DET0915: Detection of Online Edit
Analyst context for executives and security teams
DET0915 is a detection strategy for identifying Online Edit activity against PLC logic in an ICS environment. The business significance is that online edits can change controller behavior while the process continues running, which may reduce obvious downtime signals and make unauthorized changes harder to notice. For leaders, this is less about a single alert and more about proving that engineering change activity is governed, observable, and reviewable before it can affect operational resilience or safety-sensitive processes.
Executive priority
Prioritize this as an operational resilience and change-control visibility issue. Executives should ask whether PLC program changes made through engineering workstations are logged, reviewed, and attributable to authorized personnel. The key decision value is whether the organization can distinguish approved maintenance from suspicious online edits quickly enough to support incident response, audit evidence, and safe operational decision-making.
Technical view
The supplied ATT&CK object has no official detection text, platforms, or tactics, so validation should be anchored to the related technique, Online Edit, in which a PLC program is updated without stopping the controller; this typically requires access to a workstation running vendor-specific PLC programming software. SOC, OT, and IR teams should verify whether they can observe PLC programming sessions, engineering workstation activity, controller change events, and change-management records well enough to correlate an online edit to an approved work order and to user/session context.
Likely telemetry
- Engineering workstation logs and user/session activity
- Vendor-specific PLC programming software activity where available
- PLC/controller change or program transfer events
- Network communications between engineering workstations and PLCs
- Change-management tickets, maintenance windows, and approval records
Detection direction
- Validate that online edit events can be distinguished from normal engineering maintenance, not merely that PLC communication is visible.
- Correlate PLC change activity with approved maintenance windows, change tickets, and authenticated engineering workstation usage.
- Review blind spots around vendor-specific programming tools, unmanaged engineering laptops, shared accounts, and controller activity that is not forwarded to central monitoring.
- Tune detections to reduce false positives from legitimate online edits while preserving enough context for rapid review of unexpected timing, source workstation, user, or target controller.
- Because ATT&CK provides no official detection guidance for this detection strategy, local ICS architecture and vendor logging capabilities must drive the final analytic design.
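The correlation described in the points above (matching a controller change event to an approved change window, an authorized user, and a managed engineering workstation) is illustrated by the following added example. It is not code from the ATT&CK object or from Glexia; the event fields, ticket fields, workstation inventory, and the sample records are all constructed assumptions, since the page states that vendor logging and local architecture must drive the real design.

```python
"""Correlate PLC online-edit events with change-management records.

Added example: the event/ticket schemas and the sample data below are
constructed for illustration, not taken from any vendor or ATT&CK source.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class ChangeTicket:
    ticket_id: str
    plc_id: str
    approved_users: Set[str]
    window_start: datetime
    window_end: datetime


@dataclass
class PlcChangeEvent:
    timestamp: datetime
    plc_id: str
    workstation: str      # host that opened the programming session
    user: str             # authenticated user on that workstation
    edit_type: str        # e.g. "online_edit", "download", "upload"


@dataclass
class Verdict:
    event: PlcChangeEvent
    ticket_id: Optional[str]
    findings: List[str] = field(default_factory=list)

    @property
    def approved(self) -> bool:
        # An event with no findings is fully explained by change management.
        return not self.findings


# Generic or shared logins that cannot be attributed to one person (assumed list).
SHARED_ACCOUNTS = {"operator", "admin", "engineer"}


def find_ticket(event: PlcChangeEvent, tickets: List[ChangeTicket],
                grace: timedelta = timedelta(minutes=15)) -> Optional[ChangeTicket]:
    """Return the first ticket for this PLC whose window (plus grace) covers the event."""
    for t in tickets:
        in_window = t.window_start - grace <= event.timestamp <= t.window_end + grace
        if t.plc_id == event.plc_id and in_window:
            return t
    return None


def assess(event: PlcChangeEvent, tickets: List[ChangeTicket],
           managed_workstations: Set[str],
           permitted_editors: Dict[str, Set[str]]) -> Verdict:
    """Attach review findings to one controller change event."""
    ticket = find_ticket(event, tickets)
    verdict = Verdict(event=event, ticket_id=ticket.ticket_id if ticket else None)
    if ticket is None:
        verdict.findings.append("no_matching_change_window")
    elif event.user not in ticket.approved_users:
        verdict.findings.append("user_not_on_ticket")
    if event.workstation not in managed_workstations:
        verdict.findings.append("unmanaged_workstation")
    if event.user not in permitted_editors.get(event.plc_id, set()):
        verdict.findings.append("user_not_permitted_for_plc")
    if event.user in SHARED_ACCOUNTS:
        verdict.findings.append("shared_account")
    return verdict


def assess_all(events, tickets, managed_workstations, permitted_editors) -> List[Verdict]:
    return [assess(e, tickets, managed_workstations, permitted_editors) for e in events]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records: one approved ticket, a managed-workstation list,
# and the users permitted to perform online edits per controller.
SAMPLE_TICKETS = [ChangeTicket("CHG-100", "PLC-01", {"jdoe"},
                               ts("2024-03-12T10:00"), ts("2024-03-12T12:00"))]
SAMPLE_MANAGED = {"ews-01", "ews-02"}
SAMPLE_PERMITTED = {"PLC-01": {"jdoe", "asmith"}, "PLC-02": {"jdoe"}}
SAMPLE_EVENTS = [
    PlcChangeEvent(ts("2024-03-12T10:05"), "PLC-01", "ews-01", "jdoe", "online_edit"),
    PlcChangeEvent(ts("2024-03-12T10:30"), "PLC-01", "ews-01", "asmith", "online_edit"),
    PlcChangeEvent(ts("2024-03-12T23:40"), "PLC-02", "lap-7731", "operator", "online_edit"),
]


def run_demo() -> List[Verdict]:
    return assess_all(SAMPLE_EVENTS, SAMPLE_TICKETS, SAMPLE_MANAGED, SAMPLE_PERMITTED)


if __name__ == "__main__":
    for v in run_demo():
        status = "approved" if v.approved else "review: " + ", ".join(v.findings)
        print(f"{v.event.timestamp} {v.event.plc_id} {v.event.user}@{v.event.workstation} "
              f"ticket={v.ticket_id} -> {status}")
```

Design note: the approved event is the one that matches on all four axes (window, user on ticket, managed workstation, permitted editor), which is the "distinguish approved maintenance from suspicious online edits" goal in the points above. Each failed axis is recorded as a separate finding rather than collapsed into a single score, so a reviewer sees why an event was flagged and can tune the grace period or inventories without losing context.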
Mitigation priorities
- Establish and enforce formal approval workflows for PLC online edits, including emergency change procedures.
- Limit access to engineering workstations and vendor-specific PLC programming software to authorized personnel.
- Maintain an accurate inventory of PLCs, engineering workstations, and users permitted to perform online edits.
- Centralize or otherwise preserve logs and records that can prove who changed what, when, and under which authorization.
- Periodically test incident response playbooks for unauthorized or unexplained PLC program changes.
Analyst notes and limits
This take is based on the DET0915 detection strategy metadata and its relationship to ATT&CK technique T0843.002 Online Edit. Since the detection strategy itself does not include an official description, detection text, platforms, or tactics, recommendations are framed as validation questions and telemetry requirements rather than confirmed ATT&CK-prescribed analytics.
No active exploitation, attribution, platform scope, or guaranteed detection coverage is asserted. Practical implementation depends on the specific PLC vendors, engineering tools, controller logging, network architecture, and local change-management maturity.
Detection of Online Edit
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0843.002 | Online Edit Sub-technique | This object detects Online Edit. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2368b240fe3e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0915 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.