A defender observes an application establishing application-layer network sessions (e.g., HTTP(S), WebSocket, DNS, SMTP/IMAP) whose destinations and request patterns deviate from the enterprise baseline for that app category. The signal is strongest when the sessions occur during background execution or while the device is locked and show beacon-like periodicity, anomalous SNI/Host values, or unusually uniform request/response sizes, a pattern consistent with command polling and tasking over legitimate-looking protocols.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | NSM:Flow | Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns |
| Network Traffic Content (DC0085) | NSM:Flow | Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior |
| OS API Execution (DC0021) | MobileEDR:telemetry | Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction |
| Field | Description |
|---|---|
| BeaconIntervalVarianceThreshold | Maximum variance (jitter) in the intervals between sessions before the cadence is treated as beacon-like |
| ConnectionFrequencyThreshold | Baseline-dependent threshold for anomalous connection rates to a destination |
| PayloadEntropyThreshold | Entropy level above which request or response content is treated as encoded or structured tasking rather than ordinary application data |
A defender observes an application generating application-layer communications that blend with normal traffic (HTTP(S), WebSocket, DNS, mail protocols) but deviate from the enterprise baseline for that bundle ID: persistent background network sessions, regular low-volume polling intervals, anomalous SNI/Host destinations, uncommon DNS patterns, or uniform request/response sizing. Together these suggest command and control over legitimate-looking protocols and can be detected without relying on tool signatures.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | NSM:Flow | Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns |
| Network Traffic Content (DC0085) | NSM:Flow | Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior |
| OS API Execution (DC0021) | MobileEDR:telemetry | Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction |
| Field | Description |
|---|---|
| CadenceAnomalyThreshold | Acceptable deviation in protocol communication timing before a regular cadence is flagged |
| SessionPersistenceThreshold | Tolerated deviation from the baseline for long-lived or persistently re-established sessions |
| AppNetworkBehaviorBaseline | Expected mapping of application functionality to protocol usage and destinations |
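The checks both analytics above describe (beacon-like periodicity, uniform request/response sizing, background-only sessions, high-entropy payload content, and an off-baseline destination for the app) can be scored together over per-session flow records. The following is an added example, not code from the original page or from any detection product: the flow-record schema, the threshold values (named after the mutable elements above), the app identifiers, destinations and the sample flows are all constructed assumptions.

```python
"""Score application-layer flows for low-and-slow C2 characteristics.

Added example, not part of the original page. The record schema, threshold
values, app identifiers and destinations below are assumptions.
"""
import math
import statistics
from collections import defaultdict

# Hypothetical thresholds, named after the page's mutable elements.
BEACON_INTERVAL_VARIANCE_THRESHOLD = 0.25  # max coefficient of variation of gaps between sessions
CONNECTION_FREQUENCY_THRESHOLD = 6         # sessions needed before periodicity/sizing are scored
PAYLOAD_ENTROPY_THRESHOLD = 4.0            # bits per character; URI paths above this look encoded
SIZE_SYMMETRY_THRESHOLD = 0.15             # max coefficient of variation of per-session byte totals
SESSION_PERSISTENCE_THRESHOLD = 0.8        # min fraction of sessions with no foreground interaction

# AppNetworkBehaviorBaseline (constructed): destinations each app is expected to talk to.
APP_NETWORK_BEHAVIOR_BASELINE = {
    "com.example.weather": {"api.weather.example"},
    "com.example.notes": {"sync.notes.example"},
}


def shannon_entropy(text):
    """Shannon entropy in bits per character (0.0 for empty or single-symbol strings)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def coefficient_of_variation(values):
    """Population std-dev divided by mean; 0.0 when there are too few values or the mean is 0."""
    if len(values) < 2:
        return 0.0
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else 0.0


def score_group(app, dst, records):
    """Return the list of indicators one (app, destination) group exhibits."""
    indicators = []
    if dst not in APP_NETWORK_BEHAVIOR_BASELINE.get(app, set()):
        indicators.append("destination_off_baseline")
    if len(records) >= CONNECTION_FREQUENCY_THRESHOLD:
        ts = sorted(r["ts"] for r in records)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if coefficient_of_variation(gaps) <= BEACON_INTERVAL_VARIANCE_THRESHOLD:
            indicators.append("periodic_beacon")
        totals = [r["bytes_out"] + r["bytes_in"] for r in records]
        if coefficient_of_variation(totals) <= SIZE_SYMMETRY_THRESHOLD:
            indicators.append("uniform_sizing")
    background = sum(1 for r in records if not r["foreground"]) / len(records)
    if background >= SESSION_PERSISTENCE_THRESHOLD:
        indicators.append("background_only")
    if max(shannon_entropy(r["path"]) for r in records) >= PAYLOAD_ENTROPY_THRESHOLD:
        indicators.append("high_entropy_path")
    return indicators


def is_suspicious(indicators):
    """A known-good destination may legitimately poll on a schedule (sync), so require
    an off-baseline destination plus at least two behavioural indicators."""
    return "destination_off_baseline" in indicators and len(indicators) >= 3


def analyze(records):
    """Group flow records by (app, destination) and score each group."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["app"], r["dst"])].append(r)
    return {key: score_group(key[0], key[1], recs) for key, recs in groups.items()}


def _flow(app, dst, ts, bytes_out, bytes_in, path, foreground):
    return dict(app=app, dst=dst, ts=ts, bytes_out=bytes_out, bytes_in=bytes_in,
                path=path, foreground=foreground)


# Constructed sample flows (not real telemetry); timestamps are seconds.
SAMPLE_RECORDS = (
    # Weather app: a few foreground requests at user-driven times, expected destination.
    [_flow("com.example.weather", "api.weather.example", t, o, i, p, True)
     for t, o, i, p in [(100, 310, 8200, "/v1/forecast?c=paris"), (947, 305, 7900, "/v1/alerts?c=paris"),
                        (3100, 312, 8350, "/v1/forecast?c=oslo"), (9800, 298, 6100, "/v1/alerts?c=oslo")]]
    # Notes app: scheduled background sync every 300 s to its known sync host, varying payloads.
    + [_flow("com.example.notes", "sync.notes.example", 500 + 300 * k, o, i, "/sync?since=last", False)
       for k, (o, i) in enumerate([(120, 3400), (90, 870), (210, 5100), (4500, 60), (75, 980), (130, 2200)])]
    # Flashlight app: ~60 s cadence with small jitter, uniform sizes, always in background,
    # base64-looking path, destination not in its baseline.
    + [_flow("com.example.flashlight", "cdn-update.example", t, 412, i,
             "/c/aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW", False)
       for t, i in zip([1000, 1058, 1121, 1182, 1241, 1303, 1363, 1420],
                       [218, 220, 218, 222, 218, 219, 218, 221])]
)


if __name__ == "__main__":
    for key, found in analyze(SAMPLE_RECORDS).items():
        verdict = "SUSPICIOUS" if is_suspicious(found) else "ok"
        print(f"{key[0]} -> {key[1]}: {verdict} {found}")
```

The notes app in the sample is deliberately periodic and background-only, which is why `is_suspicious` also requires the destination to be outside the app's baseline: periodicity by itself is what a legitimate sync client looks like, and the baseline is what separates the two. In a real deployment the thresholds would be derived per app category from observed traffic rather than fixed constants.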