The defender correlates an Android-specific causal chain in which device connectivity degrades or oscillates across one or more radios, applications lose or repeatedly reattempt network access, and the radio or network failure pattern is inconsistent with ordinary mobility, coverage transition, or user-initiated airplane mode behavior. The defender correlates radio state, connectivity framework behavior, application state, network session failures, and location/network-provider degradation to distinguish network denial effects from routine weak-signal conditions.

| Data Component | Name | Channel |
|---|---|---|
| System Settings (DC0118) | android:MDMLog | No user-initiated airplane mode, radio disablement, or managed network setting change occurred during repeated connectivity degradation |
| Protected Configuration (DC0115) | android:MDMLog | Managed Wi-Fi, VPN, cellular, or location-related policy state remains unchanged while network capability degrades |
| Application State (DC0123) | MobileEDR:telemetry | Foreground or background applications remain active while network-dependent activity stalls, retries, or transitions into repeated failure state |
| OS API Execution (DC0021) | MobileEDR:telemetry | Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions |
| Application Permission (DC0114) | MobileEDR:telemetry | App with network-, telephony-, Wi-Fi-, or location-adjacent capability is impacted by abrupt repeated service loss while permissions remain unchanged |

| Field | Description |
|---|---|
| TimeWindow | Maximum span for correlating connectivity degradation, application retry behavior, and network-session failure into a single denial event. |
| ExpectedMobilityPopulation | Users or device populations expected to move through low-coverage zones or transit environments that naturally cause network oscillation. |
| AllowedAppList | Apps expected to generate frequent retry behavior or maintain persistent sessions under ordinary weak-signal conditions. |
| ForegroundStateRequired | Whether impacted applications are expected to be actively visible to the user for the analytic to carry high confidence. |
| RecentUserInteractionWindow | Time threshold for determining whether connectivity degradation occurred during active device use versus idle background operation. |
| FailureBurstThreshold | Threshold for repeated disconnects, resets, DNS failures, or transport failures within the correlation window. |
| LocationProviderDependencyList | Apps or services expected to rely on GPS or network-based location and therefore likely to exhibit secondary degradation during jamming. |
| ExpectedCoverageZones | Known sites or geographies with weak legitimate coverage that should be baseline-adjusted. |

The defender correlates an iOS-specific reduced-confidence chain in which a managed or supervised device remains active but experiences abrupt loss of network-dependent functionality, repeated session failure, or sustained communication inability without matching configuration changes or ordinary user action. Because direct radio-layer and RF-cause visibility is weaker on iOS, the defender emphasizes device posture, application wake or foreground behavior during service loss, protected network-policy stability, and downstream failure patterns observed in VPN or proxy telemetry.

| Data Component | Name | Channel |
|---|---|---|
| Protected Configuration (DC0115) | iOS:MDMLog | Managed Wi-Fi, VPN, cellular, or location-service policy remains unchanged while device connectivity repeatedly degrades |
| System Settings (DC0118) | iOS:MDMLog | No user-initiated airplane mode or radio-related setting change occurred while applications experience repeated network unavailability |
| Application State (DC0123) | MobileEDR:telemetry | Foreground or background applications remain active while network-dependent activity stalls, retries, or transitions into repeated failure state |
| OS API Execution (DC0021) | MobileEDR:telemetry | Observed network-path, reachability, DNS, transport, or location-provider framework reports repeated unavailable or failed state near active device use |
| Application Permission (DC0114) | MobileEDR:telemetry | Network- or location-dependent app capability state remains unchanged while the app experiences sustained communication failure |

| Field | Description |
|---|---|
| TimeWindow | Maximum span for correlating app activity, posture stability, and repeated network failure into a single denial event. |
| SupervisedOnly | Whether the analytic should only apply to supervised devices with high-confidence MDM policy telemetry. |
| AllowedAppList | Apps expected to retry aggressively or queue offline work during routine coverage degradation. |
| ForegroundStateRequired | Whether the app should be foreground or recently active for the analytic to be treated as high confidence. |
| RecentUserInteractionWindow | Time threshold for determining whether the denial occurred during active user use versus background idle periods. |
| FailureBurstThreshold | Threshold for repeated session failures, resets, timeouts, or DNS failures within the correlation window. |
| ExpectedCoverageZones | Known sites or geographies where benign poor service should be baseline-adjusted. |
| TrustedDestinationAllowList | Expected enterprise destinations whose temporary maintenance or outage should not be treated as device-targeted denial. |
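
The correlation both analytics describe, as an added example (not part of the original page or any vendor's implementation): repeated failures inside TimeWindow count as a denial burst only when an app was active and no airplane-mode, radio, or policy change explains them. The event schema, event kind names, device names, and threshold values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Tunables named after the fields in the tables above; the values are assumptions.
TIME_WINDOW = timedelta(minutes=5)
FAILURE_BURST_THRESHOLD = 4
ALLOWED_APP_LIST = {"com.example.offlinesync"}
EXPECTED_COVERAGE_ZONES = {"parking-level-2"}
SUPERVISED_ONLY = True  # applied to iOS devices only
FAILURES = {"disconnect", "dns_failure", "timeout", "reset"}
BENIGN_CAUSES = {"airplane_mode_on", "radio_disabled", "policy_change"}  # MDM log

def detect_denial(events, devices):
    """Return (device, burst_start, failure_count) for each suspected denial burst."""
    findings = []
    for dev, meta in devices.items():
        if meta["platform"] == "ios" and SUPERVISED_ONLY and not meta["supervised"]:
            continue  # unsupervised iOS: MDM posture telemetry is low confidence
        evs = sorted((e for e in events if e["device"] == dev), key=lambda e: e["ts"])
        fails = [e for e in evs if e["kind"] in FAILURES
                 and e.get("app") not in ALLOWED_APP_LIST
                 and e.get("zone") not in EXPECTED_COVERAGE_ZONES]
        i = 0
        while i < len(fails):
            start = fails[i]["ts"]
            burst = [f for f in fails[i:] if f["ts"] - start <= TIME_WINDOW]
            window = [e for e in evs if start - TIME_WINDOW <= e["ts"] <= burst[-1]["ts"]]
            explained = any(e["kind"] in BENIGN_CAUSES for e in window)
            app_active = any(e["kind"] == "app_active" for e in window)
            if len(burst) >= FAILURE_BURST_THRESHOLD and app_active and not explained:
                findings.append((dev, start, len(burst)))
                i += len(burst)  # report each burst once
            else:
                i += 1
    return findings

# Constructed sample telemetry (hypothetical schema, not a real MDM or EDR format).
T0 = datetime(2024, 1, 1, 9, 0)
def ev(dev, sec, kind, **kw):
    return {"device": dev, "ts": T0 + timedelta(seconds=sec), "kind": kind, **kw}
DEVICES = {"android-1": {"platform": "android", "supervised": False},
           "android-2": {"platform": "android", "supervised": False},
           "ios-1": {"platform": "ios", "supervised": False}}
EVENTS = ([ev("android-1", 0, "app_active", app="com.example.mail")]
          + [ev("android-1", 20 * n, k, app="com.example.mail") for n, k in
             enumerate(["disconnect", "dns_failure", "timeout", "disconnect"], 1)]
          + [ev("android-2", 0, "airplane_mode_on"), ev("android-2", 5, "app_active")]
          + [ev("android-2", 10 * n, "disconnect", app="com.example.mail") for n in range(1, 6)]
          + [ev("ios-1", 0, "app_active")]
          + [ev("ios-1", 10 * n, "timeout", app="com.example.mail") for n in range(1, 6)])
```

On the sample data only `android-1` is reported: `android-2` is explained by the airplane-mode event, and `ios-1` is skipped because it is unsupervised while `SUPERVISED_ONLY` is set.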