From 4d0fc2ef2726584d662ac8e6d53ba0ad9eded9c0 Mon Sep 17 00:00:00 2001 From: "jaspreet.ss" Date: Thu, 19 Dec 2024 17:42:42 -0800 Subject: [PATCH] updated AnalyticsRule, fix validations and repackage --- .../Samsung_Knox_Application_CL.json | 145 +++++++++--------- .../CustomTables/Samsung_Knox_Audit_CL.json | 13 +- .../CustomTables/Samsung_Knox_Network_CL.json | 13 +- .../CustomTables/Samsung_Knox_Process_CL.json | 13 +- .../CustomTables/Samsung_Knox_System_CL.json | 13 +- .../CustomTables/Samsung_Knox_User_CL.json | 13 +- ...pplicationPrivilegeEscalationOrChange.yaml | 12 +- ...SamsungKnoxKeyguardDisabledFeatureSet.yaml | 11 +- ...SamsungKnoxMobileDeviceBootCompromise.yaml | 14 +- .../SamsungKnoxPasswordLockout.yaml | 7 +- ...oxPeripheralAccessDetectionWithCamera.yaml | 9 +- ...gKnoxPeripheralAccessDetectionWithMic.yaml | 16 +- .../SamsungKnoxSecurityLogFull.yaml | 7 +- .../SamsungKnoxSuspiciousURLs.yaml | 9 +- .../Samsung_Knox_Application_CL.json | 145 +++++++++--------- .../CustomTables/Samsung_Knox_Audit_CL.json | 13 +- .../CustomTables/Samsung_Knox_Network_CL.json | 13 +- .../CustomTables/Samsung_Knox_Process_CL.json | 13 +- .../CustomTables/Samsung_Knox_System_CL.json | 13 +- .../CustomTables/Samsung_Knox_User_CL.json | 13 +- .../Package/3.0.0.zip | Bin 13398 -> 13418 bytes .../Package/createUiDefinition.json | 2 +- .../Package/mainTemplate.json | 94 ++++++------ 23 files changed, 282 insertions(+), 319 deletions(-) diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json index 6f07954f4d6..79ac039bed1 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json 
@@ -1,76 +1,71 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Application_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "DateTime", - "isDefaultDisplay": true, - "description": "The timestamp (UTC) reflecting the time in which the event was generated." - }, - { - "name": "PrimaryImei", - "type": "string" - }, - { - "name": "DeviceImei1", - "type": "string" - }, - { - "name": "DeviceImei2", - "type": "string" - }, - { - "name": "DeviceSerialNumber", - "type": "string" - }, - { - "name": "DeviceWifimac", - "type": "string" - }, - { - "name": "DeviceModel", - "type": "string" - }, - { - "name": "EventGuid", - "type": "long" - }, - { - "name": "Name", - "type": "string" - }, - { - "name": "Version", - "type": "string" - }, - { - "name": "Severity", - "type": "string" - }, - { - "name": "MitreTtp", - "type": "dynamic" - }, - { - "name": "Profile", - "type": "string" - }, - { - "name": "PkgName", - "type": "string" - }, - { - "name": "AccessibilityApi", - "type": "string" - }, - { - "name": "RestrictedPerms", - "type": "dynamic" - } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + "Name": "Samsung_Knox_Application_CL", + "Properties": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." 
+ }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "AccessibilityApi", + "type": "string" + }, + { + "name": "RestrictedPerms", + "type": "dynamic" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json index 0dcb6d7eb1f..b2626a7fb0e 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Audit_CL", - "columns": [ + "Name": "Samsung_Knox_Audit_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -85,8 +83,5 @@ "name": "PkgName", "type": "string" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json index 4def94f521d..e1b0821d9c0 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json 
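Review bot: The new top-level keys `Name` and `Properties` are PascalCase while every column entry keeps `name`/`type` in camelCase, so one file now mixes two conventions; `name`/`columns` at the top would match the entries and the previous shape. The rewrite also drops the `properties.schema` wrapper and `"plan": "Analytics"`, so anything that still reads `properties.schema.columns` from these files will find nothing — the consumer that expects the new shape is not in this diff, so that is worth confirming before the 3.0.0 package ships. The same applies to the Audit, Network, Process, System and User tables below and to the identical copies under `Solutions/Samsung Knox Asset Intelligence/CustomTables/`; the two copies are byte-for-byte duplicates that must now be kept in sync by hand.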
@@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Network_CL", - "columns": [ + "Name": "Samsung_Knox_Network_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -133,8 +131,5 @@ "name": "SocketType", "type": "int" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json index c6210a8b19e..34466c665a0 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Process_CL", - "columns": [ + "Name": "Samsung_Knox_Process_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -141,8 +139,5 @@ "name": "Ctime", "type": "DateTime" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json index e47c5d0ac12..a78e820adde 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_System_CL", - "columns": [ + "Name": "Samsung_Knox_System_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -233,8 +231,5 @@ "name": "AvbVerityMode", "type": "string" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file 
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json index 873b97c3c46..af00349213c 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_User_CL", - "columns": [ + "Name": "Samsung_Knox_User_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -73,8 +71,5 @@ "name": "UrlType", "type": "int" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml index 0b659f86ef4..f751b6f2660 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml 
@@ -2,19 +2,22 @@ id: 215e89ca-cdbc-4661-b8b2-7041f6ecc7fb name: Knox Application Privilege Escalation or Change version: 1.0.0 kind: NRT -description: When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id. +description: | + When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id. severity: High status: Available requiredDataConnectors: - connectorId: SamsungDCDefinition dataTypes: - - Samsung_Knox_Audit_CL + - Samsung_Knox_Process_CL tactics: - PrivilegeEscalation relevantTechniques: - T1548 query: | - Samsung_Knox_Process_CL | where Name == "PROCESS_PRIVILEGE_ESCALATION" and MitreTtp has "T1548" + Samsung_Knox_Process_CL + | where Name == "PROCESS_PRIVILEGE_ESCALATION" + | where MitreTtp has "T1548" suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: @@ -25,5 +28,4 @@ incidentConfiguration: lookbackDuration: 5h matchingMethod: AllEntities eventGroupingSettings: - aggregationKind: SingleAlert - + aggregationKind: SingleAlert \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml index 7eaf5422bcc..a9b7145c531 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml @@ -10,11 +10,13 @@ requiredDataConnectors: dataTypes: - Samsung_Knox_Audit_CL tactics: -- InitialAccess + - InitialAccess relevantTechniques: -- T1461 + - T1461 query: | - Samsung_Knox_Audit_CL | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" and MitreTtp has "T1461" + Samsung_Knox_Audit_CL + | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" + and MitreTtp has "T1461" suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: 
@@ -25,5 +27,4 @@ incidentConfiguration: lookbackDuration: 5h matchingMethod: AllEntities eventGroupingSettings: - aggregationKind: SingleAlert - + aggregationKind: SingleAlert \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml index 3924e3eb31d..eedc0798921 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml @@ -2,7 +2,8 @@ id: fae7e371-aee8-4d3f-8311-2255a45a30b3 name: Knox Mobile Device Boot Compromise version: 1.0.0 kind: NRT -description: When Knox device boot binary is at risk of compromise. +description: | + 'When Knox device boot binary is at risk of compromise.' severity: High status: Available requiredDataConnectors: @@ -10,11 +11,13 @@ requiredDataConnectors: dataTypes: - Samsung_Knox_System_CL tactics: -- Persistence + - Persistence relevantTechniques: -- T1645 + - T1645 query: | - Samsung_Knox_System_CL | where Name == "BOOT_COMPROMISED_SOFTWARE_BINARY" and MitreTtp has "T1645" + Samsung_Knox_System_CL + | where Name == "BOOT_COMPROMISED_SOFTWARE_BINARY" + and MitreTtp has "T1645" suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: @@ -25,5 +28,4 @@ incidentConfiguration: lookbackDuration: 5h matchingMethod: AllEntities eventGroupingSettings: - aggregationKind: SingleAlert - + aggregationKind: SingleAlert \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml index 3d042a87dbf..b6cf11d8b1a 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml 
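Review bot: In the Boot Compromise hunk the new `description: |` block scalar keeps its content literally, so the single quotes on the following line become part of the description text (`'When Knox device boot binary is at risk of compromise.'`), which is not what the old plain scalar produced and not what the `mainTemplate.json` description in this same commit shows. Either drop the quotes inside the block, `description: |` followed by `  When Knox device boot binary is at risk of compromise.`, or use a plain quoted scalar without the block indicator. The same quoting appears in the Password Lockout, Camera, Mic, Security Log Full and Suspicious URLs rules further down; the Privilege Escalation rule above got it right.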
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml @@ -2,7 +2,8 @@ id: fbff0a97-1972-4df8-a78c-254ccb9879ef name: Knox Password Lockout version: 1.0.0 kind: NRT -description: When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy. +description: | + 'When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.' severity: High status: Available requiredDataConnectors: @@ -14,7 +15,9 @@ tactics: relevantTechniques: - T1110 query: | - Samsung_Knox_User_CL | where Name == "PASSWORD_LOCKOUT" and MitreTtp has "T1110" + Samsung_Knox_User_CL + | where Name == "PASSWORD_LOCKOUT" + and MitreTtp has "T1110" suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml index 4ef23aa1edd..9b8c00649a8 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml 
@@ -2,17 +2,20 @@ id: cd526f4d-dbe9-4149-8a0a-9ec43c3abb16 name: Knox Peripheral Access Detection with Camera version: 1.0.0 kind: NRT -description: When Knox device camera access has been detected through system policy when such access is disabled. +description: | + 'When Knox device camera access has been detected through system policy when such access is disabled.' severity: High status: Available requiredDataConnectors: - connectorId: SamsungDCDefinition dataTypes: - - Samsung_Knox_Audit_CL + - Samsung_Knox_System_CL tactics: [] relevantTechniques: [] query: | - Samsung_Knox_System_CL| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" and MitreTtp has "KNOX.2" + Samsung_Knox_System_CL + | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" + and MitreTtp has "KNOX.2" suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml index 2a30894db31..afa510d85c6 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml 
@@ -1,18 +1,21 @@ id: e4032fd2-4d05-4302-b7c0-f3f0380e2313 -name: Knox Peripheral Access Detection with Mic +name: Knox Peripheral Access Detection with Mic version: 1.0.0 kind: NRT -description: When Knox device microphone access has been detected through system policy when such access is disabled. +description: | + 'When Knox device microphone access has been detected through system policy when such access is disabled.' severity: High status: Available requiredDataConnectors: - connectorId: SamsungDCDefinition dataTypes: - - Samsung_Knox_Audit_CL + - Samsung_Knox_System_CL tactics: [] relevantTechniques: [] query: | - Samsung_Knox_System_CL | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC" and MitreTtp has "KNOX.2" + Samsung_Knox_System_CL + | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC" + and MitreTtp has "KNOX.2" alertDetailsOverride: alertDynamicProperties: [] suppressionEnabled: false @@ -26,4 +29,7 @@ incidentConfiguration: matchingMethod: AllEntities eventGroupingSettings: aggregationKind: SingleAlert - +properties: + schema: + - "Name" + - "MitreTtp" \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml index 3edba390cf9..cd0f7f3835c 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml @@ -2,7 +2,8 @@ id: bf9be360-7f08-48b2-8e9d-ca240c48b404 name: Knox Security Log Full version: 1.0.0 kind: NRT -description: When Security Log is full on a Knox device. +description: | + 'When Security Log is full on a Knox device.' severity: High status: Available requiredDataConnectors: 
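Review bot: The Mic rule's last hunk appends a `properties:` / `schema:` mapping listing `"Name"` and `"MitreTtp"` after `eventGroupingSettings`, which none of the other seven rule files in this commit carry and which reads like a fragment from a table definition rather than an analytic-rule field; if nothing in the validation or packaging tooling consumes it, it should be removed, and if something does, the other rules presumably need it too. The `name:` line is shown as changed with identical visible text, so the difference is presumably trailing whitespace, as with the matching `label` change in `createUiDefinition.json`.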
@@ -12,7 +13,9 @@ requiredDataConnectors: tactics: [] relevantTechniques: [] query: | - Samsung_Knox_Audit_CL| where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1" + Samsung_Knox_Audit_CL + | where Name == "LOG_IS_FULL" + and MitreTtp has "KNOX.1" suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml index de17f6d1d68..a8d19e14931 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml @@ -1,8 +1,9 @@ id: 18d4d4f3-6605-4fd2-968c-82c171409c1c -name: Knox Suspicious URL Accessed Events +name: Knox Suspicious URL Accessed Events version: 1.0.0 kind: NRT -description: When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence. +description: | + 'When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.' severity: High status: Available requiredDataConnectors: @@ -14,7 +15,9 @@ tactics: relevantTechniques: - T1566 query: | - Samsung_Knox_User_CL | where Name == "SUSPICIOUS_URL_ACCESSED" and ConfidenceScore > 0.9 + Samsung_Knox_User_CL + | where Name == "SUSPICIOUS_URL_ACCESSED" + and ConfidenceScore > 0.9 suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json index 6f07954f4d6..79ac039bed1 100644 --- a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json 
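Review bot: The Suspicious URLs query filters on `ConfidenceScore > 0.9`, but `ConfidenceScore` does not appear in any visible part of the `Samsung_Knox_User_CL` definition in this diff (only the tail ending at `UrlType` is shown), and unlike the sibling rules this one does not also constrain `MitreTtp` even though it declares `T1566`. It is worth confirming the column is declared with a numeric type, since a string column would make the comparison fail KQL validation, and considering `and MitreTtp has "T1566"` if the events carry it, to keep the rule consistent with the others. The column presumably exists in the untouched part of the schema.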
+++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json 
@@ -1,76 +1,71 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Application_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "DateTime", - "isDefaultDisplay": true, - "description": "The timestamp (UTC) reflecting the time in which the event was generated." - }, - { - "name": "PrimaryImei", - "type": "string" - }, - { - "name": "DeviceImei1", - "type": "string" - }, - { - "name": "DeviceImei2", - "type": "string" - }, - { - "name": "DeviceSerialNumber", - "type": "string" - }, - { - "name": "DeviceWifimac", - "type": "string" - }, - { - "name": "DeviceModel", - "type": "string" - }, - { - "name": "EventGuid", - "type": "long" - }, - { - "name": "Name", - "type": "string" - }, - { - "name": "Version", - "type": "string" - }, - { - "name": "Severity", - "type": "string" - }, - { - "name": "MitreTtp", - "type": "dynamic" - }, - { - "name": "Profile", - "type": "string" - }, - { - "name": "PkgName", - "type": "string" - }, - { - "name": "AccessibilityApi", - "type": "string" - }, - { - "name": "RestrictedPerms", - "type": "dynamic" - } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + "Name": "Samsung_Knox_Application_CL", + "Properties": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." 
+ }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "AccessibilityApi", + "type": "string" + }, + { + "name": "RestrictedPerms", + "type": "dynamic" + } + ] +} \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json index 0dcb6d7eb1f..b2626a7fb0e 100644 --- a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Audit_CL", - "columns": [ + "Name": "Samsung_Knox_Audit_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -85,8 +83,5 @@ "name": "PkgName", "type": "string" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json index 4def94f521d..e1b0821d9c0 100644 --- a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json 
@@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Network_CL", - "columns": [ + "Name": "Samsung_Knox_Network_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -133,8 +131,5 @@ "name": "SocketType", "type": "int" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json index c6210a8b19e..34466c665a0 100644 --- a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Process_CL", - "columns": [ + "Name": "Samsung_Knox_Process_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -141,8 +139,5 @@ "name": "Ctime", "type": "DateTime" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json index e47c5d0ac12..a78e820adde 100644 --- a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_System_CL", - "columns": [ + "Name": "Samsung_Knox_System_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -233,8 +231,5 @@ "name": "AvbVerityMode", "type": "string" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file 
diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json index 873b97c3c46..af00349213c 100644 --- a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_User_CL", - "columns": [ + "Name": "Samsung_Knox_User_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -73,8 +71,5 @@ "name": "UrlType", "type": "int" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file 
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip index 684d8d99c6b9053ac7879c2b629188b65a4e40f5..a4a75db35df7426f8708eef859da5aee3636f1ce 100644 GIT binary patch delta 4393 zcmZvgXD}RG-^LfKEuuw>7P5%d`)W&s2%@*O2(nlb(R-G)2oXISy(C(K)mfbz(IQH8 zqGh$HN%R_dl6&TTX5N|Sd^l(3%=PL2yRJEBt|^x-7d9h3GT?Op06+zpio;onlKOCo zg8%^9WHvd*>Upyl6I7{81xY}MM&Zi(VG4DftR($A9;iCDnV9bc&YWZxpfRh3Y`60zty|DC5^PPezE7woKu2e zFqz&%NCzoO=0yh}GFR7Gy0{&wnK`{LHVx}_R*`-LhoyVpQXNl!DP_lQ_-TSQ`bw*p zMCQx0(1#gX2WQYE`N4M?j5qqMr0F<%Hj{pH=hzzw@@IDFGI)9ylR60ssmNO~*@V6+ zR!Do+OZ6-$?8q2QmK^xVts>%pCrfWB3IpBS#2wPLM`=*xmA7L;a<3TMhpei^nX7plOr&rjWM*qd-|8gTVpg{>mNn6Iw4 z-)axC8O7w-3Ovr0bbT;&JZ*R*oT0m6^*YtbsJSmEH{tkfP&esnm)& zXMzrds{20k`k}qPm_23);!-;%NpRBYdY>$L8X0dQ=C#@>d>3wCadP)DocB#es()u_ zSnIs2l>K}nUt=}9(U&Cjuxp(-J(r2|fRlXTed*`dOlrF>oBFFW2kuMq8l2dpj(2f! zq)#+xQovoe#!YNgd1`idr*-Z0Q<_V)kC}MH$_{7nv^<5x_jNt9dk_^>}${>eY09DJ@IAplj&4c1+#S_jb zQ4i^w;=uwFQ3=!mB3OqTyw}V@ExqaUidveBh5U&tbLr3Cw$xwlHJASA395(+)_F@Jf>-U-3mmuDSemK)76=a|%zNw8cJYPA`U_?H zLOERvV##LGs-B>;nW)+UXsa}8xJWP-S+Qn~E1AIhJ8O%` z-B!CRzpDWJ6!PZM;qTdHpO37EKi1pwJok#XKR%slXx83vTxzR$&-)Pk-5Du2-bBgRMdP4U>YQi^);qm~k>eu1l#pY~unhRJ zW?A9aizdv;I1Wbz#>|xA61^vWC=1Lq=vqas3I7xyib7t-8nUm@8CDAmE2dCS(@?yO zULnX@J{WqjN;AYem}BQYmD5+8WDLF7VYp{H8};Gvli@~Z`aj8DtOfZJvV{XMgHd$k zW#;0NkHqzM{K3<++;&fB_5&s(?$@(YKF@R9Uf*+4cGwV$qQP8lcG2ZK+8QAEf zqJ=nn$%6B*htQOcsCu#m3q>{$S*}m+&``ZSbN1R_m5K2k*<6Ruv8PSGCpFzSF<>yN z8wgLzcutZEvaD5nij_Pw z(~7LNkNkg?VkS@Kb7pBP=f+Pl~PT4Wx-wSO8EvOgx`b%JP_ z$UD<*nKmiA9P=11#ssLFDh)$I)$UBS2KgRrsQv$!X8B7=eh^`F;CGudv>2{9V zP2YEuw+GI8W;;jM)`re{_LdS16BcA`Vyoz7bvF6>*2n06ozU0Tj92;$DIr0ru2a~(ln2kop)!g=xkuNYVS*;13m9kx+#0?r)<~qJth71GWwG*L6!qTz0l`o z72~^>?GAB$r`_{HDk)``UbZYRyWxQ<5d-zT9WC@ropUVfwc^;L;)qCf`Yu%9JC^=L zYBg3X2uFiC?Q<%verYlCG!%Dwz1|VS+4Y5Qaw#Z2Q5K&4`DlBvTWAgjZ0%Ii2c@L7 zd1KRTck_d1snU5Kv1a3xyL;P|GJyOthOerT z;$_@W8XZ>7)Hdj#=Z<|}YJw`ry0I{rcD3umfjuswI!}C%L;~n|e1~FQ(nbYuMptPE 
zq4m`B@Gwlc=CR1VYZuZE zZEkH+X>P7izh}cFN9ImwiD#Ne0Oobuy=<>8!#__+sZo2p5!0|4;DD_ZU&EBXB)WZRmY4zml zqZ+R=i_#PKHYiuD*cu3HTu9%X_$?JbOx8k}xs^a%TwdtT^k96>DB^CmED8*F)*@{| z2s~Qzz}}B6Tg=U|UEs>j$+gSQ;j!c4UbM+=!?c{&V7z<}j!(z0dX^Y*y50EZU4s}) zu`o+=Ws_VQd%pxh+6ODeC?`*rVnb@n6i;(%%OOh3o`P!|0n-$ggwzN;lcp7GMW%>S z5L06*-0XI7s;9ZE@xM})xn^Q%xVV#WW9f#GJxL=ZKIDz&6Zgi)2Cqasb4GY89%H_B znC~)GAh>P(Dw@ST->e+NV8qDw1v)g@%RC}* z>nMSVJwLo_a|bM_(jiRi${{W_tG@*lExI>jZ1JP@8yUpd9%jFASy=PqLZ zFzFkq3%5EQQOXH#7fF7@EFU3IYMzfc$V2Qw$%D5Dd5GOLqrcR(2oYaZ%g|>ly98WIhxN&qjrBj3W?uTQI`4S$Kf{qK1mbh zk7dh`vxh2i#c&n_Vb24TwB}3XUvbb)FGaw)TKAtOdm_Qz3fk^Y^EWYz1LX$=u`37k z+H4m>3YZJZ9rbcNJsaxH5~fj6O<56kdND*CogD3)93>8QUI~Ns=7LZ6#%F(*$?1LF zb}CzgV2haGf3`YylHiX761|+Yu%f@VPhEd0kPC!ESU*sg3RGR!HzU>ibNm^AeaRo& zUxR0=UAF^x>f*YEMl(1)|GK_);{ZdM-K-d9+5pTBW%>$4U&V~RYvg$uw~!Vu?`OIY zbh1{UzcV%WvA=#pA{^QitoS)h=uTEDS(ZT}y$LHkMIHCnm{dO&pbrrwXAbN28d108 zqS7+?gmmTY_{i}kXoe20-)K_;BffkB{#R6`ic>gt zB>*l(Iz-&YFrCYgjyE~a;TajCjY}PGNs7Re)rr6V-u;>O*;Z&f)a!TmPjj1X&ECaN zQI)|Z2`wkmM0`JS({alr+T~r|LJe+m6!=q#K2Clf(A8x+8zRG(#f+I-c~&q;Db2wl zo^UBS4VMdgCFU*!;ke^N!ofak8cM-R`*^SSa2aJ!z8*6elRytw(r|OApG*TZ)ErYj z3~g6YgF#^z=pZs1D)jcoXFCbMuQdK8vq=YZCDZp@)P(5F3eWS&4HTYX`AF>+}npe{15IBG~4oHbSLndZOgM$@xd&>@)#Io3F0AJwe!%gI zf&=(L&Id=Ppmtdgb;@v$M_t%>fRrY0+tzFD$301PBjMk?5u+!fcmA~(b!*NP^e{np|GHD)jcOAV6>j0u%9Gw3o{ST=Q8X~W~EJMJyva>B1^7JAy88pUZ_-%=gN z|Ez?Q-U%^vXnc|K{K&OY6J#QQo896WnerY&9q97py=D;75L~vtl`O|@2IDPm{K*FK zS!Or-zQ>}RPOY(C8>1)hwDACK>fdnsD~Mtv`sIqR<0}G2WPPQI-^)o}rA+6@hVKP2 z=|yJZnN9>3ulJMHU9uM&qkO4AS2V3D7vFH^?90_KNu# z)n-SNYkyv3|3xhkWvtpQYH0PD$t&mV~Tr>i~pYTt$GK> z*wO^jr3XD2ncj&vDlr6|&$(kDMp{0S8%)yu_fq;b?K&Ec9Jn&}5&ofW=?n(rG%xi` zA4h@ohA6~fB#NRgQpF|&55qPfU%K~ikp%;Oa0qhrsaQ;_#}}-zv+n^%E|idXypk5! 
z1(%hXV__RE@ml)bB1Q4kzs@KHx)l=tOes=}Jja*zz0f81?dshNB`@MloV&ES{0JqT zbgYk=+Z3j%w0sAn6sOON9WOKrI6IItvE?_~6J2~&@i`c}g2iBimS1b@c5w0Wd92{h zq&YDNn019?4K-Ot@0YclA6ILWw$%jjpl>bjQGO`dO1;IiVYKanF>L!)Ks!?1q5ZS+-q-c}L6drGlav zG1l1RX~(TSIXO(w<)`12MtUTq*UA1zyMddOf%5+CJO2AiwIl&B{%Jw}Zxv#ZI8j+J K#b=qnH~#_a_(DYh delta 4387 zcmZvgWl+=&*T#2QU}kh)8#b(%lPEqKK4) zq%;UFk3RE$d1l`8@yzw%n%|i-=ghV3IOoWqrwJjX1A#y!ATkZC*}pGiu6fBoAj%{L zQJSW&Mv*flX|Vi6LfaPUuQ|?1Rt$j2vzTA69C5gH%MR}jZ-+}fjeYyl9RWJQ16lj_ z$uBc9ueFYnJjZBRB2C$!jV(PfkClZpOpKw>*O)eGjmDNVJ30SSqUP1&&=-Q(s0M@k zYx%r&N1K>yzx?E-(+D4Msv9S<`hV$z- zp_q+hPd2vQTw^}M9!KrM^-}Q(_v~)18b?hzI2z_^f^H`d* zBhXI1I`Q4ZzIjXNrmR?c2PNRSI?egRB9JniLdoLA&6$j(Zd3D3Sp}x4eLVhNcbtv+ zSeS!};2knCL;ZpcA<}uHu@rhOjsdUi5SoCeMkz@V6O4PO3)MGv)j7r%)So}QBpqn0 zWyZX83bMRBy=}p#QhN5N)~xUs>oY%f|3Hb;!_OjJ1rk#^67j#m!-MKT*R-BOLWaOw zm~^YgjEwD6MgI4IbpuNkl!T!@2Bm$ zT3D4m>;>O8ATG0~9j#cH3dT}KUDcCNWXuH);g{Y?_M)jtHgehf-MHO;Y%GC`l4dG< z&%J2_OIen>y*+V_$J(hM%GAzaEPNFw^E(tQ1uMl3{htx>nl`46xMJ>lW^^TJws0C& z2|1%~`k)DyXSK#kLj1t0*jflLxpg_ORa!PJd0RjXb_>D`F2WKMih}vEGK6AMH`@*2 ziZkqDK7%VBZ}XO76|(RCUNM23HdCe?V7S#(1y2I~(0=HKHCqNVo?1Stz&F1p(}LQ$85ci`KtAtaKWS33a>wc@3)OwnwlgJtfZstQuV5Q zTxXrjQ|B^%Yd;xVi^|VP&~mVL;AM=QA7l=%F$0BJojSqM_D$jt%%?_5((fr^7#x_%1eD3m6YHrSFv&=xZ-lXmjTDEb=88 z3CVhpUCu<*k4Ur$p>c&AG4@sK(%5|BV1kYeEC-ZBoW!2L+5-EJiRwOmE01!ZDc%?F zS3YOYwsdmyc~x_m{^VdIG|%I(WM|lIzWIaN7HX-zsyKHD8wxcCJ7K>;83@`XvFA`; zIFk71I5dguafA%1SYKx9?c7(wOJP_E5`{b0Z1jo)jT2{uh}0Kn=%7r~Rh5c@<*WC= z`7stt!VY|?z$SRj97x}vCokmfJ)*;;JM;?TXVI~T5ykT&o+1a8 zqwo#t4P3SO4$j_a=-=!Y&q(r1U3+bRouW@{#+F7TV)Q>U+%|Z^TI?vN^iuoa;5`G` z((GkZpzdP{CLIpa5~`8ijQ2e{VjB5%IS)?gdx-$N&kAwES%PVqLSziIw--yf2A0*2 z?jV}oWN9I9r&U_q;5l|ayH7Y7STEs!6t41N)5p8QEp~L{!7RmRoqY z_!IDoh|wk(xqla3PlEY%8S{$(a#An5(OrtH@(SJ9H+c2skzsyNS;rTd-$oxNt|zZl z$%JX zwPL>Z`plVuGxW?KK(7=0*2dP6%?;{i`(k(6H@sWb3l}&0#dp2zqtk&UG8z0h zN)AEGs^CdG-PJ|y3NhZ+%l_U&oQjO2mK;v-a_Q=bAO3y3qLg8djN z{c1F&6%$QkKhM2D?`WzlX_XmJbK|k47q9W_P_#gt>o~W+i#RHfB`jfIizhLc>LqWT zkr00=BNqM2?WmY?yb2L+ 
zq|#a_3{VfDTeCB>(ZkbM=i2AsLZvZ8FE*>d->tn~`j?H@|B+90;}c`Lh4k^eCI zA@nzTJJMs_lxj5!BsV|<3~^jUv#$)`gmIRd*XH+}*aUN?KgA6Ld(^M995FsP-A zr>h~IYD`)e{98SGVzvF;89F@ z0Z&q{GP!JJfi0IcqtQrl zD7tu)0bM+puJ%ei9eq&MvHO^5u}v1=02~76A~j_T`zbcFxV+!EW{UgDG%Cva$~Jn-RuNF24=%lB=A*X8r0;lRjK|?wGNdNPyzF#FnibqxC4Z&d zZ`>A5jTO`D=uC`#m})>KsRJFl??lB-L^+4yEx64D<3{hAvS(4ol~m3Kh@#1;S%kMuL=QP%=W9L0bR7xyYYMrJ^5`bD?e7aGUto(Wa%PW3#?$a8RaT1 zeZlZYSLEjc0-f1bOy9DznFD2jtLzUKWx=0>Q!sP7ef8fF_v9JIrGjqv2oIZdUXzKG zgf(cWmxncMgf^@ylKD)#gf@H`RW$ztfZS;uJ|;t2V9Xo&2Y@t<8{RFi=~;RLn#$xXaNi5FsuF z0yCZJ#=7!WttTv6rN?f23Gw4ce8jc-r;KT}BC5t=X3MMU9t3EbuX>GtrEfPK;? z^&neei)k@*V;8<%)p=Ya;kCYScV$35(mnp`NQRSCASlKME=;=r;^cDwWcGW^{P3i(3!PZz^vx!*Y@-%YgL>Er(wF3iZJC~8goHBM^Lk$P0I=~2|Y{C z{%g|D+4C$*bWh|Ghle~owW8h+0A<5iS5ImEVUjHJp{~g{NA}e=Mlt8_8062mALycV zP6E58XhO&zh0bx#!!ehaN7on27rV#nlt0VM_JTI(P{#dKsDvjHXqdgFNE)+$dqIDL}cxjfgZqzsQxpzBW^_X zUkKKJAQ&VfSC#>A1y3B1tK$B&;xB}sIl8gFk8U~8l(^{Ia8q`_AJtokWyx#VAEc|n zbn0hnU2(*QlzL}q-JM8}=#8WPmT@_?#OeOhPjLF@I49%NPW%gtzMwjII$yL)Yj-EsKoy>$;XrgeiF>q>98Mo+$tl^q_V_~Z*Ln?tT>~+MUBb)go z40xp{I!ure*$z84NZ1&fHr;h(GV`Kn_vvBz5yd1meDKE*y9;t`5TUv{;);>^v)D?v zdJ!~$DC==Ok)+u7xuFH|5DF_+3UN0ugoql^DmJ6x9*rzS9d5U2ojIo_~PIE@Gfd zFPfpCNz0-%4h`%0NfepX4;|eLX+67zb6-1AxOtcMJb^Pd zQb<>95K1W&<89{q21u+014#c>A2p3G zCImv@8Ee3N{oN_BagkuXLol1@}Asm0h% zr`EJLVecB9Cpk%G4VQ1o32S-S?726-d+prMD#`ObS}Bg0G#1u(^j@P*0cQ2us-y8M z3b`N6!J8Rn5uEf1wS9Oh0{CB#-az#U2jVGM%m4rY diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json b/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json index b43f921e192..b8d6847a406 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json +++ b/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json 
@@ -216,7 +216,7 @@
 {
 "name": "analytic6",
 "type": "Microsoft.Common.Section",
- "label": "Knox Peripheral Access Detection with Mic",
+ "label": "Knox Peripheral Access Detection with Mic",
 "elements": [
 {
 "name": "analytic6-text",
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
index bc775f69ccf..53df6fb0cfd 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
+++ b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
@@ -599,17 +599,17 @@
 "description": "When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.",
 "displayName": "Knox Application Privilege Escalation or Change",
 "enabled": false,
- "query": "Samsung_Knox_Process_CL | where Name == \"PROCESS_PRIVILEGE_ESCALATION\" and MitreTtp has \"T1548\"\n",
+ "query": "Samsung_Knox_Process_CL \n| where Name == \"PROCESS_PRIVILEGE_ESCALATION\"\n| where MitreTtp has \"T1548\"\n",
 "severity": "High",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SamsungDCDefinition",
 "dataTypes": [
- "Samsung_Knox_Audit_CL"
- ]
+ "Samsung_Knox_Process_CL"
+ ],
+ "connectorId": "SamsungDCDefinition"
 }
 ],
 "tactics": [
@@ -624,10 +624,10 @@
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "enabled": false
+ "enabled": false,
+ "lookbackDuration": "5h",
+ "matchingMethod": "AllEntities"
 }
 }
 }
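Review bot: The rewritten `+ "query"` line of the -599 hunk expresses its two predicates as separate `| where` operators, whereas the queries rewritten alongside it (hunks -700, -801, -902, -1003, -1096 and -1196) keep a single `where` with an `\nand` continuation; choosing one form for all seven rules, for example `| where Name == "PROCESS_PRIVILEGE_ESCALATION" and MitreTtp has "T1548"`, keeps the packaged template easy to audit against the YAML rule sources. Both forms return the same rows, so this is style only. The `dataTypes` entry now naming the table the query actually reads is the substantive change and is applied consistently in those same hunks. The enclosing analytic-rule resource starts before and ends after the hunk.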
@@ -700,17 +700,17 @@
 "description": "Indicates that an admin has set disabled keyguard features on a Knox device.",
 "displayName": "Knox Keyguard Disabled Feature Set",
 "enabled": false,
- "query": "Samsung_Knox_Audit_CL | where Name == \"TAG_KEYGUARD_DISABLED_FEATURES_SET\" and MitreTtp has \"T1461\"\n",
+ "query": "Samsung_Knox_Audit_CL \n| where Name == \"TAG_KEYGUARD_DISABLED_FEATURES_SET\" \nand MitreTtp has \"T1461\"\n",
 "severity": "High",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_Audit_CL"
- ]
+ ],
+ "connectorId": "SamsungDCDefinition"
 }
 ],
 "tactics": [
@@ -725,10 +725,10 @@
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "enabled": false
+ "enabled": false,
+ "lookbackDuration": "5h",
+ "matchingMethod": "AllEntities"
 }
 }
 }
@@ -801,17 +801,17 @@
 "description": "When Knox device boot binary is at risk of compromise.",
 "displayName": "Knox Mobile Device Boot Compromise",
 "enabled": false,
- "query": "Samsung_Knox_System_CL | where Name == \"BOOT_COMPROMISED_SOFTWARE_BINARY\" and MitreTtp has \"T1645\"\n",
+ "query": "Samsung_Knox_System_CL \n| where Name == \"BOOT_COMPROMISED_SOFTWARE_BINARY\"\nand MitreTtp has \"T1645\"\n",
 "severity": "High",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_System_CL"
- ]
+ ],
+ "connectorId": "SamsungDCDefinition"
 }
 ],
 "tactics": [
@@ -826,10 +826,10 @@
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "enabled": false
+ "enabled": false,
+ "lookbackDuration": "5h",
+ "matchingMethod": "AllEntities"
 }
 }
 }
@@ -902,17 +902,17 @@
 "description": "When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.",
 "displayName": "Knox Password Lockout",
 "enabled": false,
- "query": "Samsung_Knox_User_CL | where Name == \"PASSWORD_LOCKOUT\" and MitreTtp has \"T1110\"\n",
+ "query": "Samsung_Knox_User_CL \n| where Name == \"PASSWORD_LOCKOUT\"\nand MitreTtp has \"T1110\"\n",
 "severity": "High",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_User_CL"
- ]
+ ],
+ "connectorId": "SamsungDCDefinition"
 }
 ],
 "tactics": [
@@ -927,10 +927,10 @@
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "enabled": false
+ "enabled": false,
+ "lookbackDuration": "5h",
+ "matchingMethod": "AllEntities"
 }
 }
 }
@@ -1003,17 +1003,17 @@
 "description": "When Knox device camera access has been detected through system policy when such access is disabled.",
 "displayName": "Knox Peripheral Access Detection with Camera",
 "enabled": false,
- "query": "Samsung_Knox_System_CL| where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA\" and MitreTtp has \"KNOX.2\"\n",
+ "query": "Samsung_Knox_System_CL \n| where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA\" \nand MitreTtp has \"KNOX.2\"\n",
 "severity": "High",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SamsungDCDefinition",
 "dataTypes": [
- "Samsung_Knox_Audit_CL"
- ]
+ "Samsung_Knox_System_CL"
+ ],
+ "connectorId": "SamsungDCDefinition"
 }
 ],
 "eventGroupingSettings": {
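Review bot: `MitreTtp has "KNOX.2"` on the new `+ "query"` line of the -1003 hunk (and again in the -1096 hunk) pairs a term-based operator with a value containing a period; `has` tokenizes on non-alphanumeric characters, so whether it is evaluated as the literal `KNOX.2` or as the adjacent terms `KNOX` and `2` — and whether a hypothetical neighbouring tag such as `KNOX.20` could also match — should be confirmed against real MitreTtp values before the rule is relied on. If MitreTtp is a JSON array of tags, an element-exact test such as `set_has_element(MitreTtp, "KNOX.2")` removes that ambiguity. `KNOX.2` is a vendor tag rather than a MITRE ATT&CK technique id, so the rule description could state that this rule keys on Samsung's own taxonomy. The enclosing rule resource starts before and ends after the hunk.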
@@ -1022,10 +1022,10 @@
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "enabled": false
+ "enabled": false,
+ "lookbackDuration": "5h",
+ "matchingMethod": "AllEntities"
 }
 }
 }
@@ -1096,19 +1096,19 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "description": "When Knox device microphone access has been detected through system policy when such access is disabled.",
- "displayName": "Knox Peripheral Access Detection with Mic",
+ "displayName": "Knox Peripheral Access Detection with Mic",
 "enabled": false,
- "query": "Samsung_Knox_System_CL | where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC\" and MitreTtp has \"KNOX.2\"\n",
+ "query": "Samsung_Knox_System_CL\n| where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC\"\nand MitreTtp has \"KNOX.2\"\n",
 "severity": "High",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SamsungDCDefinition",
 "dataTypes": [
- "Samsung_Knox_Audit_CL"
- ]
+ "Samsung_Knox_System_CL"
+ ],
+ "connectorId": "SamsungDCDefinition"
 }
 ],
 "eventGroupingSettings": {
@@ -1120,10 +1120,10 @@
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "enabled": false
+ "enabled": false,
+ "lookbackDuration": "5h",
+ "matchingMethod": "AllEntities"
 }
 }
 }
@@ -1164,7 +1164,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
 "contentKind": "AnalyticsRule",
- "displayName": "Knox Peripheral Access Detection with Mic",
+ "displayName": "Knox Peripheral Access Detection with Mic",
 "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
 "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
 "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
@@ -1196,17 +1196,17 @@
 "description": "When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.",
 "displayName": "Knox Suspicious URL Accessed Events",
 "enabled": false,
- "query": "Samsung_Knox_User_CL | where Name == \"SUSPICIOUS_URL_ACCESSED\" and ConfidenceScore > 0.9\n",
+ "query": "Samsung_Knox_User_CL \n| where Name == \"SUSPICIOUS_URL_ACCESSED\" \nand ConfidenceScore > 0.9\n",
 "severity": "High",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_User_CL"
- ]
+ ],
+ "connectorId": "SamsungDCDefinition"
 }
 ],
 "tactics": [
@@ -1221,10 +1221,10 @@
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "enabled": false
+ "enabled": false,
+ "lookbackDuration": "5h",
+ "matchingMethod": "AllEntities"
 }
 }
 }
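Review bot: The `ConfidenceScore > 0.9` predicate on the new `+ "query"` line of the -1196 hunk assumes the column is numeric in Samsung_Knox_User_CL; the custom-table definition is not part of this hunk, and if the column is declared as a string the comparison fails at query time instead of filtering. Confirming the column type in the table definition, or writing `and toreal(ConfidenceScore) > 0.9` so the predicate tolerates either declaration, closes that gap. This is also the only rule in the set whose new query carries no MitreTtp predicate, which looks deliberate but is worth a sentence in the rule description so the threshold-only logic is not mistaken for an omission. The enclosing rule resource starts before and ends after the hunk.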