Defender correlates an app process performing a burst of OS/device attribute lookups (build, hardware, SDK level, system properties) with near-term execution branching (feature gating, module load, permission workflow changes) and/or immediate outbound communications, indicating environment evaluation used to shape follow-on actions.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | android:logcat | Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE) |

| Field | Description |
|---|---|
| TimeWindowSeconds | Correlation window for system-info collection burst → outbound transmission (e.g., 60–900s). |
| MinSystemInfoSignals | Minimum number of distinct system-attribute reads/queries within the window to count as ‘broad fingerprinting’ (tune to telemetry fidelity). |
| DistinctAttributeThreshold | How many distinct attribute categories (build fields, cpu, locale, patch level, network identifiers) must be observed. |
| BackgroundOnly | If true, require that the burst occur while the app is in the background, to reduce noise from legitimate settings/about-device screens. |
| AllowlistedPackages | Legitimate device management, diagnostics, carrier services, and enterprise security apps expected to collect device inventory. |
| NewDomainWindowSeconds | Window for ‘newly contacted domain’ enrichment after the fingerprinting burst. |
| SmallPostByteRange | Approximate payload size range used for the ‘fingerprint submit’ heuristic (environment dependent). |
Defender correlates an app querying device model and iOS version (often limited to UIDevice-visible attributes) with subsequent behavior divergence (capability gating, alternate code paths) and/or near-term outbound connections, suggesting device fingerprinting for decision-making rather than normal telemetry.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | iOS:unifiedlog | Application invokes UIDevice queries (model, systemVersion, name) |

| Field | Description |
|---|---|
| QueryFrequencyThreshold | Baseline-dependent threshold for distinguishing normal app telemetry from discovery behavior |
| QueryToExecutionDeviationWindow | Defines acceptable delay between device queries and execution changes |
| DeviceModelBaseline | Allows tuning for environments with homogeneous vs heterogeneous device fleets |
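The two analytics above (the Android burst-to-outbound correlation and the iOS query-to-execution correlation) share one core: a sliding window over attribute reads per package, thresholds on signal count and category diversity, and a look-ahead for follow-on behavior. The block below is an added illustration of that logic in Python; it is not part of the original page or of any detection product. The event schema (`fg`/`attr`/`exec`/`net` records), the package names, domains and timestamps are all constructed sample data, not real logcat or unified-log output, and the `Config` field names map onto the tunables in the tables above. It also includes a small baseline helper for deriving a QueryFrequencyThreshold from fleet counts, which the tables only describe in words.

```python
"""Added example: correlate bursts of device-attribute lookups with follow-on actions.
Event schema, package names, domains and timestamps are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Config:
    """Tunables, named after the fields in the detection tables above."""
    time_window_s: int          # TimeWindowSeconds
    min_signals: int            # MinSystemInfoSignals / QueryFrequencyThreshold
    distinct_categories: int    # DistinctAttributeThreshold
    background_only: bool       # BackgroundOnly
    allowlist: frozenset        # AllowlistedPackages
    new_domain_window_s: int    # NewDomainWindowSeconds
    small_post_bytes: tuple     # SmallPostByteRange as (min, max)
    exec_window_s: int          # QueryToExecutionDeviationWindow


ANDROID_CFG = Config(300, 4, 3, True, frozenset({"com.vendor.mdm"}), 120, (200, 4096), 60)
IOS_CFG = Config(120, 3, 2, False, frozenset(), 120, (200, 4096), 30)

# Constructed telemetry: (timestamp_s, package, kind, details). kind is "fg" (foreground
# state change), "attr" (attribute read), "exec" (code-path change) or "net" (outbound POST).
ANDROID_EVENTS = [
    (100, "com.example.weather", "fg", {"foreground": True}),
    (101, "com.example.weather", "attr", {"field": "Build.MODEL", "cat": "build"}),
    (102, "com.example.weather", "net", {"domain": "api.weather.example", "bytes": 900}),
    (500, "com.example.flashlight", "fg", {"foreground": False}),
    (501, "com.example.flashlight", "attr", {"field": "Build.MODEL", "cat": "build"}),
    (501, "com.example.flashlight", "attr", {"field": "Build.MANUFACTURER", "cat": "build"}),
    (502, "com.example.flashlight", "attr", {"field": "VERSION.SDK_INT", "cat": "build"}),
    (502, "com.example.flashlight", "attr", {"field": "/proc/cpuinfo", "cat": "cpu"}),
    (503, "com.example.flashlight", "attr", {"field": "Locale.getDefault", "cat": "locale"}),
    (503, "com.example.flashlight", "attr", {"field": "getNetworkOperator", "cat": "network"}),
    (520, "com.example.flashlight", "exec", {"detail": "DexClassLoader load"}),
    (540, "com.example.flashlight", "net", {"domain": "cdn-x7.example", "bytes": 1400}),
    (900, "com.vendor.mdm", "fg", {"foreground": False}),
    (901, "com.vendor.mdm", "attr", {"field": "Build.MODEL", "cat": "build"}),
    (901, "com.vendor.mdm", "attr", {"field": "Build.HARDWARE", "cat": "build"}),
    (902, "com.vendor.mdm", "attr", {"field": "/proc/cpuinfo", "cat": "cpu"}),
    (902, "com.vendor.mdm", "attr", {"field": "getNetworkOperator", "cat": "network"}),
    (930, "com.vendor.mdm", "net", {"domain": "inventory.vendor.example", "bytes": 2000}),
]
IOS_EVENTS = [
    (10, "com.example.notes", "attr", {"field": "UIDevice.model", "cat": "model"}),
    (11, "com.example.notes", "attr", {"field": "UIDevice.systemVersion", "cat": "version"}),
    (11, "com.example.notes", "attr", {"field": "UIDevice.name", "cat": "name"}),
    (25, "com.example.notes", "exec", {"detail": "alternate capability path selected"}),
]
# Domains already seen for these packages; anything else counts as "newly contacted".
KNOWN_DOMAINS = {"api.weather.example", "inventory.vendor.example"}


def frequency_threshold(baseline_counts, k=3.0):
    """Derive a per-window query-count threshold from a fleet baseline (mean + k * stdev);
    this is the kind of baseline-dependent value QueryFrequencyThreshold calls for."""
    return mean(baseline_counts) + k * pstdev(baseline_counts)


def detect(events, cfg, known_domains):
    """Return one alert per package whose attribute-read burst meets the thresholds and is
    followed, within the configured windows, by an execution change or by a small POST to
    a domain not seen before."""
    by_pkg = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_pkg[ev[1]].append(ev)
    alerts = []
    for pkg, evs in by_pkg.items():
        if pkg in cfg.allowlist:
            continue
        foreground, reads = True, []
        for ts, _, kind, d in evs:
            if kind == "fg":
                foreground = d["foreground"]
            elif kind == "attr" and not (cfg.background_only and foreground):
                reads.append((ts, d["cat"]))
        for t0, _ in reads:  # slide a window starting at each read
            window = [r for r in reads if t0 <= r[0] <= t0 + cfg.time_window_s]
            cats = {cat for _, cat in window}
            if len(window) < cfg.min_signals or len(cats) < cfg.distinct_categories:
                continue
            t_end = window[-1][0]
            follow_on = []
            for ts, _, kind, d in evs:
                if kind == "exec" and t_end < ts <= t_end + cfg.exec_window_s:
                    follow_on.append(("exec", d["detail"]))
                elif kind == "net" and t_end < ts <= t_end + cfg.new_domain_window_s:
                    lo, hi = cfg.small_post_bytes
                    if d["domain"] not in known_domains and lo <= d["bytes"] <= hi:
                        follow_on.append(("net", d["domain"]))
            if follow_on:
                alerts.append({"pkg": pkg, "burst": (t0, t_end), "signals": len(window),
                               "categories": sorted(cats), "follow_on": follow_on})
                break  # report the first qualifying burst per package
    return alerts


if __name__ == "__main__":
    for alert in detect(ANDROID_EVENTS, ANDROID_CFG, KNOWN_DOMAINS) + detect(IOS_EVENTS, IOS_CFG, KNOWN_DOMAINS):
        print(alert)
```

Run as a script it prints two alerts: the background flashlight package (six reads across four categories, then a module load and a small POST to an unseen domain) and the iOS notes package (three UIDevice queries followed by a code-path change inside the deviation window). The weather app is suppressed by BackgroundOnly, and the MDM agent is suppressed twice over: by the allowlist and, even without it, because its upload goes to an already-known inventory domain.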