From 830e380ae71ca70b35aceb086ed4643eddf72d7a Mon Sep 17 00:00:00 2001
From: Sean McClelland
Date: Wed, 18 Dec 2024 22:54:50 -0800
Subject: [PATCH 1/2] Samsung Solution: Fix Analytics Rules Validation

Samsung Knox Asset Intelligence Sentinel Solution Analytics Rules changes to fix issues reported during validation. Add missing fields for Analytics Rules that did not have tactics or techniques.
---
 .../SamsungKnoxPeripheralAccessDetectionWithCamera.yaml | 2 ++
 .../SamsungKnoxPeripheralAccessDetectionWithMic.yaml | 2 ++
 .../Analytic Rules/SamsungKnoxSecurityLogFull.yaml | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
index 8f0b08ab6fc..6e199b63fe5 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
@@ -9,6 +9,8 @@ requiredDataConnectors:
 - connectorId: SamsungDCDefinition
 dataTypes:
 - Samsung_Knox_Audit_CL
+tactics: []
+techniques: []
 query: |
 Samsung_Knox_System_CL| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" and MitreTtp has "KNOX.2"
 suppressionEnabled: false
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
index d395ba149c9..1c005d158f6 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
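Review bot: The context lines around the insert disagree on which table this rule depends on: `requiredDataConnectors.dataTypes` declares `Samsung_Knox_Audit_CL`, but the `query:` block reads `Samsung_Knox_System_CL`, so the rule's declared data dependency no longer describes the table it actually queries; the Mic rule in the next hunk has the same mismatch, while the SecurityLogFull rule's `dataTypes` does match its query. The one-line fix in both files is to change the context line to `- Samsung_Knox_System_CL`. Separately, `tactics: []` and `techniques: []` satisfy the validator but leave all three rules unmapped in the MITRE coverage view, and the Knox-internal `KNOX.2` value the queries match on carries no ATT&CK meaning; camera and microphone access are plausibly `tactics: [Collection]` with `techniques: [T1125]` and `techniques: [T1123]` respectively, which is worth confirming with the solution owner rather than shipping empty lists. Only lines 9–16 of each rule are visible, so the rest of the definition is outside the hunk.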
@@ -9,6 +9,8 @@ requiredDataConnectors:
 - connectorId: SamsungDCDefinition
 dataTypes:
 - Samsung_Knox_Audit_CL
+tactics: []
+techniques: []
 query: |
 Samsung_Knox_System_CL | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC" and MitreTtp has "KNOX.2"
 alertDetailsOverride:
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
index 0c3b4938abe..40f0c74ffe0 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
@@ -9,6 +9,8 @@ requiredDataConnectors:
 - connectorId: SamsungDCDefinition
 dataTypes:
 - Samsung_Knox_Audit_CL
+tactics: []
+techniques: []
 query: Samsung_Knox_Audit_CL| where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1"
 suppressionEnabled: false
 suppressionDuration: 5h

From e7e97f77facdef1eaabcbe9e393c4c2434ad1089 Mon Sep 17 00:00:00 2001
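Review bot: The `query:` context line in the SecurityLogFull hunk carries the KQL inline as a plain scalar, whereas the Camera and Mic rules use a `query: |` block with the KQL on the following line; switching this rule to the same `query: |` form keeps the three rules uniform and avoids plain-scalar parsing surprises if the query later gains a `#` or `: `. The new `tactics: []` here is also a candidate for a real mapping, since an audit log reaching capacity is a loss of detection visibility; `tactics: [DefenseEvasion]` with `techniques: [T1562]` is a reasonable starting point to confirm with the solution owner. The rest of the rule definition is outside the hunk.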
From: Sean McClelland
Date: Wed, 18 Dec 2024 23:02:03 -0800
Subject: [PATCH 2/2] Add Samsung Solution Custom Table to KqlValidation

Add Samsung Knox's Sentinel Solution Custom tables to Azure Sentinel's KqlvalidationsTests Custom Tables list to help pass validation.
---
 .../Samsung_Knox_Application_CL.json | 76 ++++++
 .../CustomTables/Samsung_Knox_Audit_CL.json | 92 +++++++
 .../CustomTables/Samsung_Knox_Network_CL.json | 140 ++++++++++
 .../CustomTables/Samsung_Knox_Process_CL.json | 148 +++++++++++
 .../CustomTables/Samsung_Knox_System_CL.json | 240 ++++++++++++++++++
 .../CustomTables/Samsung_Knox_User_CL.json | 80 ++++++
 6 files changed, 776 insertions(+)
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json

diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json
new file mode 100644
index 00000000000..6f07954f4d6
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json
@@ -0,0 +1,76 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_Application_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "AccessibilityApi", + "type": "string" + }, + { + "name": "RestrictedPerms", + "type": "dynamic" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json new file mode 100644 index 00000000000..0dcb6d7eb1f --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json 
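Review bot: `EventGuid` is declared `"type": "long"` in this schema, and identically in the Audit, Network, Process, System and User tables that follow, which is not what the name suggests; if the connector actually emits a GUID string, a rule that treats the column as numeric would pass validation against this file and still misbehave at query time, so the type should be confirmed against the ingested table rather than inferred. Whichever it is, a column description would settle it for future rule authors, e.g. `"description": "Numeric event identifier emitted by Knox (not a UUID) — TODO confirm against ingested schema"`. Since these files are the oracle the KQL validator checks rules against, only `TimeGenerated` carrying a `description` leaves every other column undocumented at exactly the point where detection authors look. All six new files also end with `\ No newline at end of file`, which is worth fixing before merge.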
@@ -0,0 +1,92 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_Audit_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "UserId", + "type": "int" + }, + { + "name": "AdmUserId", + "type": "int" + }, + { + "name": "AdmPkgName", + "type": "string" + }, + { + "name": "FailureReason", + "type": "string" + }, + { + "name": "Action", + "type": "string" + }, + { + "name": "KeyMask", + "type": "int" + }, + { + "name": "PkgName", + "type": "string" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json new file mode 100644 index 00000000000..4def94f521d --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json 
@@ -0,0 +1,140 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_Network_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "Protocol", + "type": "int" + }, + { + "name": "SourcePort", + "type": "int" + }, + { + "name": "RemotePort", + "type": "int" + }, + { + "name": "SourceAddr", + "type": "string" + }, + { + "name": "RemoteAddr", + "type": "string" + }, + { + "name": "EventDetectedTime", + "type": "DateTime" + }, + { + "name": "Family", + "type": "int" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "InterfaceName", + "type": "string" + }, + { + "name": "Tid", + "type": "int" + }, + { + "name": "Pid", + "type": "int" + }, + { + "name": "Ppid", + "type": "int" + }, + { + "name": "Uid", + "type": "int" + }, + { + "name": "Gid", + "type": "int" + }, + { + "name": "ExitCode", + "type": "int" + }, + { + "name": "Syscall", + "type": "int" + }, + { + "name": "Path", + "type": "string" + }, + { + "name": "Ja3Fingerprint", + "type": "string" + }, + { + "name": "SocketType", + "type": "int" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file 
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json new file mode 100644 index 00000000000..c6210a8b19e --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json 
@@ -0,0 +1,148 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_Process_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "Tid", + "type": "int" + }, + { + "name": "Pid", + "type": "int" + }, + { + "name": "Ppid", + "type": "int" + }, + { + "name": "Uid", + "type": "int" + }, + { + "name": "Gid", + "type": "int" + }, + { + "name": "ExitCode", + "type": "int" + }, + { + "name": "Syscall", + "type": "int" + }, + { + "name": "Path", + "type": "string" + }, + { + "name": "Cwd", + "type": "string" + }, + { + "name": "CmdLine", + "type": "string" + }, + { + "name": "Euid", + "type": "int" + }, + { + "name": "Egid", + "type": "int" + }, + { + "name": "Fsuid", + "type": "int" + }, + { + "name": "Fsgid", + "type": "int" + }, + { + "name": "Suid", + "type": "int" + }, + { + "name": "Sgid", + "type": "int" + }, + { + "name": "OwnerUid", + "type": "int" + }, + { + "name": "OwnerGid", + "type": "int" + }, + { + "name": "Atime", + "type": "DateTime" + }, + { + "name": "Mtime", + "type": "DateTime" + }, + { + "name": "Ctime", + "type": "DateTime" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file 
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json new file mode 100644 index 00000000000..e47c5d0ac12 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json 
@@ -0,0 +1,240 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_System_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "BLBuildVersion", + "type": "string" + }, + { + "name": "BLBuildId", + "type": "string" + }, + { + "name": "BLBuildType", + "type": "string" + }, + { + "name": "KernelBuildId", + "type": "string" + }, + { + "name": "KernelBuildType", + "type": "string" + }, + { + "name": "SystemBuildId0", + "type": "string" + }, + { + "name": "SystemBuildId1", + "type": "string" + }, + { + "name": "SystemBuildId2", + "type": "string" + }, + { + "name": "BLMode", + "type": "string" + }, + { + "name": "RebootReason", + "type": "string" + }, + { + "name": "SecureBoot", + "type": "string" + }, + { + "name": "BLEventTarget", + "type": "string" + }, + { + "name": "BLEvent", + "type": "string" + }, + { + "name": "BLRP", + "type": "string" + }, + { + "name": "KernelRP", + "type": "string" + }, + { + "name": "SystemRP", + "type": "string" + }, + { + "name": "ArpDevice", + "type": "string" + }, + { + "name": "WpState", + "type": "string" + }, + { + "name": "WbFuse", + "type": "string" + }, + { + "name": "WbReason", + "type": "string" + }, + { + "name": "ImgStatus", + "type": "string" + }, + 
{ + "name": "KernelState", + "type": "string" + }, + { + "name": "CustomCount", + "type": "string" + }, + { + "name": "AvbBootState", + "type": "string" + }, + { + "name": "AvbDeviceLocked", + "type": "string" + }, + { + "name": "AvbOsVersion", + "type": "string" + }, + { + "name": "AvbOsPatchLevel", + "type": "string" + }, + { + "name": "AvbVendorPatchLevel", + "type": "string" + }, + { + "name": "AvbBootPatchLevel", + "type": "string" + }, + { + "name": "VbMetaType", + "type": "string" + }, + { + "name": "UnlockCount", + "type": "string" + }, + { + "name": "EmStatus", + "type": "string" + }, + { + "name": "EmFuseHistory", + "type": "string" + }, + { + "name": "EmTokens", + "type": "string" + }, + { + "name": "KGState", + "type": "string" + }, + { + "name": "KGFuse", + "type": "string" + }, + { + "name": "FrpState", + "type": "string" + }, + { + "name": "CCModeState", + "type": "string" + }, + { + "name": "MDMState", + "type": "string" + }, + { + "name": "EDLCount", + "type": "string" + }, + { + "name": "RPMBState", + "type": "string" + }, + { + "name": "FOTACount", + "type": "string" + }, + { + "name": "ODINCount", + "type": "string" + }, + { + "name": "AvbVerityMode", + "type": "string" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json new file mode 100644 index 00000000000..873b97c3c46 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json 
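Review bot: The counter-like columns `CustomCount`, `UnlockCount`, `EDLCount`, `FOTACount` and `ODINCount` are all declared `"type": "string"`, as are the boot-integrity indicators such as `SecureBoot`, `AvbDeviceLocked`, `WpState` and `KernelState`; if the source emits numbers for the counters, a detection like `where UnlockCount > 0` will need an explicit `toint()` to pass validation against this schema, and a string comparison would order `"10"` before `"9"`. Confirm the types against the real table before merging rather than from the column names; if they genuinely are strings, a `description` noting the expected value set (e.g. `"description": "Bootloader-reported lock state; vendor string values — TODO confirm"`) would keep rule authors from guessing. This table is the one in the set that records bootloader and verified-boot state, so its column types are the ones most likely to be relied on by integrity detections. The hunk is split across two source lines here; the schema's `columns` array opens on the previous one.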
@@ -0,0 +1,80 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_User_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "int" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "Url", + "type": "string" + }, + { + "name": "ConfidenceScore", + "type": "double" + }, + { + "name": "UrlType", + "type": "int" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file
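Review bot: `Version` is declared `"type": "int"` in this table but `"type": "string"` in the other five Samsung_Knox_* schemas in this patch (Application, Audit, Network, Process, System); either this is a transcription error or the envelope columns genuinely differ per table, and both matter, because a `union Samsung_Knox_*` in a rule would yield a mixed-type `Version` column that validation against these files cannot catch. Unless the connector really sends an integer here, change the line to `"type": "string"`; if the divergence is real, add a `description` on the column saying so. `ConfidenceScore` as `double` and `UrlType` as `int` look intentional, but the same confirm-against-source caveat applies to them.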