From e7e97f77facdef1eaabcbe9e393c4c2434ad1089 Mon Sep 17 00:00:00 2001
From: Sean McClelland
Date: Wed, 18 Dec 2024 23:02:03 -0800
Subject: [PATCH] Add Samsung Solution Custom Table to KqlValidation
Add Samsung Knox's Sentinel Solution Custom tables to Azure Sentinel's KqlvalidationsTests Custom Tables list to help pass validation.
---
 .../Samsung_Knox_Application_CL.json | 76 ++++++
 .../CustomTables/Samsung_Knox_Audit_CL.json | 92 +++++++
 .../CustomTables/Samsung_Knox_Network_CL.json | 140 ++++++++++
 .../CustomTables/Samsung_Knox_Process_CL.json | 148 +++++++++++
 .../CustomTables/Samsung_Knox_System_CL.json | 240 ++++++++++++++++++
 .../CustomTables/Samsung_Knox_User_CL.json | 80 ++++++
 6 files changed, 776 insertions(+)
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json
new file mode 100644
index 00000000000..6f07954f4d6
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json
@@ -0,0 +1,76 @@
+{
+ "properties": {
+ "schema": {
+ "name": "Samsung_Knox_Application_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "PkgName",
+ "type": "string"
+ },
+ {
+ "name": "AccessibilityApi",
+ "type": "string"
+ },
+ {
+ "name": "RestrictedPerms",
+ "type": "dynamic"
+ }
+ ]
+ },
+ "plan": "Analytics"
+ }
+ }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json
new file mode 100644
index 00000000000..0dcb6d7eb1f
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json
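Review bot: The column type names in this schema mix casing — `"DateTime"` is capitalized while `"string"`, `"long"` and `"dynamic"` are lowercase — and the same mix recurs in the other five Samsung_Knox_*_CL files in this commit. I cannot see how the KqlvalidationsTests loader compares type names, so this may be harmless, but one spelling convention per file (matching whatever the existing CustomTables fixtures use) would remove the doubt. All six files are also added without a trailing newline (`\ No newline at end of file`), which will show up as noise in the next diff that touches them. Finally, `EventGuid` is typed `long` although its name suggests a GUID; if the source really emits a 64-bit numeric id that is fine, otherwise `"type": "string"` is the safer choice for a value a query will only ever compare for equality.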
@@ -0,0 +1,92 @@
+{
+ "properties": {
+ "schema": {
+ "name": "Samsung_Knox_Audit_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "UserId",
+ "type": "int"
+ },
+ {
+ "name": "AdmUserId",
+ "type": "int"
+ },
+ {
+ "name": "AdmPkgName",
+ "type": "string"
+ },
+ {
+ "name": "FailureReason",
+ "type": "string"
+ },
+ {
+ "name": "Action",
+ "type": "string"
+ },
+ {
+ "name": "KeyMask",
+ "type": "int"
+ },
+ {
+ "name": "PkgName",
+ "type": "string"
+ }
+ ]
+ },
+ "plan": "Analytics"
+ }
+ }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json
new file mode 100644
index 00000000000..4def94f521d
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json
@@ -0,0 +1,140 @@
+{
+ "properties": {
+ "schema": {
+ "name": "Samsung_Knox_Network_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "Protocol",
+ "type": "int"
+ },
+ {
+ "name": "SourcePort",
+ "type": "int"
+ },
+ {
+ "name": "RemotePort",
+ "type": "int"
+ },
+ {
+ "name": "SourceAddr",
+ "type": "string"
+ },
+ {
+ "name": "RemoteAddr",
+ "type": "string"
+ },
+ {
+ "name": "EventDetectedTime",
+ "type": "DateTime"
+ },
+ {
+ "name": "Family",
+ "type": "int"
+ },
+ {
+ "name": "PkgName",
+ "type": "string"
+ },
+ {
+ "name": "InterfaceName",
+ "type": "string"
+ },
+ {
+ "name": "Tid",
+ "type": "int"
+ },
+ {
+ "name": "Pid",
+ "type": "int"
+ },
+ {
+ "name": "Ppid",
+ "type": "int"
+ },
+ {
+ "name": "Uid",
+ "type": "int"
+ },
+ {
+ "name": "Gid",
+ "type": "int"
+ },
+ {
+ "name": "ExitCode",
+ "type": "int"
+ },
+ {
+ "name": "Syscall",
+ "type": "int"
+ },
+ {
+ "name": "Path",
+ "type": "string"
+ },
+ {
+ "name": "Ja3Fingerprint",
+ "type": "string"
+ },
+ {
+ "name": "SocketType",
+ "type": "int"
+ }
+ ]
+ },
+ "plan": "Analytics"
+ }
+ }
\ No newline at end of file
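Review bot: `Protocol`, `Family` and `SocketType` are bare `int` columns with no `description`, so someone writing a detection against this table cannot tell from the schema which numbering they carry (whether `Protocol` is an IANA protocol number, whether `Family` is an address-family constant), and only `TimeGenerated` documents itself. These are exactly the fields a network rule filters on, so I would give each a one-line `description` stating the value set, e.g. `"description": "<numbering the connector emits — confirm against the Knox source>"`. `EventDetectedTime` would likewise benefit from a note on whether it is UTC like `TimeGenerated`, since the two are the only timestamps in the table and a query joining them has to assume they agree.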
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json
new file mode 100644
index 00000000000..c6210a8b19e
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json
@@ -0,0 +1,148 @@
+{
+ "properties": {
+ "schema": {
+ "name": "Samsung_Knox_Process_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "Tid",
+ "type": "int"
+ },
+ {
+ "name": "Pid",
+ "type": "int"
+ },
+ {
+ "name": "Ppid",
+ "type": "int"
+ },
+ {
+ "name": "Uid",
+ "type": "int"
+ },
+ {
+ "name": "Gid",
+ "type": "int"
+ },
+ {
+ "name": "ExitCode",
+ "type": "int"
+ },
+ {
+ "name": "Syscall",
+ "type": "int"
+ },
+ {
+ "name": "Path",
+ "type": "string"
+ },
+ {
+ "name": "Cwd",
+ "type": "string"
+ },
+ {
+ "name": "CmdLine",
+ "type": "string"
+ },
+ {
+ "name": "Euid",
+ "type": "int"
+ },
+ {
+ "name": "Egid",
+ "type": "int"
+ },
+ {
+ "name": "Fsuid",
+ "type": "int"
+ },
+ {
+ "name": "Fsgid",
+ "type": "int"
+ },
+ {
+ "name": "Suid",
+ "type": "int"
+ },
+ {
+ "name": "Sgid",
+ "type": "int"
+ },
+ {
+ "name": "OwnerUid",
+ "type": "int"
+ },
+ {
+ "name": "OwnerGid",
+ "type": "int"
+ },
+ {
+ "name": "Atime",
+ "type": "DateTime"
+ },
+ {
+ "name": "Mtime",
+ "type": "DateTime"
+ },
+ {
+ "name": "Ctime",
+ "type": "DateTime"
+ }
+ ]
+ },
+ "plan": "Analytics"
+ }
+ }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json
new file mode 100644
index 00000000000..e47c5d0ac12
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json
@@ -0,0 +1,240 @@
+{
+ "properties": {
+ "schema": {
+ "name": "Samsung_Knox_System_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "BLBuildVersion",
+ "type": "string"
+ },
+ {
+ "name": "BLBuildId",
+ "type": "string"
+ },
+ {
+ "name": "BLBuildType",
+ "type": "string"
+ },
+ {
+ "name": "KernelBuildId",
+ "type": "string"
+ },
+ {
+ "name": "KernelBuildType",
+ "type": "string"
+ },
+ {
+ "name": "SystemBuildId0",
+ "type": "string"
+ },
+ {
+ "name": "SystemBuildId1",
+ "type": "string"
+ },
+ {
+ "name": "SystemBuildId2",
+ "type": "string"
+ },
+ {
+ "name": "BLMode",
+ "type": "string"
+ },
+ {
+ "name": "RebootReason",
+ "type": "string"
+ },
+ {
+ "name": "SecureBoot",
+ "type": "string"
+ },
+ {
+ "name": "BLEventTarget",
+ "type": "string"
+ },
+ {
+ "name": "BLEvent",
+ "type": "string"
+ },
+ {
+ "name": "BLRP",
+ "type": "string"
+ },
+ {
+ "name": "KernelRP",
+ "type": "string"
+ },
+ {
+ "name": "SystemRP",
+ "type": "string"
+ },
+ {
+ "name": "ArpDevice",
+ "type": "string"
+ },
+ {
+ "name": "WpState",
+ "type": "string"
+ },
+ {
+ "name": "WbFuse",
+ "type": "string"
+ },
+ {
+ "name": "WbReason",
+ "type": "string"
+ },
+ {
+ "name": "ImgStatus",
+ "type": "string"
+ },
+ {
+ "name": "KernelState",
+ "type": "string"
+ },
+ {
+ "name": "CustomCount",
+ "type": "string"
+ },
+ {
+ "name": "AvbBootState",
+ "type": "string"
+ },
+ {
+ "name": "AvbDeviceLocked",
+ "type": "string"
+ },
+ {
+ "name": "AvbOsVersion",
+ "type": "string"
+ },
+ {
+ "name": "AvbOsPatchLevel",
+ "type": "string"
+ },
+ {
+ "name": "AvbVendorPatchLevel",
+ "type": "string"
+ },
+ {
+ "name": "AvbBootPatchLevel",
+ "type": "string"
+ },
+ {
+ "name": "VbMetaType",
+ "type": "string"
+ },
+ {
+ "name": "UnlockCount",
+ "type": "string"
+ },
+ {
+ "name": "EmStatus",
+ "type": "string"
+ },
+ {
+ "name": "EmFuseHistory",
+ "type": "string"
+ },
+ {
+ "name": "EmTokens",
+ "type": "string"
+ },
+ {
+ "name": "KGState",
+ "type": "string"
+ },
+ {
+ "name": "KGFuse",
+ "type": "string"
+ },
+ {
+ "name": "FrpState",
+ "type": "string"
+ },
+ {
+ "name": "CCModeState",
+ "type": "string"
+ },
+ {
+ "name": "MDMState",
+ "type": "string"
+ },
+ {
+ "name": "EDLCount",
+ "type": "string"
+ },
+ {
+ "name": "RPMBState",
+ "type": "string"
+ },
+ {
+ "name": "FOTACount",
+ "type": "string"
+ },
+ {
+ "name": "ODINCount",
+ "type": "string"
+ },
+ {
+ "name": "AvbVerityMode",
+ "type": "string"
+ }
+ ]
+ },
+ "plan": "Analytics"
+ }
+ }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json
new file mode 100644
index 00000000000..873b97c3c46
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json
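Review bot: `CustomCount`, `UnlockCount`, `EDLCount`, `FOTACount` and `ODINCount` are typed `string` although their names describe counters, and `SecureBoot`, `AvbDeviceLocked`, `WpState` and `KGState` read as boolean-like attestation flags yet are `string` too. I cannot tell from this fixture what the connector actually emits; if it sends numbers, typing the counters `int` lets an analytics rule write `UnlockCount > 0` directly instead of coercing with `toint()`, and a string comparison would otherwise order `"10"` before `"9"`. If the values really are text, a `description` on each of these columns naming the value set would stop rule authors from guessing. Bootloader, AVB and warranty-bit state are exactly the columns a device-integrity detection keys on, so this is the one table in the set whose value domains most deserve to be spelled out.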
@@ -0,0 +1,80 @@
+{
+ "properties": {
+ "schema": {
+ "name": "Samsung_Knox_User_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "int"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "PkgName",
+ "type": "string"
+ },
+ {
+ "name": "Url",
+ "type": "string"
+ },
+ {
+ "name": "ConfidenceScore",
+ "type": "double"
+ },
+ {
+ "name": "UrlType",
+ "type": "int"
+ }
+ ]
+ },
+ "plan": "Analytics"
+ }
+ }
\ No newline at end of file
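Review bot: `Version` is `int` in this table but `string` in the other five Samsung_Knox_*_CL schemas added by this commit, so a rule that does `union Samsung_Knox_*_CL` will not get one aligned `Version` column across the six tables. Unless the User table's source genuinely emits a numeric version where the others emit text, `"type": "string"` here keeps the shared column set uniform; if the difference is real, a `description` saying so would save the next reader from treating it as a typo. `ConfidenceScore` is also the only column in the whole set typed `double`, and I cannot see from here whether the validation loader recognises that spelling alongside the lowercase `int`/`long` it already uses, so it is worth a quick check against an existing CustomTables fixture.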