Defender correlates a causal chain on an Android device in which the device transitions into USB debugging or file transfer mode after a physical USB connection event, followed within a short window by application installation, file replication, or execution that originates from the USB interface rather than from the application store.

| Data Component | Name | Channel |
|---|---|---|
| System Settings (DC0118) | android:MDMLog | device USB mode change (charging to file transfer / debugging / accessory) |
| Application Permission (DC0114) | android:MDMLog | ADB_DEBUGGING_ENABLED |
| Process Creation (DC0032) | MobileEDR:telemetry | application installed from adb, sideload, or unknown USB source |
| File Creation (DC0039) | MobileEDR:telemetry | large file write originating from /mnt/usb or external mounted storage |

| Field | Description |
|---|---|
| TimeWindow | Maximum time between the USB mode change or ADB enablement and the follow-on installation, file replication, or execution for the events to be correlated. |
| AllowedDeveloperDevices | List of devices legitimately allowed to use ADB debugging. |
| AllowedSideloadApps | Approved enterprise apps allowed to install outside Google Play. |
| FileReplicationThreshold | Total volume of file writes from mounted external storage within the correlation window above which replication is considered suspicious. |

Defender correlates a chain on an iOS device in which a new trusted USB host pairing is established or the device enters a developer/debug configuration state, followed shortly after that event by data extraction activity, configuration manipulation, or abnormal application behavior.

| Data Component | Name | Channel |
|---|---|---|
| Protected Configuration (DC0115) | iOS:MDMLog | Developer Mode enabled, supervised-device restriction changed, or trust-related protected device posture changed |
| System Settings (DC0118) | iOS:MDMLog | Trusted computer / host relationship established or relevant device trust setting changed |
| Host Status (DC0018) | iOS:MDMLog | Device risk, compliance, or security posture changes after trusted host pairing or developer-state transition |
| OS API Execution (DC0021) | MobileEDR:telemetry | Observed device-service, trust-service, backup/service interaction, or other privileged framework activity associated with physical host access |

| Field | Description |
|---|---|
| PairingEventWindow | Time window between trusted host pairing and suspicious device behavior. |
| AllowedTrustedHosts | Enterprise-authorized computers permitted to pair with managed devices. |
| DeveloperModePolicy | Whether developer mode is permitted in the organization. |
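
The correlation both analytics describe (a USB/host-trust transition, then qualifying follow-on activity on the same device inside a window, with allowlists and a volume threshold applied) is shown below as an added example; it is not code from this page or from any MDM/EDR product. Event kinds such as USB_MODE_CHANGE, TRUSTED_HOST_PAIRED and BACKUP_SERVICE_ACCESS, the field names, the device identifiers and all CONFIG values are assumed stand-ins for whatever the android:MDMLog, iOS:MDMLog and MobileEDR:telemetry channels actually emit, and the telemetry is constructed for the example. It covers the Android analytic (TimeWindow, AllowedDeveloperDevices, AllowedSideloadApps, FileReplicationThreshold) and the iOS analytic (PairingEventWindow, AllowedTrustedHosts, DeveloperModePolicy) with one shared correlator.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Mutable elements from both analytics. Values are assumptions for this example.
CONFIG = {
    "TimeWindow": timedelta(minutes=10),            # Android: USB transition -> install/replication
    "AllowedDeveloperDevices": {"android-dev-01"},
    "AllowedSideloadApps": {"com.corp.kiosk"},
    "FileReplicationThreshold": 50 * 1024 * 1024,   # bytes written from external storage per window
    "PairingEventWindow": timedelta(minutes=15),    # iOS: host pairing -> suspicious behavior
    "AllowedTrustedHosts": {"corp-mac-it-07"},
    "DeveloperModePolicy": "deny",
}
EXTERNAL_STORAGE = ("/mnt/usb", "/mnt/media_rw/", "/storage/")
SIDELOAD_INSTALLERS = {"adb", "sideload", "unknown_usb"}
IOS_FOLLOWON_KINDS = {"BACKUP_SERVICE_ACCESS", "POSTURE_CHANGE", "CONFIG_CHANGE", "DEVELOPER_MODE_ENABLED"}

def ev(ts, device, kind, **fields):
    """One normalized telemetry record; the field names are this example's own, not a vendor schema."""
    return {"ts": datetime.fromisoformat(ts), "device": device, "kind": kind, **fields}

# Constructed sample telemetry (not a real MDM/EDR export).
EVENTS = [
    # Android: non-developer device enters file-transfer mode, ADB is enabled, then an app is
    # installed over adb and 60 MiB is written from the mounted USB path.
    ev("2024-05-01T09:00:00", "android-7f3a", "USB_MODE_CHANGE", mode="file_transfer"),
    ev("2024-05-01T09:00:20", "android-7f3a", "ADB_DEBUGGING_ENABLED"),
    ev("2024-05-01T09:03:10", "android-7f3a", "APP_INSTALL", installer="adb", package="com.example.dropper"),
    ev("2024-05-01T09:04:00", "android-7f3a", "FILE_WRITE", path="/mnt/usb/payload.bin", bytes=40 * 1024 * 1024),
    ev("2024-05-01T09:04:30", "android-7f3a", "FILE_WRITE", path="/mnt/usb/payload2.bin", bytes=20 * 1024 * 1024),
    # Android: approved developer device sideloads an approved app; must not alert.
    ev("2024-05-01T10:00:00", "android-dev-01", "ADB_DEBUGGING_ENABLED"),
    ev("2024-05-01T10:01:00", "android-dev-01", "APP_INSTALL", installer="adb", package="com.corp.kiosk"),
    # Android: sideload 90 minutes after the USB transition, outside TimeWindow; must not alert.
    ev("2024-05-01T11:00:00", "android-9b2c", "USB_MODE_CHANGE", mode="file_transfer"),
    ev("2024-05-01T12:30:00", "android-9b2c", "APP_INSTALL", installer="sideload", package="com.example.late"),
    # iOS: pairing with an unknown host, then backup-service access and Developer Mode.
    ev("2024-05-01T13:00:00", "ios-22e1", "TRUSTED_HOST_PAIRED", host="unknown-laptop"),
    ev("2024-05-01T13:02:00", "ios-22e1", "BACKUP_SERVICE_ACCESS", service="com.apple.mobilebackup2"),
    ev("2024-05-01T13:05:00", "ios-22e1", "DEVELOPER_MODE_ENABLED"),
    # iOS: pairing with an enterprise-authorized host; must not alert.
    ev("2024-05-01T14:00:00", "ios-31aa", "TRUSTED_HOST_PAIRED", host="corp-mac-it-07"),
    ev("2024-05-01T14:01:00", "ios-31aa", "BACKUP_SERVICE_ACCESS", service="com.apple.mobilebackup2"),
]

def android_trigger(e):
    """Any non-charging USB mode, or ADB enabled on a device outside AllowedDeveloperDevices."""
    if e["kind"] == "USB_MODE_CHANGE":
        return e.get("mode") != "charging"
    if e["kind"] == "ADB_DEBUGGING_ENABLED":
        return e["device"] not in CONFIG["AllowedDeveloperDevices"]
    return False

def android_followons(later):
    """Unapproved installs from a USB-origin installer, plus external-storage writes crossing the threshold."""
    hits, external_bytes, reported = [], 0, False
    for e in later:
        if e["kind"] == "APP_INSTALL" and e.get("installer") in SIDELOAD_INSTALLERS:
            if e.get("package") not in CONFIG["AllowedSideloadApps"]:
                hits.append(e)
        elif e["kind"] == "FILE_WRITE" and e.get("path", "").startswith(EXTERNAL_STORAGE):
            external_bytes += e.get("bytes", 0)   # volume is summed over the window, not judged per file
            if external_bytes >= CONFIG["FileReplicationThreshold"] and not reported:
                hits.append(e)
                reported = True
    return hits

def ios_trigger(e):
    """New pairing with a host outside AllowedTrustedHosts, or Developer Mode where policy forbids it."""
    if e["kind"] == "TRUSTED_HOST_PAIRED":
        return e.get("host") not in CONFIG["AllowedTrustedHosts"]
    if e["kind"] == "DEVELOPER_MODE_ENABLED":
        return CONFIG["DeveloperModePolicy"] == "deny"
    return False

def ios_followons(later):
    return [e for e in later if e["kind"] in IOS_FOLLOWON_KINDS]

def correlate(events, is_trigger, followons, window):
    """One alert per trigger that has at least one qualifying follow-on on the same device within window."""
    by_device = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_device[e["device"]].append(e)
    alerts = []
    for device, evs in by_device.items():
        for i, trig in enumerate(evs):
            if not is_trigger(trig):
                continue
            later = [e for e in evs[i + 1:] if e["ts"] - trig["ts"] <= window]
            hits = followons(later)
            if hits:
                alerts.append({"device": device, "trigger": trig["kind"],
                               "followons": [h["kind"] for h in hits]})
    return alerts

def run(events=EVENTS):
    android = [e for e in events if e["device"].startswith("android-")]
    ios = [e for e in events if e["device"].startswith("ios-")]
    return (correlate(android, android_trigger, android_followons, CONFIG["TimeWindow"])
            + correlate(ios, ios_trigger, ios_followons, CONFIG["PairingEventWindow"]))
```

Running `run()` on the constructed telemetry yields three alerts: two for android-7f3a (the USB mode change and the ADB enablement each qualify as a trigger and see the same adb install and the 60 MiB of external-storage writes), and one for ios-22e1 (unknown host pairing followed by backup-service access and Developer Mode). The approved developer device, the install outside TimeWindow, and the allowlisted host produce nothing. Two things a production rule would add: collapse overlapping triggers on one device into a single alert, and raise a separate policy alert for DEVELOPER_MODE_ENABLED under a deny policy even when no follow-on appears, since this correlator deliberately stays silent on a trigger with no follow-on.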