logins, impossible travel, newly created tokens, role changes, or lack of MFA where available.
  • Use the relationship to T1681 to keep this framed as reconnaissance/PRE activity; detection should not assume host compromise or malware execution unless separate telemetry supports it.

Mitigation priorities

  • Apply least-privilege access to threat intelligence repositories, vendor portals, incident reports, and sensitive indicator collections.
  • Require strong authentication and account lifecycle controls for users and service accounts that can access intelligence content.
  • Enable and retain audit logging for search, view, download, export, and API activity in intelligence and case-management systems.
  • Define handling rules for sensitive indicators and reports, including when to publish broadly versus restrict during active investigations.
  • Include threat intelligence access review in incident response and compliance readiness activities so the organization can show who accessed sensitive reporting and when.
Analyst notes and limits

This take is based on a sparse ATT&CK detection strategy object. The only substantive context supplied is the relationship to T1681, Search Threat Vendor Data, a reconnaissance technique on PRE. The practical defensive value is in validating visibility and governance around access to threat intelligence content, not in assuming a specific endpoint, network, or cloud detection pattern.

MITRE supplied no official description, detection guidance, platforms, tactics, or labels for DET0866. Recommendations here are conservative inferences from the relationship to T1681 and require local validation against the organization’s actual intelligence platforms, vendor access model, logging capabilities, and disclosure practices.

Official MITRE ATT&CK definition

Detection of Search Threat Vendor Data

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1681 Search Threat Vendor Data This object detects Search Threat Vendor Data.
Relationship explorer

All related ATT&CK context

detects · Technique T1681: Search Threat Vendor Data Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
d1b283d39e28764c...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle d1b283d39e28…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0866
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use