Merge pull request #1 from Samsung/feature/kai-sentinel-solution

Add Samsung KAI Sentinel Solution

Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml

@@ -0,0 +1,28 @@
+id: 215e89ca-cdbc-4661-b8b2-7041f6ecc7fb
+name: Knox Application Privilege Escalation or Change
+version: 1.0.0
+kind: NRT
+description: When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: SamsungDCDefinition
+    dataTypes:
+      - Samsung_Knox_Audit_CL
+tactics:
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1548
+query: Samsung_Knox_Process_CL | where Name == "PROCESS_PRIVILEGE_ESCALATION" and MitreTtp has "T1548"
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+

Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml

@@ -0,0 +1,28 @@
+id: fb4853c9-28c1-4dab-830c-e086cb975170
+name: Knox Keyguard Disabled Feature Set
+version: 1.0.0
+kind: NRT
+description: Indicates that an admin has set disabled keyguard features on a Knox device.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: SamsungDCDefinition
+    dataTypes:
+      - Samsung_Knox_Audit_CL
+tactics:
+- InitialAccess
+relevantTechniques:
+- T1461
+query: Samsung_Knox_Audit_CL | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" and MitreTtp has "T1461"
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+

Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml

@@ -0,0 +1,29 @@
+id: fae7e371-aee8-4d3f-8311-2255a45a30b3
+name: Knox Mobile Device Boot Compromise
+version: 1.0.0
+kind: NRT
+description: When Knox device boot binary is at risk of compromise.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: SamsungDCDefinition
+    dataTypes:
+      - Samsung_Knox_System_CL
+tactics:
+- Persistence
+relevantTechniques:
+- T1645
+query: |
+  Samsung_Knox_System_CL | where Name == "BOOT_COMPROMISED_SOFTWARE_BINARY" and MitreTtp has "T1645"
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+

Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml

@@ -0,0 +1,29 @@
+id: fbff0a97-1972-4df8-a78c-254ccb9879ef
+name: Knox Password Lockout
+version: 1.0.0
+kind: NRT
+description: When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: SamsungDCDefinition
+    dataTypes:
+      - Samsung_Knox_User_CL
+tactics:
+- CredentialAccess
+relevantTechniques:
+- T1110
+query: |
+  Samsung_Knox_User_CL | where Name == "PASSWORD_LOCKOUT" and MitreTtp has "T1110"
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+

Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml

@@ -0,0 +1,25 @@
+id: cd526f4d-dbe9-4149-8a0a-9ec43c3abb16
+name: Knox Peripheral Access  Detection with Camera
+version: 1.0.0
+kind: NRT
+description: When Knox device camera access has been detected through system policy when such access is disabled.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: SamsungDCDefinition
+    dataTypes:
+      - Samsung_Knox_Audit_CL
+query: |
+  Samsung_Knox_System_CL| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" and MitreTtp has "KNOX.2"
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+

Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml

@@ -0,0 +1,27 @@
+id: e4032fd2-4d05-4302-b7c0-f3f0380e2313
+name: Knox Peripheral Access  Detection with Mic
+version: 1.0.0
+kind: NRT
+description: When Knox device microphone access has been detected through system policy when such access is disabled.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: SamsungDCDefinition
+    dataTypes:
+      - Samsung_Knox_Audit_CL
+query: |
+  Samsung_Knox_System_CL | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC" and MitreTtp has "KNOX.2"
+alertDetailsOverride:
+  alertDynamicProperties: []
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+

Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml

@@ -0,0 +1,24 @@
+id: bf9be360-7f08-48b2-8e9d-ca240c48b404
+name: Knox Security Log Full
+version: 1.0.0
+kind: NRT
+description: When Security Log is full on a Knox device.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: SamsungDCDefinition
+    dataTypes:
+      - Samsung_Knox_Audit_CL
+query: Samsung_Knox_Audit_CL| where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1"
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+

Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml

@@ -0,0 +1,28 @@
+id: 18d4d4f3-6605-4fd2-968c-82c171409c1c
+name: 	Knox Suspicious URL Accessed Events
+version: 1.0.0
+kind: NRT
+description: When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: SamsungDCDefinition
+    dataTypes:
+      - Samsung_Knox_User_CL
+tactics:
+- InitialAccess
+relevantTechniques:
+- T1566
+query: Samsung_Knox_User_CL | where Name == "SUSPICIOUS_URL_ACCESSED" and ConfidenceScore > 0.9
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+

Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json

@@ -0,0 +1,76 @@
+{
+    "properties": {
+      "schema": {
+        "name": "Samsung_Knox_Application_CL",
+        "columns": [
+          {
+            "name": "TimeGenerated",
+            "type": "DateTime",
+            "isDefaultDisplay": true,
+            "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+          },
+          {
+            "name": "PrimaryImei",
+            "type": "string"
+          },
+          {
+            "name": "DeviceImei1",
+            "type": "string"
+          },
+          {
+            "name": "DeviceImei2",
+            "type": "string"
+          },
+          {
+            "name": "DeviceSerialNumber",
+            "type": "string"
+          },
+          {
+            "name": "DeviceWifimac",
+            "type": "string"
+          },
+          {
+            "name": "DeviceModel",
+            "type": "string"
+          },
+          {
+            "name": "EventGuid",
+            "type": "long"
+          },
+          {
+            "name": "Name",
+            "type": "string"
+          },
+          {
+            "name": "Version",
+            "type": "string"
+          },
+          {
+            "name": "Severity",
+            "type": "string"
+          },
+          {
+            "name": "MitreTtp",
+            "type": "dynamic"
+          },
+          {
+            "name": "Profile",
+            "type": "string"
+          },
+          {
+            "name": "PkgName",
+            "type": "string"
+          },
+          {
+            "name": "AccessibilityApi",
+            "type": "string"
+          },
+          {
+            "name": "RestrictedPerms",
+            "type": "dynamic"
+          }
+        ]
+      },
+      "plan": "Analytics"
+    }
+  }

Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json

@@ -0,0 +1,92 @@
+{
+    "properties": {
+      "schema": {
+        "name": "Samsung_Knox_Audit_CL",
+        "columns": [
+          {
+            "name": "TimeGenerated",
+            "type": "DateTime",
+            "isDefaultDisplay": true,
+            "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+          },
+          {
+            "name": "PrimaryImei",
+            "type": "string"
+          },
+          {
+            "name": "DeviceImei1",
+            "type": "string"
+          },
+          {
+            "name": "DeviceImei2",
+            "type": "string"
+          },
+          {
+            "name": "DeviceSerialNumber",
+            "type": "string"
+          },
+          {
+            "name": "DeviceWifimac",
+            "type": "string"
+          },
+          {
+            "name": "DeviceModel",
+            "type": "string"
+          },
+          {
+            "name": "EventGuid",
+            "type": "long"
+          },
+          {
+            "name": "Name",
+            "type": "string"
+          },
+          {
+            "name": "Version",
+            "type": "string"
+          },
+          {
+            "name": "Severity",
+            "type": "string"
+          },
+          {
+            "name": "MitreTtp",
+            "type": "dynamic"
+          },
+          {
+            "name": "Profile",
+            "type": "string"
+          },
+          {
+            "name": "UserId",
+            "type": "int"
+          },
+          {
+            "name": "AdmUserId",
+            "type": "int"
+          },
+          {
+            "name": "AdmPkgName",
+            "type": "string"
+          },
+          {
+            "name": "FailureReason",
+            "type": "string"
+          },
+          {
+            "name": "Action",
+            "type": "string"
+          },
+          {
+            "name": "KeyMask",
+            "type": "int"
+          },
+          {
+            "name": "PkgName",
+            "type": "string"
+          }
+        ]
+      },
+      "plan": "Analytics"
+    }
+  }