On Android, a defender correlates navigation to external web content in a browser or embedded WebView with immediate script-heavy or exploit-preparation network activity, followed by abnormal browser/WebView process behavior, suspicious file or download artifacts, or rapid post-visit capability shifts such as new package install attempts, overlay prompts, permission requests, or outbound command traffic inconsistent with normal browsing.
| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | New permission prompt, package install attempt, accessibility/overlay special access request, or other post-browse capability escalation following browser/WebView activity |
| OS API Execution (DC0021) | MobileEDR:telemetry | Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence |
| Network Traffic Content (DC0085) | NSM:Flow | Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit |
| File Creation (DC0039) | MobileEDR:telemetry | Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content |
| Process Creation (DC0032) | MobileEDR:telemetry | Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior |
| Field | Description |
|---|---|
| NavigationToExploitWindow | Time window used to correlate web navigation with redirects, fingerprinting, downloads, or post-visit capability changes. |
| AllowedBrowserApps | Allow-list of expected browsers or sanctioned WebView-hosting apps used in the enterprise. |
| RedirectChainThreshold | Threshold for suspicious number of redirects or cross-domain hops during a single browsing session. |
| NewDomainBurstThreshold | Threshold for the number of newly observed domains contacted in a short browsing window. |
| DownloadArtifactThreshold | Threshold for suspicious downloaded or cached artifacts created after navigation. |
| PostVisitCapabilityShiftRequired | Determines whether to require a new install/prompt/permission/overlay event after browsing to raise confidence. |
| AllowedAdTechDomains | Baseline of normal advertising/CDN/tracking domains to reduce false positives from legitimate browsing. |
On iOS, a defender correlates Safari or embedded web content navigation with short-lived but abnormal web session behavior such as staged redirects, environment fingerprinting, or exploit-preparation fetches, followed by browser/WebView instability, unusual file handling, profile/download prompts, or near-term changes in device or application behavior inconsistent with normal browsing.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit |
| File Creation (DC0039) | MobileEDR:telemetry | Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content |
| Process Creation (DC0032) | MobileEDR:telemetry | Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior |
| Application Permission (DC0114) | iOS:MDMLog | Post-browse configuration profile prompt, managed/unmanaged app handoff anomaly, or compliance-relevant state change shortly after browser activity |
| Field | Description |
|---|---|
| NavigationToExploitWindow | Time window linking Safari/WebView navigation to redirects, downloads, crashes, or post-visit state changes. |
| AllowedBrowserApps | Allow-list of expected browsers and sanctioned embedded web container apps. |
| RedirectChainThreshold | Threshold for suspicious redirect depth or cross-domain chaining. |
| FingerprintingRequestThreshold | Threshold for suspicious browser/environment enumeration requests during browsing session. |
| DownloadArtifactThreshold | Threshold for suspicious downloaded files, profiles, or cached artifacts created after page visit. |
| PostVisitBehaviorShiftThreshold | Threshold for abnormal changes in app/device behavior after browsing, such as repeated browser crashes or unexpected handoffs. |
| AllowedAdTechDomains | Baseline of expected ad-tech, CDN, and analytics domains to suppress benign browsing noise. |
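Both the Android and the iOS analytics above describe the same correlation: anchor on a browser/WebView navigation, look for redirect chains, new-domain bursts, fingerprinting requests and dropped artifacts inside NavigationToExploitWindow, and only raise when a post-visit capability shift or instability follows (when PostVisitCapabilityShiftRequired is set). The following Python is an added example written for this page, not code from the page or from ATT&CK; the event schema, the `Event`/`Params` names, the default threshold values, the domain names and the sample telemetry are all constructed assumptions chosen to exercise the tunable fields in the tables.

```python
"""Correlate browser/WebView navigation with post-visit anomalies (added example, assumed schema)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime      # when the telemetry record was observed
    kind: str         # navigation | redirect | fetch | fingerprint | file_create | crash | capability_shift
    app: str          # browser/WebView app id; "" marks device-level MDM telemetry (no owning app)
    domain: str = ""  # remote domain for network events, artifact path or prompt label otherwise


@dataclass(frozen=True)
class Params:
    # Hypothetical defaults for the tunable fields named in the tables; tune per environment.
    navigation_to_exploit_window: timedelta = timedelta(seconds=120)
    allowed_browser_apps: frozenset = frozenset({"com.android.chrome", "com.apple.mobilesafari"})
    redirect_chain_threshold: int = 3
    new_domain_burst_threshold: int = 3
    fingerprinting_request_threshold: int = 2
    download_artifact_threshold: int = 1
    post_visit_capability_shift_required: bool = True
    allowed_ad_tech_domains: frozenset = frozenset({"cdn.ads-baseline.test", "analytics.baseline.test"})


NETWORK_KINDS = {"redirect", "fetch", "fingerprint"}
SHIFT_KINDS = {"capability_shift", "crash"}   # the "post-visit" leg of the analytic


def correlate(events, params, known_domains):
    """Return one alert dict per navigation whose follow-on activity crosses the thresholds."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for nav in (e for e in events if e.kind == "navigation"):
        deadline = nav.ts + params.navigation_to_exploit_window
        # Same app as the navigation, or device-level telemetry, inside the correlation window.
        window = [e for e in events
                  if e is not nav and e.app in (nav.app, "") and nav.ts <= e.ts <= deadline]
        redirects = [e for e in window if e.kind == "redirect"
                     and e.domain not in params.allowed_ad_tech_domains]
        new_domains = {e.domain for e in window if e.kind in NETWORK_KINDS
                       and e.domain not in params.allowed_ad_tech_domains
                       and e.domain not in known_domains}
        fingerprints = [e for e in window if e.kind == "fingerprint"]
        downloads = [e for e in window if e.kind == "file_create"]
        shifts = [e for e in window if e.kind in SHIFT_KINDS]

        reasons = []
        if len(redirects) >= params.redirect_chain_threshold:
            reasons.append(f"redirect_chain={len(redirects)}")
        if len(new_domains) >= params.new_domain_burst_threshold:
            reasons.append(f"new_domains={len(new_domains)}")
        if len(fingerprints) >= params.fingerprinting_request_threshold:
            reasons.append(f"fingerprinting={len(fingerprints)}")
        if len(downloads) >= params.download_artifact_threshold:
            reasons.append(f"download_artifacts={len(downloads)}")
        if not reasons:
            continue   # the web session itself looked normal
        if params.post_visit_capability_shift_required and not shifts:
            continue   # suspicious session but no capability shift / instability: stay quiet
        if shifts:
            reasons.append("post_visit_shift=" + ",".join(sorted({s.domain for s in shifts})))
        if nav.app not in params.allowed_browser_apps:
            reasons.append("unsanctioned_browser")   # raises confidence, never alerts on its own
        alerts.append({"app": nav.app, "landing": nav.domain, "ts": nav.ts, "reasons": reasons})
    return alerts


# ---- constructed sample telemetry: one benign session, one Android and one iOS drive-by shape ----
T0 = datetime(2024, 1, 1, 12, 0, 0)
def at(sec): return T0 + timedelta(seconds=sec)

KNOWN_DOMAINS = {"news.baseline.test", "cdn.ads-baseline.test", "analytics.baseline.test"}
SAMPLE_EVENTS = [
    # benign Chrome visit: one ad-tech hop, no artifacts, nothing changes afterwards
    Event(at(0), "navigation", "com.android.chrome", "news.baseline.test"),
    Event(at(1), "redirect", "com.android.chrome", "cdn.ads-baseline.test"),
    Event(at(2), "fetch", "com.android.chrome", "analytics.baseline.test"),
    # Android: redirect cascade through unseen domains, fingerprinting, dropped file, install prompt
    Event(at(600), "navigation", "com.android.chrome", "landing.unseen-a.test"),
    Event(at(601), "redirect", "com.android.chrome", "hop1.unseen-b.test"),
    Event(at(602), "redirect", "com.android.chrome", "hop2.unseen-c.test"),
    Event(at(603), "redirect", "com.android.chrome", "hop3.unseen-d.test"),
    Event(at(604), "fingerprint", "com.android.chrome", "hop3.unseen-d.test"),
    Event(at(605), "fingerprint", "com.android.chrome", "hop3.unseen-d.test"),
    Event(at(610), "file_create", "com.android.chrome", "Download/stage.apk"),
    Event(at(640), "capability_shift", "", "package_install_prompt"),
    # iOS: Safari session with fingerprinting, a WebContent crash, then a profile prompt
    Event(at(1200), "navigation", "com.apple.mobilesafari", "landing.unseen-e.test"),
    Event(at(1201), "redirect", "com.apple.mobilesafari", "hop1.unseen-f.test"),
    Event(at(1202), "fingerprint", "com.apple.mobilesafari", "hop1.unseen-f.test"),
    Event(at(1203), "fingerprint", "com.apple.mobilesafari", "hop1.unseen-f.test"),
    Event(at(1230), "crash", "com.apple.mobilesafari", "webcontent_crash"),
    Event(at(1260), "capability_shift", "", "configuration_profile_prompt"),
]


def run_sample(params=Params()):
    return correlate(SAMPLE_EVENTS, params, KNOWN_DOMAINS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

With the defaults, the benign session produces nothing because its only hops are in AllowedAdTechDomains and KNOWN_DOMAINS, the Android session trips every threshold, and the iOS session alerts on fingerprinting alone because it is followed by both a crash and a profile prompt; raising `fingerprinting_request_threshold` to 3 silences the iOS session, which shows why the ad-tech baseline and the per-indicator thresholds matter more for false-positive control than the capability-shift requirement does.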