Defender observes anomalous access to remote device management or enterprise mobility management control planes followed by device-state queries, location requests, or management actions inconsistent with user role, historical behavior, or device ownership context.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | saas:MDM | Authentication events to device management or enterprise mobility management consoles |
| Cloud Service Enumeration (DC0083) | saas:MDM | Device lookup, location query, or remote management operation |

| Field | Description |
|---|---|
| RoleDeviationThreshold | Defines acceptable variance between user privileges and management actions |
| GeoAccessAnomalyThreshold | Baseline deviation tolerance for management console access locations |
| DeviceOwnershipBaseline | Expected mapping of users to managed devices |
Defender observes anomalous authentication or session activity targeting remote device management services followed by device-tracking queries, device-state requests, or remote actions inconsistent with established user-device relationships or operational patterns.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | saas:MDM | Authentication events to Apple iCloud or enterprise device management services |
| Cloud Service Enumeration (DC0083) | saas:MDM | Device lookup, location query, or remote management operation |

| Field | Description |
|---|---|
| UserDeviceRelationshipDeviation | Defines acceptable deviation from known user-device mappings |
| SessionAnomalyThreshold | Baseline deviation tolerance for management sessions |
| QueryFrequencyThreshold | Threshold for excessive device tracking or lookup activity |
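
Both analytics above describe the same correlation: a console authentication (DC0002) followed, within a session window, by device lookups, location queries, or remote actions (DC0083) that do not fit the user's role, access location, or device ownership. The Python below is an added example, not code from this page or from any MDM product; it implements that correlation over a few constructed log lines. The tunables at the top map onto the mutable elements of both analytics (RoleDeviationThreshold, GeoAccessAnomalyThreshold, DeviceOwnershipBaseline, UserDeviceRelationshipDeviation, SessionAnomalyThreshold, QueryFrequencyThreshold); their values, the role names, the `kind=` vocabulary and the log format are all assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# --- Tunables mirroring the page's mutable elements (all values are assumptions) ---
# RoleDeviationThreshold, expressed as an allow-list of management actions per role.
ROLE_PERMITTED_ACTIONS = {
    "mdm_admin": {"device_lookup", "location_query", "remote_lock", "remote_wipe"},
    "helpdesk": {"device_lookup", "location_query", "remote_lock"},
    "end_user": {"device_lookup"},
}
PRIVILEGED_ROLES = {"mdm_admin", "helpdesk"}  # roles expected to act on devices they do not own
# GeoAccessAnomalyThreshold: countries from which each user has historically opened the console.
GEO_ACCESS_BASELINE = {"alice": {"US"}, "bob": {"US"}}
# DeviceOwnershipBaseline: expected user -> managed device mapping.
DEVICE_OWNERSHIP_BASELINE = {"alice": {"dev-1001"}, "bob": {"dev-2002"}}
USER_DEVICE_RELATIONSHIP_DEVIATION = 0  # distinct non-owned devices tolerated for a non-privileged user
QUERY_FREQUENCY_THRESHOLD = 3           # lookups/location queries per session before they count as excessive
SESSION_WINDOW = timedelta(minutes=30)  # SessionAnomalyThreshold: how long one login covers follow-on actions
QUERY_KINDS = {"device_lookup", "location_query"}

# Constructed sample telemetry: console logins plus follow-on management operations (not real data).
SAMPLE_EVENTS = [
    "2024-05-01T09:00:00 user=alice role=helpdesk geo=US kind=auth",
    "2024-05-01T09:02:00 user=alice role=helpdesk geo=US kind=device_lookup device=dev-4004",
    "2024-05-01T09:05:00 user=alice role=helpdesk geo=US kind=remote_lock device=dev-4004",
    "2024-05-01T13:10:00 user=bob role=end_user geo=RO kind=auth",
    "2024-05-01T13:11:00 user=bob role=end_user geo=RO kind=location_query device=dev-2002",
    "2024-05-01T13:11:20 user=bob role=end_user geo=RO kind=location_query device=dev-5005",
    "2024-05-01T13:11:40 user=bob role=end_user geo=RO kind=location_query device=dev-6006",
    "2024-05-01T13:12:00 user=bob role=end_user geo=RO kind=remote_wipe device=dev-6006",
]


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def build_sessions(lines):
    """Attach each management operation to the user's most recent console login within SESSION_WINDOW."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    sessions, open_session = [], {}
    for ev in events:
        user = ev["user"]
        if ev["kind"] == "auth":
            s = {"user": user, "role": ev["role"], "geo": ev["geo"], "start": ev["ts"],
                 "ops": [], "authenticated": True}
            sessions.append(s)
            open_session[user] = s
            continue
        s = open_session.get(user)
        if s is None or ev["ts"] - s["start"] > SESSION_WINDOW:
            # An operation with no in-window login is itself an access anomaly; track it as an implicit session.
            s = {"user": user, "role": ev["role"], "geo": ev["geo"], "start": ev["ts"],
                 "ops": [], "authenticated": False}
            sessions.append(s)
            open_session[user] = s
        s["ops"].append(ev)
    return sessions


def evaluate_session(s):
    """Score one session: access anomalies (login side) and follow-on inconsistencies (operation side)."""
    findings = []
    if not s["authenticated"]:
        findings.append("management_op_without_console_login")
    if s["geo"] not in GEO_ACCESS_BASELINE.get(s["user"], set()):
        findings.append(f"geo_anomaly:{s['geo']}")
    allowed = ROLE_PERMITTED_ACTIONS.get(s["role"], set())
    for kind in sorted({op["kind"] for op in s["ops"]} - allowed):
        findings.append(f"role_deviation:{kind}")
    if s["role"] not in PRIVILEGED_ROLES:
        owned = DEVICE_OWNERSHIP_BASELINE.get(s["user"], set())
        foreign = {op["device"] for op in s["ops"]} - owned
        if len(foreign) > USER_DEVICE_RELATIONSHIP_DEVIATION:
            findings.append("device_ownership_deviation:" + ",".join(sorted(foreign)))
    queries = sum(1 for op in s["ops"] if op["kind"] in QUERY_KINDS)
    if queries >= QUERY_FREQUENCY_THRESHOLD:
        findings.append(f"excessive_queries:{queries}")
    access_anomaly = any(f.startswith(("geo_anomaly", "management_op_without")) for f in findings)
    followon_anomaly = any(f.startswith(("role_deviation", "device_ownership", "excessive")) for f in findings)
    # The page's logic: anomalous access *followed by* inconsistent actions; both sides must fire.
    return {"user": s["user"], "start": s["start"].isoformat(), "findings": findings,
            "alert": access_anomaly and followon_anomaly}


def detect(lines):
    return [evaluate_session(s) for s in build_sessions(lines)]


if __name__ == "__main__":
    for result in detect(SAMPLE_EVENTS):
        print(result)
```

On the sample data the helpdesk session produces no findings, while the `end_user` session from an unbaselined country that queries the location of two devices it does not own and then issues a remote wipe fires on every tunable and alerts. The `alert` flag deliberately requires both an access anomaly and a follow-on inconsistency, as the analytics describe; a deployment that also wants to page on a bare role deviation (a wipe from a non-privileged role, regardless of where the login came from) can raise a separate alert on `role_deviation:*` findings alone.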