Merge pull request #5 from Samsung/feature-fix-validations

updated AnalyticsRule, fix validations and repackage

.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json

@@ -1,76 +1,71 @@
 {
-    "properties": {
-      "schema": {
-        "name": "Samsung_Knox_Application_CL",
-        "columns": [
-          {
-            "name": "TimeGenerated",
-            "type": "DateTime",
-            "isDefaultDisplay": true,
-            "description": "The timestamp (UTC) reflecting the time in which the event was generated."
-          },
-          {
-            "name": "PrimaryImei",
-            "type": "string"
-          },
-          {
-            "name": "DeviceImei1",
-            "type": "string"
-          },
-          {
-            "name": "DeviceImei2",
-            "type": "string"
-          },
-          {
-            "name": "DeviceSerialNumber",
-            "type": "string"
-          },
-          {
-            "name": "DeviceWifimac",
-            "type": "string"
-          },
-          {
-            "name": "DeviceModel",
-            "type": "string"
-          },
-          {
-            "name": "EventGuid",
-            "type": "long"
-          },
-          {
-            "name": "Name",
-            "type": "string"
-          },
-          {
-            "name": "Version",
-            "type": "string"
-          },
-          {
-            "name": "Severity",
-            "type": "string"
-          },
-          {
-            "name": "MitreTtp",
-            "type": "dynamic"
-          },
-          {
-            "name": "Profile",
-            "type": "string"
-          },
-          {
-            "name": "PkgName",
-            "type": "string"
-          },
-          {
-            "name": "AccessibilityApi",
-            "type": "string"
-          },
-          {
-            "name": "RestrictedPerms",
-            "type": "dynamic"
-          }
-        ]
-      },
-      "plan": "Analytics"
-    }
-  }
+    "Name": "Samsung_Knox_Application_CL",
+    "Properties": [
+        {
+          "name": "TimeGenerated",
+          "type": "DateTime",
+          "isDefaultDisplay": true,
+          "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+        },
+        {
+          "name": "PrimaryImei",
+          "type": "string"
+        },
+        {
+          "name": "DeviceImei1",
+          "type": "string"
+        },
+        {
+          "name": "DeviceImei2",
+          "type": "string"
+        },
+        {
+          "name": "DeviceSerialNumber",
+          "type": "string"
+        },
+        {
+          "name": "DeviceWifimac",
+          "type": "string"
+        },
+        {
+          "name": "DeviceModel",
+          "type": "string"
+        },
+        {
+          "name": "EventGuid",
+          "type": "long"
+        },
+        {
+          "name": "Name",
+          "type": "string"
+        },
+        {
+          "name": "Version",
+          "type": "string"
+        },
+        {
+          "name": "Severity",
+          "type": "string"
+        },
+        {
+          "name": "MitreTtp",
+          "type": "dynamic"
+        },
+        {
+          "name": "Profile",
+          "type": "string"
+        },
+        {
+          "name": "PkgName",
+          "type": "string"
+        },
+        {
+          "name": "AccessibilityApi",
+          "type": "string"
+        },
+        {
+          "name": "RestrictedPerms",
+          "type": "dynamic"
+        }
+  ]
+}

.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json

@@ -1,8 +1,6 @@
 {
-    "properties": {
-      "schema": {
-        "name": "Samsung_Knox_Audit_CL",
-        "columns": [
+    "Name": "Samsung_Knox_Audit_CL",
+    "Properties": [
           {
             "name": "TimeGenerated",
             "type": "DateTime",
@@ -85,8 +83,5 @@
             "name": "PkgName",
             "type": "string"
           }
-        ]
-      },
-      "plan": "Analytics"
-    }
-  }
+    ]
+}

.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json

@@ -1,8 +1,6 @@
 {
-    "properties": {
-      "schema": {
-        "name": "Samsung_Knox_Network_CL",
-        "columns": [
+    "Name": "Samsung_Knox_Network_CL",
+    "Properties": [
           {
             "name": "TimeGenerated",
             "type": "DateTime",
@@ -133,8 +131,5 @@
             "name": "SocketType",
             "type": "int"
           }
-        ]
-      },
-      "plan": "Analytics"
-    }
-  }
+    ]
+}

.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json

@@ -1,8 +1,6 @@
 {
-    "properties": {
-      "schema": {
-        "name": "Samsung_Knox_Process_CL",
-        "columns": [
+    "Name": "Samsung_Knox_Process_CL",
+    "Properties": [
           {
             "name": "TimeGenerated",
             "type": "DateTime",
@@ -141,8 +139,5 @@
             "name": "Ctime",
             "type": "DateTime"
           }
-        ]
-      },
-      "plan": "Analytics"
-    }
-  }
+    ]
+}

.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json

@@ -1,8 +1,6 @@
 {
-    "properties": {
-      "schema": {
-        "name": "Samsung_Knox_System_CL",
-        "columns": [
+    "Name": "Samsung_Knox_System_CL",
+    "Properties": [
           {
             "name": "TimeGenerated",
             "type": "DateTime",
@@ -233,8 +231,5 @@
             "name": "AvbVerityMode",
             "type": "string"
           }
-        ]
-      },
-      "plan": "Analytics"
-    }
-  }
+    ]
+}

.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json

@@ -1,8 +1,6 @@
 {
-    "properties": {
-      "schema": {
-        "name": "Samsung_Knox_User_CL",
-        "columns": [
+    "Name": "Samsung_Knox_User_CL",
+    "Properties": [
           {
             "name": "TimeGenerated",
             "type": "DateTime",
@@ -73,8 +71,5 @@
             "name": "UrlType",
             "type": "int"
           }
-        ]
-      },
-      "plan": "Analytics"
-    }
-  }
+    ]
+}

Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml

@@ -2,19 +2,22 @@ id: 215e89ca-cdbc-4661-b8b2-7041f6ecc7fb
 name: Knox Application Privilege Escalation or Change
 version: 1.0.0
 kind: NRT
-description: When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.
+description: |
+  When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.
 severity: High
 status: Available
 requiredDataConnectors:
   - connectorId: SamsungDCDefinition
     dataTypes:
-      - Samsung_Knox_Audit_CL
+      - Samsung_Knox_Process_CL
 tactics:
   - PrivilegeEscalation
 relevantTechniques:
   - T1548
 query: |
-  Samsung_Knox_Process_CL | where Name == "PROCESS_PRIVILEGE_ESCALATION" and MitreTtp has "T1548"
+  Samsung_Knox_Process_CL 
+  | where Name == "PROCESS_PRIVILEGE_ESCALATION"
+  | where MitreTtp has "T1548"
 suppressionEnabled: false
 suppressionDuration: 5h
 incidentConfiguration:
@@ -25,5 +28,4 @@ incidentConfiguration:
     lookbackDuration: 5h
     matchingMethod: AllEntities
 eventGroupingSettings:
-  aggregationKind: SingleAlert
-
+  aggregationKind: SingleAlert

Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml

@@ -10,11 +10,13 @@ requiredDataConnectors:
     dataTypes:
       - Samsung_Knox_Audit_CL
 tactics:
-- InitialAccess
+  - InitialAccess
 relevantTechniques:
-- T1461
+  - T1461
 query: |
-  Samsung_Knox_Audit_CL | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" and MitreTtp has "T1461"
+  Samsung_Knox_Audit_CL 
+  | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" 
+  and MitreTtp has "T1461"
 suppressionEnabled: false
 suppressionDuration: 5h
 incidentConfiguration:
@@ -25,5 +27,4 @@ incidentConfiguration:
     lookbackDuration: 5h
     matchingMethod: AllEntities
 eventGroupingSettings:
-  aggregationKind: SingleAlert
-
+  aggregationKind: SingleAlert

Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml

@@ -2,19 +2,22 @@ id: fae7e371-aee8-4d3f-8311-2255a45a30b3
 name: Knox Mobile Device Boot Compromise
 version: 1.0.0
 kind: NRT
-description: When Knox device boot binary is at risk of compromise.
+description: |
+  'When Knox device boot binary is at risk of compromise.'
 severity: High
 status: Available
 requiredDataConnectors:
   - connectorId: SamsungDCDefinition
     dataTypes:
       - Samsung_Knox_System_CL
 tactics:
-- Persistence
+  - Persistence
 relevantTechniques:
-- T1645
+  - T1645
 query: |
-  Samsung_Knox_System_CL | where Name == "BOOT_COMPROMISED_SOFTWARE_BINARY" and MitreTtp has "T1645"
+  Samsung_Knox_System_CL 
+  | where Name == "BOOT_COMPROMISED_SOFTWARE_BINARY"
+  and MitreTtp has "T1645"
 suppressionEnabled: false
 suppressionDuration: 5h
 incidentConfiguration:
@@ -25,5 +28,4 @@ incidentConfiguration:
     lookbackDuration: 5h
     matchingMethod: AllEntities
 eventGroupingSettings:
-  aggregationKind: SingleAlert
-
+  aggregationKind: SingleAlert

Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml

@@ -2,7 +2,8 @@ id: fbff0a97-1972-4df8-a78c-254ccb9879ef
 name: Knox Password Lockout
 version: 1.0.0
 kind: NRT
-description: When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.
+description: |
+  'When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.'
 severity: High
 status: Available
 requiredDataConnectors:
@@ -14,7 +15,9 @@ tactics:
 relevantTechniques:
 - T1110
 query: |
-  Samsung_Knox_User_CL | where Name == "PASSWORD_LOCKOUT" and MitreTtp has "T1110"
+  Samsung_Knox_User_CL 
+  | where Name == "PASSWORD_LOCKOUT"
+  and MitreTtp has "T1110"
 suppressionEnabled: false
 suppressionDuration: 5h
 incidentConfiguration: