Security events list
Last updated April 20th, 2026
The following table provides additional security event details, expanding on the descriptions provided on the Security events summary page.
Some security events are Android OS and device model dependent. While configuring Security Log settings, refer to the Dependencies information of each event description to ensure that your devices are supported.
Essential security events
High severity
| BOOT_COMPROMISED_SOFTWARE_BINARY |
| Indicates the device boot binary is at risk of compromise |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| High | System | T1645 | Yes |
Dependencies: none
Notes: none
Properties:
- ArpDevice (String)
- AvbBootPatchLevel (String)
- AvbBootState (String)
- AvbDeviceLocked (String)
- AvbOsPatchLevel (String)
- AvbOsVersion (String)
- AvbVendorPatchLevel (String)
- AvbVerityMode (String)
- BLBuildId (String)
- BLBuildType (String)
- BLEvent (String)
- BLEventTarget (String)
- BLMode (String)
- BLRP (String)
- CCModeState (String)
- CustomCount (String)
- EDLCount (String)
- EmFuseHistory (String)
- EmStatus (String)
- EmTokens (String)
- FOTACount (String)
- FrpState (String)
- ImgStatus (String)
- KernelBuildId (String)
- KernelBuildType (String)
- KernelRP (String)
- KernelState (String)
- KGFuse (String)
- KGState (String)
- MDMState (String)
- ODINCount (String)
- RebootReason (String)
- RPMBState (String)
- SecureBoot (String)
- SystemBuildId0 (String)
- SystemBuildId1 (String)
- SystemBuildId2 (String)
- SystemRP (String)
- UnlockCount (String)
- VbMetaType (String)
- WbFuse (String)
- WbReason (String)
- WpState (String)
|
| LOG_IS_FULL |
| Indicates the on-device Knox Security Log is full |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| High | Audit | KNOX.1 | Yes |
Dependencies: none
Notes: none
Properties: none
|
| PASSWORD_LOCKOUT |
| Indicates when the device is locked out after the user has reached the maximum password attempts |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| High | User | T1110 | No |
Dependencies: none
Notes: none
Properties: none
|
| PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA |
| Indicates when the device camera access has been detected while it is disabled by a system policy |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| High | System | KNOX.2 | No |
Dependencies:
Not supported on the following device models:
- SM-A042
- SM-A045
- SM-A055 / M055 / E055
- SM-A057
- SM-A065 / M065
- SM-A066 / M066 / E066
- SM-A075 / M075 / E075
- SM-A076
- SM-A145
- SM-A146 / S146
- SM-A155
- SM-A156 / S156
- SM-A165
- SM-A166 / S166
- SM-A175
- SM-A176 / M* / E* / S*
- SM-A253
- SM-A266 / S266
- SM-M145 / E145
- SM-M146 / E146
- SM-M156 / E156
- SM-M166 / E166
- SM-M55* / E556 / C5560
- SM-X21*
- SM-X11*
- SM-X13*
Notes: none
Properties: none
|
| PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC |
| Indicates when the device microphone access has been detected while it is disabled by a system policy |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| High | System | KNOX.2 | No |
Dependencies:
Not supported on the following device models:
- SM-A042
- SM-A045
- SM-A055 / M055 / E055
- SM-A057
- SM-A065 / M065
- SM-A066 / M066 / E066
- SM-A075 / M075 / E075
- SM-A076
- SM-A145
- SM-A146 / S146
- SM-A155
- SM-A156 / S156
- SM-A165
- SM-A166 / S166
- SM-A175
- SM-A176 / M* / E* / S*
- SM-A253
- SM-A266 / S266
- SM-M145 / E145
- SM-M146 / E146
- SM-M156 / E156
- SM-M166 / E166
- SM-M55* / E556 / C5560
- SM-X21*
- SM-X11*
- SM-X13*
- SM-A236V
- SM-A256B
- SM-A336B
- SM-A346B
- SM-A356B
- SM-A536B
- SM-A546B
- SM-A736B
- SM-M336B
- SM-E346B
- SM-M356B
- SM-E366B
- SM-M536B
- SM-E546B
- SM-P620_
- SM-T636B
- SM-X306B
- SM-X406B
- SM-X826B
- SM-X926B
- SM-X736B
- SM-X936B
- SM-X516B
- SM-X616B
- SM-G556B
- SM-G736B
Notes: none
Properties: none
|
Medium severity
| TAG_ADB_SHELL_INTERACTIVE |
| Indicates an ADB interactive shell was opened via "adb shell" |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Medium | Audit | T1623 | No |
Dependencies: none
Notes: none
Properties: none
|
Low severity
| BOOT_STATE |
| Indicates the device boot state |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | System | - | Yes |
Dependencies: none
Notes: none
Properties:
- ArpDevice (String)
- AvbBootPatchLevel (String)
- AvbBootState (String)
- AvbDeviceLocked (String)
- AvbOsPatchLevel (String)
- AvbOsVersion (String)
- AvbVendorPatchLevel (String)
- AvbVerityMode (String)
- BLBuildId (String)
- BLBuildType (String)
- BLEvent (String)
- BLEventTarget (String)
- BLMode (String)
- BLRP (String)
- CCModeState (String)
- CustomCount (String)
- EDLCount (String)
- EmFuseHistory (String)
- EmStatus (String)
- EmTokens (String)
- FOTACount (String)
- FrpState (String)
- ImgStatus (String)
- KernelBuildId (String)
- KernelBuildType (String)
- KernelRP (String)
- KernelState (String)
- KGFuse (String)
- KGState (String)
- MDMState (String)
- ODINCount (String)
- RebootReason (String)
- RPMBState (String)
- SecureBoot (String)
- SystemBuildId0 (String)
- SystemBuildId1 (String)
- SystemBuildId2 (String)
- SystemRP (String)
- UnlockCount (String)
- VbMetaType (String)
- WbFuse (String)
- WbReason (String)
- WpState (String)
|
| KEY_INPUT_CAPTURE_CAPABILITY |
| Indicates when the key input capture permission for an app is enabled |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Application | T1417 | No |
Dependencies: none
Notes: none
Properties:
- PkgName (String)
- AccessibilityApi (String)
- RestrictedPerms [(String)]
|
| PREVENT_APP_REMOVAL_CAPABILITY |
| Indicates when an app removal is prevented |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Application | T1629 | No |
Dependencies: none
Notes: none
Properties:
- PkgName (String)
- AccessibilityApi (String)
- RestrictedPerms [(String)]
|
| TAG_ADMIN_HAS_REQUESTED_FULL_WIPE_OF_DEVICE |
| Indicates an administrator requested full wipe of device |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | T1630 | No |
Dependencies: none
Notes: none
Properties:
- UserId (Integer)
- AdmPkgName (Integer)
|
| TAG_FAILED_TO_WIPE_USER_DATA |
| Indicates the process of wiping user data on the device failed for a specific reason |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | T1630 | No |
Dependencies: none
Notes: none
Properties:
|
| TAG_WIPING_DATA_IS_NOT_ALLOWED_FOR_THIS_USER |
| Indicates the process of wiping data (factory reset) is not allowed for this user |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | T1630 | No |
Dependencies: none
Notes: none
Properties: none
|
| USER_INTERACTION_CONTROL_CAPABILITY |
| Indicates when the user screen control permission in an app is enabled |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Application | T1516 | No |
Dependencies: none
Notes: none
Properties:
- PkgName (String)
- AccessibilityApi (String)
- RestrictedPerms [(String)]
|
Advanced security events
High severity
| PROCESS_PRIVILEGE_ESCALATION |
| Indicates when an app has transitioned from an acceptable uid/esuid/fsuid to a non-app id |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| High | Process | T1548, T1543 | No |
Dependencies:
Device models compatible with 32-bit apps (ABI) are not supported. These include:
- SM-A736
- SM-F711
- SM-F926
- SM-G990
- SM-G991
- SM-G996
- SM-G736
- SM-G998
- SM-M446
- SM-T630
- SM-T636
Notes: none
Properties:
- Atime (Long)
- CmdLine (String)
- Ctime (Long)
- Cwd (String)
- Egid (Integer)
- Euid (Integer)
- ExitCode (Integer)
- Fsgid (Integer)
- Fsuid (Integer)
- Gid (Integer)
- Hash (String)
- ModifiedEgid (Integer)
- ModifiedEuid (Integer)
- ModifiedFsgid (Integer)
- ModifiedFsuid (Integer)
- ModifiedGid (Integer)
- ModifiedUid (Integer)
- Mtime (Long)
- OwnerGid (Integer)
- OwnerUid (Integer)
- Path (String)
- Pid (Integer)
- PkgName (String)
- Ppid (Integer)
- SeTag (String)
- Sgid (Integer)
- StartTime (Long)
- Suid (Integer)
- Syscall (Integer)
- Tid (Integer)
- Uid (Integer)
|
Medium severity
| SUSPICIOUS_URL_ACCESSED |
| Indicates when the user tapped or clicked on a potentially suspicious URL on the device |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Medium | User | T1566, T1660 | No |
Dependencies:
32-bit device models are not supported
Notes: none
Properties:
- ConfidenceScore (Real)
- PkgName (String)
- Url (String)
- UrlType (Integer)
|
Low severity
| ACCESS_CALL_LOG_PERMISSION |
| Indicates when an app has permission to access call logs on launch |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Application | T1636 | No |
Dependencies: none
Notes: none
Properties:
- PkgName (String)
- AccessibilityApi (String)
- RestrictedPerms [(String)]
|
| ACCESS_NOTIFICATION_PERMISSION |
| Indicates when permission to access/manage notifications in an app is enabled |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Application | T1517 | No |
Dependencies: none
Notes: none
Properties:
- PkgName (String)
- AccessibilityApi (String)
- RestrictedPerms [(String)]
|
| RESTRICTED_PERMISSION |
| Indicates the launched app has 'restricted permission' |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Application | - | No |
Dependencies: none
Notes: none
Properties: none
|
| SCREEN_CAPTURE_CAPABILITY |
| Indicates when the use of device screen capture permission for an app is enabled |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Application | T1513 | No |
Dependencies: none
Notes: none
Properties: none
|
| SUSPICIOUS_URL_DETECTED |
| Indicates when the user has copied a potentially suspicious URL on the device |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | User | T1566, T1660 | No |
Dependencies:
32-bit device models are not supported
Notes: none
Properties:
- ConfidenceScore (Real)
- PkgName (String)
- Url (String)
- UrlType (Integer)
|
| TAG_ADB_SHELL_CMD |
| Indicates that a shell command was issued over ADB via adb shell |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes:
Potentially high volume event, triggered when the device is being used with a USB cable or in wireless debug mode.
Properties:
|
| TAG_ADD_UNTRUSTED |
| Indicates an administrator added a certificate to the trusted database |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- Issuer (String)
- Subject (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_ADDED_SSID_TO_THE_RESTRICTION_ALLOWLIST |
| Indicates an administrator added an SSID to the restriction allowlist |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- Ssid (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_ADDED_TO_CAMERA_ALLOWLIST |
| Indicates an administrator added a package and signature to the camera allowlist |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- PkgName (String)
- Signature (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_ALLOWED_CAMERA |
| Indicates an administrator allowed the camera |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_ALLOWED_MICROPHONE |
| Indicates an administrator allowed the microphone |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_ALLOWED_TO_INSTALL_APPLICATION |
| Indicates an administrator allowed application installation |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- PkgName (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_CHANGED_LOCK_SCREEN_STATE_TO_DISABLED |
| Indicates an administrator changed the lock screen state to disabled |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_CHANGED_NFC_STATE_CHANGE |
| Indicates an administrator has allowed the NFC state change |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- Allow (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_CHANGED_SCREEN_LOCK_TIME_OUT |
| Indicates an administrator changed the screen lock timeout |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- Timeout (Integer)
- UserId (Integer)
|
| TAG_ADMIN_HAS_DISALLOWED_MICROPHONE |
| Indicates an administrator disallowed the microphone |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_ENABLED_BLUETOOTH_DISCOVERABLE_STATE |
| Indicates an administrator enabled Bluetooth discoverable state |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_ENABLED_WIFI_DIRECT |
| Indicates an administrator enabled Wi-Fi Direct |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties: none
|
| TAG_ADMIN_HAS_LOCKED_WORKSPACE |
| Indicates an administrator locked the workspace |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_REMOVED_ALL_SSID_FROM_THE_RESTRICTION_BLOCKLIST |
| Indicates an administrator removed all SSIDs from the restriction blocklist |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_REMOVED_SSID_FROM_THE_RESTRICTION_BLOCKLIST |
| Indicates an administrator removed an SSID from the restriction blocklist |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- Ssid (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_SUCCESSFULLY_LOCKED_WORKSPACE |
| Indicates an administrator successfully locked the workspace |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_SUCCESSFULLY_UNLOCKED_WORKSPACE |
| Indicates an administrator successfully unlocked the workspace |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- UserId (Integer)
|
| TAG_ADMIN_HAS_UNLOCKED_WORKSPACE |
| Indicates an administrator unlocked the workspace |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- UserId (Integer)
|
| TAG_APPLICATION_ACTION_FAILED_BECAUSE_OF_SIGNATURE_VERIFICATION_FAILURE |
| Indicates the application action has failed because of signature verification failure |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- Action (String)
- PkgName (String)
- Reason (String)
- UserId (Integer)
|
| TAG_APPLICATION_INSTALLATION_NOT_ALLOWED_BECAUSE_SIGNED_UNTRUSTED_CA |
| Indicates an app installation is not allowed because it is signed by an untrusted CA |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- PkgName (String)
- UserId (Integer)
|
| TAG_APPLICATION_INSTALLATION_NOT_ALLOWED_BY_ADMIN_BLOCKLIST |
| Indicates the application is being blocked from installation by a device policy enforced by an administrator |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Application | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- PkgName (String)
- Policy (String)
- UserId (Integer)
|
| TAG_APPLICATION_INSTALLATION_NOT_ALLOWED_BY_ADMIN_INSTALLER_BLOCKLIST |
| Indicates that an administrator has blocked the installation of an application from a specific installer |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Application | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- PkgName (String)
- Policy (String)
- UserId (Integer)
|
| TAG_BACKUP_SERVICE_TOGGLED |
| Indicates an administrator has enabled or disabled the backup service |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- AdmUserId (Integer)
- Enabled (Boolean)
|
| TAG_BIND_TO_VPN_FAILED_COULD_NOT_FIND_PACKAGE |
| Indicates when a bind to the VPN vendor service failed as the vendor package could not be found |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Network | - | No |
Dependencies: none
Notes: none
Properties:
- PkgName (String)
- UserId (Integer)
|
| TAG_BLUETOOTH_CONNECTION |
| Indicates the device attempts to connect to a Bluetooth device |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- MacAddr (String)
- Reason (String)
- Result (Boolean)
|
| TAG_CERT_AUTHORITY_INSTALLED |
| Indicates a new root certificate has been installed into the system's trusted credential storage |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- Result (Boolean)
- Subject (String)
- UserId (Integer)
|
| TAG_CERT_AUTHORITY_REMOVED |
| Indicates a new root certificate has been removed from the system's trusted credential storage |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- Result (Boolean)
- Subject (String)
- UserId (Integer)
|
| TAG_ERROR_OCCURRED_WHILE_VALIDATING_PROFILE_INFORMATION_FOR_VENDOR |
| Indicates that during VPN profile creation, an error occurred while validating the vendor |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- PkgName (String)
- UserId (Integer)
|
| TAG_KEY_INTEGRITY_VIOLATION |
| Indicates a failed cryptographic key integrity check |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- Alias (String)
- Uid (Integer)
|
| TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT |
| Indicates there has been an authentication attempt to dismiss the keyguard |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- Result (Boolean)
- Strong (Boolean)
|
| TAG_LOG_BUFFER_SIZE_CRITICAL |
| Indicates that the audit log buffer has reached 90% of its capacity |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties: none
|
| TAG_MEDIA_MOUNT |
| Indicates removable media has been mounted on the device |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- MountPoint (String)
- VolLabel (String)
|
| TAG_MEDIA_UNMOUNT |
| Indicates that removable media was unmounted from the device |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- MountPoint (String)
- VolLabel (String)
|
| TAG_MICROPHONE_ENABLED |
| Indicates the microphone is enabled |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- PkgName (String)
- UserId (Integer)
|
| TAG_PACKAGE_INSTALLED |
| Indicates a package is installed |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Application | - | No |
Dependencies: none
Notes: none
Properties:
- PkgName (String)
- VerCode (Long)
- UserId (Integer)
|
| TAG_PACKAGE_NAME_HAS_BEEN_ACTIVATED_AS_ADMIN |
| Indicates the application was activated as an administrator |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- UserId (Integer)
|
| TAG_PACKAGE_NAME_HAS_BEEN_REMOVED_AS_ADMIN |
| Indicates the application was removed as an administrator |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- UserId (Integer)
|
| TAG_PACKAGE_UNINSTALLED |
| Indicates a package is uninstalled |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Application | - | No |
Dependencies: none
Notes: none
Properties:
- PkgName (String)
- VerCode (Long)
- UserId (Integer)
|
| TAG_PACKAGE_UPDATED |
| Indicates a package is updated |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Application | - | No |
Dependencies: none
Notes: none
Properties:
- PkgName (String)
- VerCode (Long)
- UserId (Integer)
|
| TAG_PASSWORD_CHANGED |
| Indicates the user has just changed their lock screen password |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | User | - | No |
Dependencies: none
Notes: none
Properties:
- PwComplexity (String)
- UserId (Integer)
|
| TAG_PASSWORD_COMPLEXITY_REQUIRED |
| Indicates an administrator has set a password complexity requirement, using the platform's pre-defined complexity levels |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- AdmUserId (Integer)
- PwComplexity (String)
- UserId (Integer)
|
| TAG_PASSWORD_COMPLEXITY_SET |
| Indicates an administrator has set a requirement for password complexity |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- AdmUserId (Integer)
- MinPwLength (Integer)
- MinNumOfLetters (Integer)
- MinNumOfNonLetters (Integer)
- MinNumOfDigits (Integer)
- MinNumOfUpperLetters (Integer)
- MinNumOfLowerLetters (Integer)
- MinNumOfSymbols (Integer)
- PwComplexity (String)
- PwConstraint (String)
- UserId (Integer)
|
| TAG_REMOTE_LOCK |
| Indicates an administrator remotely locked the device or profile |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- AdmUserId (Integer)
- UserId (Integer)
|
| TAG_REMOVE_UNTRUSTED |
| Indicates an administrator removed a certificate from the untrusted database |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
- AdmPkgName (String)
- Issuer (String)
- Subject (String)
- UserId (Integer)
|
| TAG_SYNC_RECV_FILE |
| Indicates a file was pulled from the device via the adb daemon, for example via adb pull |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
|
| TAG_SYNC_SEND_FILE |
| Indicates a file was pushed to the device via the adb daemon, for example via adb push |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties:
|
| TAG_WIPE_FAILURE |
| Indicates a failure to wipe the device or user data |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Audit | - | No |
Dependencies: none
Notes: none
Properties: none
|
| VIDEO_CAPTURE_PERMISSION |
| Indicates when the video capture permission is requested by the app |
| Severity | Type | MITRE Technique IDs | Default? | Additional details |
| Low | Application | T1512 | No |
Dependencies: none
Notes: none
Properties:
- PkgName (String)
- AccessibilityApi (String)
- RestrictedPerms [(String)]
|