diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
new file mode 100644
index 00000000000..30c60868f83
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
@@ -0,0 +1,28 @@
+id: 215e89ca-cdbc-4661-b8b2-7041f6ecc7fb
+name: Knox Application Privilege Escalation or Change
+version: 1.0.0
+kind: NRT
+description: When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: SamsungDCDefinition
+ dataTypes:
+ - Samsung_Knox_Audit_CL
+tactics:
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1548
+query: Samsung_Knox_Process_CL | where Name == "PROCESS_PRIVILEGE_ESCALATION" and MitreTtp has "T1548"
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: 5h
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml
new file mode 100644
index 00000000000..5c01b73cd58
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml
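Review bot: `requiredDataConnectors.dataTypes` declares `Samsung_Knox_Audit_CL` while the query reads `Samsung_Knox_Process_CL`, so the template's connector prerequisite tracks a table this rule never touches; change it to `- Samsung_Knox_Process_CL`. The same table/dataType mismatch recurs in the Camera and Mic peripheral-access rules, which declare `Samsung_Knox_Audit_CL` but query `Samsung_Knox_System_CL`. None of the eight rules in this commit has an `entityMappings` or `customDetails` section, so `matchingMethod: AllEntities` has nothing to match on and the incident will not show which device fired; every custom table here carries `DeviceSerialNumber`, `DeviceImei1` and `DeviceModel`, and this rule could add `customDetails:` with `Uid: Uid`, `Euid: Euid`, `Fsuid: Fsuid`, `Path: Path` from `Samsung_Knox_Process_CL` so the analyst can see the id transition the description refers to. The description's `uid/esuid/fsuid` looks like a typo for `uid/euid/fsuid`, which are the columns the Process table actually defines.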
@@ -0,0 +1,28 @@
+id: fb4853c9-28c1-4dab-830c-e086cb975170
+name: Knox Keyguard Disabled Feature Set
+version: 1.0.0
+kind: NRT
+description: Indicates that an admin has set disabled keyguard features on a Knox device.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: SamsungDCDefinition
+ dataTypes:
+ - Samsung_Knox_Audit_CL
+tactics:
+- InitialAccess
+relevantTechniques:
+- T1461
+query: Samsung_Knox_Audit_CL | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" and MitreTtp has "T1461"
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: 5h
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml
new file mode 100644
index 00000000000..3924e3eb31d
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml
@@ -0,0 +1,29 @@
+id: fae7e371-aee8-4d3f-8311-2255a45a30b3
+name: Knox Mobile Device Boot Compromise
+version: 1.0.0
+kind: NRT
+description: When Knox device boot binary is at risk of compromise.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: SamsungDCDefinition
+ dataTypes:
+ - Samsung_Knox_System_CL
+tactics:
+- Persistence
+relevantTechniques:
+- T1645
+query: |
+ Samsung_Knox_System_CL | where Name == "BOOT_COMPROMISED_SOFTWARE_BINARY" and MitreTtp has "T1645"
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: 5h
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+
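Review bot: The Keyguard rule opens a `severity: High` incident on every `TAG_KEYGUARD_DISABLED_FEATURES_SET` event, yet its own description says the actor is an admin applying a policy, which is routine MDM configuration; without showing who made the change an analyst cannot tell a sanctioned rollout from an unexpected admin package. `Samsung_Knox_Audit_CL` in this commit carries `AdmPkgName`, `AdmUserId` and `KeyMask`, so add `customDetails:` with `AdminPackage: AdmPkgName`, `AdminUser: AdmUserId`, `KeyguardMask: KeyMask`, and consider `Medium` unless the source feed is already limited to policy violations. The YAML list indentation is also inconsistent across the set: `- InitialAccess` and `- T1461` sit at column 0 here and in the Boot Compromise, Password Lockout and Suspicious URL rules, while the first rule indents them; both parse, but one style should be chosen.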
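Review bot: The Boot Compromise alert hands the analyst only the event name, while `Samsung_Knox_System_CL` in this commit carries the attestation facts behind it: `SecureBoot`, `AvbBootState`, `AvbDeviceLocked`, `AvbVerityMode`, `WpState`, `KGState`, `BLRP`/`KernelRP`/`SystemRP` and `UnlockCount`. Surface them with `customDetails:` (e.g. `SecureBoot: SecureBoot`, `AvbBootState: AvbBootState`, `DeviceLocked: AvbDeviceLocked`, `UnlockCount: UnlockCount`) so triage can separate a rollback-protection trip from a verified-boot failure without re-querying the table. The description `is at risk of compromise` undersells an event named `BOOT_COMPROMISED_SOFTWARE_BINARY`; state what the event asserts, since this is one of the rules where `severity: High` is clearly warranted.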
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml
new file mode 100644
index 00000000000..3d042a87dbf
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml
@@ -0,0 +1,29 @@
+id: fbff0a97-1972-4df8-a78c-254ccb9879ef
+name: Knox Password Lockout
+version: 1.0.0
+kind: NRT
+description: When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: SamsungDCDefinition
+ dataTypes:
+ - Samsung_Knox_User_CL
+tactics:
+- CredentialAccess
+relevantTechniques:
+- T1110
+query: |
+ Samsung_Knox_User_CL | where Name == "PASSWORD_LOCKOUT" and MitreTtp has "T1110"
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: 5h
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
new file mode 100644
index 00000000000..8f0b08ab6fc
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
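Review bot: With `groupingConfiguration.enabled: false`, every `PASSWORD_LOCKOUT` event becomes its own High incident, but a single lockout is most often the legitimate user mistyping; the brute-force signal this rule maps to (T1110) is repeated lockouts on the same device inside the 5h window. Once a device identifier is exposed via `customDetails` (the table carries `DeviceSerialNumber`), set `enabled: true` with `matchingMethod: Selected` and group on that detail so repeats collapse into one incident, or lower the severity to `Medium` for the single-event case. The `Samsung_Knox_User_CL` schema in this commit has no column for the attempt count or the policy threshold the description mentions, so the alert cannot show how close the threshold is; worth confirming with the vendor whether that field exists in the feed.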
@@ -0,0 +1,25 @@
+id: cd526f4d-dbe9-4149-8a0a-9ec43c3abb16
+name: Knox Peripheral Access Detection with Camera
+version: 1.0.0
+kind: NRT
+description: When Knox device camera access has been detected through system policy when such access is disabled.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: SamsungDCDefinition
+ dataTypes:
+ - Samsung_Knox_Audit_CL
+query: |
+ Samsung_Knox_System_CL| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" and MitreTtp has "KNOX.2"
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: 5h
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
new file mode 100644
index 00000000000..d395ba149c9
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
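Review bot: `tactics` and `relevantTechniques` are missing from this rule (and from the Mic and Security Log Full rules), so these alerts carry no ATT&CK context in incidents or in the MITRE coverage view; the vendor tag in `MitreTtp has "KNOX.2"` is not a MITRE id and cannot stand in for them. For camera use in violation of policy a defensible mapping is `tactics:` / `- Collection` and `relevantTechniques:` / `- T1512` (Video Capture, mobile), with `- T1429` (Audio Capture, mobile) for the Mic rule. `requiredDataConnectors.dataTypes` here names `Samsung_Knox_Audit_CL` while the query reads `Samsung_Knox_System_CL`, and `Samsung_Knox_System_CL| where` drops the space before the pipe that every sibling query has.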
@@ -0,0 +1,27 @@
+id: e4032fd2-4d05-4302-b7c0-f3f0380e2313
+name: Knox Peripheral Access Detection with Mic
+version: 1.0.0
+kind: NRT
+description: When Knox device microphone access has been detected through system policy when such access is disabled.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: SamsungDCDefinition
+ dataTypes:
+ - Samsung_Knox_Audit_CL
+query: |
+ Samsung_Knox_System_CL | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC" and MitreTtp has "KNOX.2"
+alertDetailsOverride:
+ alertDynamicProperties: []
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: 5h
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
new file mode 100644
index 00000000000..0c3b4938abe
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
@@ -0,0 +1,24 @@
+id: bf9be360-7f08-48b2-8e9d-ca240c48b404
+name: Knox Security Log Full
+version: 1.0.0
+kind: NRT
+description: When Security Log is full on a Knox device.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: SamsungDCDefinition
+ dataTypes:
+ - Samsung_Knox_Audit_CL
+query: Samsung_Knox_Audit_CL| where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1"
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: 5h
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+
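Review bot: `alertDetailsOverride:` with `alertDynamicProperties: []` is an empty override that changes nothing and appears in no sibling rule; either drop the two lines or give them content, for instance an `alertDisplayNameFormat` that includes `{{DeviceModel}}` and `{{Profile}}`, which are the only event-specific columns `Samsung_Knox_System_CL` offers for this event. The dataType/query table mismatch and the missing `tactics`/`relevantTechniques` flagged on the Camera rule apply to this rule unchanged.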
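Review bot: A full security log means later Knox audit events from that device are no longer being recorded, so this is a loss-of-visibility condition rather than an intrusion on its own, and the rule should say so and map it accordingly, e.g. `tactics:` / `- DefenseEvasion` with the Impair Defenses technique that matches the matrix this set uses (the other rules mix enterprise and mobile ids, so pick one deliberately). `severity: High` with `createIncident: true` will page for what is operationally a capacity event; `Medium` plus a playbook that triggers log export/rotation on the device is the usual handling, unless the vendor documents `LOG_IS_FULL` as only occurring under policy violation. Minor: `Samsung_Knox_Audit_CL| where` is missing the space before the pipe that the other inline queries have.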
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml
new file mode 100644
index 00000000000..3d598c065c9
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml
@@ -0,0 +1,28 @@
+id: 18d4d4f3-6605-4fd2-968c-82c171409c1c
+name: Knox Suspicious URL Accessed Events
+version: 1.0.0
+kind: NRT
+description: When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: SamsungDCDefinition
+ dataTypes:
+ - Samsung_Knox_User_CL
+tactics:
+- InitialAccess
+relevantTechniques:
+- T1566
+query: Samsung_Knox_User_CL | where Name == "SUSPICIOUS_URL_ACCESSED" and ConfidenceScore > 0.9
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: 5h
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+
diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json
new file mode 100644
index 00000000000..6f07954f4d6
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json
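Review bot: The `Url` and `PkgName` columns that `Samsung_Knox_User_CL` carries for `SUSPICIOUS_URL_ACCESSED` are never surfaced, so the incident will not show which link was clicked or from which app, and the URL cannot be correlated with threat-intelligence or other alerts. Add `entityMappings:` / `- entityType: URL` / `fieldMappings:` / `- identifier: Url` / `columnName: Url`, plus `customDetails:` with `SourcePackage: PkgName`, `Confidence: ConfidenceScore` and `UrlType: UrlType`. Unlike its siblings this query does not gate on `MitreTtp has "T1566"`, which is fine given the score filter, but the hard-coded `0.9` threshold should be stated in the description so tuning is discoverable.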
@@ -0,0 +1,76 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_Application_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "AccessibilityApi", + "type": "string" + }, + { + "name": "RestrictedPerms", + "type": "dynamic" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json new file mode 100644 index 00000000000..0dcb6d7eb1f --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json 
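Review bot: Only `TimeGenerated` has a `"description"`; the vendor-specific columns `AccessibilityApi` and `RestrictedPerms` are exactly the ones an analyst has to understand to write a rule against this table, and the same gap exists in the other five schemas in this commit (`Action`/`FailureReason`/`KeyMask` in Audit, the numeric enums in Network, the attestation fields in System). Add a `"description"` per column, e.g. `"description": "Accessibility service API used by the package (vendor-defined value; confirm with Samsung documentation)"`, hedged until the meaning is confirmed. `EventGuid` is typed `long` despite its name; if the feed really emits a 64-bit numeric id that is fine, but if it emits a GUID string the ingestion type check may reject rows, so verify against a sample event.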
@@ -0,0 +1,92 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_Audit_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "UserId", + "type": "int" + }, + { + "name": "AdmUserId", + "type": "int" + }, + { + "name": "AdmPkgName", + "type": "string" + }, + { + "name": "FailureReason", + "type": "string" + }, + { + "name": "Action", + "type": "string" + }, + { + "name": "KeyMask", + "type": "int" + }, + { + "name": "PkgName", + "type": "string" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json new file mode 100644 index 00000000000..4def94f521d --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json 
@@ -0,0 +1,140 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_Network_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "Protocol", + "type": "int" + }, + { + "name": "SourcePort", + "type": "int" + }, + { + "name": "RemotePort", + "type": "int" + }, + { + "name": "SourceAddr", + "type": "string" + }, + { + "name": "RemoteAddr", + "type": "string" + }, + { + "name": "EventDetectedTime", + "type": "DateTime" + }, + { + "name": "Family", + "type": "int" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "InterfaceName", + "type": "string" + }, + { + "name": "Tid", + "type": "int" + }, + { + "name": "Pid", + "type": "int" + }, + { + "name": "Ppid", + "type": "int" + }, + { + "name": "Uid", + "type": "int" + }, + { + "name": "Gid", + "type": "int" + }, + { + "name": "ExitCode", + "type": "int" + }, + { + "name": "Syscall", + "type": "int" + }, + { + "name": "Path", + "type": "string" + }, + { + "name": "Ja3Fingerprint", + "type": "string" + }, + { + "name": "SocketType", + "type": "int" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file 
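Review bot: `Protocol`, `Family`, `SocketType` and `Syscall` are ingested as bare `int` codes with no description of the numbering (presumably Linux `AF_*`/`SOCK_*`/IPPROTO and syscall numbers, but nothing here says so), so any detection written on this table has to hard-code magic numbers that differ by ABI. Either document the code space in each column's `"description"` or have the source emit the symbolic name alongside the number. `EventDetectedTime` duplicates the role of `TimeGenerated` without saying which clock it comes from (device time vs ingestion time); that matters because the NRT rules key on `TimeGenerated`, and a large skew between the two is itself worth detecting.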
diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json new file mode 100644 index 00000000000..c6210a8b19e --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json 
@@ -0,0 +1,148 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_Process_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "Tid", + "type": "int" + }, + { + "name": "Pid", + "type": "int" + }, + { + "name": "Ppid", + "type": "int" + }, + { + "name": "Uid", + "type": "int" + }, + { + "name": "Gid", + "type": "int" + }, + { + "name": "ExitCode", + "type": "int" + }, + { + "name": "Syscall", + "type": "int" + }, + { + "name": "Path", + "type": "string" + }, + { + "name": "Cwd", + "type": "string" + }, + { + "name": "CmdLine", + "type": "string" + }, + { + "name": "Euid", + "type": "int" + }, + { + "name": "Egid", + "type": "int" + }, + { + "name": "Fsuid", + "type": "int" + }, + { + "name": "Fsgid", + "type": "int" + }, + { + "name": "Suid", + "type": "int" + }, + { + "name": "Sgid", + "type": "int" + }, + { + "name": "OwnerUid", + "type": "int" + }, + { + "name": "OwnerGid", + "type": "int" + }, + { + "name": "Atime", + "type": "DateTime" + }, + { + "name": "Mtime", + "type": "DateTime" + }, + { + "name": "Ctime", + "type": "DateTime" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file 
diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json new file mode 100644 index 00000000000..e47c5d0ac12 --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json 
@@ -0,0 +1,240 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_System_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "BLBuildVersion", + "type": "string" + }, + { + "name": "BLBuildId", + "type": "string" + }, + { + "name": "BLBuildType", + "type": "string" + }, + { + "name": "KernelBuildId", + "type": "string" + }, + { + "name": "KernelBuildType", + "type": "string" + }, + { + "name": "SystemBuildId0", + "type": "string" + }, + { + "name": "SystemBuildId1", + "type": "string" + }, + { + "name": "SystemBuildId2", + "type": "string" + }, + { + "name": "BLMode", + "type": "string" + }, + { + "name": "RebootReason", + "type": "string" + }, + { + "name": "SecureBoot", + "type": "string" + }, + { + "name": "BLEventTarget", + "type": "string" + }, + { + "name": "BLEvent", + "type": "string" + }, + { + "name": "BLRP", + "type": "string" + }, + { + "name": "KernelRP", + "type": "string" + }, + { + "name": "SystemRP", + "type": "string" + }, + { + "name": "ArpDevice", + "type": "string" + }, + { + "name": "WpState", + "type": "string" + }, + { + "name": "WbFuse", + "type": "string" + }, + { + "name": "WbReason", + "type": "string" + }, + { + "name": "ImgStatus", + "type": "string" + }, + 
{ + "name": "KernelState", + "type": "string" + }, + { + "name": "CustomCount", + "type": "string" + }, + { + "name": "AvbBootState", + "type": "string" + }, + { + "name": "AvbDeviceLocked", + "type": "string" + }, + { + "name": "AvbOsVersion", + "type": "string" + }, + { + "name": "AvbOsPatchLevel", + "type": "string" + }, + { + "name": "AvbVendorPatchLevel", + "type": "string" + }, + { + "name": "AvbBootPatchLevel", + "type": "string" + }, + { + "name": "VbMetaType", + "type": "string" + }, + { + "name": "UnlockCount", + "type": "string" + }, + { + "name": "EmStatus", + "type": "string" + }, + { + "name": "EmFuseHistory", + "type": "string" + }, + { + "name": "EmTokens", + "type": "string" + }, + { + "name": "KGState", + "type": "string" + }, + { + "name": "KGFuse", + "type": "string" + }, + { + "name": "FrpState", + "type": "string" + }, + { + "name": "CCModeState", + "type": "string" + }, + { + "name": "MDMState", + "type": "string" + }, + { + "name": "EDLCount", + "type": "string" + }, + { + "name": "RPMBState", + "type": "string" + }, + { + "name": "FOTACount", + "type": "string" + }, + { + "name": "ODINCount", + "type": "string" + }, + { + "name": "AvbVerityMode", + "type": "string" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json new file mode 100644 index 00000000000..873b97c3c46 --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json 
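Review bot: The attestation counters `CustomCount`, `UnlockCount`, `EDLCount`, `FOTACount` and `ODINCount` are typed `string`, so a KQL predicate such as `UnlockCount > 0` needs a `toint()` cast and silently matches nothing when a non-numeric value arrives; if the source emits integers, type them `"type": "int"` (or `long`). The state fields the Boot Compromise rule's triage depends on (`SecureBoot`, `AvbDeviceLocked`, `AvbBootState`, `WpState`, `KGState`, `FrpState`) have no description of their value set, so an analyst cannot tell what the "good" value looks like without vendor docs; a one-line `"description"` per field with the expected healthy value would make the rule actionable. This section's schema starts in the previous chunk line, so the header columns were reviewed together with the other tables.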
@@ -0,0 +1,80 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_User_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "int" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "Url", + "type": "string" + }, + { + "name": "ConfidenceScore", + "type": "double" + }, + { + "name": "UrlType", + "type": "int" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json b/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json new file mode 100644 index 00000000000..efe91a03a20 --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json 
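Review bot: `Version` is typed `int` here but `string` in the other five tables of this commit, so a `union Samsung_Knox_*_CL` or a join on the shared header columns will hit a type conflict on `Version`; align it with the siblings (`"type": "string"`) unless the source genuinely emits a different field for this table. `UrlType` is another undocumented `int` enum and `ConfidenceScore` has no stated range, which the Suspicious URL rule's `> 0.9` threshold depends on; add `"description"` entries stating the scale and the code values.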
@@ -0,0 +1,119 @@
+{
+ "id": "SamsungDCDefinition",
+ "title": "Samsung Knox Asset Intelligence (Preview)",
+ "publisher": "Samsung",
+ "descriptionMarkdown": "Samsung Knox Asset Intelligence Data Connector provides you the ability to centralize mobile security events and logs to view customizes insights in Workbooks and create incidents based on Analytics Rules templates.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Samsung User Events logs",
+ "baseQuery": "Samsung_Knox_Audit_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "One-line title for your sample query 1",
+ "query": "Samsung_Knox_Audit_CL\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Samsung_Knox_Application_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_Application_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_Audit_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_Audit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_Process_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_Process_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_Network_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_Network_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_User_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_User_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_System_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_System_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Samsung_Knox_Audit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions on the Log Analytics Workspace are required to enable the Solution. You can either choose an existing Log Analytics workspace or create new. [See the documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) to learn more about Log Analytics workspace creation.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Entra App",
+ "description": "An Entra Application needs to be registered and provisioned with 'Sentinel Contributor'/ 'Microsoft Metrics Publisher' role to setup client secret-based authentication for data transfer. [See the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) to learn more about Entra App creation/registration and creating Client Secret credentials"
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "apiVersion": "2020-01-01",
+ "location": "[parameters('location')]",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('connectorId'))]",
+ "kind": "Office365",
+ "properties": {
+ "tenantId": "[subscription().tenantId]",
+ "dataTypes": {
+ "exchange": {
+ "state": "[parameters('exchangeState')]"
+ },
+ "sharePoint": {
+ "state": "[parameters('sharePointState')]"
+ },
+ "teams": {
+ "state": "[parameters('teamsState')]"
+ }
+ }
+ }
+ }
+ ],
+ "instructionSteps": [
+ {
+ "title": "",
+ "description": "This Samsung Knox Data Connector uses Microsoft Log Ingestion API that push security events into Microsoft Sentinel from Samsung Knox Asset Intelligence solution."
+ },
+ {
+ "title": "STEP 1 - Create and register an Entra Application ",
+ "description": ">**Note**: : Since this Data Connector is designed to support Client Secret-based authentication to securely transfer data, the user must create the Client Secret as credentials during the Entra application creation and registration. Ensure you copy the Client Secret value as soon as it is generated.\n\n>**IMPORTANT**: Save the Tenant (Directory) ID, Client (Application) ID and Client Secret (Secret Value) values"
+ },
+ {
+ "title": "STEP 2 - Obtain Sentinel Data collection Details",
+ "description": ">**Note**: Once you have installed Samsung Knox Asset Intelligence for Microsoft Sentinel Solution in Sentinel, a Data Collection Rule (DCR) associated with a Data Collection Endpoint (DCE), is auto-generated. To view this information, navigate to [Data Collection Rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules?) and look for DCR with its Name starting with **'samsung-knox-dcr-....'** and click on the DCR to view associated details.\n\n>**IMPORTANT**: Save the values for Immutable ID (DCR) and Data Collection Endpoint"
+ },
+ {
+ "title": "STEP 3 - Connect to Samsung Knox Asset Intelligence solution to configure Microsoft Sentinel to push select Knox Security Events as Alerts -",
+ "description": "1. Login to [Knox Asset Intelligence administration portal](https://central.samsungknox.com/kaiadmin/dai/home) and navigate to **Dashboard Settings**; this is available at the top-right corner of the Portal\n> **Note**: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions\n\n2. Click on Security tab to view settings for Security Operations Integration and for Knox Security Logs.\n\n3. In the Security Operations Integration page, toggle on the **'Enable Microsoft Sentinel Integration'** and enter appropriate values in the required fields - \n\n a. For Tenant ID, Client ID and Client Secret, refer to the information saved from Step 1 while registering the Entra application \n\n b. For Sentinel DCE and DCR, refer to the information saved from Step 2 \n\n4. Click on the **'Test Connection'** and ensure the connection is successful.\n\n5. Before you can Save, configure Knox Security Logs by selecting wither Essential or Advanced configuration **(default: Essential)**\n\n6. To complete the Sentinel integration, click **'Save'**"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Samsung Knox Asset Intelligence/Data Connectors/azuredeploy_SamsungDataConnectorDefinition.json b/Solutions/Samsung Knox Asset Intelligence/Data Connectors/azuredeploy_SamsungDataConnectorDefinition.json
new file mode 100644
index 00000000000..b6e81b2123d
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Data Connectors/azuredeploy_SamsungDataConnectorDefinition.json
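Review bot: The `resources` array deploys a `Microsoft.OperationalInsights/workspaces/providers/dataConnectors` resource of `"kind": "Office365"` with `exchange`/`sharePoint`/`teams` state settings; that is the Office 365 sample left in place, has nothing to do with a Logs Ingestion API push connector, and references `exchangeState`/`sharePointState`/`teamsState` parameters this definition never declares, so the whole `"resources"` entry should be removed. The `customs` guidance tells the operator to grant the Entra app 'Sentinel Contributor'/'Microsoft Metrics Publisher'; the Logs Ingestion API needs `Monitoring Metrics Publisher` scoped to the DCR (or DCE), and Sentinel Contributor on the workspace is far more than a push-only identity requires, so name the exact role and the narrowest scope and note that the client secret should be given a short expiry. Placeholder and mismatched text also remain: `sampleQueries.description` is `One-line title for your sample query 1`, `graphQueries.legend` says `Samsung User Events logs` for a query on the Audit table, and `connectivityCriterias` only checks `Samsung_Knox_Audit_CL` although six tables are declared, so a tenant ingesting only Process or Network events will show as disconnected.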
@@ -0,0 +1,1265 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Log Analytics Workspace Name": {
+ "defaultValue": "",
+ "type": "String"
+ },
+ "Log Analytics Workspace Location": {
+ "defaultValue": "",
+ "type": "String"
+ },
+ "Log Analytics Workspace Subscription": {
+ "defaultValue": "",
+ "type": "String"
+ },
+ "Log Analytics Workspace Resource Group": {
+ "defaultValue": "",
+ "type": "String"
+ },
+ "dce-reuse-flag": {
+ "defaultValue": false,
+ "allowedValues": [
+ false,
+ true
+ ],
+ "type": "Bool",
+ "metadata": {
+ "description": "The default name for the DCE is ms-sentinel-knox-dce-[function-name]-[LA-Region]. If you prefer a custom name, please set this flag to true"
+ }
+ },
+ "input-dce-name": {
+ "defaultValue": "",
+ "type": "String"
+ },
+ "dcr-normalized-data_refresh_flag": {
+ "defaultValue": true,
+ "allowedValues": [
+ false,
+ true
+ ],
+ "type": "Bool"
+ },
+ "dcr-normalized-data_name_input": {
+ "defaultValue": "",
+ "type": "String",
+ "metadata": {
+ "description": "Default name will be samsung-knox-dcr-[LA-Region], no need to enter if you want to use default names"
+ }
+ }
+ },
+ "variables": {
+ "loganalyticsworkspace": "[parameters('Log Analytics Workspace Name')]",
+ "loganalyticsworkspace-location": "[parameters('Log Analytics Workspace Location')]",
+ "loganalyticsworkspace-subscription": "[parameters('Log Analytics Workspace Subscription')]",
+ "loganalyticsworkspace-resourceGroup": "[parameters('Log Analytics Workspace Resource Group')]",
+ "default-dce-name": "[concat('samsung-knox-dce-',replace(variables('loganalyticsworkspace-location'),' ', ''))]",
+ "dce-name": "[if(not(parameters('dce-reuse-flag')), variables('default-dce-name'), parameters('input-dce-name'))]",
+ "dcr-normalized-data": "[if(empty(parameters('dcr-normalized-data_name_input')), 
concat('samsung-knox-dcr-',replace(variables('loganalyticsworkspace-location'),' ', '')), parameters('dcr-normalized-data_name_input'))]", + "dcr-normalized-data_refresh_flag": "[parameters('dcr-normalized-data_refresh_flag')]", + "cust-table-audit": "Samsung_Knox_Audit_CL", + "cust-table-application": "Samsung_Knox_Application_CL", + "cust-table-process": "Samsung_Knox_Process_CL", + "cust-table-user": "Samsung_Knox_User_CL", + "cust-table-network": "Samsung_Knox_Network_CL", + "cust-table-system": "Samsung_Knox_System_CL" + }, + "resources": [ + { + "type": "Microsoft.Insights/dataCollectionEndpoints", + "apiVersion": "2022-06-01", + "name": "[variables('dce-name')]", + "location": "[variables('loganalyticsworkspace-location')]", + "dependsOn": [ + "[resourceId(variables('loganalyticsworkspace-subscription'), variables('loganalyticsworkspace-resourceGroup'), 'Microsoft.Resources/deployments', 'RestDRLATablesTemplate')]" + ], + "properties": { + "networkAcls": { + "publicNetworkAccess": "Enabled" + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "RestDRLATablesTemplate", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(variables('loganalyticsworkspace'),'/',variables('cust-table-audit'))]", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2022-10-01", + "tags": {}, + "properties": { + "plan": "Analytics", + "schema": { + "name": "[variables('cust-table-audit')]", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." 
+ }, + { + "name": "EventTime", + "type": "DateTime" + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "int" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "UserId", + "type": "int" + }, + { + "name": "AdmUserId", + "type": "int" + }, + { + "name": "AdmPkgName", + "type": "string" + }, + { + "name": "FailureReason", + "type": "string" + }, + { + "name": "Action", + "type": "string" + }, + { + "name": "KeyMask", + "type": "int" + }, + { + "name": "PkgName", + "type": "string" + } + ] + } + } + }, + { + "name": "[concat(variables('loganalyticsworkspace'),'/',variables('cust-table-application'))]", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2022-10-01", + "tags": {}, + "properties": { + "plan": "Analytics", + "schema": { + "name": "[variables('cust-table-application')]", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." 
+ }, + { + "name": "EventTime", + "type": "DateTime" + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "int" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "AccessibilityApi", + "type": "string" + }, + { + "name": "RestrictedPerms", + "type": "dynamic" + } + ] + } + } + }, + { + "name": "[concat(variables('loganalyticsworkspace'),'/',variables('cust-table-process'))]", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2022-10-01", + "tags": {}, + "properties": { + "plan": "Analytics", + "schema": { + "name": "[variables('cust-table-process')]", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." 
+ }, + { + "name": "EventTime", + "type": "DateTime" + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "int" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "Tid", + "type": "int" + }, + { + "name": "Pid", + "type": "int" + }, + { + "name": "Ppid", + "type": "int" + }, + { + "name": "Uid", + "type": "int" + }, + { + "name": "Gid", + "type": "int" + }, + { + "name": "ExitCode", + "type": "int" + }, + { + "name": "Syscall", + "type": "int" + }, + { + "name": "Path", + "type": "string" + }, + { + "name": "Cwd", + "type": "string" + }, + { + "name": "CmdLine", + "type": "string" + }, + { + "name": "Euid", + "type": "int" + }, + { + "name": "Egid", + "type": "int" + }, + { + "name": "Fsuid", + "type": "int" + }, + { + "name": "Fsgid", + "type": "int" + }, + { + "name": "Suid", + "type": "int" + }, + { + "name": "Sgid", + "type": "int" + }, + { + "name": "OwnerUid", + "type": "int" + }, + { + "name": "OwnerGid", + "type": "int" + }, + { + "name": "Atime", + "type": "long" + }, + { + "name": "Mtime", + "type": "long" + }, + { + "name": "Ctime", + "type": "long" + } + ] + } + } + }, + { + "name": "[concat(variables('loganalyticsworkspace'),'/',variables('cust-table-user'))]", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2022-10-01", + "tags": {}, + "properties": { + "plan": "Analytics", + "schema": { + "name": "[variables('cust-table-user')]", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + 
"isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "EventTime", + "type": "DateTime" + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "int" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "Url", + "type": "string" + }, + { + "name": "ConfidenceScore", + "type": "real" + }, + { + "name": "UrlType", + "type": "int" + } + ] + } + } + }, + { + "name": "[concat(variables('loganalyticsworkspace'),'/',variables('cust-table-network'))]", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2022-10-01", + "tags": {}, + "properties": { + "plan": "Analytics", + "schema": { + "name": "[variables('cust-table-network')]", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true + }, + { + "name": "EventTime", + "type": "DateTime" + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "int" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": 
"MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "Protocol", + "type": "int" + }, + { + "name": "SourcePort", + "type": "int" + }, + { + "name": "RemotePort", + "type": "int" + }, + { + "name": "SourceAddr", + "type": "string" + }, + { + "name": "RemoteAddr", + "type": "string" + }, + { + "name": "EventDetectedTime", + "type": "DateTime" + }, + { + "name": "Family", + "type": "int" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "InterfaceName", + "type": "string" + }, + { + "name": "Tid", + "type": "int" + }, + { + "name": "Pid", + "type": "int" + }, + { + "name": "Ppid", + "type": "int" + }, + { + "name": "Uid", + "type": "int" + }, + { + "name": "Gid", + "type": "int" + }, + { + "name": "ExitCode", + "type": "int" + }, + { + "name": "Syscall", + "type": "int" + }, + { + "name": "Path", + "type": "string" + }, + { + "name": "Ja3Fingerprint", + "type": "string" + }, + { + "name": "SocketType", + "type": "int" + } + ] + } + } + }, + { + "name": "[concat(variables('loganalyticsworkspace'),'/',variables('cust-table-system'))]", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2022-10-01", + "tags": {}, + "properties": { + "plan": "Analytics", + "schema": { + "name": "[variables('cust-table-system')]", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true + }, + { + "name": "EventTime", + "type": "DateTime" + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "int" + }, + { + "name": "Severity", + "type": "string" + }, + { + 
"name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "BLBuildVersion", + "type": "string" + }, + { + "name": "BLBuildId", + "type": "string" + }, + { + "name": "BLBuildType", + "type": "string" + }, + { + "name": "KernelBuildId", + "type": "string" + }, + { + "name": "KernelBuildType", + "type": "string" + }, + { + "name": "SystemBuildId0", + "type": "string" + }, + { + "name": "SystemBuildId1", + "type": "string" + }, + { + "name": "SystemBuildId2", + "type": "string" + }, + { + "name": "BLMode", + "type": "string" + }, + { + "name": "RebootReason", + "type": "string" + }, + { + "name": "SecureBoot", + "type": "string" + }, + { + "name": "BLEventTarget", + "type": "string" + }, + { + "name": "BLEvent", + "type": "string" + }, + { + "name": "BLRP", + "type": "string" + }, + { + "name": "KernelRP", + "type": "string" + }, + { + "name": "SystemRP", + "type": "string" + }, + { + "name": "ArpDevice", + "type": "string" + }, + { + "name": "WpState", + "type": "string" + }, + { + "name": "WbFuse", + "type": "string" + }, + { + "name": "WbReason", + "type": "string" + }, + { + "name": "ImgStatus", + "type": "string" + }, + { + "name": "KernelState", + "type": "string" + }, + { + "name": "CustomCount", + "type": "string" + }, + { + "name": "AvbBootState", + "type": "string" + }, + { + "name": "AvbDeviceLocked", + "type": "string" + }, + { + "name": "AvbOsVersion", + "type": "string" + }, + { + "name": "AvbOsPatchLevel", + "type": "string" + }, + { + "name": "AvbVendorPatchLevel", + "type": "string" + }, + { + "name": "AvbBootPatchLevel", + "type": "string" + }, + { + "name": "VbMetaType", + "type": "string" + }, + { + "name": "UnlockCount", + "type": "string" + }, + { + "name": "EmStatus", + "type": "string" + }, + { + "name": "EmFuseHistory", + "type": "string" + }, + { + "name": "EmTokens", + "type": "string" + }, + { + "name": "KGState", + "type": "string" + }, + { + "name": "KGFuse", + "type": "string" + }, + { + 
"name": "FrpState", + "type": "string" + }, + { + "name": "CCModeState", + "type": "string" + }, + { + "name": "MDMState", + "type": "string" + }, + { + "name": "EDLCount", + "type": "string" + }, + { + "name": "RPMBState", + "type": "string" + }, + { + "name": "FOTACount", + "type": "string" + }, + { + "name": "ODINCount", + "type": "string" + }, + { + "name": "AvbVerityMode", + "type": "string" + } + ] + } + } + } + + ] + }, + "parameters": {} + }, + "subscriptionId": "[variables('loganalyticsworkspace-subscription')]", + "resourceGroup": "[variables('loganalyticsworkspace-resourceGroup')]" + }, + { + "type": "Microsoft.Insights/dataCollectionRules", + "apiVersion": "2022-06-01", + "name": "[variables('dcr-normalized-data')]", + "location": "[variables('loganalyticsworkspace-location')]", + "tags": { + "createdBy": "Sentinel" + }, + "dependsOn": [ + "[resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dce-name'))]" + ], + "properties": { + "dataCollectionEndpointId": "[resourceId(subscription().subscriptionId,resourceGroup().name,'Microsoft.Insights/dataCollectionEndpoints', variables('dce-name'))]", + "streamDeclarations": { + "Custom-Samsung": { + "columns": [ + { + "name": "imei1", + "type": "string", + "description": "Device Imei1" + }, + { + "name": "imei2", + "type": "string", + "description": "Device Imei2" + }, + { + "name": "serial", + "type": "string", + "description": "Device Serial" + }, + { + "name": "mac", + "type": "string", + "description": "Device Wifi Mac" + }, + { + "name": "model", + "type": "string", + "description": "Device Model" + }, + { + "name": "timestamp", + "type": "long", + "description": "The time at which the data was generated" + }, + { + "name": "event_id", + "type": "long", + "description": "id" + }, + { + "name": "version", + "type": "int", + "description": "device event version" + }, + { + "name": "name", + "type": "string", + "description": "event name like TAG_KEYGUARD_DISMISSED" + }, + { + "name": 
"severity", + "type": "string", + "description": "Severity" + }, + { + "name": "private", + "type": "string", + "description": "Profile, Allowable values: PRIVATE, PUBLIC" + }, + { + "name": "maturity", + "type": "string" + }, + { + "name": "source", + "type": "string" + }, + { + "name": "tag_table", + "type": "string", + "description": "tag for events" + }, + { + "name": "mitre_attack_techniques", + "type": "dynamic", + "description": "MitreTtp" + }, + { + "name": "addon_content", + "type": "dynamic", + "description": "userId, admUserId, admPkgName, reason, action, keyMask, pkgName, interfaceName" + }, + { + "name": "tid", + "type": "int", + "description": "Tid" + }, + { + "name": "pid", + "type": "int", + "description": "Pid" + }, + { + "name": "ppid", + "type": "int", + "description": "Ppid" + }, + { + "name": "uid", + "type": "int", + "description": "Uid" + }, + { + "name": "gid", + "type": "int", + "description": "Gid" + }, + { + "name": "exit_code", + "type": "int", + "description": "ExitCode" + }, + { + "name": "syscall", + "type": "int", + "description": "Syscall" + }, + { + "name": "path", + "type": "string", + "description": "Path" + }, + { + "name": "cwd", + "type": "string", + "description": "Cwd" + }, + { + "name": "cmdline", + "type": "string", + "description": "CmdLine" + }, + { + "name": "euid", + "type": "int", + "description": "Euid" + }, + { + "name": "egid", + "type": "int", + "description": "Egid" + }, + { + "name": "fsuid", + "type": "int", + "description": "Fsuid" + }, + { + "name": "fsgid", + "type": "int", + "description": "Fsgid" + }, + { + "name": "suid", + "type": "int", + "description": "Suid" + }, + { + "name": "sgid", + "type": "int", + "description": "Sgid" + }, + { + "name": "owner_uid", + "type": "int", + "description": "OwnerUid" + }, + { + "name": "owner_gid", + "type": "int", + "description": "OwnerGid" + }, + { + "name": "atime", + "type": "long", + "description": "Atime" + }, + { + "name": "mtime", + "type": "long", + 
"description": "Mtime" + }, + { + "name": "ctime", + "type": "long", + "description": "Ctime" + }, + { + "name": "package_name", + "type": "string", + "description": "PkgName" + }, + { + "name": "accessbility_api", + "type": "string", + "description": "AccessibilityApi" + }, + { + "name": "restricted_permissions", + "type": "dynamic", + "description": "RestrictedPerms" + }, + { + "name": "url", + "type": "string", + "description": "Url" + }, + { + "name": "confidence_score", + "type": "real", + "description": "ConfidenceScore" + }, + { + "name": "url_type", + "type": "int", + "description": "UrlType" + }, + { + "name": "protocol", + "type": "int", + "description": "Protocol" + }, + { + "name": "local_port", + "type": "int", + "description": "SourcePort" + }, + { + "name": "remote_port", + "type": "int", + "description": "RemotePort" + }, + { + "name": "local_address", + "type": "string", + "description": "SourceAddr" + }, + { + "name": "remote_address", + "type": "string", + "description": "RemoteAddr" + }, + { + "name": "eventTime", + "type": "datetime", + "description": "EventDetectedTime" + }, + { + "name": "family", + "type": "int", + "description": "Family" + }, + + { + "name": "JA3_fingerprint", + "type": "string", + "description": "Ja3Fingerprint" + }, + { + "name": "type", + "type": "int", + "description": "SocketType" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "name": "SentinelWorkspace", + "workspaceResourceId": "[resourceId(variables('loganalyticsworkspace-subscription'), variables('loganalyticsworkspace-resourceGroup'),'Microsoft.OperationalInsights/Workspaces', variables('loganalyticsworkspace'))]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-Samsung" + ], + "destinations": [ "SentinelWorkspace" ], + "transformKql": "source \r\n|where (name == 'TAG_FAILED_TO_WIPE_USER_DATA' or name == 'TAG_WIPING_DATA_IS_NOT_ALLOWED_FOR_THIS_USER' or name == 'TAG_ADMIN_HAS_REQUESTED_FULL_WIPE_OF_DEVICE' or name == 
'TAG_PACKAGE_NAME_HAS_BEEN_ACTIVATED_AS_ADMIN' or name == 'TAG_PACKAGE_NAME_HAS_BEEN_REMOVED_AS_ADMIN' or name == 'TAG_APPLICATION_ACTION_FAILED_BECAUSE_OF_SIGNATURE_VERIFICATION_FAILURE' or name == 'LOG_IS_FULL' or name == 'TAG_ADB_SHELL_INTERACTIVE' or name == 'TAG_KEYGUARD_DISABLED_FEATURES_SET' or name == 'TAG_KEYGUARD_DISMISSED') \r\n | extend PrimaryImei = case(isempty(imei1), imei2, imei1) \r\n |extend parsedAC = parse_json(addon_content) \r\n| extend UserId = toint(parsedAC.userId) \r\n| extend AdmUserId = toint(parsedAC.admUserId) \r\n| extend AdmPkgName = tostring(parsedAC.admPkgName) \r\n| extend FailureReason = tostring(parsedAC.reason) \r\n| extend Action = tostring(parsedAC.action) \r\n| extend KeyMask = toint(parsedAC.mask) \r\n| extend PkgName = tostring(parsedAC.pkgName) \n| extend eventDatetime = datetime_add('milliSecond', tolong(timestamp), todatetime('1970-01-01'))\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now()) \r\n| project-rename EventGuid = event_id,\r\n Name = name,\r\n Version = version,\r\n Severity = severity,\r\n MitreTtp = mitre_attack_techniques,\r\n Profile = private,\r\n DeviceImei1=imei1,\r\n DeviceImei2=imei2,\r\n DeviceSerialNumber=serial,\r\n DeviceWifimac=mac,\r\n DeviceModel=model, EventTime= eventDatetime ", + "outputStream": "[concat('Custom-', variables('cust-table-audit'))]" + }, + { + "streams": [ + "Custom-Samsung" + ], + "destinations": [ "SentinelWorkspace" ], + "transformKql": "source \r\n|where (name == 'PREVENT_APP_REMOVAL_CAPABILITY' or name == 'KEY_INPUT_CAPTURE_CAPABILITY'or name == 'SCREEN_CAPTURE_CAPABILITY' or name == 'USER_INTERACTION_CONTROL_CAPABILITY' or name == 'ACCESS_NOTIFICATION_PERMISSION' or name == 'VIDEO_CAPTURE_PERMISSION' or name == 'ACCESS_CALL_LOG_PERMISSION') \r\n | extend PrimaryImei = case(isempty(imei1), imei2, imei1) \n| extend eventDatetime = datetime_add('milliSecond', tolong(timestamp), todatetime('1970-01-01'))\n | extend TimeGenerated = 
iff(isnotempty(eventDatetime), eventDatetime, now()) \r\n| project-rename EventGuid = event_id,\r\n Name = name,\r\n Version = version,\r\n Severity = severity,\r\n MitreTtp = mitre_attack_techniques,\r\n Profile = private,\r\n PkgName = package_name,\r\n AccessibilityApi = accessbility_api,\r\n RestrictedPerms = restricted_permissions,\r\n DeviceImei1=imei1,\r\n DeviceImei2=imei2,\r\n DeviceSerialNumber=serial,\r\n DeviceWifimac=mac,\r\n DeviceModel=model, EventTime= eventDatetime ", + "outputStream": "[concat('Custom-', variables('cust-table-application'))]" + }, + { + "streams": [ + "Custom-Samsung" + ], + "destinations": [ "SentinelWorkspace" ], + "transformKql": "source \r\n|where (name == 'PROCESS_PRIVILEGE_ESCALATION') \r\n | extend PrimaryImei = case(isempty(imei1), imei2, imei1) \n| extend eventDatetime = datetime_add('milliSecond', tolong(timestamp), todatetime('1970-01-01'))\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now()) \r\n| project-rename EventGuid = event_id,\r\n Name = name,\r\n Version = version,\r\n Severity = severity,\r\n MitreTtp = mitre_attack_techniques,\r\n Profile = private,\r\n Tid = tid,\r\n Pid = pid,\r\n Ppid = ppid,\r\n Uid = uid,\r\n Gid = gid,\r\n ExitCode = exit_code,\r\n Syscall = syscall,\r\n Path = path,\r\n Cwd = cwd,\r\n CmdLine = cmdline,\r\n Euid = euid,\r\n Egid = egid,\r\n Fsuid = fsuid,\r\n Fsgid = fsgid,\r\n Suid = suid,\r\n Sgid = sgid,\r\n OwnerUid = owner_uid,\r\n OwnerGid = owner_gid,\r\n Atime = atime,\r\n Mtime = mtime,\r\n Ctime = ctime,\r\n DeviceImei1=imei1,\r\n DeviceImei2=imei2,\r\n DeviceSerialNumber=serial,\r\n DeviceWifimac=mac,\r\n DeviceModel=model, EventTime= eventDatetime ", + "outputStream": "[concat('Custom-', variables('cust-table-process'))]" + }, + { + "streams": [ + "Custom-Samsung" + ], + "destinations": [ "SentinelWorkspace" ], + "transformKql": "source \r\n|where (name == 'SUSPICIOUS_URL_ACCESSED' or name == 'PASSWORD_LOCKOUT') \r\n | extend PrimaryImei = 
case(isempty(imei1), imei2, imei1) \n| extend eventDatetime = datetime_add('milliSecond', tolong(timestamp), todatetime('1970-01-01'))\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now()) \r\n| project-rename EventGuid = event_id,\r\n Name = name,\r\n Version = version,\r\n Severity = severity,\r\n MitreTtp = mitre_attack_techniques,\r\n Profile = private,\r\n PkgName = package_name,\r\n Url = url,\r\n ConfidenceScore = confidence_score,\r\n UrlType = url_type,\r\n DeviceImei1=imei1,\r\n DeviceImei2=imei2,\r\n DeviceSerialNumber=serial,\r\n DeviceWifimac=mac,\r\n DeviceModel=model, EventTime= eventDatetime | extend MitreTtp = case(Name == 'SUSPICIOUS_URL_ACCESSED', array_concat(MitreTtp, parse_json(\"['T1566']\")), MitreTtp)", + "outputStream": "[concat('Custom-', variables('cust-table-user'))]" + }, + { + "streams": [ + "Custom-Samsung" + ], + "destinations": [ "SentinelWorkspace" ], + "transformKql": "source \r\n|where (name == 'TAG_NETWORK_EVENT_INSECURE_PACKET') \r\n | extend PrimaryImei = case(isempty(imei1), imei2, imei1) \r\n| extend parsedAC = parse_json(addon_content) \r\n| extend EventDetectedTime = datetime_add('milliSecond', tolong(parsedAC.eventTime), todatetime('1970-01-01')) \r\n| extend PkgName = tostring(parsedAC.pkgName) \r\n| extend InterfaceName = tostring(parsedAC.interfaceName) \n| extend eventDatetime = datetime_add('milliSecond', tolong(timestamp), todatetime('1970-01-01'))\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now()) \r\n| project-rename EventGuid = event_id,\r\n Name = name,\r\n Version = version,\r\n Severity = severity,\r\n MitreTtp = mitre_attack_techniques,\r\n Profile = private,\r\n Protocol = protocol,\r\n SourcePort = local_port,\r\n RemotePort = remote_port,\r\n SourceAddr = local_address,\r\n RemoteAddr = remote_address,\r\n Family = family,\r\n Tid = tid,\r\n Pid = pid,\r\n Ppid = ppid,\r\n Uid = uid,\r\n Gid = gid,\r\n ExitCode = exit_code,\r\n Syscall = syscall,\r\n 
Path = path,\r\n Ja3Fingerprint = JA3_fingerprint,\r\n SocketType = type,\r\n DeviceImei1=imei1,\r\n DeviceImei2=imei2,\r\n DeviceSerialNumber=serial,\r\n DeviceWifimac=mac,\r\n DeviceModel=model , EventTime= eventDatetime ", + "outputStream": "[concat('Custom-', variables('cust-table-network'))]" + }, + { + "streams": [ + "Custom-Samsung" + ], + "destinations": [ "SentinelWorkspace" ], + "transformKql": "source \r\n|where (name == 'BOOT_COMPROMISED_SOFTWARE_BINARY' or name == 'PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA' or name == 'PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC' or name == 'BOOT_STATE' or name == 'BOOT_SECURITY_ABNORMALITY') \r\n | extend PrimaryImei = case(isempty(imei1), imei2, imei1) \r\n| extend parsedAC = parse_json(addon_content) \r\n| extend BLBuildVersion = tostring(parsedAC.BOOTLOADER_BUILD_VERSION) \r\n| extend BLBuildId = tostring(parsedAC.BOOTLOADER_BUILD_ID) \r\n| extend BLBuildType = tostring(parsedAC.BOOTLOADER_BUILD_TYPE) \r\n| extend KernelBuildId = tostring(parsedAC.KERNEL_BUILD_ID) \r\n| extend KernelBuildType = tostring(parsedAC.KERNEL_BUILD_TYPE) \r\n| extend SystemBuildId0 = tostring(parsedAC.SYSTEM_BUILD_ID0) \r\n| extend SystemBuildId1 = tostring(parsedAC.SYSTEM_BUILD_ID1) \r\n| extend SystemBuildId2 = tostring(parsedAC.SYSTEM_BUILD_ID2) \r\n| extend BLMode = tostring(parsedAC.BOOTLOADER_MODE) \r\n| extend RebootReason = tostring(parsedAC.REBOOT_REASON) \r\n| extend SecureBoot = tostring(parsedAC.SECURE_BOOT) \r\n| extend BLEventTarget = tostring(parsedAC.BOOTLOADER_EVENT_TARGET) \r\n| extend BLEvent = tostring(parsedAC.BOOTLOADER_EVENT) \r\n| extend BLRP = tostring(parsedAC.BOOTLOADER_RP) \r\n| extend KernelRP = tostring(parsedAC.KERNEL_RP) \r\n| extend SystemRP = tostring(parsedAC.SYSTEM_RP) \r\n| extend ArpDevice = tostring(parsedAC.ARP_DEVICE) \r\n| extend WpState = tostring(parsedAC.WP_STATE) \r\n| extend WbFuse = tostring(parsedAC.WB_FUSE) \r\n| extend WbReason = tostring(parsedAC.WB_REASON) \r\n| extend 
ImgStatus = tostring(parsedAC.IMG_STATUS) \r\n| extend KernelState = tostring(parsedAC.KERNEL_STATE) \r\n| extend CustomCount = tostring(parsedAC.CUSTOM_COUNT) \r\n| extend AvbBootState = tostring(parsedAC.AVB_BOOT_STATE) \r\n| extend AvbDeviceLocked = tostring(parsedAC.AVB_DEVICE_LOCKED) \r\n| extend AvbOsVersion = tostring(parsedAC.AVB_OS_VERSION) \r\n| extend AvbOsPatchLevel = tostring(parsedAC.AVB_OS_PATCH_LEVEL) \r\n| extend AvbVendorPatchLevel = tostring(parsedAC.AVB_VENDOR_PATCH_LEVEL) \r\n| extend AvbBootPatchLevel = tostring(parsedAC.AVB_BOOT_PATCH_LEVEL) \r\n| extend VbMetaType = tostring(parsedAC.VBMETA_TYPE) \r\n| extend UnlockCount = tostring(parsedAC.UNLOCK_COUNT) \r\n| extend EmStatus = tostring(parsedAC.EM_STATUS) \r\n| extend EmFuseHistory = tostring(parsedAC.EM_FUSE_HISTORY) \r\n| extend EmTokens = tostring(parsedAC.EM_TOKENS) \r\n| extend KGState = tostring(parsedAC.KG_STATE) \r\n| extend KGFuse = tostring(parsedAC.KG_FUSE) \r\n| extend FrpState = tostring(parsedAC.FRP_STATE) \r\n| extend CCModeState = tostring(parsedAC.CC_MODE_STATE) \r\n| extend MDMState = tostring(parsedAC.MDM_STATE) \r\n| extend EDLCount = tostring(parsedAC.EDL_COUNT) \r\n| extend RPMBState = tostring(parsedAC.RPMB_STATE) \r\n| extend FOTACount = tostring(parsedAC.FOTA_COUNT) \r\n| extend ODINCount = tostring(parsedAC.ODIN_COUNT) \r\n| extend AvbVerityMode = tostring(parsedAC.AVB_VERITY_MODE) \r\n| extend eventDatetime = datetime_add('milliSecond', tolong(timestamp), todatetime('1970-01-01'))\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now())\r\n | project-rename EventGuid = event_id,\r\n Name = name,\r\n Version = version,\r\n Severity = severity,\r\n MitreTtp = mitre_attack_techniques,\r\n Profile = private,\r\n DeviceImei1=imei1,\r\n DeviceImei2=imei2,\r\n DeviceSerialNumber=serial,\r\n DeviceWifimac=mac,\r\n DeviceModel=model, EventTime= eventDatetime ", + "outputStream": "[concat('Custom-', variables('cust-table-system'))]" + } + ] + } + } + 
],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/Solutions/Samsung Knox Asset Intelligence/Data/Solution_Samsung.json b/Solutions/Samsung Knox Asset Intelligence/Data/Solution_Samsung.json
new file mode 100644
index 00000000000..b4e1732af31
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Data/Solution_Samsung.json
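Review bot: The audit-stream transform reads the key mask as `toint(parsedAC.mask)`, while the `addon_content` column description in the same stream declaration lists the field as `keyMask`; if the device payload uses `keyMask`, the KeyMask column in Samsung_Knox_Audit_CL is silently null, so one of the two should be corrected (`| extend KeyMask = toint(parsedAC.keyMask)` if the description is the accurate one). The stream column `accessbility_api` looks misspelled; a stream declaration name is the contract with the sender, and a payload field named `accessibility_api` would be dropped without any error, so confirm the spelling against what Knox Asset Intelligence actually emits. The DCE is created with `"publicNetworkAccess": "Enabled"` hard-coded and no parameter to restrict it, so the ingestion endpoint is reachable from the internet and relies on the caller's Entra authorization alone; a parameter, or at least a metadata description stating this, would let deployers make that choice explicitly. Every transform sets `TimeGenerated` from the device-supplied `timestamp`, so a skewed or stale device clock places the row outside the window any near-real-time rule evaluates; keeping the received time in a separate column (or clamping) would make detection latency predictable. The `dce-reuse-flag` description advertises a default of `ms-sentinel-knox-dce-[function-name]-[LA-Region]` but `default-dce-name` builds `samsung-knox-dce-<location>`, and `dcr-normalized-data_refresh_flag` is declared as a parameter and a variable but is never referenced by any resource.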
@@ -0,0 +1,26 @@
+{
+ "Name": "Samsung Knox Asset Intelligence",
+ "Author": "Samsung - kai.sme@samsung.com",
+ "Logo": "",
+ "Description": "The Knox Asset Intelligence for Microsoft Sentinel solution enables enterprise IT and SecOps (Security Operations) administrators to view and manage security threats to their Samsung Knox mobile devices. By integrating security events and logs from Knox Asset Intelligence with the Azure Monitor Log Ingestion API, the solution lets enterprise organizations easily view, identify and investigate security threats in near-real-time with Microsoft Sentinel.",
+ "Data Connectors": [
+ "Data Connectors/SamsungDCDefinition.json"
+ ],
+ "Workbooks": ["Solutions/Samsung Knox Asset Intelligence/Workbooks/SamsungKnoxAssetIntelligence.json"],
+ "WorkbookBladeDescription":"This Knox Asset Intelligence for Microsoft Sentinel solution installs a workbook that summarizes the mobile security events reported by Samsung Knox devices over a selected reporting period. You can use this workbook to quickly assess the threat type and severity, or identify patterns and anomalies in order to help prioritize incident responses or further investigations.",
+ "AnalyticalRuleBladeDescription": "This solution comes with the following analytic rule templates, based on critical mobile security event data captured from Samsung Knox devices. You can also customize these analytic rule templates based on your organization’s needs.",
+ "Analytic Rules": [
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml",
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml",
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml",
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml",
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml",
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml",
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Samsung Knox Asset Intelligence",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+ }
\ No newline at end of file
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip
new file mode 100644
index 00000000000..a48f92a9bd1
Binary files /dev/null and b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip differ
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json b/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json
new file mode 100644
index 00000000000..b43f921e192
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json
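Review bot: The `Data Connectors` entry is written relative to `BasePath` (`Data Connectors/SamsungDCDefinition.json`) while `Workbooks` and every `Analytic Rules` entry is repository-rooted (`Solutions/Samsung Knox Asset Intelligence/...`); the packaging tool appears to resolve both forms, but mixing them in one file means a later change to `BasePath` silently breaks only some of the references. Use one convention throughout, e.g. `"Data Connectors": ["Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json"]`. `BasePath` is a contributor-specific absolute Windows path, so anyone regenerating the package must edit it first; a one-line note to that effect in the solution README would save the next maintainer a failed build. Minor style: `"WorkbookBladeDescription":"…"` is the only key without a space after the colon, and `Workbooks` is the only array collapsed onto one line.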
@@ -0,0 +1,253 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Samsung%20Knox%20Asset%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Knox Asset Intelligence for Microsoft Sentinel solution enables enterprise IT and SecOps (Security Operations) administrators to view and manage security threats to their Samsung Knox mobile devices. By integrating security events and logs from Knox Asset Intelligence with the Azure Monitor Log Ingestion API, the solution lets enterprise organizations easily view, identify and investigate security threats in near-real-time with Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": 
"[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Samsung Knox Asset Intelligence. You can get Samsung Knox Asset Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." 
+ } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Knox Asset Intelligence for Microsoft Sentinel solution installs a workbook that summarizes the mobile security events reported by Samsung Knox devices over a selected reporting period. You can use this workbook to quickly assess the threat type and severity, or identify patterns and anomalies in order to help prioritize incident responses or further investigations." + } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Samsung Knox Asset Intelligence", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Knox Asset Intelligence for Microsoft Sentinel solution installs a workbook that summarizes the mobile security events reported by Samsung Knox devices over a selected reporting period. You can use this workbook to quickly assess the threat type and severity, or identify patterns and anomalies in order to help prioritize incident responses or further investigations." 
+ } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution comes with the following analytic rule templates, based on critical mobile security event data captured from Samsung Knox devices. You can also customize these analytic rule templates based on your organization’s needs." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Knox Application Privilege Escalation or Change", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id." + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Knox Keyguard Disabled Feature Set", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Indicates that an admin has set disabled keyguard features on a Knox device." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Knox Mobile Device Boot Compromise", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "When Knox device boot binary is at risk of compromise." 
+ } + } + ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "Knox Password Lockout", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy." + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "Knox Peripheral Access Detection with Camera", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "When Knox device camera access has been detected through system policy when such access is disabled." + } + } + ] + }, + { + "name": "analytic6", + "type": "Microsoft.Common.Section", + "label": "Knox Peripheral Access Detection with Mic", + "elements": [ + { + "name": "analytic6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "When Knox device microphone access has been detected through system policy when such access is disabled." + } + } + ] + }, + { + "name": "analytic7", + "type": "Microsoft.Common.Section", + "label": "Knox Suspicious URL Accessed Events", + "elements": [ + { + "name": "analytic7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence." + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} 
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json new file mode 100644 index 00000000000..d0c689f4ad7 --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json 
@@ -0,0 +1,1335 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Samsung - kai.sme@samsung.com", + "comments": "Solution template for Samsung Knox Asset Intelligence" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Samsung Knox Asset Intelligence", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "kai.sme@samsung.com", + "_email": "[variables('email')]", + "_solutionName": "Samsung Knox Asset Intelligence", + "_solutionVersion": "3.0.0", + "solutionId": "samsungelectronics1734042706970.samsung-knox-asset-intelligence-sentinel", + "_solutionId": "[variables('solutionId')]", + "uiConfigId1": "SamsungDCDefinition", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "SamsungDCDefinition", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + 
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "workbookVersion1": "1.0.0", + "workbookContentId1": "SamsungKnoxAssetIntelligence.json", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "215e89ca-cdbc-4661-b8b2-7041f6ecc7fb", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '215e89ca-cdbc-4661-b8b2-7041f6ecc7fb')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('215e89ca-cdbc-4661-b8b2-7041f6ecc7fb')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','215e89ca-cdbc-4661-b8b2-7041f6ecc7fb','-', '1.0.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.0", + 
"_analyticRulecontentId2": "fb4853c9-28c1-4dab-830c-e086cb975170", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fb4853c9-28c1-4dab-830c-e086cb975170')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fb4853c9-28c1-4dab-830c-e086cb975170')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fb4853c9-28c1-4dab-830c-e086cb975170','-', '1.0.0')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.0", + "_analyticRulecontentId3": "fae7e371-aee8-4d3f-8311-2255a45a30b3", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fae7e371-aee8-4d3f-8311-2255a45a30b3')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fae7e371-aee8-4d3f-8311-2255a45a30b3')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fae7e371-aee8-4d3f-8311-2255a45a30b3','-', '1.0.0')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.0", + "_analyticRulecontentId4": "fbff0a97-1972-4df8-a78c-254ccb9879ef", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fbff0a97-1972-4df8-a78c-254ccb9879ef')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fbff0a97-1972-4df8-a78c-254ccb9879ef')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fbff0a97-1972-4df8-a78c-254ccb9879ef','-', '1.0.0')))]" + }, + "analyticRuleObject5": { + 
"analyticRuleVersion5": "1.0.0", + "_analyticRulecontentId5": "cd526f4d-dbe9-4149-8a0a-9ec43c3abb16", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cd526f4d-dbe9-4149-8a0a-9ec43c3abb16')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cd526f4d-dbe9-4149-8a0a-9ec43c3abb16')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd526f4d-dbe9-4149-8a0a-9ec43c3abb16','-', '1.0.0')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.0", + "_analyticRulecontentId6": "e4032fd2-4d05-4302-b7c0-f3f0380e2313", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e4032fd2-4d05-4302-b7c0-f3f0380e2313')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e4032fd2-4d05-4302-b7c0-f3f0380e2313')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e4032fd2-4d05-4302-b7c0-f3f0380e2313','-', '1.0.0')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.0.0", + "_analyticRulecontentId7": "18d4d4f3-6605-4fd2-968c-82c171409c1c", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '18d4d4f3-6605-4fd2-968c-82c171409c1c')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('18d4d4f3-6605-4fd2-968c-82c171409c1c')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','18d4d4f3-6605-4fd2-968c-82c171409c1c','-', '1.0.0')))]" + }, 
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Samsung Knox Asset Intelligence data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Samsung Knox Asset Intelligence (Preview)", + "publisher": "Samsung", + "descriptionMarkdown": "Samsung Knox Asset Intelligence Data Connector provides you the ability to centralize mobile security events and logs to view customizes insights in Workbooks and create incidents based on Analytics Rules templates.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Samsung User Events logs", + "baseQuery": "Samsung_Knox_Audit_CL" + } + ], + "sampleQueries": [ + { + "description": "One-line title for your sample query 1", + "query": 
"Samsung_Knox_Audit_CL\n | take 10" + } + ], + "dataTypes": [ + { + "name": "Samsung_Knox_Application_CL", + "lastDataReceivedQuery": "Samsung_Knox_Application_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Samsung_Knox_Audit_CL", + "lastDataReceivedQuery": "Samsung_Knox_Audit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Samsung_Knox_Process_CL", + "lastDataReceivedQuery": "Samsung_Knox_Process_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Samsung_Knox_Network_CL", + "lastDataReceivedQuery": "Samsung_Knox_Network_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Samsung_Knox_User_CL", + "lastDataReceivedQuery": "Samsung_Knox_User_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Samsung_Knox_System_CL", + "lastDataReceivedQuery": "Samsung_Knox_System_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Samsung_Knox_Audit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions on the Log Analytics Workspace are required to enable the Solution. You can either choose an existing Log Analytics workspace or create new. 
[See the documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) to learn more about Log Analytics workspace creation.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Entra App", + "description": "An Entra Application needs to be registered and provisioned with 'Sentinel Contributor'/ 'Microsoft Metrics Publisher' role to setup client secret-based authentication for data transfer. [See the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) to learn more about Entra App creation/registration and creating Client Secret credentials" + } + ] + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "apiVersion": "2020-01-01", + "location": "[parameters('location')]", + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('connectorId'))]", + "kind": "Office365", + "properties": { + "tenantId": "[subscription().tenantId]", + "dataTypes": { + "exchange": { + "state": "[parameters('exchangeState')]" + }, + "sharePoint": { + "state": "[parameters('sharePointState')]" + }, + "teams": { + "state": "[parameters('teamsState')]" + } + } + } + } + ], + "instructionSteps": [ + { + "description": "This Samsung Knox Data Connector uses Microsoft Log Ingestion API that push security events into Microsoft Sentinel from Samsung Knox Asset Intelligence solution." + }, + { + "description": ">**Note**: : Since this Data Connector is designed to support Client Secret-based authentication to securely transfer data, the user must create the Client Secret as credentials during the Entra application creation and registration. 
Ensure you copy the Client Secret value as soon as it is generated.\n\n>**IMPORTANT**: Save the Tenant (Directory) ID, Client (Application) ID and Client Secret (Secret Value) values", + "title": "STEP 1 - Create and register an Entra Application " + }, + { + "description": ">**Note**: Once you have installed Samsung Knox Asset Intelligence for Microsoft Sentinel Solution in Sentinel, a Data Collection Rule (DCR) associated with a Data Collection Endpoint (DCE), is auto-generated. To view this information, navigate to [Data Collection Rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules?) and look for DCR with its Name starting with **'samsung-knox-dcr-....'** and click on the DCR to view associated details.\n\n>**IMPORTANT**: Save the values for Immutable ID (DCR) and Data Collection Endpoint", + "title": "STEP 2 - Obtain Sentinel Data collection Details" + }, + { + "description": "1. Login to [Knox Asset Intelligence administration portal](https://central.samsungknox.com/kaiadmin/dai/home) and navigate to **Dashboard Settings**; this is available at the top-right corner of the Portal\n> **Note**: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions\n\n2. Click on Security tab to view settings for Security Operations Integration and for Knox Security Logs.\n\n3. In the Security Operations Integration page, toggle on the **'Enable Microsoft Sentinel Integration'** and enter appropriate values in the required fields - \n\n a. For Tenant ID, Client ID and Client Secret, refer to the information saved from Step 1 while registering the Entra application \n\n b. For Sentinel DCE and DCR, refer to the information saved from Step 2 \n\n4. Click on the **'Test Connection'** and ensure the connection is successful.\n\n5. Before you can Save, configure Knox Security Logs by selecting wither Essential or Advanced configuration **(default: Essential)**\n\n6. 
To complete the Sentinel integration, click **'Save'**", + "title": "STEP 3 - Connect to Samsung Knox Asset Intelligence solution to configure Microsoft Sentinel to push select Knox Security Events as Alerts -" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Samsung Knox Asset Intelligence (Preview)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Samsung Knox Asset Intelligence (Preview)", + "publisher": "Samsung", + "descriptionMarkdown": "Samsung Knox Asset Intelligence Data Connector provides you the ability to centralize mobile security events and logs to view customizes insights in Workbooks and create incidents based on Analytics Rules templates.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Samsung User Events logs", + "baseQuery": "Samsung_Knox_Audit_CL" + } + ], + "dataTypes": [ + { + "name": "Samsung_Knox_Application_CL", + "lastDataReceivedQuery": "Samsung_Knox_Application_CL\n | summarize Time = max(TimeGenerated)\n | where 
isnotempty(Time)" + }, + { + "name": "Samsung_Knox_Audit_CL", + "lastDataReceivedQuery": "Samsung_Knox_Audit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Samsung_Knox_Process_CL", + "lastDataReceivedQuery": "Samsung_Knox_Process_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Samsung_Knox_Network_CL", + "lastDataReceivedQuery": "Samsung_Knox_Network_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Samsung_Knox_User_CL", + "lastDataReceivedQuery": "Samsung_Knox_User_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Samsung_Knox_System_CL", + "lastDataReceivedQuery": "Samsung_Knox_System_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Samsung_Knox_Audit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "One-line title for your sample query 1", + "query": "Samsung_Knox_Audit_CL\n | take 10" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions on the Log Analytics Workspace are required to enable the Solution. You can either choose an existing Log Analytics workspace or create new. 
[See the documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) to learn more about Log Analytics workspace creation.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Entra App", + "description": "An Entra Application needs to be registered and provisioned with 'Sentinel Contributor'/ 'Microsoft Metrics Publisher' role to setup client secret-based authentication for data transfer. [See the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) to learn more about Entra App creation/registration and creating Client Secret credentials" + } + ] + }, + "instructionSteps": [ + { + "description": "This Samsung Knox Data Connector uses Microsoft Log Ingestion API that push security events into Microsoft Sentinel from Samsung Knox Asset Intelligence solution." + }, + { + "description": ">**Note**: : Since this Data Connector is designed to support Client Secret-based authentication to securely transfer data, the user must create the Client Secret as credentials during the Entra application creation and registration. Ensure you copy the Client Secret value as soon as it is generated.\n\n>**IMPORTANT**: Save the Tenant (Directory) ID, Client (Application) ID and Client Secret (Secret Value) values", + "title": "STEP 1 - Create and register an Entra Application " + }, + { + "description": ">**Note**: Once you have installed Samsung Knox Asset Intelligence for Microsoft Sentinel Solution in Sentinel, a Data Collection Rule (DCR) associated with a Data Collection Endpoint (DCE), is auto-generated. To view this information, navigate to [Data Collection Rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules?) 
and look for DCR with its Name starting with **'samsung-knox-dcr-....'** and click on the DCR to view associated details.\n\n>**IMPORTANT**: Save the values for Immutable ID (DCR) and Data Collection Endpoint", + "title": "STEP 2 - Obtain Sentinel Data collection Details" + }, + { + "description": "1. Login to [Knox Asset Intelligence administration portal](https://central.samsungknox.com/kaiadmin/dai/home) and navigate to **Dashboard Settings**; this is available at the top-right corner of the Portal\n> **Note**: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions\n\n2. Click on Security tab to view settings for Security Operations Integration and for Knox Security Logs.\n\n3. In the Security Operations Integration page, toggle on the **'Enable Microsoft Sentinel Integration'** and enter appropriate values in the required fields - \n\n a. For Tenant ID, Client ID and Client Secret, refer to the information saved from Step 1 while registering the Entra application \n\n b. For Sentinel DCE and DCR, refer to the information saved from Step 2 \n\n4. Click on the **'Test Connection'** and ensure the connection is successful.\n\n5. Before you can Save, configure Knox Security Logs by selecting wither Essential or Advanced configuration **(default: Essential)**\n\n6. 
To complete the Sentinel integration, click **'Save'**", + "title": "STEP 3 - Connect to Samsung Knox Asset Intelligence solution to configure Microsoft Sentinel to push select Knox Security Events as Alerts -" + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxAssetIntelligence Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "This Knox Asset Intelligence for Microsoft Sentinel solution installs a workbook that summarizes the mobile security events reported by Samsung Knox devices over a selected reporting period. You can use this workbook to quickly assess the threat type and severity, or identify patterns and anomalies in order to help prioritize incident responses or further investigations." 
+ }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5b5bf4e9-62b8-4ef2-aeb3-ecd249fb6187\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CustomTimeRange\",\"label\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"6b4373f0-7c1a-47d8-baed-bc5d0cd7233e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"timebrush\",\"label\":\"Time Filter\",\"type\":4,\"isRequired\":true,\"isHiddenWhenLocked\":true,\"typeSettings\":{\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":60000,\"endTime\":\"2016-12-12T18:01:00Z\"}},{\"id\":\"a40ffccc-08a0-4e15-9bf2-3ed99658d4d8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"selectedseverity\",\"label\":\"Severity\",\"type\":2,\"description\":\"Filter on Security Events by Severity\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\\"high\\\", \\\"med\\\",\\\"low\\\"]\",\"value\":[\"value::all\"]},{\"id\":\"e2572416-ae1f-42db-8c31-8d0d4c4315d4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"selectedtype\",\"label\":\"Type\",\"type\":2,\"description\":\"Filter on Security Events by Type\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\\"Audit\\\",\\\"Application\\\", \\\"Process\\\", \\\"User\\\", \\\"Network\\\", 
\\\"System\\\"]\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nlet severityParam = dynamic([{selectedseverity}]);\\nlet maxdatapoints = 10000;\\nlet starttime = {CustomTimeRange:start};\\nlet endtime = {CustomTimeRange:end};\\nlet day = datetime_diff('day',endtime,starttime);\\nlet initialbinsize = case(day >=30, 1d, day >=7, 1d, day >=1,1h,5m);\\nlet datapoints = (binsize : timespan){\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n| where TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end} \\n| where Severity in (severityParam)\\n| summarize Count=count() by Name, bin(TimeGenerated,binsize)};\\n\\nlet totalpoints = datapoints(initialbinsize) |summarize totalrows = count();\\nlet inttotalpoints = toint(toscalar(totalpoints));\\nlet binsizefactor = inttotalpoints/maxdatapoints +1;\\nlet binsize = binsizefactor * initialbinsize;\\n\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in 
(selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n| where TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end} \\n| where Severity in (severityParam)\\n| summarize Count=count() by Name, bin(TimeGenerated,binsize)\\n\",\"size\":2,\"title\":\"Total events\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  Please update the filters applied.\",\"timeBrushParameterName\":\"timebrush\",\"timeBrushExportOnlyWhenBrushed\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"60\",\"name\":\"query - 7\",\"styleSettings\":{\"margin\":\"0px\",\"padding\":\"0px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\n\\nlet severityParam = dynamic([{selectedseverity}]);\\nlet audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n|where iff('{timebrush:label}'==\\\"12/12/2016 10:00 AM - 10:01 AM\\\" , TimeGenerated >= 
{CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\\n|where Severity in (severityParam)\\n| summarize count() by Severity\\n| where Severity in ('high', 'med','low')\\n|order by case( Severity == 'high',3, Severity == 'med',2, Severity == 'low',1,0)\\n\",\"size\":4,\"title\":\"Events by severity\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  Please update the filters applied.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"severity\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"severity\",\"color\":\"redBright\"},{\"columnName\":\"severity\",\"color\":\"orange\"},{\"columnName\":\"severity\",\"color\":\"lightBlue\"}]}}},{\"columnMatch\":\"count_\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"severity\",\"color\":\"lightBlue\"},{\"columnName\":\"severity\",\"color\":\"lightBlue\"},{\"columnName\":\"severity\",\"color\":\"lightBlue\"}]}}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"redBright\",\"text\":\"{0}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"yellow\",\"text\":\"{0}\"},{\"operator\":\"==\",\"thresholdValue\":\"med\",\"representation\":\"orange\",\"text\":\"{0}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}\"}]}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"none\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits
\":3}}},\"showBorder\":true,\"sortOrderField\":1}},\"customWidth\":\"100\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let severityParam = dynamic([{selectedseverity}]);\\nlet audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n|where iff('{timebrush:label}'==\\\"12/12/2016 10:00 AM - 10:01 AM\\\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\\n|where Severity in (severityParam)\\n| summarize count() by Type\\n| render piechart \",\"size\":3,\"title\":\"Events by type\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  
Please update the filters applied.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Samsung_Knox_Application_CL\",\"label\":\"Application\"},{\"seriesName\":\"Samsung_Knox_Network_CL\",\"label\":\"Network\"},{\"seriesName\":\"Samsung_Knox_User_CL\",\"label\":\"User\"},{\"seriesName\":\"Samsung_Knox_Process_CL\",\"label\":\"Process\"},{\"seriesName\":\"Samsung_Knox_Audit_CL\",\"label\":\"Audit\"},{\"seriesName\":\"Samsung_Knox_System_CL\",\"label\":\"System\"}]}},\"name\":\"query - 11\"}]},\"name\":\"group - 9\"}]},\"customWidth\":\"40\",\"name\":\"group - 8\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nlet audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nlet severityParam = dynamic([{selectedseverity}]);\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n| where iff('{timebrush:label}'==\\\"12/12/2016 10:00 AM - 10:01 AM\\\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\\n| where Severity in (severityParam)\\n|project Time =TimeGenerated,\\nName,\\nSeverity,\\n[\\\"Device Model\\\"] = DeviceModel,\\nType = 
replace_string(replace_string(Type,\\\"Samsung_Knox_\\\",\\\"\\\"),\\\"_CL\\\",\\\"\\\"),\\nProfile,\\n[\\\"MITRE Technique ID(s)\\\"] = array_strcat(MitreTtp,\\\", \\\")\\n| sort by Time desc\\n\\n\\n\",\"size\":2,\"title\":\"Event list\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  Please update the filters applied.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"dot-redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"med\",\"representation\":\"dot-orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"dot-yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"LOW\",\"representation\":\"dot-yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"HIGH\",\"representation\":\"dot-redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MED\",\"representation\":\"dot-orange\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":1000}},\"name\":\"query - 9\"}]},\"name\":\"group - 6\"}],\"fromTemplateId\":\"sentinel-SamsungKnoxAssetIntelligence\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": 
"@{workbookKey=SamsungKnoxAssetIntelligence.json; logoFileName=Samsung_Knox_Asset_Intelligence.svg; description=This Knox Asset Intelligence for Microsoft Sentinel solution installs a workbook that summarizes the mobile security events reported by Samsung Knox devices over a selected reporting period. You can use this workbook to quickly assess the threat type and severity, or identify patterns and anomalies in order to help prioritize incident responses or further investigations.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Samsung Knox Asset Intelligence; templateRelativePath=SamsungKnoxAssetIntelligence.json; subtitle=; provider=Samsung}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Samsung_Knox_Audit_CL", + "kind": "DataType" + }, + { + "contentId": "Samsung_Knox_Application_CL", + "kind": "DataType" + }, + { + "contentId": "Samsung_Knox_System_CL", + "kind": "DataType" + }, + { + "contentId": "Samsung_Knox_Process_CL", + "kind": "DataType" + }, + { + "contentId": "Samsung_Knox_User_CL", + "kind": "DataType" + }, + { + "contentId": "Samsung_Knox_Network_CL", + "kind": "DataType" + }, + { + "contentId": "SamsungKnoxAssetIntelligence", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": 
"[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxApplicationPrivilegeEscalationOrChange_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.", + "displayName": "Knox Application Privilege Escalation or Change", + "enabled": false, + "query": "Samsung_Knox_Process_CL | where Name == \"PROCESS_PRIVILEGE_ESCALATION\" and MitreTtp has \"T1548\"", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ 
+ { + "dataTypes": [ + "Samsung_Knox_Audit_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": [ + "T1548" + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Application Privilege Escalation or Change", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": 
"[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxKeyguardDisabledFeatureSet_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Indicates that an admin has set disabled keyguard features on a Knox device.", + "displayName": "Knox Keyguard Disabled Feature Set", + "enabled": false, + "query": "Samsung_Knox_Audit_CL | where Name == \"TAG_KEYGUARD_DISABLED_FEATURES_SET\" and MitreTtp has \"T1461\"", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Samsung_Knox_Audit_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1461" + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": 
"5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Keyguard Disabled Feature Set", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxMobileDeviceBootCompromise_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "When Knox device boot binary is at risk of compromise.", + "displayName": "Knox Mobile Device Boot Compromise", + "enabled": false, + "query": "Samsung_Knox_System_CL | where Name == \"BOOT_COMPROMISED_SOFTWARE_BINARY\" and MitreTtp has \"T1645\"\n", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Samsung_Knox_System_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "tactics": [ + "Persistence" + ], + "techniques": [ + "T1645" + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Mobile Device Boot Compromise", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxPasswordLockout_AnalyticalRules Analytics Rule with template version 3.0.0", + 
"mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.", + "displayName": "Knox Password Lockout", + "enabled": false, + "query": "Samsung_Knox_User_CL | where Name == \"PASSWORD_LOCKOUT\" and MitreTtp has \"T1110\"\n", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Samsung_Knox_User_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "kind": "AnalyticsRule", + "version": 
"[variables('analyticRuleObject4').analyticRuleVersion4]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Password Lockout", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxPeripheralAccessDetectionWithCamera_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": 
"[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "When Knox device camera access has been detected through system policy when such access is disabled.", + "displayName": "Knox Peripheral Access Detection with Camera", + "enabled": false, + "query": "Samsung_Knox_System_CL| where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA\" and MitreTtp has \"KNOX.2\"\n", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Samsung_Knox_Audit_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": 
"https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Peripheral Access Detection with Camera", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxPeripheralAccessDetectionWithMic_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "When Knox device microphone access has been detected through system policy when such access is disabled.", + "displayName": "Knox Peripheral Access Detection with Mic", + 
"enabled": false, + "query": "Samsung_Knox_System_CL | where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC\" and MitreTtp has \"KNOX.2\"\n", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Samsung_Knox_Audit_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDynamicProperties": [] + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Peripheral Access Detection with Mic", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxSuspiciousURLs_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.", + "displayName": "Knox Suspicious URL Accessed Events", + "enabled": false, + "query": "Samsung_Knox_User_CL | where Name == \"SUSPICIOUS_URL_ACCESSED\" and ConfidenceScore > 0.9", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + 
"Samsung_Knox_User_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1566" + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Suspicious URL Accessed Events", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": 
"[variables('analyticRuleObject7').analyticRuleVersion7]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Samsung Knox Asset Intelligence", + "publisherDisplayName": "Samsung Electronics Co., Ltd.", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Knox Asset Intelligence for Microsoft Sentinel solution enables enterprise IT and SecOps (Security Operations) administrators to view and manage security threats to their Samsung Knox mobile devices. By integrating security events and logs from Knox Asset Intelligence with the Azure Monitor Log Ingestion API, the solution lets enterprise organizations easily view, identify and investigate security threats in near-real-time with Microsoft Sentinel.

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 7

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + 
"version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
+ }
+ ]
+ },
+ "firstPublishDate": "2025-01-15",
+ "providers": [
+ "Samsung"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Protection"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/testParameters.json b/Solutions/Samsung Knox Asset Intelligence/Package/testParameters.json
new file mode 100644
index 00000000000..67217bc6312
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Package/testParameters.json
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Samsung Knox Asset Intelligence",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/Samsung Knox Asset Intelligence/ReleaseNotes.md b/Solutions/Samsung Knox Asset Intelligence/ReleaseNotes.md
new file mode 100644
index 00000000000..b4eb363adc1
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------|
+
diff --git a/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json b/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json
new file mode 100644
index 00000000000..bfc7fcf7c4e
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json
@@ -0,0 +1,16 @@
+{
+ "publisherId": "samsungelectronics1734042706970",
+ "offerId": "samsung-knox-asset-intelligence-sentinel",
+ "firstPublishDate": "2025-01-15",
+ "providers": ["Samsung"],
+ "categories": {
+ "domains" : ["Security - Threat Protection"],
+ "verticals": []
+ },
+ "support": {
+ "name": "Samsung Electronics Co., Ltd.",
+ "email": "kai.sme@samsung.com",
+ "tier": "Partner",
+ "link": "https://www2.samsungknox.com/en/support"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Samsung Knox Asset Intelligence/Workbooks/SamsungKnoxAssetIntelligence.json b/Solutions/Samsung Knox Asset Intelligence/Workbooks/SamsungKnoxAssetIntelligence.json
new file mode 100644
index 00000000000..7c9b5827565
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Workbooks/SamsungKnoxAssetIntelligence.json
@@ -0,0 +1,396 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "5b5bf4e9-62b8-4ef2-aeb3-ecd249fb6187", + "version": "KqlParameterItem/1.0", + "name": "CustomTimeRange", + "label": "TimeRange", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 3600000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 2592000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 604800000 + } + }, + { + "id": "6b4373f0-7c1a-47d8-baed-bc5d0cd7233e", + "version": "KqlParameterItem/1.0", + "name": "timebrush", + "label": "Time Filter", + "type": 4, + "isRequired": true, + "isHiddenWhenLocked": true, + "typeSettings": { + "selectableValues": [], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 60000, + "endTime": "2016-12-12T18:01:00.000Z" + } + }, + { + "id": "a40ffccc-08a0-4e15-9bf2-3ed99658d4d8", + "version": "KqlParameterItem/1.0", + "name": "selectedseverity", + "label": "Severity", + "type": 2, + "description": "Filter on Security Events by Severity", + "isRequired": true, + "isGlobal": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "jsonData": "[\"high\", \"med\",\"low\"]", + "value": [ + "value::all" + ] + }, + { + "id": "e2572416-ae1f-42db-8c31-8d0d4c4315d4", + "version": "KqlParameterItem/1.0", + "name": "selectedtype", + "label": "Type", + "type": 2, + "description": "Filter on Security Events by Type", + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "jsonData": "[\"Audit\",\"Application\", \"Process\", \"User\", 
\"Network\", \"System\"]", + "defaultValue": "value::all" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let audit = view(){\n Samsung_Knox_Audit_CL\n };\nlet application= view(){\n Samsung_Knox_Application_CL\n };\n let system= view(){\n Samsung_Knox_System_CL\n };\n let process= view(){\n Samsung_Knox_Process_CL\n };\n let user= view(){\n Samsung_Knox_User_CL\n };\n let network= view(){\n Samsung_Knox_Network_CL\n };\nlet selectedtables = dynamic([{selectedtype}]);\nlet severityParam = dynamic([{selectedseverity}]);\nlet maxdatapoints = 10000;\nlet starttime = {CustomTimeRange:start};\nlet endtime = {CustomTimeRange:end};\nlet day = datetime_diff('day',endtime,starttime);\nlet initialbinsize = case(day >=30, 1d, day >=7, 1d, day >=1,1h,5m);\nlet datapoints = (binsize : timespan){\nunion (audit() | where \"Audit\" in (selectedtables)), (application() | where \"Application\" in (selectedtables)),(process() | where \"Process\" in (selectedtables)),(user() | where \"User\" in (selectedtables)),(network() | where \"Network\" in (selectedtables)),(system() | where \"System\" in (selectedtables))\n| where TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end} \n| where Severity in (severityParam)\n| summarize Count=count() by Name, bin(TimeGenerated,binsize)};\n\nlet totalpoints = datapoints(initialbinsize) |summarize totalrows = count();\nlet inttotalpoints = toint(toscalar(totalpoints));\nlet binsizefactor = inttotalpoints/maxdatapoints +1;\nlet binsize = binsizefactor * initialbinsize;\n\nunion (audit() | where \"Audit\" in (selectedtables)), (application() | where \"Application\" in (selectedtables)),(process() | where \"Process\" in (selectedtables)),(user() | where 
\"User\" in (selectedtables)),(network() | where \"Network\" in (selectedtables)),(system() | where \"System\" in (selectedtables))\n| where TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end} \n| where Severity in (severityParam)\n| summarize Count=count() by Name, bin(TimeGenerated,binsize)\n", + "size": 2, + "title": "Total events", + "noDataMessage": "No security event data found for the selected time period, severity or type.  Please update the filters applied.", + "timeBrushParameterName": "timebrush", + "timeBrushExportOnlyWhenBrushed": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "60", + "name": "query - 7", + "styleSettings": { + "margin": "0px", + "padding": "0px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\n\nlet severityParam = dynamic([{selectedseverity}]);\nlet audit = view(){\n Samsung_Knox_Audit_CL\n };\nlet application= view(){\n Samsung_Knox_Application_CL\n };\n let system= view(){\n Samsung_Knox_System_CL\n };\n let process= view(){\n Samsung_Knox_Process_CL\n };\n let user= view(){\n Samsung_Knox_User_CL\n };\n let network= view(){\n Samsung_Knox_Network_CL\n };\nlet selectedtables = dynamic([{selectedtype}]);\nunion (audit() | where \"Audit\" in (selectedtables)), (application() | where \"Application\" in (selectedtables)),(process() | where \"Process\" in (selectedtables)),(user() | where \"User\" in (selectedtables)),(network() | where \"Network\" in (selectedtables)),(system() | where \"System\" in (selectedtables))\n|where iff('{timebrush:label}'==\"12/12/2016 10:00 AM - 10:01 AM\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, 
TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\n|where Severity in (severityParam)\n| summarize count() by Severity\n| where Severity in ('high', 'med','low')\n|order by case( Severity == 'high',3, Severity == 'med',2, Severity == 'low',1,0)\n", + "size": 4, + "title": "Events by severity", + "noDataMessage": "No security event data found for the selected time period, severity or type.  Please update the filters applied.", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "gridSettings": { + "formatters": [ + { + "columnMatch": "severity", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "severity", + "color": "redBright" + }, + { + "columnName": "severity", + "color": "orange" + }, + { + "columnName": "severity", + "color": "lightBlue" + } + ] + } + } + }, + { + "columnMatch": "count_", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "severity", + "color": "lightBlue" + }, + { + "columnName": "severity", + "color": "lightBlue" + }, + { + "columnName": "severity", + "color": "lightBlue" + } + ] + } + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "high", + "representation": "redBright", + "text": "{0}" + }, + { + "operator": "==", + "thresholdValue": "low", + "representation": "yellow", + "text": "{0}" + }, + { + "operator": "==", + "thresholdValue": "med", + "representation": "orange", + "text": "{0}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}" + } + ] + } + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "none" + }, + 
"numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": true, + "sortOrderField": 1 + } + }, + "customWidth": "100", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let severityParam = dynamic([{selectedseverity}]);\nlet audit = view(){\n Samsung_Knox_Audit_CL\n };\nlet application= view(){\n Samsung_Knox_Application_CL\n };\n let system= view(){\n Samsung_Knox_System_CL\n };\n let process= view(){\n Samsung_Knox_Process_CL\n };\n let user= view(){\n Samsung_Knox_User_CL\n };\n let network= view(){\n Samsung_Knox_Network_CL\n };\nlet selectedtables = dynamic([{selectedtype}]);\nunion (audit() | where \"Audit\" in (selectedtables)), (application() | where \"Application\" in (selectedtables)),(process() | where \"Process\" in (selectedtables)),(user() | where \"User\" in (selectedtables)),(network() | where \"Network\" in (selectedtables)),(system() | where \"System\" in (selectedtables))\n|where iff('{timebrush:label}'==\"12/12/2016 10:00 AM - 10:01 AM\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\n|where Severity in (severityParam)\n| summarize count() by Type\n| render piechart ", + "size": 3, + "title": "Events by type", + "noDataMessage": "No security event data found for the selected time period, severity or type.  
Please update the filters applied.", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "Samsung_Knox_Application_CL", + "label": "Application" + }, + { + "seriesName": "Samsung_Knox_Network_CL", + "label": "Network" + }, + { + "seriesName": "Samsung_Knox_User_CL", + "label": "User" + }, + { + "seriesName": "Samsung_Knox_Process_CL", + "label": "Process" + }, + { + "seriesName": "Samsung_Knox_Audit_CL", + "label": "Audit" + }, + { + "seriesName": "Samsung_Knox_System_CL", + "label": "System" + } + ] + } + }, + "name": "query - 11" + } + ] + }, + "name": "group - 9" + } + ] + }, + "customWidth": "40", + "name": "group - 8", + "styleSettings": { + "margin": "0px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\nlet audit = view(){\n Samsung_Knox_Audit_CL\n };\nlet application= view(){\n Samsung_Knox_Application_CL\n };\n let system= view(){\n Samsung_Knox_System_CL\n };\n let process= view(){\n Samsung_Knox_Process_CL\n };\n let user= view(){\n Samsung_Knox_User_CL\n };\n let network= view(){\n Samsung_Knox_Network_CL\n };\nlet selectedtables = dynamic([{selectedtype}]);\nlet severityParam = dynamic([{selectedseverity}]);\nunion (audit() | where \"Audit\" in (selectedtables)), (application() | where \"Application\" in (selectedtables)),(process() | where \"Process\" in (selectedtables)),(user() | where \"User\" in (selectedtables)),(network() | where \"Network\" in (selectedtables)),(system() | where \"System\" in (selectedtables))\n| where iff('{timebrush:label}'==\"12/12/2016 10:00 AM - 10:01 AM\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\n| where Severity in (severityParam)\n|project Time =TimeGenerated,\nName,\nSeverity,\n[\"Device Model\"] = DeviceModel,\nType = 
replace_string(replace_string(Type,\"Samsung_Knox_\",\"\"),\"_CL\",\"\"),\nProfile,\n[\"MITRE Technique ID(s)\"] = array_strcat(MitreTtp,\", \")\n| sort by Time desc\n\n\n", + "size": 2, + "title": "Event list", + "noDataMessage": "No security event data found for the selected time period, severity or type.  Please update the filters applied.", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "high", + "representation": "dot-redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "med", + "representation": "dot-orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "low", + "representation": "dot-yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "LOW", + "representation": "dot-yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "HIGH", + "representation": "dot-redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "MED", + "representation": "dot-orange", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 1000 + } + }, + "name": "query - 9" + } + ] + }, + "name": "group - 6" + } + ], + "fromTemplateId": "sentinel-SamsungKnoxAssetIntelligence", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file
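Review bot: The "Events by severity", "Events by type" and "Event list" queries decide whether the time brush is active by comparing a rendered label, `'{timebrush:label}'=="12/12/2016 10:00 AM - 10:01 AM"`, against the sentinel default `"endTime": "2016-12-12T18:01:00.000Z"` set on the `timebrush` parameter; the label is formatted in the viewer's locale and timezone (the 18:01Z sentinel appears here as 10:01 AM), so for users in another locale or timezone the comparison is false and all three panels silently filter on a one-minute window in 2016 and show the no-data message. Comparing the parameter value instead of its label avoids this, e.g. `| where iff({timebrush:end} == datetime(2016-12-12T18:01:00Z), TimeGenerated between ({CustomTimeRange:start} .. {CustomTimeRange:end}), TimeGenerated between ({timebrush:start} .. {timebrush:end}))` (untested against workbook parameter substitution; the same change applies to all three panels). Separately, the `selectedseverity` dropdown offers only lowercase `high`/`med`/`low` while the Event list formatter also handles `HIGH`/`MED`/`LOW`, which suggests upper-case values occur in the data; if so, `| where Severity in (severityParam)` drops them and `| where tolower(Severity) in (severityParam)` would keep the filter consistent with the formatter.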