MITRE ATT&CK® Analytic

AN1714: Analytic 1714

Defender correlates an iOS-specific reduced-confidence chain where a managed or supervised device remains active but experiences abrupt loss of network-dependent functionality, repeated session failure, or sustained communication inability without matching configuration changes or ordinary user action. Because direct radio-layer and RF-cause visibility is weaker on iOS, the defender emphasizes device posture, application wake or foreground behavior during service loss, protected network-policy stability, and downstream failure patterns observed in VPN or proxy telemetry.

Mobile | AN1714 | Analytic | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1714 is a mobile detection analytic for supervised or managed iOS devices that stay powered and active but suddenly lose network-dependent capability, show repeated session failures, or cannot communicate for a sustained period without a matching configuration change or normal user action. Its business value is in identifying when important managed mobile devices may be operationally impaired even though the device itself still appears present and active.

Executive priority

Prioritize this analytic where iOS devices support executive communications, field operations, regulated workflows, or incident response coordination. The decision point is whether the organization can distinguish an expected connectivity issue from unexplained service loss on managed devices using auditable evidence from device posture, policy state, and VPN or proxy failures. This is relevant to operational resilience, mobile fleet governance, and compliance evidence for managed-device monitoring, but the supplied ATT&CK object does not provide attribution, impact, or exploitation claims.

Technical view

For SOC, mobile security, and IR teams, validate whether supervised or managed iOS devices can be correlated across device posture, application wake or foreground behavior, protected network-policy stability, and downstream VPN or proxy failure patterns. Because the ATT&CK description notes weaker direct radio-layer and RF-cause visibility on iOS, detection should avoid relying on radio-layer evidence that may not exist. The analytic should focus on reduced-confidence correlation: active device state plus abrupt network-dependent functionality loss, repeated session failure, or sustained communication inability, with no corresponding configuration change or ordinary user action.

Likely telemetry

  • Managed or supervised iOS device inventory and posture state
  • Mobile device management records for configuration and policy changes
  • Device activity or last-seen status showing the device remains active
  • Application wake, foreground, or usage-state signals where available
  • VPN connection, authentication, and session failure logs

Detection direction

  • Validate correlation logic that requires device activity plus unexplained network-dependent service loss rather than treating any single VPN or proxy failure as suspicious.
  • Tune for expected causes such as approved configuration changes, policy updates, normal user action, travel, carrier or Wi-Fi issues, and application maintenance windows.
  • Confirm that protected network-policy state is stable before escalating repeated session failures as unexplained.
  • Use downstream VPN or proxy telemetry to compensate for limited direct iOS radio-layer or RF-cause visibility.
  • Document confidence limits: this analytic is described as a reduced-confidence chain and should support triage rather than standalone conclusions.
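
The correlation described above, sketched as an added example (not MITRE's or Glexia's code). Event names, the 15-minute window, the three-failure threshold, and the sample telemetry are all assumptions constructed for illustration; map them to your own MDM, VPN, and proxy fields.

```python
from datetime import datetime, timedelta

# All event names, field layouts and thresholds below are assumptions.
WINDOW = timedelta(minutes=15)   # correlation window
MIN_FAILURES = 3                 # "repeated session failure" threshold
FAILURE = {"vpn_session_failure", "proxy_connect_failure"}
ACTIVE = {"app_foreground", "app_wake", "mdm_checkin"}
EXPLAINS = {"mdm_config_change", "network_policy_change", "user_action"}

MANAGED = {"ios-001", "ios-002", "ios-003", "ios-004"}  # constructed inventory

# Constructed sample telemetry: (device_id, timestamp, event kind).
EVENTS = [
    ("ios-001", "2025-01-10T09:00", "app_foreground"), ("ios-001", "2025-01-10T09:01", "vpn_session_failure"),
    ("ios-001", "2025-01-10T09:04", "proxy_connect_failure"), ("ios-001", "2025-01-10T09:09", "vpn_session_failure"),
    ("ios-002", "2025-01-10T09:55", "mdm_config_change"), ("ios-002", "2025-01-10T10:00", "app_foreground"),
    ("ios-002", "2025-01-10T10:01", "vpn_session_failure"), ("ios-002", "2025-01-10T10:03", "vpn_session_failure"),
    ("ios-002", "2025-01-10T10:08", "vpn_session_failure"),
    ("ios-003", "2025-01-10T10:30", "app_foreground"), ("ios-003", "2025-01-10T10:31", "vpn_session_failure"),
    ("ios-004", "2025-01-10T12:01", "vpn_session_failure"), ("ios-004", "2025-01-10T12:02", "vpn_session_failure"),
    ("ios-004", "2025-01-10T12:03", "vpn_session_failure"),
    ("ios-999", "2025-01-10T11:00", "app_foreground"), ("ios-999", "2025-01-10T11:01", "vpn_session_failure"),
    ("ios-999", "2025-01-10T11:02", "vpn_session_failure"), ("ios-999", "2025-01-10T11:03", "vpn_session_failure"),
]

def triage(events, managed, window=WINDOW, min_failures=MIN_FAILURES):
    """Return {device_id: start of first unexplained failure burst while active}."""
    per_device = {}
    for dev, ts, kind in events:
        if dev in managed:  # the analytic applies only to in-scope devices
            per_device.setdefault(dev, []).append((datetime.fromisoformat(ts), kind))
    hits = {}
    for dev, evs in sorted(per_device.items()):
        fails = sorted(t for t, k in evs if k in FAILURE)
        for start in fails:
            lo, hi = start - window, start + window
            burst = sum(1 for t in fails if start <= t <= hi)
            near = {k for t, k in evs if lo <= t <= hi}
            # Repeated failures AND device activity AND no explaining change.
            if burst >= min_failures and near & ACTIVE and not near & EXPLAINS:
                hits[dev] = start
                break
    return hits

if __name__ == "__main__":
    for dev, start in triage(EVENTS, MANAGED).items():
        print(f"{dev}: reduced-confidence triage lead, failures from {start.isoformat()}")
```

Only ios-001 is surfaced: ios-002 has a matching configuration change, ios-003 has a single failure, ios-004 shows no activity signal, and ios-999 is not in the managed inventory.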

Mitigation priorities

  • Maintain accurate managed and supervised iOS inventory so the analytic applies only to in-scope devices.
  • Preserve MDM configuration, policy-change, and device posture history for comparison during investigations.
  • Ensure VPN and proxy logs are retained and attributable to device and user identity where policy allows.
  • Define operational baselines for normal iOS connectivity interruptions, session retries, and app foreground behavior.
  • Create an IR triage path for unexplained sustained communication inability on high-priority managed devices.

Analyst notes and limits

This object is a detection analytic in the mobile ATT&CK domain for iOS. It has no supplied tactic, no official detection text beyond the description, and no relationship context. The strongest defensible use is as a correlation and triage pattern for managed or supervised iOS devices experiencing unexplained network-dependent failure while still active.

The supplied fields do not identify associated techniques, threat groups, software, campaigns, or mitigations. They also do not provide a concrete detection query, data source list, or confirmed attacker behavior. Local MDM, VPN, proxy, device posture, and change-management evidence is required to determine whether the pattern is meaningful in a specific environment.

Official MITRE ATT&CK definition

Analytic 1714

Defender correlates an iOS-specific reduced-confidence chain where a managed or supervised device remains active but experiences abrupt loss of network-dependent functionality, repeated session failure, or sustained communication inability without matching configuration changes or ordinary user action. Because direct radio-layer and RF-cause visibility is weaker on iOS, the defender emphasizes device posture, application wake or foreground behavior during service loss, protected network-policy stability, and downstream failure patterns observed in VPN or proxy telemetry.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: b3b4c86f0630655e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | b3b4c86f0630…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1714

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.