Defender observes a mobile device initiating abnormal or exploit-like network interactions with internal or remote services, followed by process-level instability, privilege boundary shifts, or unexpected execution behaviors indicative of service exploitation outcomes.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Connections | Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns |
| Host Status (DC0018) | AndroidLogs:Crash | Application or system process crash/restart patterns temporally associated with remote service communications |

| Field | Description |
|---|---|
| ProtocolAnomalyThreshold | Defines deviation tolerance for malformed or exploit-like protocol behavior |
| CrashCorrelationWindow | Temporal linkage between suspicious network activity and process instability |
| EnterpriseServiceBaseline | Environment-specific baseline of expected internal service communications |
Defender observes a mobile device engaging remote or internal services with traffic characteristics inconsistent with normal application behavior, followed by execution anomalies, application instability, or security context deviations consistent with exploitation effects.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Connections | Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns |
| Host Status (DC0018) | iOS:unifiedlog | Application crash logs, watchdog terminations, or abnormal execution events associated with service communication |

| Field | Description |
|---|---|
| TrafficDeviationThreshold | Defines acceptable protocol and payload variation |
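Both analytics above (the Android one keyed on AndroidLogs:Crash and the iOS one keyed on iOS:unifiedlog) reduce to the same correlation: flag a connection that deviates from the enterprise service baseline or exceeds the protocol/traffic deviation threshold, then look for a crash on the same device inside the crash correlation window. The following is an added example of that correlation logic written for this page; it is not ATT&CK's own code or a vendor detection rule. The event classes, the baseline contents, the sample connection and crash events, the device names and the threshold values are all constructed here for illustration; in a real deployment the tunables would be set per environment.

```python
"""Correlate anomalous mobile-to-service connections with process crashes.

Added example for the detection strategy above. Tunables are named after the
page's fields; their values here are constructed placeholders, not defaults.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# ProtocolAnomalyThreshold (Android) / TrafficDeviationThreshold (iOS):
# a connection whose normalized deviation score reaches this value is suspicious.
PROTOCOL_ANOMALY_THRESHOLD = 0.7
# CrashCorrelationWindow: how long after a suspicious connection a crash still counts.
CRASH_CORRELATION_WINDOW = timedelta(seconds=120)
# EnterpriseServiceBaseline (hypothetical): internal service -> protocols expected from mobile devices.
ENTERPRISE_SERVICE_BASELINE = {
    "mail.corp.internal": {"imaps"},
    "files.corp.internal": {"smb", "https"},
}


@dataclass(frozen=True)
class Connection:
    """One NSM:Connections record (constructed shape, not a real sensor schema)."""
    ts: datetime
    device: str
    dest: str
    protocol: str
    anomaly_score: float  # 0.0 = matches baseline protocol behavior, 1.0 = fully malformed


@dataclass(frozen=True)
class Crash:
    """One crash/restart record from AndroidLogs:Crash or iOS:unifiedlog."""
    ts: datetime
    device: str
    process: str


@dataclass(frozen=True)
class Alert:
    device: str
    dest: str
    process: str
    seconds_after: float  # crash time minus connection time


def is_suspicious(conn: Connection) -> bool:
    """Baseline check first, then deviation threshold."""
    expected = ENTERPRISE_SERVICE_BASELINE.get(conn.dest)
    if expected is None or conn.protocol not in expected:
        return True  # service or protocol not in the enterprise baseline
    return conn.anomaly_score >= PROTOCOL_ANOMALY_THRESHOLD


def correlate(connections, crashes, window=CRASH_CORRELATION_WINDOW):
    """Return one Alert per (suspicious connection, crash) pair on the same device
    where the crash happens within `window` after the connection."""
    crashes_by_device = {}
    for crash in crashes:
        crashes_by_device.setdefault(crash.device, []).append(crash)

    alerts = []
    for conn in connections:
        if not is_suspicious(conn):
            continue
        for crash in crashes_by_device.get(conn.device, []):
            delta = crash.ts - conn.ts
            if timedelta(0) <= delta <= window:  # crash must follow the connection
                alerts.append(Alert(conn.device, conn.dest, crash.process, delta.total_seconds()))
    return alerts


# Constructed sample telemetry: one benign connection, one malformed SMB session
# followed by a crash, and one off-baseline connection whose crash is too late.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_CONNECTIONS = [
    Connection(T0, "android-17", "mail.corp.internal", "imaps", 0.05),
    Connection(T0 + timedelta(seconds=30), "android-17", "files.corp.internal", "smb", 0.92),
    Connection(T0 + timedelta(seconds=40), "ios-04", "printer.corp.internal", "http", 0.10),
]
SAMPLE_CRASHES = [
    Crash(T0 + timedelta(seconds=75), "android-17", "com.example.fileclient"),  # 45 s after SMB
    Crash(T0 + timedelta(seconds=600), "ios-04", "SpringBoard"),                # 560 s later: outside window
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_CONNECTIONS, SAMPLE_CRASHES):
        print(alert)
```

The window is applied one-sided on purpose: a crash that precedes the connection is not evidence of the connection causing it. Widening `CRASH_CORRELATION_WINDOW` trades missed slow-failing exploits against more coincidental crash pairings, which is why the page lists it as an environment-specific tunable.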