MITRE ATT&CK® Analytic

AN0730: Analytic 0730

Use unified logs to detect unusual DNS responses correlated with subsequent connections to calculated or non-standard ports. Monitor non-browser apps making repeated outbound connections that deviate from expected patterns.

Enterprise | AN0730 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because it focuses on macOS outbound network behavior that may not look suspicious from DNS alone or from connection logs alone. The decision value is correlation: unusual DNS responses followed by connections to calculated or non-standard ports, especially from non-browser applications, can expose activity that bypasses simple domain or port allow/deny assumptions.

Executive priority

Security leaders should treat this as a validation point for macOS visibility and egress monitoring maturity. The key business question is whether the organization can explain and investigate unusual outbound connections from managed Macs before they become an incident-response blind spot. This supports SOC readiness, incident triage, compliance evidence for endpoint/network monitoring, and prioritization of controls around application behavior and outbound traffic governance.

Technical view

For SOC and detection teams, validate that macOS unified logs can be collected, retained, and correlated with outbound network connection telemetry. The analytic is specifically scoped to macOS and looks for unusual DNS responses followed by connections to calculated or non-standard ports, with emphasis on non-browser applications making repeated outbound connections that deviate from expected patterns. Build baselines for expected applications, destinations, ports, and connection frequency before alerting broadly, because developer tools, update agents, VPN clients, and enterprise management software may create legitimate non-browser outbound traffic.

Likely telemetry

  • macOS unified logs containing DNS-related events or resolver activity
  • Endpoint network connection telemetry from macOS hosts
  • Process-to-network connection mappings for non-browser applications
  • Destination domain, IP address, port, and connection timing data
  • Application identity, process name, path, signing/notarization context where locally available

Detection direction

  • Confirm that DNS response events and subsequent outbound connections can be joined by host, process or application context, destination, and time window.
  • Prioritize repeated outbound connections from non-browser applications to non-standard or unusual ports after notable DNS responses.
  • Tune against known-good enterprise software such as management agents, security tools, VPN clients, sync clients, and developer utilities to reduce false positives.
  • Look for deviations from local baselines rather than relying only on a universal list of suspicious ports, because 'non-standard' is environment-dependent.
  • Validate retention and timestamp quality for macOS unified logs; weak endpoint log retention can break the correlation this analytic depends on.
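The correlation described in the technical view and the detection direction above, as an added example that is neither MITRE's nor Glexia's code: it joins DNS response events to later outbound connections by host and process within a time window, ignores browsers and per-application baselined ports, and alerts only on repeated hits. The normalized event shape, the application list, the port baseline, the five-minute window and the repeat threshold are all assumptions; the page does not define how a "calculated" port is derived, so a port outside the per-application baseline is treated as non-standard here.

```python
"""Correlate macOS DNS responses with later outbound connections to non-baselined ports."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed normalized event shape (not a real unified-log schema); helpers keep the sample short.
def dns(ts, host, proc, name, answer):
    return {"ts": ts, "host": host, "proc": proc, "type": "dns", "name": name, "answer": answer}

def conn(ts, host, proc, dst, port):
    return {"ts": ts, "host": host, "proc": proc, "type": "conn", "dst": dst, "port": port}

# Constructed sample telemetry from one managed Mac.
EVENTS = [
    dns("2024-05-01T10:00:00", "mac-01", "Safari", "www.example.com", "203.0.113.5"),
    conn("2024-05-01T10:00:01", "mac-01", "Safari", "203.0.113.5", 443),   # browser: ignored
    dns("2024-05-01T10:01:00", "mac-01", "jamf", "mdm.example.com", "198.51.100.7"),
    conn("2024-05-01T10:01:01", "mac-01", "jamf", "198.51.100.7", 443),    # baselined port: ignored
    dns("2024-05-01T10:02:00", "mac-01", "helper", "upd.example.net", "192.0.2.9"),
    conn("2024-05-01T10:02:01", "mac-01", "helper", "192.0.2.9", 4443),
    conn("2024-05-01T10:02:31", "mac-01", "helper", "192.0.2.9", 4443),
    conn("2024-05-01T10:03:01", "mac-01", "helper", "192.0.2.9", 4443),
    conn("2024-05-01T10:20:00", "mac-01", "helper", "192.0.2.9", 4443),    # DNS response too old
]

BROWSERS = {"Safari", "Google Chrome", "firefox"}                     # assumed browser names
BASELINE_PORTS = {"Safari": {80, 443}, "jamf": {443}, "helper": {443}}  # constructed per-app baseline
WINDOW = timedelta(minutes=5)   # assumed: DNS response must precede the connection by at most 5 min
REPEAT = 3                      # assumed: alert only on repeated connections

def correlate(events, baseline=BASELINE_PORTS, window=WINDOW, repeat=REPEAT):
    """Return {(host, proc, dns_name, dst_ip, port): count} for non-browser processes that
    repeatedly connect to a non-baselined port at an address a preceding DNS response returned."""
    dns_by_key = defaultdict(list)   # (host, proc) -> [(ts, name, answer)] in time order
    hits = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        key, ts = (ev["host"], ev["proc"]), datetime.fromisoformat(ev["ts"])
        if ev["type"] == "dns":
            dns_by_key[key].append((ts, ev["name"], ev["answer"]))
            continue
        if ev["proc"] in BROWSERS or ev["port"] in baseline.get(ev["proc"], set()):
            continue
        # Walk recent DNS responses newest-first; stop once they fall outside the window.
        for dts, name, answer in reversed(dns_by_key[key]):
            if ts - dts > window:
                break
            if answer == ev["dst"]:
                hits[(ev["host"], ev["proc"], name, ev["dst"], ev["port"])] += 1
                break
    return {k: v for k, v in hits.items() if v >= repeat}
```

Running `correlate(EVENTS)` flags only the helper process: three connections to port 4443 at the address its own DNS lookup returned, while the late fourth connection falls outside the window and is not counted.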

Mitigation priorities

  • Establish reliable macOS log collection and retention before depending on this analytic for coverage.
  • Inventory common non-browser applications that legitimately make outbound connections and document expected ports and destinations.
  • Apply outbound traffic governance where feasible, including review of unusual destination ports and application-level egress patterns.
  • Use endpoint management to maintain application inventory and reduce unknown or unmanaged software that complicates baselining.
  • Create incident triage procedures for unusual macOS outbound behavior, including validation of process identity, destination reputation where available, and business owner confirmation.

Analyst notes and limits

The supplied object is a detection analytic, not a technique or procedure. It provides a concise detection concept but no official detection logic, no tactics, and no relationships. The most useful implementation work is therefore local: confirm telemetry availability, define what 'non-standard' means in the environment, and baseline non-browser application behavior on managed macOS systems.

This take is limited to the supplied ATT&CK fields. It does not assert active exploitation, adversary attribution, impact, or guaranteed detection. The object only specifies macOS and provides no formal detection query, tactic mapping, or relationship context, so local environment evidence is required to operationalize and prioritize the analytic.

Official MITRE ATT&CK definition

Analytic 0730

Use unified logs to detect unusual DNS responses correlated with subsequent connections to calculated or non-standard ports. Monitor non-browser apps making repeated outbound connections that deviate from expected patterns.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not recorded in this snapshot)
Modified: (not recorded in this snapshot)
Raw hash: a75b77b63e42c3a2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | a75b77b63e42…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.