MITRE ATT&CK® Data Component

DC0018: Host Status

Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.

*Data Collection Measures:*

- Windows Event Logs:
  - Event ID 1074 (System Shutdown): Detects unexpected system reboots/shutdowns.
  - Event ID 6006 (Event Log Stopped): Logs when Windows event logging is stopped.
  - Event ID 16 (Sysmon): Detects configuration state changes that may indicate log tampering.
  - Event ID 12 (Windows Defender Status Change): Detects changes in Windows Defender state.
- Linux/macOS Monitoring:
  - `/var/log/syslog`, `/var/log/auth.log`, `/var/log/kern.log`
  - Journald (journalctl) for kernel and system alerts.
- Endpoint Detection and Response (EDR) Tools:
  - Monitor agent health status, detect sensor tampering, and alert on missing telemetry.
- Mobile Threat Intelligence Logs:
  - Samsung Knox, SafetyNet, iOS Secure Enclave provide sensor health status for mobile endpoints.

Enterprise | DC0018 | Data Component | Object v2.1 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Host Status is the evidence that security tools and logging on endpoints are alive, correctly configured, and still reporting. For leaders, this matters because many detections depend on endpoint sensors, antivirus, logging services, and monitoring tools being healthy. If those controls fail, are misconfigured, or are tampered with, the organization may lose visibility exactly when it needs it for incident response, compliance evidence, and operational resilience.

Executive priority

Treat sensor health as a control assurance issue, not just an IT operations metric. Executives and security leaders should ask whether the organization can prove that endpoint security agents, logging services, and system monitoring tools are running and reporting across critical assets. This supports incident decision-making, audit readiness, managed detection quality, and risk prioritization when visibility gaps appear.

Technical view

SOC, detection engineering, and IR teams should validate that host security sensor health is collected, monitored, and acted on. The supplied ATT&CK description highlights Windows event evidence such as shutdowns, stopped event logging, Sysmon configuration changes, and Windows Defender state changes; Linux/macOS system logs and journald; EDR agent health and missing telemetry alerts; and mobile security-health sources such as Samsung Knox, SafetyNet, and iOS Secure Enclave. Because no ATT&CK detection logic or relationship context is supplied, teams should focus on coverage validation, alert routing, asset correlation, and triage workflows for missing or degraded telemetry.

Likely telemetry

  • Endpoint security agent health/status messages
  • EDR missing-telemetry or tamper alerts
  • Windows Event Logs including Event ID 1074, 6006, Sysmon Event ID 16, and Windows Defender status-change events
  • Linux/macOS system logs such as /var/log/syslog, /var/log/auth.log, /var/log/kern.log, and journald output
  • Logging service start/stop and configuration-change records

Detection direction

  • Validate that security tools generate alerts when host telemetry stops, agents go unhealthy, logging services stop, or sensor configurations change.
  • Correlate host status changes with asset criticality so outages on domain controllers, production servers, executive endpoints, or other high-value systems are prioritized.
  • Tune expected maintenance, patching, reboot, and deployment windows to reduce false positives while preserving visibility into unexpected shutdowns or logging interruptions.
  • Monitor for gaps between asset inventory and reporting sensors; a protected asset should have an expected heartbeat or recent health record.
  • Review whether host-status alerts reach the SOC or managed detection provider with enough context to distinguish routine operational failures from potential control evasion.

Mitigation priorities

  • Establish an authoritative inventory of hosts and expected security/logging sensors.
  • Define required health checks for endpoint protection, EDR, logging services, and system monitoring tools.
  • Alert on missing telemetry, stopped logging, sensor state changes, and unexpected reboots or shutdowns.
  • Create operational runbooks for investigating unhealthy or silent sensors, including ownership, escalation, and restoration steps.
  • Use periodic control validation to confirm that critical assets are reporting and that health alerts are received by the right response teams.
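The inventory-versus-heartbeat check called for under Detection direction and Mitigation priorities above, as an added example that is not from the page or from Glexia's tooling: it compares an asset inventory (criticality plus expected sensors) against the last health record seen per sensor, skips hosts inside approved maintenance windows, and ranks silent sensors so high-value assets surface first. All hosts, sensors, timestamps and windows are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (not from the page): each asset lists its
# criticality and the sensors expected to report for it.
INVENTORY = {
    "dc01":    {"criticality": "high",   "sensors": ["edr", "sysmon", "eventlog"]},
    "web01":   {"criticality": "medium", "sensors": ["edr", "eventlog"]},
    "lab-vm7": {"criticality": "low",    "sensors": ["edr"]},
}
# Constructed last health record per (host, sensor), ISO-8601 UTC;
# dc01/eventlog has no record at all: an inventory-vs-telemetry gap.
LAST_HEARTBEAT = {
    ("dc01", "edr"):       "2024-05-01T11:55:00+00:00",
    ("dc01", "sysmon"):    "2024-05-01T08:00:00+00:00",
    ("web01", "edr"):      "2024-05-01T09:00:00+00:00",
    ("web01", "eventlog"): "2024-05-01T09:05:00+00:00",
    ("lab-vm7", "edr"):    "2024-05-01T03:00:00+00:00",
}
# Approved maintenance windows (host -> [(start, end)]); silence inside is expected.
MAINTENANCE = {
    "web01": [("2024-05-01T08:30:00+00:00", "2024-05-01T12:30:00+00:00")],
}
MAX_SILENCE = timedelta(hours=1)          # tolerated gap between health records
PRIORITY = {"high": 0, "medium": 1, "low": 2}

def _ts(iso):
    return datetime.fromisoformat(iso)

def in_maintenance(host, now):
    return any(_ts(s) <= now <= _ts(e) for s, e in MAINTENANCE.get(host, []))

def silent_sensors(now_iso, inventory=INVENTORY, heartbeats=LAST_HEARTBEAT):
    """Return (host, sensor, reason, criticality) for each expected sensor that never reported or is stale."""
    now = _ts(now_iso)
    findings = []
    for host, meta in inventory.items():
        if in_maintenance(host, now):
            continue                      # tuned-out window: outage is expected
        for sensor in meta["sensors"]:
            last = heartbeats.get((host, sensor))
            if last is None:
                reason = "never reported"
            elif now - _ts(last) > MAX_SILENCE:
                reason = f"stale for {now - _ts(last)}"
            else:
                continue                  # healthy: recent health record present
            findings.append((host, sensor, reason, meta["criticality"]))
    findings.sort(key=lambda f: (PRIORITY[f[3]], f[0], f[1]))  # critical assets first
    return findings
```

Evaluated at 2024-05-01T12:00:00Z the sample data yields dc01/eventlog (never reported) and dc01/sysmon (stale 4 h) ahead of lab-vm7/edr, while web01 is skipped because it sits inside its maintenance window.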

Analyst notes and limits

This data component is valuable because it measures whether other detections can be trusted. In practical assessments, Glexia would use it to test detection readiness, SOC handoff quality, IR visibility, and compliance evidence for endpoint monitoring. The most important local question is not whether host-status data exists somewhere, but whether degraded or missing telemetry is noticed quickly and tied to business-critical assets.

The ATT&CK object does not specify tactics, platforms, relationships, or official detection logic. The description includes example collection measures across Windows, Linux/macOS, EDR tools, and mobile security sources, but local technology coverage, event availability, retention, and alerting quality must be verified in the environment. No claim of active exploitation, attribution, or guaranteed detection is supported by the supplied fields.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.1
Created:
Modified:
Raw hash: 611bc636845be2d0...

Imported snapshots across ATT&CK releases (1):
  Release 19.1 | Bundle imported: | Object version 2.1 | Modified: | Status: Current bundle | Raw hash 611bc636845b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DC0018
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.