diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json index 6f07954f4d6..79ac039bed1 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Application_CL.json 
@@ -1,76 +1,71 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Application_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "DateTime", - "isDefaultDisplay": true, - "description": "The timestamp (UTC) reflecting the time in which the event was generated." - }, - { - "name": "PrimaryImei", - "type": "string" - }, - { - "name": "DeviceImei1", - "type": "string" - }, - { - "name": "DeviceImei2", - "type": "string" - }, - { - "name": "DeviceSerialNumber", - "type": "string" - }, - { - "name": "DeviceWifimac", - "type": "string" - }, - { - "name": "DeviceModel", - "type": "string" - }, - { - "name": "EventGuid", - "type": "long" - }, - { - "name": "Name", - "type": "string" - }, - { - "name": "Version", - "type": "string" - }, - { - "name": "Severity", - "type": "string" - }, - { - "name": "MitreTtp", - "type": "dynamic" - }, - { - "name": "Profile", - "type": "string" - }, - { - "name": "PkgName", - "type": "string" - }, - { - "name": "AccessibilityApi", - "type": "string" - }, - { - "name": "RestrictedPerms", - "type": "dynamic" - } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + "Name": "Samsung_Knox_Application_CL", + "Properties": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." 
+ }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "AccessibilityApi", + "type": "string" + }, + { + "name": "RestrictedPerms", + "type": "dynamic" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json index 0dcb6d7eb1f..b2626a7fb0e 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Audit_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Audit_CL", - "columns": [ + "Name": "Samsung_Knox_Audit_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -85,8 +83,5 @@ "name": "PkgName", "type": "string" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json index 4def94f521d..e1b0821d9c0 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Network_CL.json 
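Review bot: The rewritten Samsung_Knox_Application_CL.json mixes two key conventions in one document: the new top-level keys are PascalCase (`Name`, `Properties`) while every column entry stays lowercase (`name`, `type`, `isDefaultDisplay`, `description`), and the `"plan": "Analytics"` value disappears with the old `properties.schema` nesting, which matters only if something still reads it. If the KQL validation loader is case-insensitive this still parses, but the column entries should follow whatever the sibling tables in `.script/tests/KqlvalidationsTests/CustomTables/` use so a stricter consumer does not treat every column as untyped. Only `TimeGenerated` carries a `description`; the device-identifier columns (`PrimaryImei`, `DeviceImei1`, `DeviceImei2`, `DeviceSerialNumber`, `DeviceWifimac`) and `EventGuid`, which is named like a GUID but typed `long`, would each benefit from a one-line description stating their format. The same restructuring, still without a trailing newline, is repeated for Samsung_Knox_Audit_CL, Samsung_Knox_Network_CL, Samsung_Knox_Process_CL, Samsung_Knox_System_CL and Samsung_Knox_User_CL, and again for the byte-identical copies under `Solutions/Samsung Knox Asset Intelligence/CustomTables/`; two hand-maintained copies can drift, so one directory should be generated from the other or compared in CI.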
@@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Network_CL", - "columns": [ + "Name": "Samsung_Knox_Network_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -133,8 +131,5 @@ "name": "SocketType", "type": "int" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json index c6210a8b19e..34466c665a0 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_Process_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Process_CL", - "columns": [ + "Name": "Samsung_Knox_Process_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -141,8 +139,5 @@ "name": "Ctime", "type": "DateTime" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json index e47c5d0ac12..a78e820adde 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_System_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_System_CL", - "columns": [ + "Name": "Samsung_Knox_System_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -233,8 +231,5 @@ "name": "AvbVerityMode", "type": "string" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file 
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json index 873b97c3c46..af00349213c 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/Samsung_Knox_User_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_User_CL", - "columns": [ + "Name": "Samsung_Knox_User_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -73,8 +71,5 @@ "name": "UrlType", "type": "int" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml index 0b659f86ef4..f751b6f2660 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml 
@@ -2,19 +2,22 @@ id: 215e89ca-cdbc-4661-b8b2-7041f6ecc7fb name: Knox Application Privilege Escalation or Change version: 1.0.0 kind: NRT -description: When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id. +description: | + When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id. severity: High status: Available requiredDataConnectors: - connectorId: SamsungDCDefinition dataTypes: - - Samsung_Knox_Audit_CL + - Samsung_Knox_Process_CL tactics: - PrivilegeEscalation relevantTechniques: - T1548 query: | - Samsung_Knox_Process_CL | where Name == "PROCESS_PRIVILEGE_ESCALATION" and MitreTtp has "T1548" + Samsung_Knox_Process_CL + | where Name == "PROCESS_PRIVILEGE_ESCALATION" + | where MitreTtp has "T1548" suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: @@ -25,5 +28,4 @@ incidentConfiguration: lookbackDuration: 5h matchingMethod: AllEntities eventGroupingSettings: - aggregationKind: SingleAlert - + aggregationKind: SingleAlert \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml index 7eaf5422bcc..a9b7145c531 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml @@ -10,11 +10,13 @@ requiredDataConnectors: dataTypes: - Samsung_Knox_Audit_CL tactics: -- InitialAccess + - InitialAccess relevantTechniques: -- T1461 + - T1461 query: | - Samsung_Knox_Audit_CL | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" and MitreTtp has "T1461" + Samsung_Knox_Audit_CL + | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" + and MitreTtp has "T1461" suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: 
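Review bot: The reflowed query in SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml splits the filter into two `| where` operators, whereas the Keyguard hunk below and the other rules in this commit reflow the identical pattern as one `| where ...` with an `and ...` continuation line; pick one shape for the whole rule set, e.g. `| where Name == "PROCESS_PRIVILEGE_ESCALATION" and MitreTtp has "T1548"`. The packaged copy of this query in mainTemplate.json carries a trailing space after the table name (`"Samsung_Knox_Process_CL \n"`), which suggests the YAML line has trailing whitespace that the block scalar preserves; trimming it keeps the query byte-stable across regenerations. Note that `has "T1548"` also matches sub-technique values such as `T1548.001` because term matching splits on the dot, which is probably intended but deserves a comment in the query, e.g. `// has also matches T1548.* sub-techniques`.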
@@ -25,5 +27,4 @@ incidentConfiguration: lookbackDuration: 5h matchingMethod: AllEntities eventGroupingSettings: - aggregationKind: SingleAlert - + aggregationKind: SingleAlert \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml index 3924e3eb31d..eedc0798921 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml @@ -2,7 +2,8 @@ id: fae7e371-aee8-4d3f-8311-2255a45a30b3 name: Knox Mobile Device Boot Compromise version: 1.0.0 kind: NRT -description: When Knox device boot binary is at risk of compromise. +description: | + 'When Knox device boot binary is at risk of compromise.' severity: High status: Available requiredDataConnectors: @@ -10,11 +11,13 @@ requiredDataConnectors: dataTypes: - Samsung_Knox_System_CL tactics: -- Persistence + - Persistence relevantTechniques: -- T1645 + - T1645 query: | - Samsung_Knox_System_CL | where Name == "BOOT_COMPROMISED_SOFTWARE_BINARY" and MitreTtp has "T1645" + Samsung_Knox_System_CL + | where Name == "BOOT_COMPROMISED_SOFTWARE_BINARY" + and MitreTtp has "T1645" suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: @@ -25,5 +28,4 @@ incidentConfiguration: lookbackDuration: 5h matchingMethod: AllEntities eventGroupingSettings: - aggregationKind: SingleAlert - + aggregationKind: SingleAlert \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml index 3d042a87dbf..b6cf11d8b1a 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml 
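Review bot: In SamsungKnoxMobileDeviceBootCompromise.yaml the description was moved under a literal block scalar (`description: |`) but the text keeps its single quotes, so the quotes become part of the string ('When Knox device boot binary is at risk of compromise.') instead of delimiting it. Either drop the quotes inside the block, `description: |` followed by `  When Knox device boot binary is at risk of compromise.`, or keep a plain single-line scalar as the Privilege Escalation rule does. The same pattern is introduced in SamsungKnoxPasswordLockout.yaml, SamsungKnoxPeripheralAccessDetectionWithCamera.yaml, SamsungKnoxPeripheralAccessDetectionWithMic.yaml, SamsungKnoxSecurityLogFull.yaml and SamsungKnoxSuspiciousURLs.yaml. The mainTemplate.json hunks in this diff leave those descriptions unchanged and unquoted, so either the package was not regenerated from these YAML files or the packaging step strips the quotes; worth confirming before merge.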
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml @@ -2,7 +2,8 @@ id: fbff0a97-1972-4df8-a78c-254ccb9879ef name: Knox Password Lockout version: 1.0.0 kind: NRT -description: When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy. +description: | + 'When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.' severity: High status: Available requiredDataConnectors: @@ -14,7 +15,9 @@ tactics: relevantTechniques: - T1110 query: | - Samsung_Knox_User_CL | where Name == "PASSWORD_LOCKOUT" and MitreTtp has "T1110" + Samsung_Knox_User_CL + | where Name == "PASSWORD_LOCKOUT" + and MitreTtp has "T1110" suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml index 4ef23aa1edd..9b8c00649a8 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml 
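Review bot: The new description in SamsungKnoxPasswordLockout.yaml reads "When maximum password attempts have reached", which is missing words; suggest `When the maximum number of password attempts has been reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.`, written without the single quotes so they do not become part of the block-scalar string. If the wording changes here, the unchanged `"description"` for this rule in mainTemplate.json needs regenerating too, otherwise the YAML and the package disagree.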
@@ -2,17 +2,20 @@ id: cd526f4d-dbe9-4149-8a0a-9ec43c3abb16 name: Knox Peripheral Access Detection with Camera version: 1.0.0 kind: NRT -description: When Knox device camera access has been detected through system policy when such access is disabled. +description: | + 'When Knox device camera access has been detected through system policy when such access is disabled.' severity: High status: Available requiredDataConnectors: - connectorId: SamsungDCDefinition dataTypes: - - Samsung_Knox_Audit_CL + - Samsung_Knox_System_CL tactics: [] relevantTechniques: [] query: | - Samsung_Knox_System_CL| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" and MitreTtp has "KNOX.2" + Samsung_Knox_System_CL + | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" + and MitreTtp has "KNOX.2" suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml index 2a30894db31..afa510d85c6 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml 
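Review bot: The Camera rule filters on `MitreTtp has "KNOX.2"` while `tactics: []` and `relevantTechniques: []` are left empty, and nothing in the rule says what `KNOX.2` denotes, so a reader cannot tell whether the empty MITRE fields are deliberate or an omission. Add a KQL comment above the filter, e.g. `// "KNOX.2" is a vendor-specific tag carried in MitreTtp, not a MITRE ATT&CK ID, so no tactic/technique mapping applies` (confirm the tag's meaning against the vendor documentation first). The same undocumented tags appear in the Mic rule (`KNOX.2`) and the Security Log Full rule (`KNOX.1`) later in this diff.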
@@ -1,18 +1,21 @@ id: e4032fd2-4d05-4302-b7c0-f3f0380e2313 -name: Knox Peripheral Access Detection with Mic +name: Knox Peripheral Access Detection with Mic version: 1.0.0 kind: NRT -description: When Knox device microphone access has been detected through system policy when such access is disabled. +description: | + 'When Knox device microphone access has been detected through system policy when such access is disabled.' severity: High status: Available requiredDataConnectors: - connectorId: SamsungDCDefinition dataTypes: - - Samsung_Knox_Audit_CL + - Samsung_Knox_System_CL tactics: [] relevantTechniques: [] query: | - Samsung_Knox_System_CL | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC" and MitreTtp has "KNOX.2" + Samsung_Knox_System_CL + | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC" + and MitreTtp has "KNOX.2" alertDetailsOverride: alertDynamicProperties: [] suppressionEnabled: false @@ -26,4 +29,7 @@ incidentConfiguration: matchingMethod: AllEntities eventGroupingSettings: aggregationKind: SingleAlert - +properties: + schema: + - "Name" + - "MitreTtp" \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml index 3edba390cf9..cd0f7f3835c 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml @@ -2,7 +2,8 @@ id: bf9be360-7f08-48b2-8e9d-ca240c48b404 name: Knox Security Log Full version: 1.0.0 kind: NRT -description: When Security Log is full on a Knox device. +description: | + 'When Security Log is full on a Knox device.' severity: High status: Available requiredDataConnectors: 
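Review bot: The second hunk of SamsungKnoxPeripheralAccessDetectionWithMic.yaml appends a top-level `properties: schema: ["Name", "MitreTtp"]` block that no other analytic rule in this commit carries and that is not among the rule fields used elsewhere in these files (id, name, kind, query, tactics, eventGroupingSettings, …); it looks like a stray paste from the custom-table schema work and should be removed unless the packaging tool is known to consume it. If it is intentional, put a comment on the line above it naming the consumer, e.g. `# consumed by <tool>: columns this rule depends on`. In the first hunk the `name:` line is replaced by visually identical text, which points to trailing whitespace or a non-ASCII character being corrected; the same invisible change appears in SamsungKnoxSuspiciousURLs.yaml, the `label` in createUiDefinition.json and the two `displayName` values in mainTemplate.json, and a sentence in the commit message saying what was corrected would spare the next reviewer the guess.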
@@ -12,7 +13,9 @@ requiredDataConnectors: tactics: [] relevantTechniques: [] query: | - Samsung_Knox_Audit_CL| where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1" + Samsung_Knox_Audit_CL + | where Name == "LOG_IS_FULL" + and MitreTtp has "KNOX.1" suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml index de17f6d1d68..a8d19e14931 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml @@ -1,8 +1,9 @@ id: 18d4d4f3-6605-4fd2-968c-82c171409c1c -name: Knox Suspicious URL Accessed Events +name: Knox Suspicious URL Accessed Events version: 1.0.0 kind: NRT -description: When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence. +description: | + 'When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.' severity: High status: Available requiredDataConnectors: @@ -14,7 +15,9 @@ tactics: relevantTechniques: - T1566 query: | - Samsung_Knox_User_CL | where Name == "SUSPICIOUS_URL_ACCESSED" and ConfidenceScore > 0.9 + Samsung_Knox_User_CL + | where Name == "SUSPICIOUS_URL_ACCESSED" + and ConfidenceScore > 0.9 suppressionEnabled: false suppressionDuration: 5h incidentConfiguration: diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json index 6f07954f4d6..79ac039bed1 100644 --- a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json 
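Review bot: The Suspicious URL rule keeps the hard-coded `ConfidenceScore > 0.9` threshold with nothing explaining the score's scale or why 0.9, and `ConfidenceScore` does not appear in the Samsung_Knox_User_CL schema context shown in this diff (only `UrlType` is visible), so the column name and its numeric type should be checked against the full table definition before relying on the comparison. Add a KQL comment above the filter, e.g. `// ConfidenceScore: detector confidence (presumably 0-1); 0.9 keeps only high-confidence hits, tune if false positives or misses appear`. The reflow also leaves `and ConfidenceScore > 0.9` as a continuation line with what looks like a trailing space on the preceding line (visible as `"SUSPICIOUS_URL_ACCESSED\" \n"` in mainTemplate.json); trimming it keeps the generated package stable.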
+++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json 
@@ -1,76 +1,71 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Application_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "DateTime", - "isDefaultDisplay": true, - "description": "The timestamp (UTC) reflecting the time in which the event was generated." - }, - { - "name": "PrimaryImei", - "type": "string" - }, - { - "name": "DeviceImei1", - "type": "string" - }, - { - "name": "DeviceImei2", - "type": "string" - }, - { - "name": "DeviceSerialNumber", - "type": "string" - }, - { - "name": "DeviceWifimac", - "type": "string" - }, - { - "name": "DeviceModel", - "type": "string" - }, - { - "name": "EventGuid", - "type": "long" - }, - { - "name": "Name", - "type": "string" - }, - { - "name": "Version", - "type": "string" - }, - { - "name": "Severity", - "type": "string" - }, - { - "name": "MitreTtp", - "type": "dynamic" - }, - { - "name": "Profile", - "type": "string" - }, - { - "name": "PkgName", - "type": "string" - }, - { - "name": "AccessibilityApi", - "type": "string" - }, - { - "name": "RestrictedPerms", - "type": "dynamic" - } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + "Name": "Samsung_Knox_Application_CL", + "Properties": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." 
+ }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "AccessibilityApi", + "type": "string" + }, + { + "name": "RestrictedPerms", + "type": "dynamic" + } + ] +} \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json index 0dcb6d7eb1f..b2626a7fb0e 100644 --- a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Audit_CL", - "columns": [ + "Name": "Samsung_Knox_Audit_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -85,8 +83,5 @@ "name": "PkgName", "type": "string" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json index 4def94f521d..e1b0821d9c0 100644 --- a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json 
@@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Network_CL", - "columns": [ + "Name": "Samsung_Knox_Network_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -133,8 +131,5 @@ "name": "SocketType", "type": "int" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json index c6210a8b19e..34466c665a0 100644 --- a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_Process_CL", - "columns": [ + "Name": "Samsung_Knox_Process_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -141,8 +139,5 @@ "name": "Ctime", "type": "DateTime" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json index e47c5d0ac12..a78e820adde 100644 --- a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_System_CL", - "columns": [ + "Name": "Samsung_Knox_System_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -233,8 +231,5 @@ "name": "AvbVerityMode", "type": "string" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file 
diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json index 873b97c3c46..af00349213c 100644 --- a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json @@ -1,8 +1,6 @@ { - "properties": { - "schema": { - "name": "Samsung_Knox_User_CL", - "columns": [ + "Name": "Samsung_Knox_User_CL", + "Properties": [ { "name": "TimeGenerated", "type": "DateTime", @@ -73,8 +71,5 @@ "name": "UrlType", "type": "int" } - ] - }, - "plan": "Analytics" - } - } \ No newline at end of file + ] +} \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip index 684d8d99c6b..a4a75db35df 100644 Binary files a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip and b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip differ diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json b/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json index b43f921e192..b8d6847a406 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json +++ b/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json @@ -216,7 +216,7 @@ { "name": "analytic6", "type": "Microsoft.Common.Section", - "label": "Knox Peripheral Access Detection with Mic", + "label": "Knox Peripheral Access Detection with Mic", "elements": [ { "name": "analytic6-text", diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json index bc775f69ccf..53df6fb0cfd 100644 --- a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json +++ b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json 
@@ -599,17 +599,17 @@ "description": "When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.", "displayName": "Knox Application Privilege Escalation or Change", "enabled": false, - "query": "Samsung_Knox_Process_CL | where Name == \"PROCESS_PRIVILEGE_ESCALATION\" and MitreTtp has \"T1548\"\n", + "query": "Samsung_Knox_Process_CL \n| where Name == \"PROCESS_PRIVILEGE_ESCALATION\"\n| where MitreTtp has \"T1548\"\n", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SamsungDCDefinition", "dataTypes": [ - "Samsung_Knox_Audit_CL" - ] + "Samsung_Knox_Process_CL" + ], + "connectorId": "SamsungDCDefinition" } ], "tactics": [ @@ -624,10 +624,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "matchingMethod": "AllEntities", "reopenClosedIncident": false, - "enabled": false + "enabled": false, + "lookbackDuration": "5h", + "matchingMethod": "AllEntities" } } } @@ -700,17 +700,17 @@ "description": "Indicates that an admin has set disabled keyguard features on a Knox device.", "displayName": "Knox Keyguard Disabled Feature Set", "enabled": false, - "query": "Samsung_Knox_Audit_CL | where Name == \"TAG_KEYGUARD_DISABLED_FEATURES_SET\" and MitreTtp has \"T1461\"\n", + "query": "Samsung_Knox_Audit_CL \n| where Name == \"TAG_KEYGUARD_DISABLED_FEATURES_SET\" \nand MitreTtp has \"T1461\"\n", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SamsungDCDefinition", "dataTypes": [ "Samsung_Knox_Audit_CL" - ] + ], + "connectorId": "SamsungDCDefinition" } ], "tactics": [ 
@@ -725,10 +725,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "matchingMethod": "AllEntities", "reopenClosedIncident": false, - "enabled": false + "enabled": false, + "lookbackDuration": "5h", + "matchingMethod": "AllEntities" } } } @@ -801,17 +801,17 @@ "description": "When Knox device boot binary is at risk of compromise.", "displayName": "Knox Mobile Device Boot Compromise", "enabled": false, - "query": "Samsung_Knox_System_CL | where Name == \"BOOT_COMPROMISED_SOFTWARE_BINARY\" and MitreTtp has \"T1645\"\n", + "query": "Samsung_Knox_System_CL \n| where Name == \"BOOT_COMPROMISED_SOFTWARE_BINARY\"\nand MitreTtp has \"T1645\"\n", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SamsungDCDefinition", "dataTypes": [ "Samsung_Knox_System_CL" - ] + ], + "connectorId": "SamsungDCDefinition" } ], "tactics": [ @@ -826,10 +826,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "matchingMethod": "AllEntities", "reopenClosedIncident": false, - "enabled": false + "enabled": false, + "lookbackDuration": "5h", + "matchingMethod": "AllEntities" } } } 
@@ -902,17 +902,17 @@ "description": "When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.", "displayName": "Knox Password Lockout", "enabled": false, - "query": "Samsung_Knox_User_CL | where Name == \"PASSWORD_LOCKOUT\" and MitreTtp has \"T1110\"\n", + "query": "Samsung_Knox_User_CL \n| where Name == \"PASSWORD_LOCKOUT\"\nand MitreTtp has \"T1110\"\n", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SamsungDCDefinition", "dataTypes": [ "Samsung_Knox_User_CL" - ] + ], + "connectorId": "SamsungDCDefinition" } ], "tactics": [ @@ -927,10 +927,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "matchingMethod": "AllEntities", "reopenClosedIncident": false, - "enabled": false + "enabled": false, + "lookbackDuration": "5h", + "matchingMethod": "AllEntities" } } } @@ -1003,17 +1003,17 @@ "description": "When Knox device camera access has been detected through system policy when such access is disabled.", "displayName": "Knox Peripheral Access Detection with Camera", "enabled": false, - "query": "Samsung_Knox_System_CL| where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA\" and MitreTtp has \"KNOX.2\"\n", + "query": "Samsung_Knox_System_CL \n| where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA\" \nand MitreTtp has \"KNOX.2\"\n", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SamsungDCDefinition", "dataTypes": [ - "Samsung_Knox_Audit_CL" - ] + "Samsung_Knox_System_CL" + ], + "connectorId": "SamsungDCDefinition" } ], "eventGroupingSettings": { 
@@ -1022,10 +1022,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "matchingMethod": "AllEntities", "reopenClosedIncident": false, - "enabled": false + "enabled": false, + "lookbackDuration": "5h", + "matchingMethod": "AllEntities" } } } @@ -1096,19 +1096,19 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "When Knox device microphone access has been detected through system policy when such access is disabled.", - "displayName": "Knox Peripheral Access Detection with Mic", + "displayName": "Knox Peripheral Access Detection with Mic", "enabled": false, - "query": "Samsung_Knox_System_CL | where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC\" and MitreTtp has \"KNOX.2\"\n", + "query": "Samsung_Knox_System_CL\n| where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC\"\nand MitreTtp has \"KNOX.2\"\n", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SamsungDCDefinition", "dataTypes": [ - "Samsung_Knox_Audit_CL" - ] + "Samsung_Knox_System_CL" + ], + "connectorId": "SamsungDCDefinition" } ], "eventGroupingSettings": { @@ -1120,10 +1120,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "matchingMethod": "AllEntities", "reopenClosedIncident": false, - "enabled": false + "enabled": false, + "lookbackDuration": "5h", + "matchingMethod": "AllEntities" } } } 
@@ -1164,7 +1164,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "contentKind": "AnalyticsRule", - "displayName": "Knox Peripheral Access Detection with Mic", + "displayName": "Knox Peripheral Access Detection with Mic", "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" @@ -1196,17 +1196,17 @@ "description": "When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.", "displayName": "Knox Suspicious URL Accessed Events", "enabled": false, - "query": "Samsung_Knox_User_CL | where Name == \"SUSPICIOUS_URL_ACCESSED\" and ConfidenceScore > 0.9\n", + "query": "Samsung_Knox_User_CL \n| where Name == \"SUSPICIOUS_URL_ACCESSED\" \nand ConfidenceScore > 0.9\n", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SamsungDCDefinition", "dataTypes": [ "Samsung_Knox_User_CL" - ] + ], + "connectorId": "SamsungDCDefinition" } ], "tactics": [ @@ -1221,10 +1221,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "matchingMethod": "AllEntities", "reopenClosedIncident": false, - "enabled": false + "enabled": false, + "lookbackDuration": "5h", + "matchingMethod": "AllEntities" } } }