diff --git a/Logos/Samsung_Knox_Asset_Intelligence.svg b/Logos/Samsung_Knox_Asset_Intelligence.svg
index 21504c4e05d..4c780119c25 100644
--- a/Logos/Samsung_Knox_Asset_Intelligence.svg
+++ b/Logos/Samsung_Knox_Asset_Intelligence.svg
@@ -1,9 +1,9 @@ - + - +
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
index 6e199b63fe5..4ef23aa1edd 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
@@ -10,7 +10,7 @@ requiredDataConnectors:
 dataTypes:
 - Samsung_Knox_Audit_CL
 tactics: []
-techniques: []
+relevantTechniques: []
 query: |
 Samsung_Knox_System_CL| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" and MitreTtp has "KNOX.2"
 suppressionEnabled: false
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
index 1c005d158f6..2a30894db31 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
@@ -10,7 +10,7 @@ requiredDataConnectors:
 dataTypes:
 - Samsung_Knox_Audit_CL
 tactics: []
-techniques: []
+relevantTechniques: []
 query: |
 Samsung_Knox_System_CL | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC" and MitreTtp has "KNOX.2"
 alertDetailsOverride: 
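Review bot: In the SamsungKnoxPeripheralAccessDetectionWithCamera.yaml hunk the query reads `Samsung_Knox_System_CL` while `requiredDataConnectors.dataTypes` still declares only `Samsung_Knox_Audit_CL`; the SamsungKnoxPeripheralAccessDetectionWithMic.yaml hunk has the same mismatch, whereas SamsungKnoxSecurityLogFull.yaml queries the table it declares. If `Samsung_Knox_System_CL` is a separate custom table, the rule's data-connector readiness check is evaluated against a table the query never touches, so the rule can be reported as connected while the table it actually reads is empty, or vice versa. Either add `- Samsung_Knox_System_CL` under `dataTypes` or point the query at the declared table, whichever matches the streams the connector's DCR actually delivers. Separately, `tactics: []` next to the renamed `relevantTechniques: []` leaves the rule with no ATT&CK mapping although it filters on `MitreTtp has "KNOX.2"`; if the KNOX.* identifiers are vendor-specific rather than ATT&CK techniques, a one-line comment saying so (`# KNOX.* are Samsung Knox TTP ids, not ATT&CK techniques; no ATT&CK mapping applies`) would stop the empty lists from reading as an omission.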
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
index 40f0c74ffe0..073729ce334 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
@@ -10,7 +10,7 @@ requiredDataConnectors:
 dataTypes:
 - Samsung_Knox_Audit_CL
 tactics: []
-techniques: []
+relevantTechniques: []
 query: Samsung_Knox_Audit_CL| where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1"
 suppressionEnabled: false
 suppressionDuration: 5h
diff --git a/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json b/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json
index efe91a03a20..b606cc97116 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json
+++ b/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json
@@ -71,7 +71,7 @@
 "customs": [
 {
 "name": "Entra App",
- "description": "An Entra Application needs to be registered and provisioned with 'Sentinel Contributor'/ 'Microsoft Metrics Publisher' role to setup client secret-based authentication for data transfer. [See the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) to learn more about Entra App creation/registration and creating Client Secret credentials"
+ "description": "An Entra Application needs to be registered and provisioned with 'Microsoft Sentinel Contributor'/ 'Microsoft Metrics Publisher' role to setup client secret-based authentication for data transfer. [See the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) to learn more about Entra App creation/registration and creating Client Secret credentials"
 }
 ]
 },
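Review bot: The corrected Entra App description on the + line still names 'Microsoft Metrics Publisher', which as far as I know is not an Azure built-in role; the role that grants write access to a Data Collection Rule for the Logs Ingestion API is 'Monitoring Metrics Publisher', so this string should be checked before it ships (the identical text is repeated in the two mainTemplate.json hunks at @@ -208 and @@ -405). The slash between 'Microsoft Sentinel Contributor' and the publisher role also leaves it ambiguous whether one of the two or both are required. Because the client secret for this application is handed to a third-party portal in Step 3, the least-privilege guidance is to assign only 'Monitoring Metrics Publisher' scoped to the auto-generated DCR; 'Microsoft Sentinel Contributor' on the workspace would let a leaked secret modify analytic rules and incidents, far beyond pushing events. Suggested wording: `... provisioned with the 'Monitoring Metrics Publisher' role on the auto-generated Data Collection Rule (the minimum needed to push events; a broader role such as 'Microsoft Sentinel Contributor' is not required) ...`.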
@@ -108,12 +108,29 @@
 "description": ">**Note**: : Since this Data Connector is designed to support Client Secret-based authentication to securely transfer data, the user must create the Client Secret as credentials during the Entra application creation and registration. Ensure you copy the Client Secret value as soon as it is generated.\n\n>**IMPORTANT**: Save the Tenant (Directory) ID, Client (Application) ID and Client Secret (Secret Value) values"
 },
 {
- "title": "STEP 2 - Obtain Sentinel Data collection Details",
- "description": ">**Note**: Once you have installed Samsung Knox Asset Intelligence for Microsoft Sentinel Solution in Sentinel, a Data Collection Rule (DCR) associated with a Data Collection Endpoint (DCE), is auto-generated. To view this information, navigate to [Data Collection Rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules?) and look for DCR with its Name starting with **'samsung-knox-dcr-....'** and click on the DCR to view associated details.\n\n>**IMPORTANT**: Save the values for Immutable ID (DCR) and Data Collection Endpoint"
+ "title": "STEP 2 - Obtain Microsoft Sentinel Data collection Details",
+ "description": ">**Note**: Once you have installed Samsung Knox Asset Intelligence for Microsoft Sentinel Solution, a Data Collection Rule (DCR) associated with a Data Collection Endpoint (DCE), is auto-generated. To view this information, navigate to [Data Collection Rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules?) and look for DCR with its Name starting with **'samsung-knox-dcr-....'** and click on the DCR to view associated details.\n\n>**IMPORTANT**: Save the values for Immutable ID (DCR) and Data Collection Endpoint"
 },
 {
 "title": "STEP 3 - Connect to Samsung Knox Asset Intelligence solution to configure Microsoft Sentinel to push select Knox Security Events as Alerts -",
- "description": "1. 
Login to [Knox Asset Intelligence administration portal](https://central.samsungknox.com/kaiadmin/dai/home) and navigate to **Dashboard Settings**; this is available at the top-right corner of the Portal\n> **Note**: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions\n\n2. Click on Security tab to view settings for Security Operations Integration and for Knox Security Logs.\n\n3. In the Security Operations Integration page, toggle on the **'Enable Microsoft Sentinel Integration'** and enter appropriate values in the required fields - \n\n a. For Tenant ID, Client ID and Client Secret, refer to the information saved from Step 1 while registering the Entra application \n\n b. For Sentinel DCE and DCR, refer to the information saved from Step 2 \n\n4. Click on the **'Test Connection'** and ensure the connection is successful.\n\n5. Before you can Save, configure Knox Security Logs by selecting wither Essential or Advanced configuration **(default: Essential)**\n\n6. To complete the Sentinel integration, click **'Save'**"
+ "description": "1. Login to [Knox Asset Intelligence administration portal](https://central.samsungknox.com/kaiadmin/dai/home) and navigate to **Dashboard Settings**; this is available at the top-right corner of the Portal\n> **Note**: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions\n\n2. Click on Security tab to view settings for Security Operations Integration and for Knox Security Logs.\n\n3. In the Security Operations Integration page, toggle on the **'Enable Microsoft Sentinel Integration'** and enter appropriate values in the required fields - \n\n a. For Tenant ID, Client ID and Client Secret, refer to the information saved from Step 1 while registering the Entra application \n\n b. For Microsoft Sentinel DCE and DCR, refer to the information saved from Step 2 \n\n4. 
Click on the **'Test Connection'** and ensure the connection is successful.\n\n5. Before you can Save, configure Knox Security Logs by selecting wither Essential or Advanced configuration **(default: Essential)**\n\n6. To complete the Microsoft Sentinel integration, click **'Save'**"
 }
- ]
+ ],
+ "metadata": {
+ "id": "790935a7-f8ec-4207-a48f-42a7e4ee0ab7",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution"
+ },
+ "author": {
+ "name": "Samsung Knox Asset Intelligence"
+ },
+ "support": {
+ "name": "Samsung Electronics Co., Ltd.",
+ "email": "kai.sme@samsung.com",
+ "tier": "Partner",
+ "link": "https://www2.samsungknox.com/en/support"
+ }
+ }
 }
\ No newline at end of file
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip
index a48f92a9bd1..46df9437cb9 100644
Binary files a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip and b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip differ
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
index d0c689f4ad7..12d847e89aa 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
+++ b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
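Review bot: The rewritten STEP 3 description on the + line still reads `selecting wither Essential or Advanced configuration`; since the commit already edits this string, `wither` should become `either` here and in the two mainTemplate.json copies (hunks @@ -244 and @@ -418). The new `metadata` block declares `"version": "1.0.0"` while the package committed alongside is `3.0.0.zip`; if that is the connector-definition version rather than the solution version it is fine, but it is worth confirming so nobody expects the two to track each other. The `\ No newline at end of file` marker shows the file still ends without a trailing newline, which this edit could have fixed. The same STEP 3 text has the operator paste the Client Secret into the Knox portal; a sentence noting that the secret presumably carries an Entra expiry and must be re-entered in the portal when rotated would spare operators a silent stop of event delivery — something like `Note: when the Client Secret is rotated or expires in Entra, update it here as well.`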
@@ -208,7 +208,7 @@
 "customs": [
 {
 "name": "Entra App",
- "description": "An Entra Application needs to be registered and provisioned with 'Sentinel Contributor'/ 'Microsoft Metrics Publisher' role to setup client secret-based authentication for data transfer. [See the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) to learn more about Entra App creation/registration and creating Client Secret credentials"
+ "description": "An Entra Application needs to be registered and provisioned with 'Microsoft Sentinel Contributor'/ 'Microsoft Metrics Publisher' role to setup client secret-based authentication for data transfer. [See the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) to learn more about Entra App creation/registration and creating Client Secret credentials"
 }
 ]
 },
@@ -244,14 +244,31 @@
 "title": "STEP 1 - Create and register an Entra Application "
 },
 {
- "description": ">**Note**: Once you have installed Samsung Knox Asset Intelligence for Microsoft Sentinel Solution in Sentinel, a Data Collection Rule (DCR) associated with a Data Collection Endpoint (DCE), is auto-generated. To view this information, navigate to [Data Collection Rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules?) and look for DCR with its Name starting with **'samsung-knox-dcr-....'** and click on the DCR to view associated details.\n\n>**IMPORTANT**: Save the values for Immutable ID (DCR) and Data Collection Endpoint",
- "title": "STEP 2 - Obtain Sentinel Data collection Details"
+ "description": ">**Note**: Once you have installed Samsung Knox Asset Intelligence for Microsoft Sentinel Solution, a Data Collection Rule (DCR) associated with a Data Collection Endpoint (DCE), is auto-generated. To view this information, navigate to [Data Collection Rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules?) and look for DCR with its Name starting with **'samsung-knox-dcr-....'** and click on the DCR to view associated details.\n\n>**IMPORTANT**: Save the values for Immutable ID (DCR) and Data Collection Endpoint",
+ "title": "STEP 2 - Obtain Microsoft Sentinel Data collection Details"
 },
 {
- "description": "1. Login to [Knox Asset Intelligence administration portal](https://central.samsungknox.com/kaiadmin/dai/home) and navigate to **Dashboard Settings**; this is available at the top-right corner of the Portal\n> **Note**: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions\n\n2. Click on Security tab to view settings for Security Operations Integration and for Knox Security Logs.\n\n3. In the Security Operations Integration page, toggle on the **'Enable Microsoft Sentinel Integration'** and enter appropriate values in the required fields - \n\n a. 
For Tenant ID, Client ID and Client Secret, refer to the information saved from Step 1 while registering the Entra application \n\n b. For Sentinel DCE and DCR, refer to the information saved from Step 2 \n\n4. Click on the **'Test Connection'** and ensure the connection is successful.\n\n5. Before you can Save, configure Knox Security Logs by selecting wither Essential or Advanced configuration **(default: Essential)**\n\n6. To complete the Sentinel integration, click **'Save'**",
+ "description": "1. Login to [Knox Asset Intelligence administration portal](https://central.samsungknox.com/kaiadmin/dai/home) and navigate to **Dashboard Settings**; this is available at the top-right corner of the Portal\n> **Note**: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions\n\n2. Click on Security tab to view settings for Security Operations Integration and for Knox Security Logs.\n\n3. In the Security Operations Integration page, toggle on the **'Enable Microsoft Sentinel Integration'** and enter appropriate values in the required fields - \n\n a. For Tenant ID, Client ID and Client Secret, refer to the information saved from Step 1 while registering the Entra application \n\n b. For Microsoft Sentinel DCE and DCR, refer to the information saved from Step 2 \n\n4. Click on the **'Test Connection'** and ensure the connection is successful.\n\n5. Before you can Save, configure Knox Security Logs by selecting wither Essential or Advanced configuration **(default: Essential)**\n\n6. 
To complete the Microsoft Sentinel integration, click **'Save'**",
 "title": "STEP 3 - Connect to Samsung Knox Asset Intelligence solution to configure Microsoft Sentinel to push select Knox Security Events as Alerts -"
 }
- ]
+ ],
+ "metadata": {
+ "id": "790935a7-f8ec-4207-a48f-42a7e4ee0ab7",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution"
+ },
+ "author": {
+ "name": "Samsung Knox Asset Intelligence"
+ },
+ "support": {
+ "name": "Samsung Electronics Co., Ltd.",
+ "email": "kai.sme@samsung.com",
+ "tier": "Partner",
+ "link": "https://www2.samsungknox.com/en/support"
+ }
+ }
 }
 }
 },
@@ -405,7 +422,7 @@
 "customs": [
 {
 "name": "Entra App",
- "description": "An Entra Application needs to be registered and provisioned with 'Sentinel Contributor'/ 'Microsoft Metrics Publisher' role to setup client secret-based authentication for data transfer. [See the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) to learn more about Entra App creation/registration and creating Client Secret credentials"
+ "description": "An Entra Application needs to be registered and provisioned with 'Microsoft Sentinel Contributor'/ 'Microsoft Metrics Publisher' role to setup client secret-based authentication for data transfer. [See the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) to learn more about Entra App creation/registration and creating Client Secret credentials"
 }
 ]
 },
@@ -418,11 +435,11 @@
 "title": "STEP 1 - Create and register an Entra Application "
 },
 {
- "description": ">**Note**: Once you have installed Samsung Knox Asset Intelligence for Microsoft Sentinel Solution in Sentinel, a Data Collection Rule (DCR) associated with a Data Collection Endpoint (DCE), is auto-generated. To view this information, navigate to [Data Collection Rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules?) and look for DCR with its Name starting with **'samsung-knox-dcr-....'** and click on the DCR to view associated details.\n\n>**IMPORTANT**: Save the values for Immutable ID (DCR) and Data Collection Endpoint",
- "title": "STEP 2 - Obtain Sentinel Data collection Details"
+ "description": ">**Note**: Once you have installed Samsung Knox Asset Intelligence for Microsoft Sentinel Solution, a Data Collection Rule (DCR) associated with a Data Collection Endpoint (DCE), is auto-generated. To view this information, navigate to [Data Collection Rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules?) and look for DCR with its Name starting with **'samsung-knox-dcr-....'** and click on the DCR to view associated details.\n\n>**IMPORTANT**: Save the values for Immutable ID (DCR) and Data Collection Endpoint",
+ "title": "STEP 2 - Obtain Microsoft Sentinel Data collection Details"
 },
 {
- "description": "1. Login to [Knox Asset Intelligence administration portal](https://central.samsungknox.com/kaiadmin/dai/home) and navigate to **Dashboard Settings**; this is available at the top-right corner of the Portal\n> **Note**: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions\n\n2. Click on Security tab to view settings for Security Operations Integration and for Knox Security Logs.\n\n3. In the Security Operations Integration page, toggle on the **'Enable Microsoft Sentinel Integration'** and enter appropriate values in the required fields - \n\n a. 
For Tenant ID, Client ID and Client Secret, refer to the information saved from Step 1 while registering the Entra application \n\n b. For Sentinel DCE and DCR, refer to the information saved from Step 2 \n\n4. Click on the **'Test Connection'** and ensure the connection is successful.\n\n5. Before you can Save, configure Knox Security Logs by selecting wither Essential or Advanced configuration **(default: Essential)**\n\n6. To complete the Sentinel integration, click **'Save'**",
+ "description": "1. Login to [Knox Asset Intelligence administration portal](https://central.samsungknox.com/kaiadmin/dai/home) and navigate to **Dashboard Settings**; this is available at the top-right corner of the Portal\n> **Note**: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions\n\n2. Click on Security tab to view settings for Security Operations Integration and for Knox Security Logs.\n\n3. In the Security Operations Integration page, toggle on the **'Enable Microsoft Sentinel Integration'** and enter appropriate values in the required fields - \n\n a. For Tenant ID, Client ID and Client Secret, refer to the information saved from Step 1 while registering the Entra application \n\n b. For Microsoft Sentinel DCE and DCR, refer to the information saved from Step 2 \n\n4. Click on the **'Test Connection'** and ensure the connection is successful.\n\n5. Before you can Save, configure Knox Security Logs by selecting wither Essential or Advanced configuration **(default: Essential)**\n\n6. To complete the Microsoft Sentinel integration, click **'Save'**",
 "title": "STEP 3 - Connect to Samsung Knox Asset Intelligence solution to configure Microsoft Sentinel to push select Knox Security Events as Alerts -"
 }
 ],
@@ -588,10 +605,10 @@
 },
 "incidentConfiguration": {
 "groupingConfiguration": {
- "lookbackDuration": "5h",
 "enabled": false,
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "matchingMethod": "AllEntities"
+ "lookbackDuration": "5h"
 },
 "createIncident": true
 }
@@ -689,10 +706,10 @@
 },
 "incidentConfiguration": {
 "groupingConfiguration": {
- "lookbackDuration": "5h",
 "enabled": false,
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "matchingMethod": "AllEntities"
+ "lookbackDuration": "5h"
 },
 "createIncident": true
 }
@@ -790,10 +807,10 @@
 },
 "incidentConfiguration": {
 "groupingConfiguration": {
- "lookbackDuration": "5h",
 "enabled": false,
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "matchingMethod": "AllEntities"
+ "lookbackDuration": "5h"
 },
 "createIncident": true
 }
@@ -891,10 +908,10 @@
 },
 "incidentConfiguration": {
 "groupingConfiguration": {
- "lookbackDuration": "5h",
 "enabled": false,
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "matchingMethod": "AllEntities"
+ "lookbackDuration": "5h"
 },
 "createIncident": true
 }
@@ -986,10 +1003,10 @@
 },
 "incidentConfiguration": {
 "groupingConfiguration": {
- "lookbackDuration": "5h",
 "enabled": false,
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "matchingMethod": "AllEntities"
+ "lookbackDuration": "5h"
 },
 "createIncident": true
 }
@@ -1084,10 +1101,10 @@
 },
 "incidentConfiguration": {
 "groupingConfiguration": {
- "lookbackDuration": "5h",
 "enabled": false,
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "matchingMethod": "AllEntities"
+ "lookbackDuration": "5h"
 },
 "createIncident": true
 }
@@ -1185,10 +1202,10 @@
 },
 "incidentConfiguration": {
 "groupingConfiguration": {
- "lookbackDuration": "5h",
 "enabled": false,
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "matchingMethod": "AllEntities"
+ "lookbackDuration": "5h"
 },
 "createIncident": true
 }
diff --git a/Workbooks/Images/Logos/Samsung_Knox_Asset_Intelligence.svg b/Workbooks/Images/Logos/Samsung_Knox_Asset_Intelligence.svg
index 21504c4e05d..4c780119c25 100644
--- a/Workbooks/Images/Logos/Samsung_Knox_Asset_Intelligence.svg
+++ b/Workbooks/Images/Logos/Samsung_Knox_Asset_Intelligence.svg
@@ -1,9 +1,9 @@ - + - +