Detects indirect evidence of host-side indicator removal by correlating (1) local artifact creation or compromise-state-relevant activity, (2) later disappearance, alteration, or reporting loss for those artifacts or state indicators, and (3) continued application or device activity under reduced visibility. Because iOS provides weaker direct visibility into some Android-style artifact and jailbreak-indicator manipulation patterns, the defender relies more on app-private artifact lifecycle changes, managed posture shifts, and continued runtime or network activity after expected evidence disappears.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | Application Vetting | None |
| System Settings (DC0118) | User Interface | None |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between artifact disappearance, posture change, and continued activity |
| ArtifactTypeSet | Host artifacts and state indicators monitored for suspicious removal, alteration, or disappearance |
| ExpectedTelemetrySources | Baseline sources expected to continue exposing artifact presence or compromise-relevant state |
| TelemetryGapThreshold | Threshold defining abnormal loss of artifact visibility or managed-state continuity |
| ExpectedManagementChanges | Known legitimate posture or inventory changes that may remove or update artifacts |
| UplinkBytesThreshold | Outbound traffic threshold used to confirm meaningful continued activity after indicator removal |

Correlates (1) application activity that creates, modifies, or accesses local artifacts relevant to detection or device compromise state, (2) subsequent deletion, alteration, renaming, relocation, or visibility suppression of those artifacts, including files, application presence, media, or root-compromise indicators, and (3) continued application execution, reduced telemetry quality, or outbound activity after the artifact state changes. The defender observes a causal chain where host-side evidence is first manipulated and expected visibility or reporting degrades while the initiating application remains active.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | device posture or compromise-state indicators change unexpectedly, including rooted or non-compliant status disappearance, after prior app or system activity suggesting persistence on device |
| | android:MDMLog | managed application state changes unexpectedly through uninstall, disappearance from expected inventory, or install-state mismatch after prior suspicious activity |
| OS API Execution (DC0021) | MobileEDR:telemetry | application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between artifact change, visibility degradation, and continued execution or network activity |
| ArtifactTypeSet | Types of host artifacts monitored for suspicious removal or alteration, such as files, installed-app presence, hidden media, or compromise markers |
| ExpectedTelemetrySources | Baseline sources expected to continue reflecting artifacts or compromise state |
| TelemetryGapThreshold | Threshold defining abnormal loss of artifact visibility or reporting continuity |
| AllowedAppList | Legitimate apps expected to delete or alter artifacts as part of normal lifecycle or cleanup behavior |
| UplinkBytesThreshold | Outbound traffic threshold used to confirm meaningful activity after indicator removal |
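The three-stage correlation described above (artifact creation, later disappearance or posture-indicator loss, continued uplink by the same app), written out as an added example that is not part of the page. It assumes a flattened event stream with constructed sample records; the event kinds, app names and paths are invented for illustration, and the tunables map onto TimeWindow, AllowedAppList and UplinkBytesThreshold from the table.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the page): (timestamp, source, app, kind, detail).
# kind is one of: artifact_create, artifact_gone (delete/rename/inventory loss),
# posture_change (rooted or non-compliant flag disappears), uplink (bytes sent).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "MobileEDR:telemetry", "com.example.suspect", "artifact_create", "/data/app/stage2.bin"),
    ("2024-05-01T10:02:00", "android:MDMLog", "system", "posture_change", "rooted -> compliant"),
    ("2024-05-01T10:03:00", "MobileEDR:telemetry", "com.example.suspect", "artifact_gone", "/data/app/stage2.bin"),
    ("2024-05-01T10:05:00", "MobileEDR:telemetry", "com.example.suspect", "uplink", 240_000),
    ("2024-05-01T11:00:00", "MobileEDR:telemetry", "com.vendor.cleaner", "artifact_create", "/cache/tmp.log"),
    ("2024-05-01T11:01:00", "MobileEDR:telemetry", "com.vendor.cleaner", "artifact_gone", "/cache/tmp.log"),
    ("2024-05-01T11:02:00", "MobileEDR:telemetry", "com.vendor.cleaner", "uplink", 500),
]

def detect_indicator_removal(events, time_window=timedelta(minutes=30),
                             allowed_apps=frozenset(), uplink_bytes_threshold=100_000):
    """Per artifact: (1) an app creates it, (2) within time_window the same artifact disappears
    or a device posture indicator is lost, (3) the same app still sends at least
    uplink_bytes_threshold bytes after stage 2. Returns one alert dict per completed chain."""
    parsed = sorted((datetime.fromisoformat(ts), src, app, kind, detail)
                    for ts, src, app, kind, detail in events)
    alerts = []
    for i, (t_create, _, app, kind, artifact) in enumerate(parsed):
        if kind != "artifact_create" or app in allowed_apps:  # AllowedAppList suppression
            continue
        window = [e for e in parsed[i + 1:] if e[0] - t_create <= time_window]
        # Stage 2: the artifact is removed, or a compromise indicator vanishes device-wide.
        removal = next((e for e in window
                        if (e[3] == "artifact_gone" and e[2] == app and e[4] == artifact)
                        or e[3] == "posture_change"), None)
        if removal is None:
            continue
        # Stage 3: continued outbound activity by the same app after the evidence was lost.
        uplink = sum(e[4] for e in window
                     if e[0] > removal[0] and e[2] == app and e[3] == "uplink")
        if uplink >= uplink_bytes_threshold:
            alerts.append({"app": app, "artifact": artifact, "created": t_create.isoformat(),
                           "evidence_lost": f"{removal[3]}: {removal[4]}", "uplink_bytes": uplink})
    return alerts

if __name__ == "__main__":
    for alert in detect_indicator_removal(SAMPLE_EVENTS, allowed_apps=frozenset({"com.vendor.cleaner"})):
        print(alert)
```

The cleaner app is dropped either by the allow-list or, without it, by its 500 bytes of uplink falling below the threshold, which is the difference between routine cleanup and evidence removal followed by continued activity.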