A defender correlates a sudden carrier identity/service state change (SIM/line identifier change or unexpected loss of cellular service) with near-term device messaging/telephony disruption and a concurrent shift in authentication traffic patterns—such as a spike in SMS-based verification flows or account recovery activity from the same user’s identities—indicating the user’s number may have been transferred to a different SIM/device (SIM swap impact).

| Data Component | Name | Channel |
|---|---|---|
| System Settings (DC0118) | MobileEDR:telemetry | Cellular service state transitions (in-service→no-service), SIM state change, carrier/operator identifier change, or baseband/telephony stack state change observed by agent telemetry |
| OS API Execution (DC0021) | MobileEDR:telemetry | Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed') |
| Application Permission (DC0114) | android:MDMLog | Device inventory changes involving phone number/line identifier fields (when available), eSIM profile presence, or compliance signal indicating SIM profile change |
| Network Traffic Content (DC0085) | NSM:Flow | Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss |
| Network Traffic Content (DC0085) | NSM:Flow | Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss |

| Field | Description |
|---|---|
| ServiceLossDurationThreshold | Minimum duration of unexpected cellular service loss before considering it suspicious (reduces noise from transient coverage issues). |
| SimStateChangeTypes | Which SIM-related state changes to alert on (SIM removed, SIM refresh, operator changed, eSIM profile changed). |
| SwapCorrelationWindow | Time window to correlate SIM/service state change with downstream identity traffic anomalies (e.g., 30m–6h). |
| IdentityEndpointAllowList | Baseline of expected IdP/banking/crypto identity endpoints for the org; used to reduce false positives. |
| AuthTrafficSpikeThreshold | Threshold for increase in OTP/MFA/account recovery traffic volume relative to user baseline. |
| UserTravelContext | Optional enrichment: treat carrier changes as lower risk during known travel/roaming windows. |

A defender correlates an unexpected change in cellular subscription state (eSIM/SIM profile change, carrier/operator change, or sudden persistent loss of cellular service) with near-term disruption signals and a rapid increase in authentication-related network activity consistent with SMS verification or account recovery flows, suggesting the user’s number has been ported to an adversary-controlled SIM/device (SIM swap impact).

| Data Component | Name | Channel |
|---|---|---|
| System Settings (DC0118) | MobileEDR:telemetry | Cellular service state transitions (in-service→no-service), SIM state change, carrier/operator identifier change, or baseband/telephony stack state change observed by agent telemetry |
| Application Permission (DC0114) | iOS:MDMLog | Managed device inventory change indicating cellular plan/eSIM profile updates (where available via supervised iOS + MDM reporting) |
| OS API Execution (DC0021) | MobileEDR:telemetry | Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed') |
| Network Traffic Content (DC0085) | NSM:Flow | Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss |
| Network Traffic Content (DC0085) | NSM:Flow | Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss |

| Field | Description |
|---|---|
| SupervisedInventoryAvailability | Tuning based on whether supervised iOS + MDM provides sufficient subscription/eSIM visibility; otherwise rely on agent + network signals. |
| ServiceLossDurationThreshold | Minimum persistent no-service duration required to reduce false positives from normal carrier fluctuations. |
| SwapCorrelationWindow | Time window to link subscription disruption with identity/auth network anomalies. |
| AuthTrafficSpikeThreshold | Threshold for suspicious increase in OTP/MFA/account recovery traffic relative to device/user baseline. |
| RoamingExpectedRegions | Tuning to reduce false positives when the user is traveling or roaming across carrier networks. |
| IdentityEndpointAllowList | Baseline list of expected identity endpoints (IdP, banking, crypto) for the device/user population. |
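The correlation logic described in both analytics above (the Android and iOS variants share the same trigger, window and threshold structure), written out as an added Python example; this is not code from the original page nor from any MITRE or vendor tooling. The event shapes, hostnames, travel-window structure and tuning defaults are constructed assumptions, and IdentityEndpointAllowList is interpreted here as the set of identity endpoints whose traffic is counted toward the spike.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


# Constructed event shapes for this example; a real MobileEDR agent or NSM
# flow sensor names its fields differently, so map them in before use.
@dataclass
class DeviceEvent:
    ts: datetime
    user: str
    kind: str      # "service_state" or "sim_state"
    detail: str    # e.g. "in-service->no-service", "SIM removed", "eSIM profile changed"


@dataclass
class FlowEvent:
    ts: datetime
    user: str
    dst_host: str
    egress: str    # "cellular", "wifi" or "vpn"


@dataclass
class Tuning:
    """Knobs named after the tuning fields in the tables above (defaults are constructed)."""
    service_loss_duration_threshold: timedelta = timedelta(minutes=10)
    sim_state_change_types: frozenset = frozenset(
        {"SIM removed", "SIM refresh", "operator changed", "eSIM profile changed"})
    swap_correlation_window: timedelta = timedelta(hours=2)
    # Interpreted as the set of identity endpoints whose traffic counts toward the spike.
    identity_endpoint_allow_list: frozenset = frozenset(
        {"idp.example.com", "bank.example.com", "exchange.example.com"})
    auth_traffic_spike_threshold: float = 3.0   # multiple of the per-window baseline
    baseline_auth_flows_per_window: float = 1.0
    user_travel_context: dict = field(default_factory=dict)  # user -> [(start, end), ...]


def find_triggers(device_events, tuning):
    """Yield (user, ts, reason) for alertable SIM-state changes and persistent service loss."""
    by_user = {}
    for e in sorted(device_events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e.kind == "sim_state" and e.detail in tuning.sim_state_change_types:
                yield user, e.ts, e.detail
            elif e.kind == "service_state" and e.detail == "in-service->no-service":
                # Transient coverage gaps restore quickly; only a loss lasting at least
                # ServiceLossDurationThreshold (or never recovering) is a trigger.
                restored = next((r.ts for r in evs[i + 1:] if r.kind == "service_state"
                                 and r.detail == "no-service->in-service"), None)
                if restored is None or restored - e.ts >= tuning.service_loss_duration_threshold:
                    yield user, e.ts, "persistent cellular service loss"


def in_travel_window(user, ts, tuning):
    return any(start <= ts <= end for start, end in tuning.user_travel_context.get(user, []))


def correlate(device_events, flow_events, tuning):
    """Correlate each trigger with identity traffic inside the following SwapCorrelationWindow."""
    alerts = []
    for user, t0, reason in find_triggers(device_events, tuning):
        # Several triggers for one user in one window (SIM removed, then no-service)
        # describe a single incident: fold them into the earlier alert rather than paging twice.
        prior = next((a for a in alerts if a["user"] == user and t0 <= a["window_end"]), None)
        if prior is not None:
            prior["reasons"].append(reason)
            continue
        window_end = t0 + tuning.swap_correlation_window
        flows = [f for f in flow_events if f.user == user and t0 <= f.ts <= window_end]
        auth_flows = [f for f in flows if f.dst_host in tuning.identity_endpoint_allow_list]
        spike_ratio = len(auth_flows) / tuning.baseline_auth_flows_per_window
        if spike_ratio < tuning.auth_traffic_spike_threshold:
            continue  # no downstream auth anomaly: a SIM change alone is too noisy to page on
        alerts.append({
            "user": user, "trigger_time": t0, "window_end": window_end, "reasons": [reason],
            "auth_flows_in_window": len(auth_flows), "spike_ratio": spike_ratio,
            # Cellular loss followed by Wi-Fi/VPN-only egress is the corroborating signal.
            "egress_shift": bool(flows) and all(f.egress != "cellular" for f in flows),
            # UserTravelContext: a carrier change during known travel is lower risk, not ignored.
            "severity": "low" if in_travel_window(user, t0, tuning) else "high",
        })
    return alerts


def run_sample():
    """Constructed sample data: three users, of which only two should produce alerts."""
    def t(h, m=0):
        return datetime(2024, 1, 1, h, m)
    tuning = Tuning(user_travel_context={"carol": [(t(11), t(14))]})
    device_events = [
        DeviceEvent(t(9), "alice", "sim_state", "SIM removed"),
        DeviceEvent(t(9, 1), "alice", "service_state", "in-service->no-service"),
        DeviceEvent(t(10), "bob", "service_state", "in-service->no-service"),
        DeviceEvent(t(10, 3), "bob", "service_state", "no-service->in-service"),  # transient
        DeviceEvent(t(12), "carol", "sim_state", "operator changed"),
    ]
    flow_events = [
        FlowEvent(t(9, 5), "alice", "idp.example.com", "wifi"),
        FlowEvent(t(9, 10), "alice", "bank.example.com", "wifi"),
        FlowEvent(t(9, 30), "alice", "exchange.example.com", "vpn"),
        FlowEvent(t(10, 15), "alice", "idp.example.com", "wifi"),
        FlowEvent(t(10, 5), "bob", "idp.example.com", "cellular"),
        FlowEvent(t(12, 10), "carol", "idp.example.com", "cellular"),
        FlowEvent(t(12, 20), "carol", "idp.example.com", "cellular"),
        FlowEvent(t(12, 40), "carol", "bank.example.com", "cellular"),
    ]
    return correlate(device_events, flow_events, tuning)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In the sample, bob's three-minute outage falls under ServiceLossDurationThreshold and never becomes a trigger; alice's SIM removal and the no-service event that follows it collapse into one high-severity alert with a Wi-Fi/VPN egress shift; carol's operator change lands inside a known travel window, so the same spike ratio yields only a low-severity alert. RoamingExpectedRegions from the iOS table would slot in beside the travel-window check as a second enrichment on the trigger.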