MITRE ATT&CK® Data Component

DC0117: System Notifications

System Notifications represent operating system alerts, warnings, or status messages generated in response to application actions, system state changes, or security events. These notifications may indicate potentially malicious activity or abnormal application behavior.

Examples

- Application requesting sensitive permissions
- USB device connected notifications
- Security warnings triggered by device configuration changes

Collection Methods

- Mobile OS notification monitoring
- Mobile EDR sensors
- Device management telemetry

Platform: Mobile | ID: DC0117 | Type: Data Component | Object version: 2.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

System Notifications are mobile operating system alerts and status messages that can reveal risky app behavior, device changes, or security-relevant events. For leaders, the value is not the notification itself; it is whether the organization can capture and preserve these signals when a mobile device shows signs of suspicious permission requests, USB connection activity, or configuration changes.

Executive priority

Treat this as a mobile visibility and evidence-readiness issue. If mobile devices are in scope for business operations, identity access, regulated workflows, or incident response, teams should confirm whether notification-derived evidence is collected through mobile OS monitoring, mobile EDR, or device management telemetry. This helps prioritize gaps in mobile monitoring, investigation workflows, and compliance evidence without assuming the notifications alone prove malicious activity.

Technical view

SOC and IR teams should validate whether mobile notification events are available, normalized, time-synchronized, and retained. Useful review points include alerts for sensitive permission requests, USB device connection notifications, and security warnings caused by device configuration changes. Because ATT&CK provides no official detection logic, teams should treat these notifications as contextual signals to correlate with application inventory, device management state, user activity, and other mobile security telemetry.

Likely telemetry

  • Mobile OS notification monitoring records
  • Mobile EDR sensor events
  • Device management telemetry
  • Alerts or warnings for sensitive permission requests
  • USB device connection notifications

Detection direction

  • Confirm which system notifications are actually captured versus only displayed locally to the user.
  • Correlate notification events with device management status, application behavior, and timing of configuration changes before escalating.
  • Tune for high-risk contexts such as unexpected sensitive permission prompts or security warnings on managed devices.
  • Account for false positives from legitimate app updates, user-approved configuration changes, or authorized peripheral use.
  • Document blind spots where mobile OS restrictions, unmanaged devices, retention limits, or missing mobile EDR coverage prevent collection.
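The correlation and false-positive handling listed above, as an added example that is not part of the ATT&CK object or of Glexia's tooling. Every record, field name, permission shortlist and the MDM inventory below is constructed for illustration; real mobile EDR and device management exports use their own schemas, and the approved-app, approved-peripheral and user-approval lookups stand in for whatever inventory the local MDM actually provides.

```python
"""Triage mobile system-notification events against device-management state.

Added example; all events, inventory entries and field names are constructed.
"""
from datetime import datetime, timedelta

# Constructed MDM inventory: management state, approved apps and peripherals.
MDM_INVENTORY = {
    "dev-001": {"managed": True, "approved_apps": {"com.example.notes"},
                "approved_peripherals": {"usb:vendor-abc"}},
    "dev-002": {"managed": True, "approved_apps": set(), "approved_peripherals": set()},
    "dev-003": {"managed": False, "approved_apps": set(), "approved_peripherals": set()},
}

# Constructed notification events as a mobile EDR sensor might normalise them.
NOTIFICATION_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "device": "dev-001", "kind": "permission_request",
     "app": "com.example.notes", "detail": "ACCESS_FINE_LOCATION"},
    {"ts": "2024-05-01T10:15:00", "device": "dev-002", "kind": "permission_request",
     "app": "com.example.flashlight", "detail": "READ_SMS"},
    {"ts": "2024-05-01T10:16:00", "device": "dev-002", "kind": "permission_request",
     "app": "com.example.flashlight", "detail": "VIBRATE"},
    {"ts": "2024-05-01T11:00:00", "device": "dev-001", "kind": "usb_connected",
     "app": None, "detail": "usb:vendor-abc"},
    {"ts": "2024-05-01T11:30:00", "device": "dev-002", "kind": "usb_connected",
     "app": None, "detail": "usb:vendor-xyz"},
    {"ts": "2024-05-01T12:00:00", "device": "dev-002", "kind": "config_warning",
     "app": None, "detail": "unknown_sources_enabled"},
    {"ts": "2024-05-01T12:00:05", "device": "dev-002", "kind": "user_action",
     "app": None, "detail": "config_change_approved"},
    {"ts": "2024-05-01T13:00:00", "device": "dev-003", "kind": "config_warning",
     "app": None, "detail": "developer_mode_enabled"},
]

# Constructed shortlist of permissions treated as sensitive; tune locally.
SENSITIVE_PERMISSIONS = {"READ_SMS", "ACCESS_FINE_LOCATION", "RECORD_AUDIO",
                         "BIND_ACCESSIBILITY_SERVICE"}
# A user approval recorded within this window suppresses a configuration warning.
APPROVAL_WINDOW = timedelta(minutes=5)


def _parse(ts):
    return datetime.fromisoformat(ts)


def _approved_within(events, device, after_ts, action):
    """True if a matching user_action record for the device follows within the window."""
    for e in events:
        if e["device"] == device and e["kind"] == "user_action" and e["detail"] == action:
            delta = _parse(e["ts"]) - after_ts
            if timedelta(0) <= delta <= APPROVAL_WINDOW:
                return True
    return False


def triage(events, inventory):
    """Return (device, reason) findings that survive correlation with MDM state.

    Notifications explained by an approved app, an approved peripheral or a
    recorded user approval are suppressed; unmanaged devices are reported as
    a coverage gap because their notifications cannot be correlated at all.
    """
    findings = []
    for e in events:
        dev = inventory.get(e["device"])
        ts = _parse(e["ts"])
        if dev is None or not dev["managed"]:
            findings.append((e["device"], f"unmanaged device emitted {e['kind']}; coverage gap"))
            continue
        if e["kind"] == "permission_request" and e["detail"] in SENSITIVE_PERMISSIONS:
            if e["app"] not in dev["approved_apps"]:
                findings.append((e["device"], f"{e['app']} requested {e['detail']} (app not in MDM inventory)"))
        elif e["kind"] == "usb_connected":
            if e["detail"] not in dev["approved_peripherals"]:
                findings.append((e["device"], f"unapproved peripheral {e['detail']} connected"))
        elif e["kind"] == "config_warning":
            if not _approved_within(events, e["device"], ts, "config_change_approved"):
                findings.append((e["device"], f"configuration warning {e['detail']} without approval record"))
    return findings


if __name__ == "__main__":
    for device, reason in triage(NOTIFICATION_EVENTS, MDM_INVENTORY):
        print(f"{device}: {reason}")
```

Run against the constructed data, the approved app's location prompt, the approved USB peripheral and the user-approved configuration change are suppressed, leaving three findings: the unapproved app's READ_SMS request, the unapproved peripheral on dev-002, and the unmanaged dev-003 warning that the pipeline cannot correlate. The last case is the blind spot the list above asks teams to document rather than silently drop.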

Mitigation priorities

  • Establish mobile telemetry requirements for managed devices, including notification, EDR, and device management evidence where available.
  • Define investigation playbooks for sensitive permission requests, USB connection notifications, and configuration-change warnings.
  • Use device management policy and mobile security tooling to improve visibility and retention of security-relevant mobile events.
  • Review mobile incident response and compliance procedures to ensure notification-derived evidence can be preserved and explained.

Analyst notes and limits

This data component is most useful as supporting evidence. System notifications can indicate abnormal application behavior or security-relevant device changes, but they require correlation to determine significance. The supplied ATT&CK object has no tactics, platforms, detection analytics, or relationship context, so local mobile management architecture determines practical coverage.

ATT&CK does not provide official detection logic, mapped techniques, platform detail, or relationship context for this object in the supplied fields. This take is therefore limited to defensive validation and telemetry planning based on the official description, examples, and collection methods.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.1
Created:
Modified:
Raw hash: d006ea5a747ce500...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        2.1                         Current bundle   d006ea5a747c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DC0117 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.