messaging_apple-push

Explanation

The messaging_apple-push NDM is designed to detect the presence of messaging applications on a network. It detects network traffic associated with Apple's Push Notification Service (APNS), specifically when the service is used by the messaging app iMessage.

What to Look For

To investigate a messaging_apple-push NDM event, look for network traffic associated with Apple's Push Notification Service. It may appear under various application and protocol signatures, such as SSL/TLS traffic over port 443 or HTTP/2 traffic. Also examine endpoints for the presence of the iMessage application or any other messaging applications associated with APNS traffic. The event is triggered when APNS traffic is discovered on the network, which indicates that messaging applications may be in use and may be exposing sensitive information.
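
One way to carry out the first triage step described above, as an added example that is not part of the original page: it filters TLS flow metadata for APNS-associated connections and lists the source endpoints to examine. The `push.apple.com` hostname suffix and port 5223 are assumptions taken from Apple's published network requirements, not from this page; the flow records, field names and addresses are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumption (not from the page): Apple's network requirements list APNS
# hosts under push.apple.com, reached on TCP 5223 with fallback to 443.
APNS_SNI_SUFFIX = ".push.apple.com"
APNS_PORTS = {443, 5223}

# Constructed sample of exported TLS flow metadata; not real traffic.
SAMPLE_FLOWS = """ts,src,dst,dport,sni,alpn
2024-05-01T09:00:01Z,10.0.4.21,198.51.100.10,5223,1-courier.push.apple.com,
2024-05-01T09:00:07Z,10.0.4.21,198.51.100.11,443,1-courier.push.apple.com,h2
2024-05-01T09:01:12Z,10.0.4.35,198.51.100.80,443,www.example.com,h2
2024-05-01T09:02:40Z,10.0.7.8,198.51.100.12,443,init.push.apple.com,
2024-05-01T09:03:02Z,10.0.7.9,203.0.113.5,443,push.apple.com.lookalike.example,h2
"""


def is_apns_flow(rec):
    """True when the TLS server name and port match the assumed APNS pattern."""
    sni = rec["sni"].strip().lower().rstrip(".")
    # Suffix match on a label boundary, so lookalike names do not qualify.
    host_match = sni == APNS_SNI_SUFFIX[1:] or sni.endswith(APNS_SNI_SUFFIX)
    port = rec["dport"].strip()
    return host_match and port.isdigit() and int(port) in APNS_PORTS


def endpoints_to_examine(flow_csv):
    """Group APNS-associated flows by source endpoint for follow-up."""
    hits = defaultdict(lambda: {"flows": 0, "ports": set(), "first_seen": None})
    for rec in csv.DictReader(io.StringIO(flow_csv)):
        if not is_apns_flow(rec):
            continue
        entry = hits[rec["src"]]
        entry["flows"] += 1
        entry["ports"].add(int(rec["dport"]))
        # ISO 8601 UTC timestamps in one format sort lexicographically.
        seen = [t for t in (entry["first_seen"], rec["ts"]) if t]
        entry["first_seen"] = min(seen)
    return dict(hits)


if __name__ == "__main__":
    for src, info in sorted(endpoints_to_examine(SAMPLE_FLOWS).items()):
        print(src, info["flows"], sorted(info["ports"]), info["first_seen"])
```

A server-name match shows only that an endpoint is using APNS, not which application is behind it, so the endpoint check for iMessage or other messaging applications is still needed.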