Defender observes an application establishing recurrent HTTPS or FCM-based communication sessions exhibiting structured cadence, asymmetric request/response sizes, or persistent low-volume polling inconsistent with declared application functionality, potentially embedding command data within web protocol traffic.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline |

| Field | Description |
|---|---|
| BeaconIntervalVarianceThreshold | Defines acceptable deviation in HTTPS polling cadence |
| PayloadSymmetryThreshold | Defines acceptable ratio between request and response sizes |
| AppNetworkRoleBaseline | Expected mapping between application category and network endpoints |

Defender observes an application establishing recurrent HTTPS or APNS-related communications exhibiting structured cadence, abnormal session persistence, or notification-triggered network bursts inconsistent with user interaction patterns or declared application behavior.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline |

| Field | Description |
|---|---|
| NotificationWakeFrequencyThreshold | Baseline deviation tolerance for background wake events |
| HTTPSCadenceAnomalyThreshold | Acceptable deviation in recurring web traffic timing |
| SessionPersistenceThreshold | Threshold for abnormal TLS session duration |
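
The cadence and payload checks described in both analytics above can be scored over flow records as follows. This is an added example, not part of the original page: the flow tuple layout, app and host names, threshold values, and the reading of the variance threshold as a coefficient of variation are all assumptions.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Assumed readings of the page's tunable fields; the values are illustrative.
BEACON_INTERVAL_VARIANCE_THRESHOLD = 0.10  # max coefficient of variation of session gaps
PAYLOAD_SYMMETRY_THRESHOLD = 8.0           # max median response/request byte ratio
APP_NETWORK_ROLE_BASELINE = {              # hypothetical app -> expected endpoints
    "com.example.news": {"cdn.news.example"},
    "com.example.flashlight": set(),       # no network role declared
}
MIN_SESSIONS = 6  # fewer sessions than this cannot establish a cadence

def constructed_flows():
    """Constructed records: (epoch_s, app, dest_host, bytes_out, bytes_in)."""
    flows = [(1000 + 300 * i + j, "com.example.flashlight", "api.example.net", 220, 2600)
             for i, j in enumerate([0, 4, -3, 2, -5, 1, 3, -2])]  # ~300 s polling
    flows += [(t, "com.example.news", "cdn.news.example", o, r) for t, o, r in
              [(1010, 900, 4800), (1075, 850, 1200), (1900, 1200, 9500),
               (2000, 700, 900), (3500, 1000, 3000), (3560, 800, 2400),
               (5200, 950, 5100)]]                                 # user-driven
    return flows

def score_flows(flows):
    """Return {(app, dest): [reasons]} for pairs that deviate from the thresholds."""
    sessions = defaultdict(list)
    for ts, app, dest, out_b, in_b in flows:
        sessions[(app, dest)].append((ts, out_b, in_b))
    findings = {}
    for (app, dest), rows in sessions.items():
        if len(rows) < MIN_SESSIONS:
            continue
        rows.sort()
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        # Low variation relative to the mean gap indicates timer-driven traffic.
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else float("inf")
        ratio = median(in_b / max(out_b, 1) for _, out_b, in_b in rows)
        reasons = []
        if cv <= BEACON_INTERVAL_VARIANCE_THRESHOLD:
            reasons.append(f"periodic cadence (cv={cv:.3f}, mean gap={mean(gaps):.0f}s)")
        if ratio > PAYLOAD_SYMMETRY_THRESHOLD:
            reasons.append(f"asymmetric payloads (median in/out={ratio:.1f})")
        if dest not in APP_NETWORK_ROLE_BASELINE.get(app, set()):
            reasons.append("endpoint outside app role baseline")
        if reasons:
            findings[(app, dest)] = reasons
    return findings

if __name__ == "__main__":
    for pair, reasons in score_flows(constructed_flows()).items():
        print(pair, reasons)
```

Thresholds need tuning per application category, since legitimate sync and push clients also poll on timers.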