cti/mobile-attack/x-mitre-analytic/x-mitre-analytic--1e8d1470-1e76-4f6f-b2c9-633800c4478a.json

{
    "type": "bundle",
    "id": "bundle--dfae080b-e2fc-4ed8-bf5d-661101891ed4",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "x-mitre-analytic",
            "id": "x-mitre-analytic--1e8d1470-1e76-4f6f-b2c9-633800c4478a",
            "created": "2025-10-21T15:10:28.402Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/detectionstrategies/DET0639#AN1714",
                    "external_id": "AN1714"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2026-03-12T17:09:47.656Z",
            "name": "Analytic 1714",
            "description": "Defender correlates an iOS-specific reduced-confidence chain where a managed or supervised device remains active but experiences abrupt loss of network-dependent functionality, repeated session failure, or sustained communication inability without matching configuration changes or ordinary user action. Because direct radio-layer and RF-cause visibility is weaker on iOS, the defender emphasizes device posture, application wake or foreground behavior during service loss, protected network-policy stability, and downstream failure patterns observed in VPN or proxy telemetry.",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_deprecated": false,
            "x_mitre_version": "1.1",
            "x_mitre_attack_spec_version": "3.3.0",
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "x_mitre_platforms": [
                "iOS"
            ],
            "x_mitre_log_source_references": [
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
                    "name": "iOS:MDMLog",
                    "channel": "Managed Wi-Fi, VPN, cellular, or location-service policy remains unchanged while device connectivity repeatedly degrades"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
                    "name": "iOS:MDMLog",
                    "channel": "No user-initiated airplane mode or radio-related setting change occurred while applications experience repeated network unavailability"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
                    "name": "MobileEDR:telemetry",
                    "channel": "Foreground or background applications remain active while network-dependent activity stalls, retries, or transitions into repeated failure state"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
                    "name": "MobileEDR:telemetry",
                    "channel": "Observed network-path, reachability, DNS, transport, or location-provider framework reports repeated unavailable or failed state near active device use"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
                    "name": "MobileEDR:telemetry",
                    "channel": "Network- or location-dependent app capability state remains unchanged while the app experiences sustained communication failure"
                }
            ],
            "x_mitre_mutable_elements": [
                {
                    "field": "TimeWindow",
                    "description": "Maximum span for correlating app activity, posture stability, and repeated network failure into a single denial event."
                },
                {
                    "field": "SupervisedOnly",
                    "description": "Whether the analytic should only apply to supervised devices with high-confidence MDM policy telemetry."
                },
                {
                    "field": "AllowedAppList",
                    "description": "Apps expected to retry aggressively or queue offline work during routine coverage degradation."
                },
                {
                    "field": "ForegroundStateRequired",
                    "description": "Whether the app should be foreground or recently active for the analytic to be treated as high confidence."
                },
                {
                    "field": "RecentUserInteractionWindow",
                    "description": "Time threshold for determining whether the denial occurred during active user use versus background idle periods."
                },
                {
                    "field": "FailureBurstThreshold",
                    "description": "Threshold for repeated session failures, resets, timeouts, or DNS failures within the correlation window."
                },
                {
                    "field": "ExpectedCoverageZones",
                    "description": "Known sites or geographies where benign poor service should be baseline-adjusted."
                },
                {
                    "field": "TrustedDestinationAllowList",
                    "description": "Expected enterprise destinations whose temporary maintenance or outage should not be treated as device-targeted denial."
                }
            ]
        }
    ]
}