diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json
new file mode 100644
index 00000000000..6f07954f4d6
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json
@@ -0,0 +1,76 @@
+{
+ "properties": {
+ "schema": {
+ "name": "Samsung_Knox_Application_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "PkgName",
+ "type": "string"
+ },
+ {
+ "name": "AccessibilityApi",
+ "type": "string"
+ },
+ {
+ "name": "RestrictedPerms",
+ "type": "dynamic"
+ }
+ ]
+ },
+ "plan": "Analytics"
+ }
+ }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json
new file mode 100644
index 00000000000..0dcb6d7eb1f
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json
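Review bot: Only `TimeGenerated` carries a `description`; the identifier columns that follow it (`PrimaryImei`, `DeviceImei1`, `DeviceImei2`, `DeviceSerialNumber`, `DeviceWifimac`) are undocumented even though they hold persistent device identifiers that analysts pivot on and that typically fall under data-handling rules. A `description` per column, e.g. `"description": "Primary IMEI of the device (persistent device identifier)."` on `PrimaryImei` if that is what the connector populates, would make the fixture self-explanatory. `EventGuid` is typed `long` despite the name suggesting a GUID; presumably the connector emits a numeric id, but this is worth confirming against the connector output. The same column block is repeated in Samsung_Knox_Audit_CL, Samsung_Knox_Network_CL, Samsung_Knox_Process_CL, Samsung_Knox_System_CL and Samsung_Knox_User_CL, so the descriptions should be added consistently there too.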
@@ -0,0 +1,92 @@
+{
+ "properties": {
+ "schema": {
+ "name": "Samsung_Knox_Audit_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "UserId",
+ "type": "int"
+ },
+ {
+ "name": "AdmUserId",
+ "type": "int"
+ },
+ {
+ "name": "AdmPkgName",
+ "type": "string"
+ },
+ {
+ "name": "FailureReason",
+ "type": "string"
+ },
+ {
+ "name": "Action",
+ "type": "string"
+ },
+ {
+ "name": "KeyMask",
+ "type": "int"
+ },
+ {
+ "name": "PkgName",
+ "type": "string"
+ }
+ ]
+ },
+ "plan": "Analytics"
+ }
+ }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json
new file mode 100644
index 00000000000..4def94f521d
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json
@@ -0,0 +1,140 @@
+{
+ "properties": {
+ "schema": {
+ "name": "Samsung_Knox_Network_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "Protocol",
+ "type": "int"
+ },
+ {
+ "name": "SourcePort",
+ "type": "int"
+ },
+ {
+ "name": "RemotePort",
+ "type": "int"
+ },
+ {
+ "name": "SourceAddr",
+ "type": "string"
+ },
+ {
+ "name": "RemoteAddr",
+ "type": "string"
+ },
+ {
+ "name": "EventDetectedTime",
+ "type": "DateTime"
+ },
+ {
+ "name": "Family",
+ "type": "int"
+ },
+ {
+ "name": "PkgName",
+ "type": "string"
+ },
+ {
+ "name": "InterfaceName",
+ "type": "string"
+ },
+ {
+ "name": "Tid",
+ "type": "int"
+ },
+ {
+ "name": "Pid",
+ "type": "int"
+ },
+ {
+ "name": "Ppid",
+ "type": "int"
+ },
+ {
+ "name": "Uid",
+ "type": "int"
+ },
+ {
+ "name": "Gid",
+ "type": "int"
+ },
+ {
+ "name": "ExitCode",
+ "type": "int"
+ },
+ {
+ "name": "Syscall",
+ "type": "int"
+ },
+ {
+ "name": "Path",
+ "type": "string"
+ },
+ {
+ "name": "Ja3Fingerprint",
+ "type": "string"
+ },
+ {
+ "name": "SocketType",
+ "type": "int"
+ }
+ ]
+ },
+ "plan": "Analytics"
+ }
+ }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json
new file mode 100644
index 00000000000..c6210a8b19e
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json
@@ -0,0 +1,148 @@
+{
+ "properties": {
+ "schema": {
+ "name": "Samsung_Knox_Process_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "Tid",
+ "type": "int"
+ },
+ {
+ "name": "Pid",
+ "type": "int"
+ },
+ {
+ "name": "Ppid",
+ "type": "int"
+ },
+ {
+ "name": "Uid",
+ "type": "int"
+ },
+ {
+ "name": "Gid",
+ "type": "int"
+ },
+ {
+ "name": "ExitCode",
+ "type": "int"
+ },
+ {
+ "name": "Syscall",
+ "type": "int"
+ },
+ {
+ "name": "Path",
+ "type": "string"
+ },
+ {
+ "name": "Cwd",
+ "type": "string"
+ },
+ {
+ "name": "CmdLine",
+ "type": "string"
+ },
+ {
+ "name": "Euid",
+ "type": "int"
+ },
+ {
+ "name": "Egid",
+ "type": "int"
+ },
+ {
+ "name": "Fsuid",
+ "type": "int"
+ },
+ {
+ "name": "Fsgid",
+ "type": "int"
+ },
+ {
+ "name": "Suid",
+ "type": "int"
+ },
+ {
+ "name": "Sgid",
+ "type": "int"
+ },
+ {
+ "name": "OwnerUid",
+ "type": "int"
+ },
+ {
+ "name": "OwnerGid",
+ "type": "int"
+ },
+ {
+ "name": "Atime",
+ "type": "DateTime"
+ },
+ {
+ "name": "Mtime",
+ "type": "DateTime"
+ },
+ {
+ "name": "Ctime",
+ "type": "DateTime"
+ }
+ ]
+ },
+ "plan": "Analytics"
+ }
+ }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json
new file mode 100644
index 00000000000..e47c5d0ac12
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json
@@ -0,0 +1,240 @@
+{
+ "properties": {
+ "schema": {
+ "name": "Samsung_Knox_System_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "BLBuildVersion",
+ "type": "string"
+ },
+ {
+ "name": "BLBuildId",
+ "type": "string"
+ },
+ {
+ "name": "BLBuildType",
+ "type": "string"
+ },
+ {
+ "name": "KernelBuildId",
+ "type": "string"
+ },
+ {
+ "name": "KernelBuildType",
+ "type": "string"
+ },
+ {
+ "name": "SystemBuildId0",
+ "type": "string"
+ },
+ {
+ "name": "SystemBuildId1",
+ "type": "string"
+ },
+ {
+ "name": "SystemBuildId2",
+ "type": "string"
+ },
+ {
+ "name": "BLMode",
+ "type": "string"
+ },
+ {
+ "name": "RebootReason",
+ "type": "string"
+ },
+ {
+ "name": "SecureBoot",
+ "type": "string"
+ },
+ {
+ "name": "BLEventTarget",
+ "type": "string"
+ },
+ {
+ "name": "BLEvent",
+ "type": "string"
+ },
+ {
+ "name": "BLRP",
+ "type": "string"
+ },
+ {
+ "name": "KernelRP",
+ "type": "string"
+ },
+ {
+ "name": "SystemRP",
+ "type": "string"
+ },
+ {
+ "name": "ArpDevice",
+ "type": "string"
+ },
+ {
+ "name": "WpState",
+ "type": "string"
+ },
+ {
+ "name": "WbFuse",
+ "type": "string"
+ },
+ {
+ "name": "WbReason",
+ "type": "string"
+ },
+ {
+ "name": "ImgStatus",
+ "type": "string"
+ },
+ {
+ "name": "KernelState",
+ "type": "string"
+ },
+ {
+ "name": "CustomCount",
+ "type": "string"
+ },
+ {
+ "name": "AvbBootState",
+ "type": "string"
+ },
+ {
+ "name": "AvbDeviceLocked",
+ "type": "string"
+ },
+ {
+ "name": "AvbOsVersion",
+ "type": "string"
+ },
+ {
+ "name": "AvbOsPatchLevel",
+ "type": "string"
+ },
+ {
+ "name": "AvbVendorPatchLevel",
+ "type": "string"
+ },
+ {
+ "name": "AvbBootPatchLevel",
+ "type": "string"
+ },
+ {
+ "name": "VbMetaType",
+ "type": "string"
+ },
+ {
+ "name": "UnlockCount",
+ "type": "string"
+ },
+ {
+ "name": "EmStatus",
+ "type": "string"
+ },
+ {
+ "name": "EmFuseHistory",
+ "type": "string"
+ },
+ {
+ "name": "EmTokens",
+ "type": "string"
+ },
+ {
+ "name": "KGState",
+ "type": "string"
+ },
+ {
+ "name": "KGFuse",
+ "type": "string"
+ },
+ {
+ "name": "FrpState",
+ "type": "string"
+ },
+ {
+ "name": "CCModeState",
+ "type": "string"
+ },
+ {
+ "name": "MDMState",
+ "type": "string"
+ },
+ {
+ "name": "EDLCount",
+ "type": "string"
+ },
+ {
+ "name": "RPMBState",
+ "type": "string"
+ },
+ {
+ "name": "FOTACount",
+ "type": "string"
+ },
+ {
+ "name": "ODINCount",
+ "type": "string"
+ },
+ {
+ "name": "AvbVerityMode",
+ "type": "string"
+ }
+ ]
+ },
+ "plan": "Analytics"
+ }
+ }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json
new file mode 100644
index 00000000000..873b97c3c46
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json
@@ -0,0 +1,80 @@
+{
+ "properties": {
+ "schema": {
+ "name": "Samsung_Knox_User_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "int"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "PkgName",
+ "type": "string"
+ },
+ {
+ "name": "Url",
+ "type": "string"
+ },
+ {
+ "name": "ConfidenceScore",
+ "type": "double"
+ },
+ {
+ "name": "UrlType",
+ "type": "int"
+ }
+ ]
+ },
+ "plan": "Analytics"
+ }
+ }
\ No newline at end of file
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
index 8f0b08ab6fc..6e199b63fe5 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
@@ -9,6 +9,8 @@ requiredDataConnectors:
 - connectorId: SamsungDCDefinition
 dataTypes:
 - Samsung_Knox_Audit_CL
+tactics: []
+techniques: []
 query: |
 Samsung_Knox_System_CL| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" and MitreTtp has "KNOX.2"
 suppressionEnabled: false
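Review bot: `Version` is typed `int` in Samsung_Knox_User_CL while the five sibling schemas added in this commit type the same column `string`; if the connector emits one format for every table, a rule that unions or joins these tables on `Version` will fail validation on the type mismatch, so either change it to `"type": "string"` or add a note explaining why this table differs. `ConfidenceScore` is typed `double`, whereas Log Analytics names its floating-point column type `real`; confirm the validation harness maps `double` before relying on it. As in the other fixtures, the identifier columns (`PrimaryImei`, `DeviceSerialNumber`, `DeviceWifimac`) and the `Url` column carry no `description`, which would help readers understand what data the table holds.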
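Review bot: `requiredDataConnectors` still lists `Samsung_Knox_Audit_CL` as the data type while the query on the line after `query: |` reads `Samsung_Knox_System_CL`, so the rule declares a dependency on a table it never queries and omits the one it does; the entry should read `- Samsung_Knox_System_CL` (or the query should target the audit table, if that was the intent). The added `tactics: []` and `techniques: []` are empty even though the query keys on `MitreTtp has "KNOX.2"`; if that value corresponds to a MITRE tactic in the connector's documentation, populating the arrays lets Sentinel report coverage, otherwise a one-line comment such as `# no MITRE mapping for KNOX.2` would make the empty arrays look deliberate. The same data-type mismatch is present in SamsungKnoxPeripheralAccessDetectionWithMic.yaml; the rest of each rule lies outside the hunk.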
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
index d395ba149c9..1c005d158f6 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
@@ -9,6 +9,8 @@ requiredDataConnectors:
 - connectorId: SamsungDCDefinition
 dataTypes:
 - Samsung_Knox_Audit_CL
+tactics: []
+techniques: []
 query: |
 Samsung_Knox_System_CL | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC" and MitreTtp has "KNOX.2"
 alertDetailsOverride:
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
index 0c3b4938abe..40f0c74ffe0 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
@@ -9,6 +9,8 @@ requiredDataConnectors:
 - connectorId: SamsungDCDefinition
 dataTypes:
 - Samsung_Knox_Audit_CL
+tactics: []
+techniques: []
 query: Samsung_Knox_Audit_CL| where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1"
 suppressionEnabled: false
 suppressionDuration: 5h