From fb4b68ed6061dce46b0f76c762a541fe45276e5c Mon Sep 17 00:00:00 2001 
From: Sean McClelland
Date: Wed, 18 Dec 2024 20:47:55 -0800
Subject: [PATCH] Add Samsung KAI Sentinel Solution

Add Samsung Knox Asset Intelligence Sentinel Solution to Azure Sentinel
---
 ...pplicationPrivilegeEscalationOrChange.yaml | 28 +
 ...SamsungKnoxKeyguardDisabledFeatureSet.yaml | 28 +
 ...SamsungKnoxMobileDeviceBootCompromise.yaml | 29 +
 .../SamsungKnoxPasswordLockout.yaml | 29 +
 ...oxPeripheralAccessDetectionWithCamera.yaml | 25 +
 ...gKnoxPeripheralAccessDetectionWithMic.yaml | 27 +
 .../SamsungKnoxSecurityLogFull.yaml | 24 +
 .../SamsungKnoxSuspiciousURLs.yaml | 28 +
 .../Samsung_Knox_Application_CL.json | 76 +
 .../CustomTables/Samsung_Knox_Audit_CL.json | 92 ++
 .../CustomTables/Samsung_Knox_Network_CL.json | 140 ++
 .../CustomTables/Samsung_Knox_Process_CL.json | 148 ++
 .../CustomTables/Samsung_Knox_System_CL.json | 240 +++
 .../CustomTables/Samsung_Knox_User_CL.json | 80 +
 .../Data Connectors/SamsungDCDefinition.json | 119 ++
 ...deploy_SamsungDataConnectorDefinition.json | 1265 ++++++++++++++++
 .../Data/Solution_Samsung.json | 26 +
 .../Package/3.0.0.zip | Bin 0 -> 13281 bytes
 .../Package/createUiDefinition.json | 253 ++++
 .../Package/mainTemplate.json | 1335 +++++++++++++++++
 .../Package/testParameters.json | 32 +
 .../ReleaseNotes.md | 3 +
 .../SolutionMetadata.json | 16 +
 .../SamsungKnoxAssetIntelligence.json | 396 +++++
 24 files changed, 4439 insertions(+)
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Data Connectors/azuredeploy_SamsungDataConnectorDefinition.json
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Data/Solution_Samsung.json
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Package/testParameters.json
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/ReleaseNotes.md
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json
 create mode 100644 Solutions/Samsung Knox Asset Intelligence/Workbooks/SamsungKnoxAssetIntelligence.json
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml new file mode 100644 index 00000000000..30c60868f83 --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml @@ -0,0 +1,28 @@ +id: 215e89ca-cdbc-4661-b8b2-7041f6ecc7fb +name: Knox Application Privilege Escalation or Change +version: 1.0.0 +kind: NRT +description: When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id. +severity: High +status: Available +requiredDataConnectors: + - connectorId: SamsungDCDefinition + dataTypes: + - Samsung_Knox_Audit_CL +tactics: + - PrivilegeEscalation +relevantTechniques: + - T1548 +query: Samsung_Knox_Process_CL | where Name == "PROCESS_PRIVILEGE_ESCALATION" and MitreTtp has "T1548" +suppressionEnabled: false +suppressionDuration: 5h +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: false + reopenClosedIncident: false + lookbackDuration: 5h + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert + diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml new file mode 100644 index 00000000000..5c01b73cd58 --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml 
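Review bot: `requiredDataConnectors` declares `Samsung_Knox_Audit_CL` as the data type, but the query reads `Samsung_Knox_Process_CL`; the declared type is what the portal uses to tell the analyst whether this rule's data source is connected, so it should be `- Samsung_Knox_Process_CL`. The same mismatch is in SamsungKnoxPeripheralAccessDetectionWithCamera.yaml and SamsungKnoxPeripheralAccessDetectionWithMic.yaml, which declare Audit_CL while querying `Samsung_Knox_System_CL`. Separately, none of the eight rules has an `entityMappings` section, so the incidents they create carry no entities even though every table exposes `DeviceSerialNumber` and `PrimaryImei`; a Host mapping on `DeviceSerialNumber` (and a URL mapping on `Url` for the Suspicious URL rule) would give analysts something to pivot on and make `matchingMethod: AllEntities` meaningful. The description `has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id` would also read better as `transitioned from an acceptable uid/euid/fsuid to a different, non-app id` if `esuid` is a typo — please confirm against the Knox event documentation.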
@@ -0,0 +1,28 @@ +id: fb4853c9-28c1-4dab-830c-e086cb975170 +name: Knox Keyguard Disabled Feature Set +version: 1.0.0 +kind: NRT +description: Indicates that an admin has set disabled keyguard features on a Knox device. +severity: High +status: Available +requiredDataConnectors: + - connectorId: SamsungDCDefinition + dataTypes: + - Samsung_Knox_Audit_CL +tactics: +- InitialAccess +relevantTechniques: +- T1461 +query: Samsung_Knox_Audit_CL | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" and MitreTtp has "T1461" +suppressionEnabled: false +suppressionDuration: 5h +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: false + reopenClosedIncident: false + lookbackDuration: 5h + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert + diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml new file mode 100644 index 00000000000..3924e3eb31d --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml @@ -0,0 +1,29 @@ +id: fae7e371-aee8-4d3f-8311-2255a45a30b3 +name: Knox Mobile Device Boot Compromise +version: 1.0.0 +kind: NRT +description: When Knox device boot binary is at risk of compromise. +severity: High +status: Available +requiredDataConnectors: + - connectorId: SamsungDCDefinition + dataTypes: + - Samsung_Knox_System_CL +tactics: +- Persistence +relevantTechniques: +- T1645 +query: | + Samsung_Knox_System_CL | where Name == "BOOT_COMPROMISED_SOFTWARE_BINARY" and MitreTtp has "T1645" +suppressionEnabled: false +suppressionDuration: 5h +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: false + reopenClosedIncident: false + lookbackDuration: 5h + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert + 
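Review bot: The Keyguard rule fires at `severity: High` on `TAG_KEYGUARD_DISABLED_FEATURES_SET`, which by its own description is an admin applying a policy; in a managed fleet that is routine MDM activity, so this is likely to raise an incident on every policy push. `Samsung_Knox_Audit_CL` carries `AdmPkgName` and `AdmUserId`, so the query could exclude the enrolled MDM agent (e.g. `| where AdmPkgName !in ("<allow-listed MDM package placeholder>")`) or the severity could drop to Medium; which is right depends on the fleet, so either way the description should say what makes the event suspicious. The list items under `tactics`/`relevantTechniques` are flush with the key here but indented in SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml; both parse, but one style should be used across the solution.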
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml new file mode 100644 index 00000000000..3d042a87dbf --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml @@ -0,0 +1,29 @@ +id: fbff0a97-1972-4df8-a78c-254ccb9879ef +name: Knox Password Lockout +version: 1.0.0 +kind: NRT +description: When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy. +severity: High +status: Available +requiredDataConnectors: + - connectorId: SamsungDCDefinition + dataTypes: + - Samsung_Knox_User_CL +tactics: +- CredentialAccess +relevantTechniques: +- T1110 +query: | + Samsung_Knox_User_CL | where Name == "PASSWORD_LOCKOUT" and MitreTtp has "T1110" +suppressionEnabled: false +suppressionDuration: 5h +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: false + reopenClosedIncident: false + lookbackDuration: 5h + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert + diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml new file mode 100644 index 00000000000..8f0b08ab6fc --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml 
@@ -0,0 +1,25 @@ +id: cd526f4d-dbe9-4149-8a0a-9ec43c3abb16 +name: Knox Peripheral Access Detection with Camera +version: 1.0.0 +kind: NRT +description: When Knox device camera access has been detected through system policy when such access is disabled. +severity: High +status: Available +requiredDataConnectors: + - connectorId: SamsungDCDefinition + dataTypes: + - Samsung_Knox_Audit_CL +query: | + Samsung_Knox_System_CL| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" and MitreTtp has "KNOX.2" +suppressionEnabled: false +suppressionDuration: 5h +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: false + reopenClosedIncident: false + lookbackDuration: 5h + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert + diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml new file mode 100644 index 00000000000..d395ba149c9 --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml 
@@ -0,0 +1,27 @@ +id: e4032fd2-4d05-4302-b7c0-f3f0380e2313 +name: Knox Peripheral Access Detection with Mic +version: 1.0.0 +kind: NRT +description: When Knox device microphone access has been detected through system policy when such access is disabled. +severity: High +status: Available +requiredDataConnectors: + - connectorId: SamsungDCDefinition + dataTypes: + - Samsung_Knox_Audit_CL +query: | + Samsung_Knox_System_CL | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC" and MitreTtp has "KNOX.2" +alertDetailsOverride: + alertDynamicProperties: [] +suppressionEnabled: false +suppressionDuration: 5h +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: false + reopenClosedIncident: false + lookbackDuration: 5h + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert + diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml new file mode 100644 index 00000000000..0c3b4938abe --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml @@ -0,0 +1,24 @@ +id: bf9be360-7f08-48b2-8e9d-ca240c48b404 +name: Knox Security Log Full +version: 1.0.0 +kind: NRT +description: When Security Log is full on a Knox device. +severity: High +status: Available +requiredDataConnectors: + - connectorId: SamsungDCDefinition + dataTypes: + - Samsung_Knox_Audit_CL +query: Samsung_Knox_Audit_CL| where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1" +suppressionEnabled: false +suppressionDuration: 5h +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: false + reopenClosedIncident: false + lookbackDuration: 5h + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert + 
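Review bot: `LOG_IS_FULL` is a telemetry-integrity signal rather than an attack by itself: once the device's security log is full, later events that the other seven rules depend on may never reach the workspace, which is also what a deliberate log flood would produce. The description should say so, e.g. `description: Security Log on a Knox device is full; later Knox security events may be dropped until the log is drained, so treat this as a visibility gap rather than an informational event.`, so an analyst does not close it as noise. The rule carries no `tactics`/`relevantTechniques` (the query matches the vendor tag `KNOX.1`); if the project maps vendor tags to ATT&CK, this one reads as an Impair Defenses-style condition, but I cannot confirm the intended mapping from the patch.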
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml new file mode 100644 index 00000000000..3d598c065c9 --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml @@ -0,0 +1,28 @@ +id: 18d4d4f3-6605-4fd2-968c-82c171409c1c +name: Knox Suspicious URL Accessed Events +version: 1.0.0 +kind: NRT +description: When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence. +severity: High +status: Available +requiredDataConnectors: + - connectorId: SamsungDCDefinition + dataTypes: + - Samsung_Knox_User_CL +tactics: +- InitialAccess +relevantTechniques: +- T1566 +query: Samsung_Knox_User_CL | where Name == "SUSPICIOUS_URL_ACCESSED" and ConfidenceScore > 0.9 +suppressionEnabled: false +suppressionDuration: 5h +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: false + reopenClosedIncident: false + lookbackDuration: 5h + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert + diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json new file mode 100644 index 00000000000..6f07954f4d6 --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Application_CL.json 
@@ -0,0 +1,76 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_Application_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "AccessibilityApi", + "type": "string" + }, + { + "name": "RestrictedPerms", + "type": "dynamic" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json new file mode 100644 index 00000000000..0dcb6d7eb1f --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Audit_CL.json 
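Review bot: Only `TimeGenerated` has a `description`; the other fifteen columns, including the device identifiers `PrimaryImei`, `DeviceImei1`, `DeviceImei2`, `DeviceSerialNumber` and `DeviceWifimac`, are undocumented, and the same holds for the Audit, Network, Process, System and User tables in this patch. A one-line description on each column — what `Profile` and `Severity` can contain, what `MitreTtp` holds (ATT&CK IDs and vendor `KNOX.*` tags, judging by the rules), and that the IMEI/serial/MAC columns are persistent hardware identifiers that fall under personal-data retention rules — would make the schema self-describing for rule authors. `EventGuid` is typed `long` although the name suggests a GUID; if the source value is a 128-bit GUID it will not ingest into a long, and if it is a numeric event id the name is misleading — please confirm against the Knox payload.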
@@ -0,0 +1,92 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_Audit_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "UserId", + "type": "int" + }, + { + "name": "AdmUserId", + "type": "int" + }, + { + "name": "AdmPkgName", + "type": "string" + }, + { + "name": "FailureReason", + "type": "string" + }, + { + "name": "Action", + "type": "string" + }, + { + "name": "KeyMask", + "type": "int" + }, + { + "name": "PkgName", + "type": "string" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json new file mode 100644 index 00000000000..4def94f521d --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Network_CL.json 
@@ -0,0 +1,140 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_Network_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "Protocol", + "type": "int" + }, + { + "name": "SourcePort", + "type": "int" + }, + { + "name": "RemotePort", + "type": "int" + }, + { + "name": "SourceAddr", + "type": "string" + }, + { + "name": "RemoteAddr", + "type": "string" + }, + { + "name": "EventDetectedTime", + "type": "DateTime" + }, + { + "name": "Family", + "type": "int" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "InterfaceName", + "type": "string" + }, + { + "name": "Tid", + "type": "int" + }, + { + "name": "Pid", + "type": "int" + }, + { + "name": "Ppid", + "type": "int" + }, + { + "name": "Uid", + "type": "int" + }, + { + "name": "Gid", + "type": "int" + }, + { + "name": "ExitCode", + "type": "int" + }, + { + "name": "Syscall", + "type": "int" + }, + { + "name": "Path", + "type": "string" + }, + { + "name": "Ja3Fingerprint", + "type": "string" + }, + { + "name": "SocketType", + "type": "int" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file 
diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json new file mode 100644 index 00000000000..c6210a8b19e --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_Process_CL.json 
@@ -0,0 +1,148 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_Process_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "Tid", + "type": "int" + }, + { + "name": "Pid", + "type": "int" + }, + { + "name": "Ppid", + "type": "int" + }, + { + "name": "Uid", + "type": "int" + }, + { + "name": "Gid", + "type": "int" + }, + { + "name": "ExitCode", + "type": "int" + }, + { + "name": "Syscall", + "type": "int" + }, + { + "name": "Path", + "type": "string" + }, + { + "name": "Cwd", + "type": "string" + }, + { + "name": "CmdLine", + "type": "string" + }, + { + "name": "Euid", + "type": "int" + }, + { + "name": "Egid", + "type": "int" + }, + { + "name": "Fsuid", + "type": "int" + }, + { + "name": "Fsgid", + "type": "int" + }, + { + "name": "Suid", + "type": "int" + }, + { + "name": "Sgid", + "type": "int" + }, + { + "name": "OwnerUid", + "type": "int" + }, + { + "name": "OwnerGid", + "type": "int" + }, + { + "name": "Atime", + "type": "DateTime" + }, + { + "name": "Mtime", + "type": "DateTime" + }, + { + "name": "Ctime", + "type": "DateTime" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file 
diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json new file mode 100644 index 00000000000..e47c5d0ac12 --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_System_CL.json 
@@ -0,0 +1,240 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_System_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "BLBuildVersion", + "type": "string" + }, + { + "name": "BLBuildId", + "type": "string" + }, + { + "name": "BLBuildType", + "type": "string" + }, + { + "name": "KernelBuildId", + "type": "string" + }, + { + "name": "KernelBuildType", + "type": "string" + }, + { + "name": "SystemBuildId0", + "type": "string" + }, + { + "name": "SystemBuildId1", + "type": "string" + }, + { + "name": "SystemBuildId2", + "type": "string" + }, + { + "name": "BLMode", + "type": "string" + }, + { + "name": "RebootReason", + "type": "string" + }, + { + "name": "SecureBoot", + "type": "string" + }, + { + "name": "BLEventTarget", + "type": "string" + }, + { + "name": "BLEvent", + "type": "string" + }, + { + "name": "BLRP", + "type": "string" + }, + { + "name": "KernelRP", + "type": "string" + }, + { + "name": "SystemRP", + "type": "string" + }, + { + "name": "ArpDevice", + "type": "string" + }, + { + "name": "WpState", + "type": "string" + }, + { + "name": "WbFuse", + "type": "string" + }, + { + "name": "WbReason", + "type": "string" + }, + { + "name": "ImgStatus", + "type": "string" + }, + 
{ + "name": "KernelState", + "type": "string" + }, + { + "name": "CustomCount", + "type": "string" + }, + { + "name": "AvbBootState", + "type": "string" + }, + { + "name": "AvbDeviceLocked", + "type": "string" + }, + { + "name": "AvbOsVersion", + "type": "string" + }, + { + "name": "AvbOsPatchLevel", + "type": "string" + }, + { + "name": "AvbVendorPatchLevel", + "type": "string" + }, + { + "name": "AvbBootPatchLevel", + "type": "string" + }, + { + "name": "VbMetaType", + "type": "string" + }, + { + "name": "UnlockCount", + "type": "string" + }, + { + "name": "EmStatus", + "type": "string" + }, + { + "name": "EmFuseHistory", + "type": "string" + }, + { + "name": "EmTokens", + "type": "string" + }, + { + "name": "KGState", + "type": "string" + }, + { + "name": "KGFuse", + "type": "string" + }, + { + "name": "FrpState", + "type": "string" + }, + { + "name": "CCModeState", + "type": "string" + }, + { + "name": "MDMState", + "type": "string" + }, + { + "name": "EDLCount", + "type": "string" + }, + { + "name": "RPMBState", + "type": "string" + }, + { + "name": "FOTACount", + "type": "string" + }, + { + "name": "ODINCount", + "type": "string" + }, + { + "name": "AvbVerityMode", + "type": "string" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json new file mode 100644 index 00000000000..873b97c3c46 --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/CustomTables/Samsung_Knox_User_CL.json 
@@ -0,0 +1,80 @@ +{ + "properties": { + "schema": { + "name": "Samsung_Knox_User_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "PrimaryImei", + "type": "string" + }, + { + "name": "DeviceImei1", + "type": "string" + }, + { + "name": "DeviceImei2", + "type": "string" + }, + { + "name": "DeviceSerialNumber", + "type": "string" + }, + { + "name": "DeviceWifimac", + "type": "string" + }, + { + "name": "DeviceModel", + "type": "string" + }, + { + "name": "EventGuid", + "type": "long" + }, + { + "name": "Name", + "type": "string" + }, + { + "name": "Version", + "type": "int" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "MitreTtp", + "type": "dynamic" + }, + { + "name": "Profile", + "type": "string" + }, + { + "name": "PkgName", + "type": "string" + }, + { + "name": "Url", + "type": "string" + }, + { + "name": "ConfidenceScore", + "type": "double" + }, + { + "name": "UrlType", + "type": "int" + } + ] + }, + "plan": "Analytics" + } + } \ No newline at end of file diff --git a/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json b/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json new file mode 100644 index 00000000000..efe91a03a20 --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json 
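Review bot: `Version` is typed `int` here but `string` in the other five Knox tables, so a `union Samsung_Knox_*` in the workbook will not line the column up; one type across the set is needed. `ConfidenceScore` is typed `double`, and as far as I know the `Microsoft.OperationalInsights/workspaces/tables` column type for floating point is `real` (the enum is string, int, long, real, boolean, dateTime, guid, dynamic), so this file may be rejected at deployment — worth checking against the same table definition in mainTemplate.json. `UrlType` is an `int`; a description of its code values (or a string enum) would make the Suspicious URL rule's `ConfidenceScore > 0.9` threshold easier to tune per URL category.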
@@ -0,0 +1,119 @@
+{
+ "id": "SamsungDCDefinition",
+ "title": "Samsung Knox Asset Intelligence (Preview)",
+ "publisher": "Samsung",
+ "descriptionMarkdown": "Samsung Knox Asset Intelligence Data Connector provides you the ability to centralize mobile security events and logs to view customizes insights in Workbooks and create incidents based on Analytics Rules templates.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Samsung User Events logs",
+ "baseQuery": "Samsung_Knox_Audit_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "One-line title for your sample query 1",
+ "query": "Samsung_Knox_Audit_CL\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Samsung_Knox_Application_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_Application_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_Audit_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_Audit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_Process_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_Process_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_Network_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_Network_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_User_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_User_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_System_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_System_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Samsung_Knox_Audit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions on the Log Analytics Workspace are required to enable the Solution. You can either choose an existing Log Analytics workspace or create new. [See the documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) to learn more about Log Analytics workspace creation.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Entra App",
+ "description": "An Entra Application needs to be registered and provisioned with 'Sentinel Contributor'/ 'Microsoft Metrics Publisher' role to setup client secret-based authentication for data transfer. [See the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) to learn more about Entra App creation/registration and creating Client Secret credentials"
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "apiVersion": "2020-01-01",
+ "location": "[parameters('location')]",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('connectorId'))]",
+ "kind": "Office365",
+ "properties": {
+ "tenantId": "[subscription().tenantId]",
+ "dataTypes": {
+ "exchange": {
+ "state": "[parameters('exchangeState')]"
+ },
+ "sharePoint": {
+ "state": "[parameters('sharePointState')]"
+ },
+ "teams": {
+ "state": "[parameters('teamsState')]"
+ }
+ }
+ }
+ }
+ ],
+ "instructionSteps": [
+ {
+ "title": "",
+ "description": "This Samsung Knox Data Connector uses Microsoft Log Ingestion API that push security events into Microsoft Sentinel from Samsung Knox Asset Intelligence solution."
+ },
+ {
+ "title": "STEP 1 - Create and register an Entra Application ",
+ "description": ">**Note**: : Since this Data Connector is designed to support Client Secret-based authentication to securely transfer data, the user must create the Client Secret as credentials during the Entra application creation and registration. Ensure you copy the Client Secret value as soon as it is generated.\n\n>**IMPORTANT**: Save the Tenant (Directory) ID, Client (Application) ID and Client Secret (Secret Value) values"
+ },
+ {
+ "title": "STEP 2 - Obtain Sentinel Data collection Details",
+ "description": ">**Note**: Once you have installed Samsung Knox Asset Intelligence for Microsoft Sentinel Solution in Sentinel, a Data Collection Rule (DCR) associated with a Data Collection Endpoint (DCE), is auto-generated. To view this information, navigate to [Data Collection Rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules?) and look for DCR with its Name starting with **'samsung-knox-dcr-....'** and click on the DCR to view associated details.\n\n>**IMPORTANT**: Save the values for Immutable ID (DCR) and Data Collection Endpoint"
+ },
+ {
+ "title": "STEP 3 - Connect to Samsung Knox Asset Intelligence solution to configure Microsoft Sentinel to push select Knox Security Events as Alerts -",
+ "description": "1. Login to [Knox Asset Intelligence administration portal](https://central.samsungknox.com/kaiadmin/dai/home) and navigate to **Dashboard Settings**; this is available at the top-right corner of the Portal\n> **Note**: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions\n\n2. Click on Security tab to view settings for Security Operations Integration and for Knox Security Logs.\n\n3. In the Security Operations Integration page, toggle on the **'Enable Microsoft Sentinel Integration'** and enter appropriate values in the required fields - \n\n a. For Tenant ID, Client ID and Client Secret, refer to the information saved from Step 1 while registering the Entra application \n\n b. For Sentinel DCE and DCR, refer to the information saved from Step 2 \n\n4. Click on the **'Test Connection'** and ensure the connection is successful.\n\n5. Before you can Save, configure Knox Security Logs by selecting wither Essential or Advanced configuration **(default: Essential)**\n\n6. To complete the Sentinel integration, click **'Save'**"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Samsung Knox Asset Intelligence/Data Connectors/azuredeploy_SamsungDataConnectorDefinition.json b/Solutions/Samsung Knox Asset Intelligence/Data Connectors/azuredeploy_SamsungDataConnectorDefinition.json
new file mode 100644
index 00000000000..b6e81b2123d
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Data Connectors/azuredeploy_SamsungDataConnectorDefinition.json
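Review bot: The `resources` array deploys a `kind: Office365` data connector whose `exchange`/`sharePoint`/`teams` states come from `parameters('exchangeState')`, `parameters('sharePointState')` and `parameters('teamsState')`, none of which this definition declares and none of which relate to Knox; it reads as a leftover from the template this file was copied from and should be deleted, since as written it either fails on the undeclared parameters or enables an unrelated connector. The `sampleQueries` entry still carries the placeholder `"description" : "One-line title for your sample query 1"`, and the `graphQueries` legend `Samsung User Events logs` does not match its `baseQuery` of `Samsung_Knox_Audit_CL`. On least privilege, the `customs` text asks for `'Sentinel Contributor'/ 'Microsoft Metrics Publisher'` on the Entra app: pushing through the Logs Ingestion API needs only the built-in `Monitoring Metrics Publisher` role scoped to the DCR (I know of no role named `Microsoft Metrics Publisher`), and Sentinel Contributor hands a log-shipping credential write access to the workspace's incidents and rules. Likewise `requiredPermissions` asks for `"delete": true` on the workspace, which enabling a connector does not need. Minor wording: `customizes insights` in `descriptionMarkdown` and `wither` in step 5 of the last instruction.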
@@ -0,0 +1,1265 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Log Analytics Workspace Name": {
+ "defaultValue": "",
+ "type": "String"
+ },
+ "Log Analytics Workspace Location": {
+ "defaultValue": "",
+ "type": "String"
+ },
+ "Log Analytics Workspace Subscription": {
+ "defaultValue": "",
+ "type": "String"
+ },
+ "Log Analytics Workspace Resource Group": {
+ "defaultValue": "",
+ "type": "String"
+ },
+ "dce-reuse-flag": {
+ "defaultValue": false,
+ "allowedValues": [
+ false,
+ true
+ ],
+ "type": "Bool",
+ "metadata": {
+ "description": "The default name for the DCE is ms-sentinel-knox-dce-[function-name]-[LA-Region]. If you prefer a custom name, please set this flag to true"
+ }
+ },
+ "input-dce-name": {
+ "defaultValue": "",
+ "type": "String"
+ },
+ "dcr-normalized-data_refresh_flag": {
+ "defaultValue": true,
+ "allowedValues": [
+ false,
+ true
+ ],
+ "type": "Bool"
+ },
+ "dcr-normalized-data_name_input": {
+ "defaultValue": "",
+ "type": "String",
+ "metadata": {
+ "description": "Default name will be samsung-knox-dcr-[LA-Region], no need to enter if you want to use default names"
+ }
+ }
+ },
+ "variables": {
+ "loganalyticsworkspace": "[parameters('Log Analytics Workspace Name')]",
+ "loganalyticsworkspace-location": "[parameters('Log Analytics Workspace Location')]",
+ "loganalyticsworkspace-subscription": "[parameters('Log Analytics Workspace Subscription')]",
+ "loganalyticsworkspace-resourceGroup": "[parameters('Log Analytics Workspace Resource Group')]",
+ "default-dce-name": "[concat('samsung-knox-dce-',replace(variables('loganalyticsworkspace-location'),' ', ''))]",
+ "dce-name": "[if(not(parameters('dce-reuse-flag')), variables('default-dce-name'), parameters('input-dce-name'))]",
+ "dcr-normalized-data": "[if(empty(parameters('dcr-normalized-data_name_input')), concat('samsung-knox-dcr-',replace(variables('loganalyticsworkspace-location'),' ', '')), parameters('dcr-normalized-data_name_input'))]",
+ "dcr-normalized-data_refresh_flag": "[parameters('dcr-normalized-data_refresh_flag')]",
+ "cust-table-audit": "Samsung_Knox_Audit_CL",
+ "cust-table-application": "Samsung_Knox_Application_CL",
+ "cust-table-process": "Samsung_Knox_Process_CL",
+ "cust-table-user": "Samsung_Knox_User_CL",
+ "cust-table-network": "Samsung_Knox_Network_CL",
+ "cust-table-system": "Samsung_Knox_System_CL"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Insights/dataCollectionEndpoints",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('dce-name')]",
+ "location": "[variables('loganalyticsworkspace-location')]",
+ "dependsOn": [
+ "[resourceId(variables('loganalyticsworkspace-subscription'), variables('loganalyticsworkspace-resourceGroup'), 'Microsoft.Resources/deployments', 'RestDRLATablesTemplate')]"
+ ],
+ "properties": {
+ "networkAcls": {
+ "publicNetworkAccess": "Enabled"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "name": "RestDRLATablesTemplate",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(variables('loganalyticsworkspace'),'/',variables('cust-table-audit'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2022-10-01",
+ "tags": {},
+ "properties": {
+ "plan": "Analytics",
+ "schema": {
+ "name": "[variables('cust-table-audit')]",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "EventTime",
+ "type": "DateTime"
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "int"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "UserId",
+ "type": "int"
+ },
+ {
+ "name": "AdmUserId",
+ "type": "int"
+ },
+ {
+ "name": "AdmPkgName",
+ "type": "string"
+ },
+ {
+ "name": "FailureReason",
+ "type": "string"
+ },
+ {
+ "name": "Action",
+ "type": "string"
+ },
+ {
+ "name": "KeyMask",
+ "type": "int"
+ },
+ {
+ "name": "PkgName",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(variables('loganalyticsworkspace'),'/',variables('cust-table-application'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2022-10-01",
+ "tags": {},
+ "properties": {
+ "plan": "Analytics",
+ "schema": {
+ "name": "[variables('cust-table-application')]",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "EventTime",
+ "type": "DateTime"
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "int"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "PkgName",
+ "type": "string"
+ },
+ {
+ "name": "AccessibilityApi",
+ "type": "string"
+ },
+ {
+ "name": "RestrictedPerms",
+ "type": "dynamic"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(variables('loganalyticsworkspace'),'/',variables('cust-table-process'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2022-10-01",
+ "tags": {},
+ "properties": {
+ "plan": "Analytics",
+ "schema": {
+ "name": "[variables('cust-table-process')]",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "EventTime",
+ "type": "DateTime"
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "int"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "Tid",
+ "type": "int"
+ },
+ {
+ "name": "Pid",
+ "type": "int"
+ },
+ {
+ "name": "Ppid",
+ "type": "int"
+ },
+ {
+ "name": "Uid",
+ "type": "int"
+ },
+ {
+ "name": "Gid",
+ "type": "int"
+ },
+ {
+ "name": "ExitCode",
+ "type": "int"
+ },
+ {
+ "name": "Syscall",
+ "type": "int"
+ },
+ {
+ "name": "Path",
+ "type": "string"
+ },
+ {
+ "name": "Cwd",
+ "type": "string"
+ },
+ {
+ "name": "CmdLine",
+ "type": "string"
+ },
+ {
+ "name": "Euid",
+ "type": "int"
+ },
+ {
+ "name": "Egid",
+ "type": "int"
+ },
+ {
+ "name": "Fsuid",
+ "type": "int"
+ },
+ {
+ "name": "Fsgid",
+ "type": "int"
+ },
+ {
+ "name": "Suid",
+ "type": "int"
+ },
+ {
+ "name": "Sgid",
+ "type": "int"
+ },
+ {
+ "name": "OwnerUid",
+ "type": "int"
+ },
+ {
+ "name": "OwnerGid",
+ "type": "int"
+ },
+ {
+ "name": "Atime",
+ "type": "long"
+ },
+ {
+ "name": "Mtime",
+ "type": "long"
+ },
+ {
+ "name": "Ctime",
+ "type": "long"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(variables('loganalyticsworkspace'),'/',variables('cust-table-user'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2022-10-01",
+ "tags": {},
+ "properties": {
+ "plan": "Analytics",
+ "schema": {
+ "name": "[variables('cust-table-user')]",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "EventTime",
+ "type": "DateTime"
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "int"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "PkgName",
+ "type": "string"
+ },
+ {
+ "name": "Url",
+ "type": "string"
+ },
+ {
+ "name": "ConfidenceScore",
+ "type": "real"
+ },
+ {
+ "name": "UrlType",
+ "type": "int"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(variables('loganalyticsworkspace'),'/',variables('cust-table-network'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2022-10-01",
+ "tags": {},
+ "properties": {
+ "plan": "Analytics",
+ "schema": {
+ "name": "[variables('cust-table-network')]",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true
+ },
+ {
+ "name": "EventTime",
+ "type": "DateTime"
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "int"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "Protocol",
+ "type": "int"
+ },
+ {
+ "name": "SourcePort",
+ "type": "int"
+ },
+ {
+ "name": "RemotePort",
+ "type": "int"
+ },
+ {
+ "name": "SourceAddr",
+ "type": "string"
+ },
+ {
+ "name": "RemoteAddr",
+ "type": "string"
+ },
+ {
+ "name": "EventDetectedTime",
+ "type": "DateTime"
+ },
+ {
+ "name": "Family",
+ "type": "int"
+ },
+ {
+ "name": "PkgName",
+ "type": "string"
+ },
+ {
+ "name": "InterfaceName",
+ "type": "string"
+ },
+ {
+ "name": "Tid",
+ "type": "int"
+ },
+ {
+ "name": "Pid",
+ "type": "int"
+ },
+ {
+ "name": "Ppid",
+ "type": "int"
+ },
+ {
+ "name": "Uid",
+ "type": "int"
+ },
+ {
+ "name": "Gid",
+ "type": "int"
+ },
+ {
+ "name": "ExitCode",
+ "type": "int"
+ },
+ {
+ "name": "Syscall",
+ "type": "int"
+ },
+ {
+ "name": "Path",
+ "type": "string"
+ },
+ {
+ "name": "Ja3Fingerprint",
+ "type": "string"
+ },
+ {
+ "name": "SocketType",
+ "type": "int"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(variables('loganalyticsworkspace'),'/',variables('cust-table-system'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2022-10-01",
+ "tags": {},
+ "properties": {
+ "plan": "Analytics",
+ "schema": {
+ "name": "[variables('cust-table-system')]",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime",
+ "isDefaultDisplay": true
+ },
+ {
+ "name": "EventTime",
+ "type": "DateTime"
+ },
+ {
+ "name": "PrimaryImei",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei1",
+ "type": "string"
+ },
+ {
+ "name": "DeviceImei2",
+ "type": "string"
+ },
+ {
+ "name": "DeviceSerialNumber",
+ "type": "string"
+ },
+ {
+ "name": "DeviceWifimac",
+ "type": "string"
+ },
+ {
+ "name": "DeviceModel",
+ "type": "string"
+ },
+ {
+ "name": "EventGuid",
+ "type": "long"
+ },
+ {
+ "name": "Name",
+ "type": "string"
+ },
+ {
+ "name": "Version",
+ "type": "int"
+ },
+ {
+ "name": "Severity",
+ "type": "string"
+ },
+ {
+ "name": "MitreTtp",
+ "type": "dynamic"
+ },
+ {
+ "name": "Profile",
+ "type": "string"
+ },
+ {
+ "name": "BLBuildVersion",
+ "type": "string"
+ },
+ {
+ "name": "BLBuildId",
+ "type": "string"
+ },
+ {
+ "name": "BLBuildType",
+ "type": "string"
+ },
+ {
+ "name": "KernelBuildId",
+ "type": "string"
+ },
+ {
+ "name": "KernelBuildType",
+ "type": "string"
+ },
+ {
+ "name": "SystemBuildId0",
+ "type": "string"
+ },
+ {
+ "name": "SystemBuildId1",
+ "type": "string"
+ },
+ {
+ "name": "SystemBuildId2",
+ "type": "string"
+ },
+ {
+ "name": "BLMode",
+ "type": "string"
+ },
+ {
+ "name": "RebootReason",
+ "type": "string"
+ },
+ {
+ "name": "SecureBoot",
+ "type": "string"
+ },
+ {
+ "name": "BLEventTarget",
+ "type": "string"
+ },
+ {
+ "name": "BLEvent",
+ "type": "string"
+ },
+ {
+ "name": "BLRP",
+ "type": "string"
+ },
+ {
+ "name": "KernelRP",
+ "type": "string"
+ },
+ {
+ "name": "SystemRP",
+ "type": "string"
+ },
+ {
+ "name": "ArpDevice",
+ "type": "string"
+ },
+ {
+ "name": "WpState",
+ "type": "string"
+ },
+ {
+ "name": "WbFuse",
+ "type": "string"
+ },
+ {
+ "name": "WbReason",
+ "type": "string"
+ },
+ {
+ "name": "ImgStatus",
+ "type": "string"
+ },
+ {
+ "name": "KernelState",
+ "type": "string"
+ },
+ {
+ "name": "CustomCount",
+ "type": "string"
+ },
+ {
+ "name": "AvbBootState",
+ "type": "string"
+ },
+ {
+ "name": "AvbDeviceLocked",
+ "type": "string"
+ },
+ {
+ "name": "AvbOsVersion",
+ "type": "string"
+ },
+ {
+ "name": "AvbOsPatchLevel",
+ "type": "string"
+ },
+ {
+ "name": "AvbVendorPatchLevel",
+ "type": "string"
+ },
+ {
+ "name": "AvbBootPatchLevel",
+ "type": "string"
+ },
+ {
+ "name": "VbMetaType",
+ "type": "string"
+ },
+ {
+ "name": "UnlockCount",
+ "type": "string"
+ },
+ {
+ "name": "EmStatus",
+ "type": "string"
+ },
+ {
+ "name": "EmFuseHistory",
+ "type": "string"
+ },
+ {
+ "name": "EmTokens",
+ "type": "string"
+ },
+ {
+ "name": "KGState",
+ "type": "string"
+ },
+ {
+ "name": "KGFuse",
+ "type": "string"
+ },
+ {
+ "name": "FrpState",
+ "type": "string"
+ },
+ {
+ "name": "CCModeState",
+ "type": "string"
+ },
+ {
+ "name": "MDMState",
+ "type": "string"
+ },
+ {
+ "name": "EDLCount",
+ "type": "string"
+ },
+ {
+ "name": "RPMBState",
+ "type": "string"
+ },
+ {
+ "name": "FOTACount",
+ "type": "string"
+ },
+ {
+ "name": "ODINCount",
+ "type": "string"
+ },
+ {
+ "name": "AvbVerityMode",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ }
+
+ ]
+ },
+ "parameters": {}
+ },
+ "subscriptionId": "[variables('loganalyticsworkspace-subscription')]",
+ "resourceGroup": "[variables('loganalyticsworkspace-resourceGroup')]"
+ },
+ {
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('dcr-normalized-data')]",
+ "location": "[variables('loganalyticsworkspace-location')]",
+ "tags": {
+ "createdBy": "Sentinel"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dce-name'))]"
+ ],
+ "properties": {
+ "dataCollectionEndpointId": "[resourceId(subscription().subscriptionId,resourceGroup().name,'Microsoft.Insights/dataCollectionEndpoints', variables('dce-name'))]",
+ "streamDeclarations": {
+ "Custom-Samsung": {
+ "columns": [
+ {
+ "name": "imei1",
+ "type": "string",
+ "description": "Device Imei1"
+ },
+ {
+ "name": "imei2",
+ "type": "string",
+ "description": "Device Imei2"
+ },
+ {
+ "name": "serial",
+ "type": "string",
+ "description": "Device Serial"
+ },
+ {
+ "name": "mac",
+ "type": "string",
+ "description": "Device Wifi Mac"
+ },
+ {
+ "name": "model",
+ "type": "string",
+ "description": "Device Model"
+ },
+ {
+ "name": "timestamp",
+ "type": "long",
+ "description": "The time at which the data was generated"
+ },
+ {
+ "name": "event_id",
+ "type": "long",
+ "description": "id"
+ },
+ {
+ "name": "version",
+ "type": "int",
+ "description": "device event version"
+ },
+ {
+ "name": "name",
+ "type": "string",
+ "description": "event name like TAG_KEYGUARD_DISMISSED"
+ },
+ {
+ "name": "severity",
+ "type": "string",
+ "description": "Severity"
+ },
+ {
+ "name": "private",
+ "type": "string",
+ "description": "Profile, Allowable values: PRIVATE, PUBLIC"
+ },
+ {
+ "name": "maturity",
+ "type": "string"
+ },
+ {
+ "name": "source",
+ "type": "string"
+ },
+ {
+ "name": "tag_table",
+ "type": "string",
+ "description": "tag for events"
+ },
+ {
+ "name": "mitre_attack_techniques",
+ "type": "dynamic",
+ "description": "MitreTtp"
+ },
+ {
+ "name": "addon_content",
+ "type": "dynamic",
+ "description": "userId, admUserId, admPkgName, reason, action, keyMask, pkgName, interfaceName"
+ },
+ {
+ "name": "tid",
+ "type": "int",
+ "description": "Tid"
+ },
+ {
+ "name": "pid",
+ "type": "int",
+ "description": "Pid"
+ },
+ {
+ "name": "ppid",
+ "type": "int",
+ "description": "Ppid"
+ },
+ {
+ "name": "uid",
+ "type": "int",
+ "description": "Uid"
+ },
+ {
+ "name": "gid",
+ "type": "int",
+ "description": "Gid"
+ },
+ {
+ "name": "exit_code",
+ "type": "int",
+ "description": "ExitCode"
+ },
+ {
+ "name": "syscall",
+ "type": "int",
+ "description": "Syscall"
+ },
+ {
+ "name": "path",
+ "type": "string",
+ "description": "Path"
+ },
+ {
+ "name": "cwd",
+ "type": "string",
+ "description": "Cwd"
+ },
+ {
+ "name": "cmdline",
+ "type": "string",
+ "description": "CmdLine"
+ },
+ {
+ "name": "euid",
+ "type": "int",
+ "description": "Euid"
+ },
+ {
+ "name": "egid",
+ "type": "int",
+ "description": "Egid"
+ },
+ {
+ "name": "fsuid",
+ "type": "int",
+ "description": "Fsuid"
+ },
+ {
+ "name": "fsgid",
+ "type": "int",
+ "description": "Fsgid"
+ },
+ {
+ "name": "suid",
+ "type": "int",
+ "description": "Suid"
+ },
+ {
+ "name": "sgid",
+ "type": "int",
+ "description": "Sgid"
+ },
+ {
+ "name": "owner_uid",
+ "type": "int",
+ "description": "OwnerUid"
+ },
+ {
+ "name": "owner_gid",
+ "type": "int",
+ "description": "OwnerGid"
+ },
+ {
+ "name": "atime",
+ "type": "long",
+ "description": "Atime"
+ },
+ {
+ "name": "mtime",
+ "type": "long",
+ "description": "Mtime"
+ },
+ {
+ "name": "ctime",
+ "type": "long",
+ "description": "Ctime"
+ },
+ {
+ "name": "package_name",
+ "type": "string",
+ "description": "PkgName"
+ },
+ {
+ "name": "accessbility_api",
+ "type": "string",
+ "description": "AccessibilityApi"
+ },
+ {
+ "name": "restricted_permissions",
+ "type": "dynamic",
+ "description": "RestrictedPerms"
+ },
+ {
+ "name": "url",
+ "type": "string",
+ "description": "Url"
+ },
+ {
+ "name": "confidence_score",
+ "type": "real",
+ "description": "ConfidenceScore"
+ },
+ {
+ "name": "url_type",
+ "type": "int",
+ "description": "UrlType"
+ },
+ {
+ "name": "protocol",
+ "type": "int",
+ "description": "Protocol"
+ },
+ {
+ "name": "local_port",
+ "type": "int",
+ "description": "SourcePort"
+ },
+ {
+ "name": "remote_port",
+ "type": "int",
+ "description": "RemotePort"
+ },
+ {
+ "name": "local_address",
+ "type": "string",
+ "description": "SourceAddr"
+ },
+ {
+ "name": "remote_address",
+ "type": "string",
+ "description": "RemoteAddr"
+ },
+ {
+ "name": "eventTime",
+ "type": "datetime",
+ "description": "EventDetectedTime"
+ },
+ {
+ "name": "family",
+ "type": "int",
+ "description": "Family"
+ },
+
+ {
+ "name": "JA3_fingerprint",
+ "type": "string",
+ "description": "Ja3Fingerprint"
+ },
+ {
+ "name": "type",
+ "type": "int",
+ "description": "SocketType"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "name": "SentinelWorkspace",
+ "workspaceResourceId": "[resourceId(variables('loganalyticsworkspace-subscription'), variables('loganalyticsworkspace-resourceGroup'),'Microsoft.OperationalInsights/Workspaces', variables('loganalyticsworkspace'))]"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-Samsung"
+ ],
+ "destinations": [ "SentinelWorkspace" ],
+ "transformKql": "source \r\n|where (name == 'TAG_FAILED_TO_WIPE_USER_DATA' or name == 'TAG_WIPING_DATA_IS_NOT_ALLOWED_FOR_THIS_USER' or name == 'TAG_ADMIN_HAS_REQUESTED_FULL_WIPE_OF_DEVICE' or name == 'TAG_PACKAGE_NAME_HAS_BEEN_ACTIVATED_AS_ADMIN' or name == 'TAG_PACKAGE_NAME_HAS_BEEN_REMOVED_AS_ADMIN' or name == 'TAG_APPLICATION_ACTION_FAILED_BECAUSE_OF_SIGNATURE_VERIFICATION_FAILURE' or name == 'LOG_IS_FULL' or name == 'TAG_ADB_SHELL_INTERACTIVE' or name == 'TAG_KEYGUARD_DISABLED_FEATURES_SET' or name == 'TAG_KEYGUARD_DISMISSED') \r\n | extend PrimaryImei = case(isempty(imei1), imei2, imei1) \r\n |extend parsedAC = parse_json(addon_content) \r\n| extend UserId = toint(parsedAC.userId) \r\n| extend AdmUserId = toint(parsedAC.admUserId) \r\n| extend AdmPkgName = tostring(parsedAC.admPkgName) \r\n| extend FailureReason = tostring(parsedAC.reason) \r\n| extend Action = tostring(parsedAC.action) \r\n| extend KeyMask = toint(parsedAC.mask) \r\n| extend PkgName = tostring(parsedAC.pkgName) \n| extend eventDatetime = datetime_add('milliSecond', tolong(timestamp), todatetime('1970-01-01'))\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now()) \r\n| project-rename EventGuid = event_id,\r\n Name = name,\r\n Version = version,\r\n Severity = severity,\r\n MitreTtp = mitre_attack_techniques,\r\n Profile = private,\r\n DeviceImei1=imei1,\r\n DeviceImei2=imei2,\r\n DeviceSerialNumber=serial,\r\n DeviceWifimac=mac,\r\n DeviceModel=model, EventTime= eventDatetime ",
+ "outputStream": "[concat('Custom-', variables('cust-table-audit'))]"
+ },
+ {
+ "streams": [
+ "Custom-Samsung"
+ ],
+ "destinations": [ "SentinelWorkspace" ],
+ "transformKql": "source \r\n|where (name == 'PREVENT_APP_REMOVAL_CAPABILITY' or name == 'KEY_INPUT_CAPTURE_CAPABILITY'or name == 'SCREEN_CAPTURE_CAPABILITY' or name == 'USER_INTERACTION_CONTROL_CAPABILITY' or name == 'ACCESS_NOTIFICATION_PERMISSION' or name == 'VIDEO_CAPTURE_PERMISSION' or name == 'ACCESS_CALL_LOG_PERMISSION') \r\n | extend PrimaryImei = case(isempty(imei1), imei2, imei1) \n| extend eventDatetime = datetime_add('milliSecond', tolong(timestamp), todatetime('1970-01-01'))\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now()) \r\n| project-rename EventGuid = event_id,\r\n Name = name,\r\n Version = version,\r\n Severity = severity,\r\n MitreTtp = mitre_attack_techniques,\r\n Profile = private,\r\n PkgName = package_name,\r\n AccessibilityApi = accessbility_api,\r\n RestrictedPerms = restricted_permissions,\r\n DeviceImei1=imei1,\r\n DeviceImei2=imei2,\r\n DeviceSerialNumber=serial,\r\n DeviceWifimac=mac,\r\n DeviceModel=model, EventTime= eventDatetime ",
+ "outputStream": "[concat('Custom-', variables('cust-table-application'))]"
+ },
+ {
+ "streams": [
+ "Custom-Samsung"
+ ],
+ "destinations": [ "SentinelWorkspace" ],
+ "transformKql": "source \r\n|where (name == 'PROCESS_PRIVILEGE_ESCALATION') \r\n | extend PrimaryImei = case(isempty(imei1), imei2, imei1) \n| extend eventDatetime = datetime_add('milliSecond', tolong(timestamp), todatetime('1970-01-01'))\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now()) \r\n| project-rename EventGuid = event_id,\r\n Name = name,\r\n Version = version,\r\n Severity = severity,\r\n MitreTtp = mitre_attack_techniques,\r\n Profile = private,\r\n Tid = tid,\r\n Pid = pid,\r\n Ppid = ppid,\r\n Uid = uid,\r\n Gid = gid,\r\n ExitCode = exit_code,\r\n Syscall = syscall,\r\n Path = path,\r\n Cwd = cwd,\r\n CmdLine = cmdline,\r\n Euid = euid,\r\n Egid = egid,\r\n Fsuid = fsuid,\r\n Fsgid = fsgid,\r\n Suid = suid,\r\n Sgid = sgid,\r\n OwnerUid = owner_uid,\r\n OwnerGid = owner_gid,\r\n Atime = atime,\r\n Mtime = mtime,\r\n Ctime = ctime,\r\n DeviceImei1=imei1,\r\n DeviceImei2=imei2,\r\n DeviceSerialNumber=serial,\r\n DeviceWifimac=mac,\r\n DeviceModel=model, EventTime= eventDatetime ",
+ "outputStream": "[concat('Custom-', variables('cust-table-process'))]"
+ },
+ {
+ "streams": [
+ "Custom-Samsung"
+ ],
+ "destinations": [ "SentinelWorkspace" ],
+ "transformKql": "source \r\n|where (name == 'SUSPICIOUS_URL_ACCESSED' or name == 'PASSWORD_LOCKOUT') \r\n | extend PrimaryImei = case(isempty(imei1), imei2, imei1) \n| extend eventDatetime = datetime_add('milliSecond', tolong(timestamp), todatetime('1970-01-01'))\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now()) \r\n| project-rename EventGuid = event_id,\r\n Name = name,\r\n Version = version,\r\n Severity = severity,\r\n MitreTtp = mitre_attack_techniques,\r\n Profile = private,\r\n PkgName = package_name,\r\n Url = url,\r\n ConfidenceScore = confidence_score,\r\n UrlType = url_type,\r\n DeviceImei1=imei1,\r\n DeviceImei2=imei2,\r\n DeviceSerialNumber=serial,\r\n DeviceWifimac=mac,\r\n DeviceModel=model, EventTime= eventDatetime | extend MitreTtp = case(Name == 'SUSPICIOUS_URL_ACCESSED', array_concat(MitreTtp, parse_json(\"['T1566']\")), MitreTtp)",
+ "outputStream": "[concat('Custom-', variables('cust-table-user'))]"
+ },
+ {
+ "streams": [
+ "Custom-Samsung"
+ ],
+ "destinations": [ "SentinelWorkspace" ],
+ "transformKql": "source \r\n|where (name == 'TAG_NETWORK_EVENT_INSECURE_PACKET') \r\n | extend PrimaryImei = case(isempty(imei1), imei2, imei1) \r\n| extend parsedAC = parse_json(addon_content) \r\n| extend EventDetectedTime = datetime_add('milliSecond', tolong(parsedAC.eventTime), todatetime('1970-01-01')) \r\n| extend PkgName = tostring(parsedAC.pkgName) \r\n| extend InterfaceName = tostring(parsedAC.interfaceName) \n| extend eventDatetime = datetime_add('milliSecond', tolong(timestamp), todatetime('1970-01-01'))\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now()) \r\n| project-rename EventGuid = event_id,\r\n Name = name,\r\n Version = version,\r\n Severity = severity,\r\n MitreTtp = mitre_attack_techniques,\r\n Profile = private,\r\n Protocol = protocol,\r\n SourcePort = local_port,\r\n RemotePort = remote_port,\r\n SourceAddr = local_address,\r\n RemoteAddr = remote_address,\r\n Family = family,\r\n Tid = tid,\r\n Pid = pid,\r\n Ppid = ppid,\r\n Uid = uid,\r\n Gid = gid,\r\n ExitCode = exit_code,\r\n Syscall = syscall,\r\n Path = path,\r\n Ja3Fingerprint = JA3_fingerprint,\r\n SocketType = type,\r\n DeviceImei1=imei1,\r\n DeviceImei2=imei2,\r\n DeviceSerialNumber=serial,\r\n DeviceWifimac=mac,\r\n DeviceModel=model , EventTime= eventDatetime ",
+ "outputStream": "[concat('Custom-', variables('cust-table-network'))]"
+ },
+ {
+ "streams": [
+ "Custom-Samsung"
+ ],
+ "destinations": [ "SentinelWorkspace" ],
+ "transformKql": "source \r\n|where (name == 'BOOT_COMPROMISED_SOFTWARE_BINARY' or name == 'PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA' or name == 'PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC' or name == 'BOOT_STATE' or name == 'BOOT_SECURITY_ABNORMALITY') \r\n | extend PrimaryImei = case(isempty(imei1), imei2, imei1) \r\n| extend parsedAC = parse_json(addon_content) \r\n| extend BLBuildVersion = tostring(parsedAC.BOOTLOADER_BUILD_VERSION) \r\n| extend BLBuildId = tostring(parsedAC.BOOTLOADER_BUILD_ID) \r\n| extend BLBuildType = tostring(parsedAC.BOOTLOADER_BUILD_TYPE) \r\n| extend KernelBuildId = tostring(parsedAC.KERNEL_BUILD_ID) \r\n| extend KernelBuildType = tostring(parsedAC.KERNEL_BUILD_TYPE) \r\n| extend SystemBuildId0 = tostring(parsedAC.SYSTEM_BUILD_ID0) \r\n| extend SystemBuildId1 = tostring(parsedAC.SYSTEM_BUILD_ID1) \r\n| extend SystemBuildId2 = tostring(parsedAC.SYSTEM_BUILD_ID2) \r\n| extend BLMode = tostring(parsedAC.BOOTLOADER_MODE) \r\n| extend RebootReason = tostring(parsedAC.REBOOT_REASON) \r\n| extend SecureBoot = tostring(parsedAC.SECURE_BOOT) \r\n| extend BLEventTarget = tostring(parsedAC.BOOTLOADER_EVENT_TARGET) \r\n| extend BLEvent = tostring(parsedAC.BOOTLOADER_EVENT) \r\n| extend BLRP = tostring(parsedAC.BOOTLOADER_RP) \r\n| extend KernelRP = tostring(parsedAC.KERNEL_RP) \r\n| extend SystemRP = tostring(parsedAC.SYSTEM_RP) \r\n| extend ArpDevice = tostring(parsedAC.ARP_DEVICE) \r\n| extend WpState = tostring(parsedAC.WP_STATE) \r\n| extend WbFuse = tostring(parsedAC.WB_FUSE) \r\n| extend WbReason = tostring(parsedAC.WB_REASON) \r\n| extend ImgStatus = tostring(parsedAC.IMG_STATUS) \r\n| extend KernelState = tostring(parsedAC.KERNEL_STATE) \r\n| extend CustomCount = tostring(parsedAC.CUSTOM_COUNT) \r\n| extend AvbBootState = tostring(parsedAC.AVB_BOOT_STATE) \r\n| extend AvbDeviceLocked = tostring(parsedAC.AVB_DEVICE_LOCKED) \r\n| extend AvbOsVersion = tostring(parsedAC.AVB_OS_VERSION) \r\n| extend AvbOsPatchLevel = tostring(parsedAC.AVB_OS_PATCH_LEVEL) \r\n| extend AvbVendorPatchLevel = tostring(parsedAC.AVB_VENDOR_PATCH_LEVEL) \r\n| extend AvbBootPatchLevel = tostring(parsedAC.AVB_BOOT_PATCH_LEVEL) \r\n| extend VbMetaType = tostring(parsedAC.VBMETA_TYPE) \r\n| extend UnlockCount = tostring(parsedAC.UNLOCK_COUNT) \r\n| extend EmStatus = tostring(parsedAC.EM_STATUS) \r\n| extend EmFuseHistory = tostring(parsedAC.EM_FUSE_HISTORY) \r\n| extend EmTokens = tostring(parsedAC.EM_TOKENS) \r\n| extend KGState = tostring(parsedAC.KG_STATE) \r\n| extend KGFuse = tostring(parsedAC.KG_FUSE) \r\n| extend FrpState = tostring(parsedAC.FRP_STATE) \r\n| extend CCModeState = tostring(parsedAC.CC_MODE_STATE) \r\n| extend MDMState = tostring(parsedAC.MDM_STATE) \r\n| extend EDLCount = tostring(parsedAC.EDL_COUNT) \r\n| extend RPMBState = tostring(parsedAC.RPMB_STATE) \r\n| extend FOTACount = tostring(parsedAC.FOTA_COUNT) \r\n| extend ODINCount = tostring(parsedAC.ODIN_COUNT) \r\n| extend AvbVerityMode = tostring(parsedAC.AVB_VERITY_MODE) \r\n| extend eventDatetime = datetime_add('milliSecond', tolong(timestamp), todatetime('1970-01-01'))\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now())\r\n | project-rename EventGuid = event_id,\r\n Name = name,\r\n Version = version,\r\n Severity = severity,\r\n MitreTtp = mitre_attack_techniques,\r\n Profile = private,\r\n DeviceImei1=imei1,\r\n DeviceImei2=imei2,\r\n DeviceSerialNumber=serial,\r\n DeviceWifimac=mac,\r\n DeviceModel=model, EventTime= eventDatetime ",
+ "outputStream": "[concat('Custom-', variables('cust-table-system'))]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/Solutions/Samsung Knox Asset Intelligence/Data/Solution_Samsung.json b/Solutions/Samsung Knox Asset Intelligence/Data/Solution_Samsung.json
new file mode 100644
index 00000000000..b4e1732af31
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Data/Solution_Samsung.json
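Review bot: In the first dataFlow's transformKql, `| extend KeyMask = toint(parsedAC.mask)` reads a key named `mask`, while the `addon_content` stream column is documented as carrying `keyMask`; if the producer actually sends `keyMask`, every Samsung_Knox_Audit_CL row gets a null KeyMask, so either the transform should read `toint(parsedAC.keyMask)` or the description should be corrected. The `dce-name` variable resolves to an empty resource name when `dce-reuse-flag` is true and `input-dce-name` is left at its default `""`; guarding with `"dce-name": "[if(or(not(parameters('dce-reuse-flag')), empty(parameters('input-dce-name'))), variables('default-dce-name'), parameters('input-dce-name'))]"` keeps the deployment valid. The `dce-reuse-flag` description promises a default name of `ms-sentinel-knox-dce-[function-name]-[LA-Region]`, but `default-dce-name` builds `samsung-knox-dce-<location>`, and `dcr-normalized-data_refresh_flag` is declared and copied into a variable that no resource in the template reads, so the description should match the variable and the flag should be used or removed. The DCE is created with `publicNetworkAccess` set to `Enabled` and no parameter to change it; a `metadata.description` on the endpoint stating that the Knox cloud delivers events to this endpoint from outside Azure would tell operators why the public ingress is required and that access is gated only by the Entra client credential. The transforms also set TimeGenerated from the device-supplied `timestamp` without bounds, so a device with a skewed clock writes rows whose TimeGenerated may fall outside the window the ingestion service accepts; worth a comment in the transform or a note in the connector documentation.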
@@ -0,0 +1,26 @@
+{
+ "Name": "Samsung Knox Asset Intelligence",
+ "Author": "Samsung - kai.sme@samsung.com",
+ "Logo": "",
+ "Description": "The Knox Asset Intelligence for Microsoft Sentinel solution enables enterprise IT and SecOps (Security Operations) administrators to view and manage security threats to their Samsung Knox mobile devices. By integrating security events and logs from Knox Asset Intelligence with the Azure Monitor Log Ingestion API, the solution lets enterprise organizations easily view, identify and investigate security threats in near-real-time with Microsoft Sentinel.",
+ "Data Connectors": [
+ "Data Connectors/SamsungDCDefinition.json"
+ ],
+ "Workbooks": ["Solutions/Samsung Knox Asset Intelligence/Workbooks/SamsungKnoxAssetIntelligence.json"],
+ "WorkbookBladeDescription":"This Knox Asset Intelligence for Microsoft Sentinel solution installs a workbook that summarizes the mobile security events reported by Samsung Knox devices over a selected reporting period. You can use this workbook to quickly assess the threat type and severity, or identify patterns and anomalies in order to help prioritize incident responses or further investigations.",
+ "AnalyticalRuleBladeDescription": "This solution comes with the following analytic rule templates, based on critical mobile security event data captured from Samsung Knox devices. You can also customize these analytic rule templates based on your organization’s needs.",
+ "Analytic Rules": [
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml",
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml",
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml",
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml",
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml",
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml",
+ "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Samsung Knox Asset Intelligence",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+ }
\ No newline at end of file
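Review bot: The `Data Connectors` entry is written relative to the solution folder (`Data Connectors/SamsungDCDefinition.json`) while `Workbooks` and every `Analytic Rules` entry use repo-root `Solutions/...` paths; the packaging tool tolerates both, but one convention per manifest is easier to maintain, e.g. `"Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json"`. `BasePath` is an absolute path from one contributor's Windows checkout, so anyone regenerating the package on another machine must edit it first; this follows other solutions in the repo, so it is a note rather than a blocker. Also worth confirming that every rule YAML under `Analytic Rules` is listed here — a rule file that is not in this array is silently left out of the package, and the seven entries are what the UI definition advertises.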
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..a48f92a9bd1faa908e657bb46561b543e0a68a90 GIT binary patch literal 13281 zcmZ{rW2`9QvZj~4m${d1+qP}nwr$(CZQHhO+q2J|dw|_ZD=eUZEdbK zE^RPJQGRYq(d(#%pt{B+u+T)Z`C7J=!j>RX5DVi#^xHVMvMpRq85t=vTtJVQKU!l` zNY7nOZjTmHs8n1cKSIrBW{$Ob9D5v1-hU7byLT~Zk?C)_4ZG(ymbfyd9^&n%kZ{7( zh+L+2jWwdUQP5_mj7-1Wx;Q18+fod8+{-~*4@v{Q=@Y}76o?NCsTv+m-M(B46Lz0N zoRr3pco8#VI1+MHM5eFYX05l^@Nzw=oBCOpTAh`Cn2s|>2Ml0Ix<(;JxRR%gr)9_{h0)1(;*nPM7^ z{xU=?;{S4T^yf(lG5IIs?H$R1PDshPSv3%~ec{X7(!NF^ygUG07K(up+z+j3fuC}- zr1t!=KUgF^*Yx@m3?rcF{rkejF5A-jTT$iK(mfqR*dMK@F%@K@LXQc>q9|WL!<8}LwU}mSl?nY zB1o1{{|*wfSmR(UP%)&gPwRGcsg8$-k@`B|8^XPP(V(vlSJ2LoKCcP?J!{cS8>eV0 zY0^q8-Utf2$RzmPG2W0lIbM$^>!yF^Y8Yrk9bry9P4Swb20z~(T!@0sszkX<<(yq_ zAK+-OF9w+b;0j>RPzNt+(d+h2Z%ss<$Z8T^0-TG#iz6Fj3%@XU(Q&LuHYJNXi;tnb zgd6xMQn}f90I~lWVz(eZ*&ctpLUzQR?%Hv3T{4+yfN)VkiyNom`kGZjS30?)Li7a@ zhq~%%?Ggs3Xuq^+cpX1RQculnrj())+q4>Bxp)z=8u$gSr9%>h7gtA%e_M4YkF{zs zeY|AaONEq!YtSLtTo%jH`Ojhpk;h6}U&ed;$iDnAc;dy{Nc`o>{TUv8(%6&{Y-L6g zut#DOm*)UK{@vU~RsCe)iD|v5bT~2m-=#D^OL28Fm$uiEgkJn;?V7`5di||cH;o2{5=xS9vUT68P_8}hpr2fvb;0z-;1VT{v{$7 zr_p`8y!_oLzAS?8eHGy6);~$NZWN-z^iN){rmm(98hZ#b{HS2wX$IaiOXD^e?D%p2rpRN5AxZ64 z2ws&%n%=zv1gS`|6@H%_Py-(~wJ()S8g$GtVjYmsvK~{|Bq*sgE`6O^30Uc4s&K_!5G{H< zBKf&f#cKcj+raaI9#5sJXKkbA4n@L6MbhLzr{Qs=%U5W0k&4m*;k@0fL#sT}l6qZP zBrm;PB~6+=uuUDW#K3I_^}ZC+IKkG%U^-Jw5@}d-%o$HwSU|631JEp%3|6kd*7_hl z&(9FN0OFZ?q)CMrS6C50QLCt85+Ni%nU5|u-U&4CXlCLd{vZ<*Pp%z94<9V_w}8J2 zlOI`gOi_HN;6Z2@Ajq!Rf5B&GAe2A?Lqjrnc@Alos}+kO1DS>NJl=&dTG6?%(n397=avb&P_9QUh?!N4D+?o$OYzzG6R2`$GtSW{xeNd&Y$Y#vTiKLneS9hk;`>}V*y{Ase z3~hC~aO-Ecn;m;}r}!xsmoQsjrTDnG6S3E-XM2N8G(}_=OY~$Zz9fFimTA2{Wwnn| zqeT_$ZW=ruN;iZHl4U48`EPD0<8Bbp{gQ{^z+zG`7FMCV!IrcEMl!NT4ynSWhAvYJ zlK$Ck)DL2!-O1#-lv$eo7-Djip0wQjx7Y!!TATN!CnePv9xDGx^XyA8ezNzAsb9L< zflyV^-etow5-aX{iu{I-n+DNyFLu-KPawFsc-I>1Zj?=P{jn 
z0pNrEtZ>o5SDotcUXQ_keaWxpVH`KTh!C=@&_Rh)MGJ`(j8~{-ExYxlx=!DEwQMk1BQL!7%&h3m zzOky?g7=amgo-tGw-u9zr_bY(w?o^W*9xI0oYy*%^$(K0?1ex3fYRq|m2ZHc>W?S$ z(}ljka{q_GJZ`M}(@F*aK&$`=fbdUXTI-wJC>dMZS^bll|65vmf2(XtG~E6^B6oY; zsPokre_4<19AN4O5HjUCPWQIDc(w#GIZ*Q6FqgR#sOWxwQ_@J{+9YOUaXG9FLi z4FlFp=Y|y9URK^#US964vH5<3#xMTuj{?NLC|)gMy8A}(?Cz${Q3~lOd_9lj@DctU zT`NQx#GY`q>eQ*ewpcDvskY8^GU|j=yNQ4mZMj*T@TFUQPgTG;$E-OVtn5{YRj&!0 zUZPO`%5~!|>an@tY54{A2_^kl!)?Ps?OF=8x_Sy1v2m^(2zlB~cMHh6yU6;1&ot=@ zu#ELK3w}#LSa9Sn81r)4x;4tBzeqIP8*i!RafZ+CsY>HSRRIGV%1>v`kW)UGTq z?G-5}@e)xq1T*_r+(jZ+D>n**d9sM}C0wvvT>7BXsEAR-$+qnMhx!TRaePWM81UR~6!2ApDpv_ku)$_{T4yceitg8uJ`%89C9H^c8p#9X=8v z(PIUhY5j2vpVp^AHUNrv{DtuMRUUSQsGI9MD+M$dr6Z7JGWM!olLqODcI)z-Z^I_~mxLFu$FRt=8 ze3SGu#)kJTrC;x1bBUi}v7@4;U z?LIZSPg4N!`Dg7Yo2JZR`bi5MtZl`dsdCz*bYtgQiSnV_1-jaTqoqPUUWJ)N)VIK$ zpNB&KjfCK2jl(WGXPKA95&<6$4%U3ufr^JJ!lA${$>~Trh$V)F%axC5l@q>EEXJio zDY7M9o~qJY*xx5KfQ=4q!4NAmQ|IkaL{BZb5#hPbaPHc$Y##T`it`S{s!*yxhR6+2 zr$~xGiKd+Xh3Xd{58)7MT*zo5A-l6==_h@eUeQBn`Z<-*A}?XJpoT@TRLf}RlRbRtN{O(9$ zzmfBD`1uG@BRW;i+>c=Ra09(Lw)r-*KDu~yEL;RlVQFN&^lZm3;EH0T2;cmwx=Elm3bpA_ zNUM(Je73gWDomrL*|bY%iL+~mbG4%NiifoYdbSQL5ppr(b`;5z>uyO->~oU&9-i%y zInPo(2)HFZ!?xsKbs7AY0)wLHF$Jh9PiRUz_5fd< zu&)kH-QJrMM01;M>#4bI5u5E}Vo#3iIg!$m^Q0Sq#AqBk^-A++kIG_JO^?D2Yol`; zL(q=Q!uPF?O|{g2i3GhjEIxqS(}WBEJX!gj)Bg;zPwQ&sMJIN3%Vs%nVmG$*?G?I4 z_cBvop9@E4Q)+SNwDQ~b`t<3__Q}SV4G#XprOhMS+%^}%baiJnM#ttvb!S(Re#^zR z&f?M(&GvFe^GQuhp{lcW>fh;*`MJ(*4Ngf{&Hn+h{BMv=jsF3eo!fT#4~Ti=M%k-W zQ?-SpB};{K^(K9VM(unhi%Uh*PMPrt%=NJ|tL$UDb89!r_B5%G&$e}~uB&4>Q|pb3 z$(apl>rF%gr^%w#%U_MoXeoluPU|!*mkW_#G0C7jz9Q zNqC^f!)ZiAl{E&CI`Bg>7T?e`S4I4Vet`=7){i@(L~}FvWxSo4eHnASr9#?RPtitM z6BD`@RWSmt)2U_^stIO!ILj8k9ZYcGWbuSH1>Y8TI%~9 z;gh=JX|nzIy+wxbS~ks8x{_sKim|LdC^hW%O(sESE-3J$HDxgS$@4;PmVpOX7ImC1 zvTOz7g=aGRYso-vE<=p6O?>-H_9f?d)4hRg?4%vtuiA;D(0;XL%}=CpazRoA=11w( zM*5W}b^lO?8WJpWjNj;}ANw&2x!ZC*FEA~@$S=UX!}>cgAs;%HTwg&DvU@OyrGS&9 zew$}-fee{`WXd&EE>OP&RTbmSzpR^9e(;XW17ngt&zNX&8G{*;EsG8k;?xJ#jYviO 
zHn68O7VOs&Mk3xI@j`Zk?r|e8I8U15`*`BnS@TUe_Am0|hyv!ZvNcqiFC}Pba zmpf$AFku1819*gh#rne!z4D4>=vSiNlCZ_H@$pE1ClG6k-_(Tes5@4)mE;>SRo z0MR3s=iY-qza-^Zpx@l=P4E^{R1`rqXP7@M9((|#imqOReEti4qJP>&{1j|gBKySo zpL+sFk2NIp1f@XkMHtP&>(_x47 zP!G<&Qw8K3;XtT~^=wJ!=PZTf!wS?zAd=Df!*jyxa(ri*QKq&UDPNKlCkJ_FaJ- zZB7Tu$Q#P|zJZ`2`J6!-cUy!bea;w4!Qi{pCz|jAq%nXXNBDb5l3<}bs$;8?6lR$< z^de1sSkmiCWr5Ppv*khLL18R%qL_`=F+5?t&H0yVbpRV9YTlS?tTxQ^VW>=Bwmmz> zo&|4X&wB24!3*{ubp#J~^+z$^Qa$Y4N!}N3WB18{`6`6`r!tk3Fs@0xO@H$ru_h=h zw+c!4@OLp6ttPTsY);5c6*9q)8KFzu1FlZXd4RH+bt6qWPs>e8O*#m*fRG@zOP{R_ z`kQX!@-iac-uFp+WNr$opZJf-HJ~>zRROW!-m-!1G5h1ug50?(IY+84t|2PKWZpND z;~j(1tl(#bGaZL9FbvjE;rmfKMZKk~>h8DxDx^^DOT^T=`m2UMm$gP&+gIsj(w_BG zTDDn%e+cSp>_u?vDjHaRm=Re?(v?G!EJjnFjrV1>fMW0e3h)7PkNLxYBrFb&W?|c1 zt24@nh#coYG$8Olo0`Dad2~^m832J)5df)WH>k`CU6kxQ@?UG^k$SYP_n9_TAmluY zfpP}EpvbtbT&javH)*a5o9+egll5zzlyMWV+<=Aj{F8vU4eSznh>G6S-!?E#rMW}P ziV_BTf}|p1%e_ObnENaI8@W+!y7RbwK|VJcF}-B8_`%2R_vJiU%kJq>cN6VyYV$@( zykWzMRXb_8t6fj$X6{)x7JBt>;s+oroF+-aGs*^Q4lq!IZMfUKykMiXpGHh3fslD< zA`8--3FEW5GXYu4DJsUyk#j+7wmRJ(Ady|FwK|EbM+*aB-dEv4cVA3&ZD^uFWma4R zaWp)JMY4%r62UilFM@Q65AKaqrW5o)y@FxPN^uczhe+`=1&#>xqivc~li};qu|tp+ zDThd!P9>Fm`e0giML0mcp-CZc3<#NqGzxz9kMegt8uQ9E*_PlOS8q>WR|giqizqJ} z#Xh8IJqJHgRyYDlVcsuw!ZC1@72(rjOo6m)f%hk@$Gu-d*C~4@6HmxD=~~#?iGSzE z{LlL3oX#}3sWUt*q&Wnc2V!vaPV>qyTK-hfOD@wFNzf0$yvXAS$<<{gdog4#4Yt&k7pCSro6&KkOejL zHQyo4bMXlk?#1eMZ-ik(v;2{*?8}W-trhA5_pqx(Ef$lq<`w3c{@0_dTXl>;|2gKu zh6^>!rPbtbK8EL0RL{;)t-Q=zHr3W6#&Y9lydrQQQ}ag5u2G(w)!d5oo?g({#?p{M zSBSia9o4-7t|;7KBhva~;~cpf6S%rSE4P7l)?iL9I z3_uZqdtjU3U?J>co8wdmu|NNwTx`pmcoGM3VspXeia@bs|NSh9SzO^L?fv%W0kGOMu98A7<~w zR%zB@;U?zMMJ3Cvi-1Z%gBXM5BZL7n#&6yV(n@3k0COOsOGPk7D5-#f*3K=)&{4cl z-4I(}P*_E2gW2V&q<;Mxv!N27LVYd}JiD+8Shf%US3EB}zK(G}`!_ivs&xe-+ zeFfgKQE}vZu^L}LgJKc*U@BrC5w+2s#*lPW(-LEN{FCe z?b%s75nQi`Yi&BMNXI;3eBw2(T59|dGf)5*d*$Cg!OteRp8v$JtInEhl5NEb9r_eNQor?&Ld8# zQ}__UrDUD4maI)PkJImOZ*Ky!qL~&%E1lE7@6=9H@j1Y`eTpW$CY6~K3Gvt*=|bPs 
z#SI&Q;??APlT8+k$&3oZAAXWKAer{@3QcXWP#-8*VVJWFRH}qb}19>0M1I|mKNLIcca|zUrp8B>*!3^e|yv!II zj~Hd?rxQ_rDNP4w2W(F!J${)Rx6u;pB~(6ZGp2juvJ@Lue3z}BgO8>rBz}n-=g|`A zI4{4@rdeiP#@-ty82eAs)sGY#Mso#M-deM^*}j)Hgkk(+3vkT%HoD1Q6OV<)7la@53CYb%pem5)O*hDM|!V+g;kGG z%XuRgY8MpBRAU;ErpI@U;2$;`ywO&e_i}y@TuKPh6z3WHG=h`sOMMEl zQ?xuIMJap4E<>jE20C9QWww>wUj_OoS0-^j+B}ilLDStcV!NYI)Sz9dR4aLWnE;v- z-d|ZO2mcA@vlTqLfYfIT355GwH;bY=D#wb4{6JBzPEtE}(bDm+?ONV=zKK~W>h366 zv=J-}QMbK$>A2pI2}K%PhMJg>#IhSgdUc_>(_;69ga)^GY`s5Ks3D1%q%k^!f@5Q% z)TwL^gI6mf@qmiqA`6$oP|7|C6zPoc#hDyO?zHVgOw0A8 z6-x5rAt=N{c~#v#?lWrgq<;DL3n2*04)qAWxpP{ibiUF8yRgJ^I;OqQ+1bKEyURE)k{A^KSVD~nd8CV*2U19a}U^`K2HeOIA0ow zsaor5mC)ZB3(nfg=GEnk-*%ee4i#G!PwqjwzRFAGxgQP5&FcV2rn2_VO`HAUeNJen z>WA!!d18+@h7UCtTWp`GDa5WU^q{p5Ws&)_&O)ID@RROq7iUf{h9Kh*=W%yv+#hC?m`Dp8tS4oii?qfB^lEIG4!Pj55MbOs1`tXK-^7f3vP zPVslF>G()I@ad@gW1_vC)0i;~li7@qxK{TTM*L|*miN&v^PRQx(q(BXJOML*2vk_L z?$r`0am)xSVD_t^BriC6U{239yf=iZO+H?8IB`HVRz`P$O30o_W*pSx`3yyf;1%_D zK)<4+HIdmAjADWHGc|c@2D>7kltAu(?pfdbRpCNiSfbq;bb=6n{Fcyh57UDNiZYS^ z66UKih6^c7E0p2ku_p#e*h!S%LOf@S6C^;SoUQkD-vz@*#k~V;m|$e;`U-K+9=2B3 zg``2W?MhVVNeEH=dA@Da*k5C9Q5bw@%nLi~rhQ2DAtGpB{W9*OnQB!B-B*^ITEdNE zR9iJT$6UO4z6m z@upR-77OZ#2qZ#7(1hm-dN&2XS-XFQ`NA~vKSxD#Fb1MPkQJbmBwjzbpj;js-MZq7 z6)4__sw97sU&E^n)U+(?Dp;3m|7H`$^<8_?HaTm#u@=#>0Zlf-?b2e!9O3mNS@j>H{2l12b^LBNA3Rc}~rH1wK5lm1) zP~d}r;7tF?J$ywv%ci&VOK8_s%kJ>dR^J-xZ24^c21n1S7S&awGX6vE#`0AU#_Mol z`~dQ3N--ZdYJN1JAVx-D_T$dR01WP@Gvd|bzlQEpXeTxu{Sb1!V{2z&;0gk9_bjhw zY8yL75$*6rPAVtMCFF6e(VmfYo>`yHGgM))c2di*%lrIvrP<=O`bx#fvl^k4JO&%N zzj2uFSn)Z+M-Up111(`lrwoS^#D+ymht&>a($?C6W*ezFlk7LCe?pP0Y#DEW51lJ; z#V`QaSA|NW?)EY%kJ>{c70E;z<5P$gTUIWg)6MCE44S= zd7imOC=TYjMFCgfFVjFv+sIVYlDL!ErZ@>!W8H99e3{es@wI zfUhuF|Bcu>fzYK?{v(buG-0viql9Zbdu#>l3dxY+me=CZ$>zNkKbBW}g%AD>ASGLh zjPWaOkO$v(&gc2Fls`*Xs1bq@?F5m0BolDRp>(iysGsU_>t-(xJ3#nVzCvCoh5&?r zVWTkk_n-yoM*VEJdf)ABX3@Q6JAb*=izGGnVY_(QwF(DBGzPcJhRXrpes`ZbcV_?; zeQ+6r$0M{ndThdQL!w+|T8(14!am6d5~f>?1bH&ZAYG0M$>)Z_KeXX(1=s@qEtYBm 
zfe`V}1||l-XPx;s1F*{u!nhVb*SvQCMN-)3P$nK~<_X8)=9fGrisLww0zxbjY2lO^ z3*_)v)zYSQ9ndzo$rPwdfJO}aCR5O`5{z5ph1PNxZ<}!z77H|*FMQcE*{@lYksMXD1z(s5bMnz_wHh# zFAB<6`l&hggOaVoMaEtPeKVAj2G?P19hOYr9kNO(i&QP^)Tp9%X1H!WyzFxXhE5zn z$nWj}uRWm@mopzBK1m*+YU!vdn&=VK0LCbgsYDDM>w1cT>?_wd;N~zVuq^d%q3TZ= z)=Bty804&*VO$V)K)I`dqUps6acoSOHT^HBs0g{7NnLOYKvFw_-Z;aXtZW!%I*krc zd@%KQSvBlWe+mO$UVCPGfPp?EhSa(oJooDl2$I7*laP+DL|$hm#%YVO3?+`IGU;H9bU1coApb^_p-mRMJD2oY1Xu1# z>sNo<$WesBq_jd?$4`lj~gwGEsz*FNQJ9cXFCn>q8|GspGE&)J{;=C$&U zJfW5EE`Ky=I0_T2YQPrrU6fYy@|tuX(8=0+?wF3ZiWAvSoY22BSD0PPX*8b*F+=IC zzQ6epzD01Ji%BVzi?(jUexI-hz)=P-2bI`W_DGcjHy^$6Vv(N12%XGW^`FrouY))b zg`;zubA34w*OaE(Q7XMYNW%l338ksYDfV1Li31Y&3KQbAjjDr%oxS0eZ!ZShyycL+ zprpREWM9_X^N!oNNAof)HxZ~lifAaF6&r@c6(8nkMZ&b{vkhJByuS&zeO58_p&FXh=! zeCW0K$om{&^5Hz$ZQo^WpJu_XxWV#$?WWu6Z-DWHK2tEb+3w)LAj39G%(ETTJa&k` zd*hSsB<3wF6q=u)HL@9UI6kf#OGXYmrAai;(ogn#S(fB_vKioIvcuI&UZ3X&7SFFN z)8X9v@-zjJ!bL+?PxE2BT;sNH$Eo;bo1o62x}xlet)Vg0j+qQ!ouR&jLIp@%y;Amn zbV*_^&D@lmk~?}NX2cCJFx%nj>%WFwdl&<$Wc>pK76k5Nzr$Cu%LW zHwjmZA0rzB3nwQtA0rQYadNS`c{|uUxYl^rdpUSMowN_^;x`-*yIr(9Dw;DmSBsxC zV?bVlsJsB0rKy1@dFo)4$^_kGp>-8>mU*Vge3%q}_9(%Ny`8nsn3;^_OX@PxpgZgygxUof;!IugUCS0NuN2I3_CAt6fKy)=daQBx zjX%y*7oW(1CHp742(4-E`h$2+b)?`8_MbAl@fkS{{MkL7F_{}{0;NGh5?%3S_}d)A z8E_xEjf{}Ol?(>y!Kr%8gviTL?cBTM08`O&MP*e!+s&2+Xo$lVjNOx#si92_RNsvu z^UE>PRu+g<_e67f!Blen{g2H#k_|)rv z8tiL5N+@f4*|sj%=SZZC@AbzRery+;>P~G{5<{)?@#aFAOCD777k{*ihio*(#Fu((!|y@ z@Ku|1s`zQp;x2KZqU~Nk!t5;ftLJfpW-0fngJv<~W+lT2=~3ulW-05!&PX5_tFu|w z_#KPyReAXr6lwIS-wXU#=(xpYNTWkXQt@6@*QFmQd==FTFyeDNLKVAsO`kK5FGwXl zaK8mI#L5MHm10f{0jznivo^$0D4&s8J+I@5iUP3l@W`Y{-QV<`&iey+s+@Kd|9mkt zC)`@{)o$<~euG>$)Xw2qSWJK6qmhar`SD6Phzu0SYl~zxWxE4>&?*m47Z+zoI~NZh zdlwHccPBST_m`WC$)Dl*>CHpgPc+}jfQpUj6=(AAK5IagVQAwl9(NkEW%dnPx@gIq zWPRm49#9o!J!Mc8W?YqI7Re0g&7is7z|6~47=s)I> zivKXzRs4s!uHrw;(e3pW|IJ)g!46z$fvUEAQCH!ZO}{rYG|S(4$m1E zmXS`=`OW}H@lFm*C!7BUa;yF~#!Ce31Dm)`0yvnFJt{DjS@@nR5+T!gVzT2A946SmvvMGp8wd)opNaaZr)L!Ftkd?2jvXC(#0(YPj9_B*nrE>W!|B4|^wD 
z7dt!Wo7)RJ<8wtwt_j&)Rr@`av-FrFeyi@lTIQCazGR&(7MGdK#P!RmG~q;i;}8ZY{bY*CDmaSGI$|$0W2mGi16k!FfB3? zkD$8F9z!!W81qV80GYpu${^pqkPfB9xsy;fX)#SLOgkQ5CP&lXLajxCSMz(xRzN83 zi1-vW9+Yf~&Y#}${L+VVflLsCRRI~#)sUZXM?$jwE8O72j9Nw~dHf<9qaMqU-ZCDZ zi+~m=@TyNi%!z>!(jr#D%$rjKn-ql9Q5P~O_1qD~D0TD5%2DG~{(YVPRaT{8qXWM> zi{>~SzuK*;7a%8@ScI>Dn>B}-bR4B^?ljia*W8)#MoJI9&bgmAKMi~iHge&A>5 zOj+U5Xn1B)q?RK+r}L3vzH&|a+-Ryy6lRmb=AHS%4Cw6|7KT+VOm83M%0E4BI{q?J zQ2qrN;}2Cxq)-*}lC`{%^C0PZuB#QJb?98GcnDUzy}!u!pT!bAx7|D(#oi9@6&2jzw#v zp+D%JGJwt_pw9RjsL5?JpicHNK<&S(fp(ol*yn)UO`vH?RDkZG&?*7wfbJ##t6CrB zzp6pqO<;e}`Z*cjZ+WMHPmH(a~QMKs)_E7s0p0X@s=qxS<26x^* zTsnKySa-g*LEJ9j(C|}(uXyxPa`nGXFao5{XIg@X{r3KT**f%xQmOcT!AiQ|b-QA} zZSznajcVUmzak_e`dX$!0I)6Xyy%s~5f@x6t*;(uXY4_!k~ z1oK0x8=L8*?u?NJ@qTz~`XU{^Mbu7)egKc94^;S6s)kr)imxQe!IVULjvBzA>db-s zMu+Lvg9dz*3_2iiLVqqA2tg{46pr8E$hpeE5{jyLl0I%$;>CVFYr=Kvr>DlXqSkZhYOz)up= zGvh{Nf`T#(Q5;3oMmYwaKROJ*1;?cHq^LgqC)G*3l8v8n*aTA?LzzCqW@N&w*@yBw zO8aeFPBaDoT4fTA5Mjw02SbF!!T$+IH>#FW%BS7i?5InccB>}g?U4#gIS-mPCTAWE zOg0Hb&Go~AjY4-S-*F!GiGbH?|4p|hrBCp$PpgR+;i0>pBP*49ROGTh!NMM*9S;cq zH~301qrC{<^XqB}v2leFPjmnD8FA+X5hlU0E+hNFDQCcX=ga^NO}$5A0f^$V+DqeK zlKumran&TUyRTZulja+^yL$vR*dW+db!_Ysy(GNyG`uVjS<#NBIFHWde9z=OpX6DO zY)#^A-_%z?_G@5vL11=2JZnf*)rZZ49w(kvc=Yfd=xS~LyQpt)2$4k++>_a@Shz$C zh9Y}Fy$)q9LWu*iOD?;8H3pGpNVFu{O1d)Kc*jH>?y&y|VNZKWHPTzr&2+gqpF#Q- z@a5FLFkV7sWMP@=+A~X4d*i8bnc&(J`%rZwbK*SCxr<#}+1YKX{V?PDIC>EiS1q~o zE|XV9Gi>(HmD*UxktaUEiNtZOj`KJRO65Stpa)N7fv=!sIeefJ%uZ|&jn@L5BmBZA z`Ii3Hb6GsZToRein)q2+tan@$PucUAs7@ko+_BinAGw1iy{mc4WOd4m#40^fGaz}@ z>?+bKqnGRF`1jwGBOnkm@c)02=HIB}e_ciX|1tlcwVMC?kpFvF@_!!z08r$w|8Ga< Z{~4W>lLQ6(PYBSzJLsPkW&F?E{{jie{B!^S literal 0 HcmV?d00001 diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json b/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json new file mode 100644 index 00000000000..b43f921e192 --- /dev/null +++ b/Solutions/Samsung Knox Asset Intelligence/Package/createUiDefinition.json 
@@ -0,0 +1,253 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Samsung%20Knox%20Asset%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Knox Asset Intelligence for Microsoft Sentinel solution enables enterprise IT and SecOps (Security Operations) administrators to view and manage security threats to their Samsung Knox mobile devices. By integrating security events and logs from Knox Asset Intelligence with the Azure Monitor Log Ingestion API, the solution lets enterprise organizations easily view, identify and investigate security threats in near-real-time with Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Samsung Knox Asset Intelligence. You can get Samsung Knox Asset Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "workbooks",
+ "label": "Workbooks",
+ "subLabel": {
+ "preValidation": "Configure the workbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Workbooks",
+ "elements": [
+ {
+ "name": "workbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Knox Asset Intelligence for Microsoft Sentinel solution installs a workbook that summarizes the mobile security events reported by Samsung Knox devices over a selected reporting period. You can use this workbook to quickly assess the threat type and severity, or identify patterns and anomalies in order to help prioritize incident responses or further investigations."
+ }
+ },
+ {
+ "name": "workbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+ }
+ }
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "Samsung Knox Asset Intelligence",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Knox Asset Intelligence for Microsoft Sentinel solution installs a workbook that summarizes the mobile security events reported by Samsung Knox devices over a selected reporting period. You can use this workbook to quickly assess the threat type and severity, or identify patterns and anomalies in order to help prioritize incident responses or further investigations."
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "analytics",
+ "label": "Analytics",
+ "subLabel": {
+ "preValidation": "Configure the analytics",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Analytics",
+ "elements": [
+ {
+ "name": "analytics-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution comes with the following analytic rule templates, based on critical mobile security event data captured from Samsung Knox devices. You can also customize these analytic rule templates based on your organization’s needs."
+ }
+ },
+ {
+ "name": "analytics-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ },
+ {
+ "name": "analytic1",
+ "type": "Microsoft.Common.Section",
+ "label": "Knox Application Privilege Escalation or Change",
+ "elements": [
+ {
+ "name": "analytic1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic2",
+ "type": "Microsoft.Common.Section",
+ "label": "Knox Keyguard Disabled Feature Set",
+ "elements": [
+ {
+ "name": "analytic2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Indicates that an admin has set disabled keyguard features on a Knox device."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic3",
+ "type": "Microsoft.Common.Section",
+ "label": "Knox Mobile Device Boot Compromise",
+ "elements": [
+ {
+ "name": "analytic3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "When Knox device boot binary is at risk of compromise."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic4",
+ "type": "Microsoft.Common.Section",
+ "label": "Knox Password Lockout",
+ "elements": [
+ {
+ "name": "analytic4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic5",
+ "type": "Microsoft.Common.Section",
+ "label": "Knox Peripheral Access Detection with Camera",
+ "elements": [
+ {
+ "name": "analytic5-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "When Knox device camera access has been detected through system policy when such access is disabled."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic6",
+ "type": "Microsoft.Common.Section",
+ "label": "Knox Peripheral Access Detection with Mic",
+ "elements": [
+ {
+ "name": "analytic6-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "When Knox device microphone access has been detected through system policy when such access is disabled."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic7",
+ "type": "Microsoft.Common.Section",
+ "label": "Knox Suspicious URL Accessed Events",
+ "elements": [
+ {
+ "name": "analytic7-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence."
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
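Review bot: `resourceProviders` under `basics.subscription` lists `Microsoft.Logic/workflows` although the same blade's description advertises 1 data connector, 1 workbook and 7 analytic rules and no playbooks; the wizard asks the installer to register every provider listed, so an unused one only adds friction and could be dropped unless the packaging tool emits it unconditionally. The `workspace` dropdown's `allowedValues` picks workspaces with `contains(toLower(filter.id), toLower(resourceGroup().name))`, a substring test on the full resource id, so a workspace in a resource group whose name merely contains the chosen group's name is also offered; `outputs.workspace-location` then narrows by `equals(filter.name,basics('workspace'))`, which still resolves to the first match if two such groups hold a workspace of the same name. Both look like standard generator output, so if they are kept as-is a short note in the PR description would save the next reviewer the question.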
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
new file mode 100644
index 00000000000..d0c689f4ad7
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
@@ -0,0 +1,1335 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Samsung - kai.sme@samsung.com",
+ "comments": "Solution template for Samsung Knox Asset Intelligence"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Samsung Knox Asset Intelligence",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+ },
+ "variables": {
+ "email": "kai.sme@samsung.com",
+ "_email": "[variables('email')]",
+ "_solutionName": "Samsung Knox Asset Intelligence",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "samsungelectronics1734042706970.samsung-knox-asset-intelligence-sentinel",
+ "_solutionId": "[variables('solutionId')]",
+ "uiConfigId1": "SamsungDCDefinition",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "SamsungDCDefinition",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
+ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "_dataConnectorId1": "[variables('dataConnectorId1')]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+ "dataConnectorVersion1": "1.0.0",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "workbookVersion1": "1.0.0",
+ "workbookContentId1": "SamsungKnoxAssetIntelligence.json",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.0.0",
+ "_analyticRulecontentId1": "215e89ca-cdbc-4661-b8b2-7041f6ecc7fb",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '215e89ca-cdbc-4661-b8b2-7041f6ecc7fb')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('215e89ca-cdbc-4661-b8b2-7041f6ecc7fb')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','215e89ca-cdbc-4661-b8b2-7041f6ecc7fb','-', '1.0.0')))]"
+ },
+ "analyticRuleObject2": {
+ "analyticRuleVersion2": "1.0.0",
+ "_analyticRulecontentId2": "fb4853c9-28c1-4dab-830c-e086cb975170",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fb4853c9-28c1-4dab-830c-e086cb975170')]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fb4853c9-28c1-4dab-830c-e086cb975170')))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fb4853c9-28c1-4dab-830c-e086cb975170','-', '1.0.0')))]"
+ },
+ "analyticRuleObject3": {
+ "analyticRuleVersion3": "1.0.0",
+ "_analyticRulecontentId3": "fae7e371-aee8-4d3f-8311-2255a45a30b3",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fae7e371-aee8-4d3f-8311-2255a45a30b3')]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fae7e371-aee8-4d3f-8311-2255a45a30b3')))]",
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fae7e371-aee8-4d3f-8311-2255a45a30b3','-', '1.0.0')))]"
+ },
+ "analyticRuleObject4": {
+ "analyticRuleVersion4": "1.0.0",
+ "_analyticRulecontentId4": "fbff0a97-1972-4df8-a78c-254ccb9879ef",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fbff0a97-1972-4df8-a78c-254ccb9879ef')]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fbff0a97-1972-4df8-a78c-254ccb9879ef')))]",
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fbff0a97-1972-4df8-a78c-254ccb9879ef','-', '1.0.0')))]"
+ },
+ "analyticRuleObject5": {
+ "analyticRuleVersion5": "1.0.0",
+ "_analyticRulecontentId5": "cd526f4d-dbe9-4149-8a0a-9ec43c3abb16",
+ "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cd526f4d-dbe9-4149-8a0a-9ec43c3abb16')]",
+ "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cd526f4d-dbe9-4149-8a0a-9ec43c3abb16')))]",
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd526f4d-dbe9-4149-8a0a-9ec43c3abb16','-', '1.0.0')))]"
+ },
+ "analyticRuleObject6": {
+ "analyticRuleVersion6": "1.0.0",
+ "_analyticRulecontentId6": "e4032fd2-4d05-4302-b7c0-f3f0380e2313",
+ "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e4032fd2-4d05-4302-b7c0-f3f0380e2313')]",
+ "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e4032fd2-4d05-4302-b7c0-f3f0380e2313')))]",
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e4032fd2-4d05-4302-b7c0-f3f0380e2313','-', '1.0.0')))]"
+ },
+ "analyticRuleObject7": {
+ "analyticRuleVersion7": "1.0.0",
+ "_analyticRulecontentId7": "18d4d4f3-6605-4fd2-968c-82c171409c1c",
+ "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '18d4d4f3-6605-4fd2-968c-82c171409c1c')]",
+ "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('18d4d4f3-6605-4fd2-968c-82c171409c1c')))]",
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','18d4d4f3-6605-4fd2-968c-82c171409c1c','-', '1.0.0')))]"
+ },
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Samsung Knox Asset Intelligence data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "Samsung Knox Asset Intelligence (Preview)",
+ "publisher": "Samsung",
+ "descriptionMarkdown": "Samsung Knox Asset Intelligence Data Connector provides you the ability to centralize mobile security events and logs to view customizes insights in Workbooks and create incidents based on Analytics Rules templates.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Samsung User Events logs",
+ "baseQuery": "Samsung_Knox_Audit_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "One-line title for your sample query 1",
+ "query": "Samsung_Knox_Audit_CL\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Samsung_Knox_Application_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_Application_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_Audit_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_Audit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_Process_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_Process_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_Network_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_Network_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_User_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_User_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Samsung_Knox_System_CL",
+ "lastDataReceivedQuery": "Samsung_Knox_System_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Samsung_Knox_Audit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions on the Log Analytics Workspace are required to enable the Solution. You can either choose an existing Log Analytics workspace or create new. [See the documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) to learn more about Log Analytics workspace creation.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Entra App",
+ "description": "An Entra Application needs to be registered and provisioned with 'Sentinel Contributor'/ 'Microsoft Metrics Publisher' role to setup client secret-based authentication for data transfer. [See the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) to learn more about Entra App creation/registration and creating Client Secret credentials"
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "apiVersion": "2020-01-01",
+ "location": "[parameters('location')]",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('connectorId'))]",
+ "kind": "Office365",
+ "properties": {
+ "tenantId": "[subscription().tenantId]",
+ "dataTypes": {
+ "exchange": {
+ "state": "[parameters('exchangeState')]"
+ },
+ "sharePoint": {
+ "state": "[parameters('sharePointState')]"
+ },
+ "teams": {
+ "state": "[parameters('teamsState')]"
+ }
+ }
+ }
+ }
+ ],
+ "instructionSteps": [
+ {
+ "description": "This Samsung Knox Data Connector uses Microsoft Log Ingestion API that push security events into Microsoft Sentinel from Samsung Knox Asset Intelligence solution."
+ },
+ {
+ "description": ">**Note**: : Since this Data Connector is designed to support Client Secret-based authentication to securely transfer data, the user must create the Client Secret as credentials during the Entra application creation and registration. 
Ensure you copy the Client Secret value as soon as it is generated.\n\n>**IMPORTANT**: Save the Tenant (Directory) ID, Client (Application) ID and Client Secret (Secret Value) values", + "title": "STEP 1 - Create and register an Entra Application " + }, + { + "description": ">**Note**: Once you have installed Samsung Knox Asset Intelligence for Microsoft Sentinel Solution in Sentinel, a Data Collection Rule (DCR) associated with a Data Collection Endpoint (DCE), is auto-generated. To view this information, navigate to [Data Collection Rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules?) and look for DCR with its Name starting with **'samsung-knox-dcr-....'** and click on the DCR to view associated details.\n\n>**IMPORTANT**: Save the values for Immutable ID (DCR) and Data Collection Endpoint", + "title": "STEP 2 - Obtain Sentinel Data collection Details" + }, + { + "description": "1. Login to [Knox Asset Intelligence administration portal](https://central.samsungknox.com/kaiadmin/dai/home) and navigate to **Dashboard Settings**; this is available at the top-right corner of the Portal\n> **Note**: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions\n\n2. Click on Security tab to view settings for Security Operations Integration and for Knox Security Logs.\n\n3. In the Security Operations Integration page, toggle on the **'Enable Microsoft Sentinel Integration'** and enter appropriate values in the required fields - \n\n a. For Tenant ID, Client ID and Client Secret, refer to the information saved from Step 1 while registering the Entra application \n\n b. For Sentinel DCE and DCR, refer to the information saved from Step 2 \n\n4. Click on the **'Test Connection'** and ensure the connection is successful.\n\n5. Before you can Save, configure Knox Security Logs by selecting wither Essential or Advanced configuration **(default: Essential)**\n\n6. 
To complete the Sentinel integration, click **'Save'**", + "title": "STEP 3 - Connect to Samsung Knox Asset Intelligence solution to configure Microsoft Sentinel to push select Knox Security Events as Alerts -" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Samsung Knox Asset Intelligence (Preview)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Samsung Knox Asset Intelligence (Preview)", + "publisher": "Samsung", + "descriptionMarkdown": "Samsung Knox Asset Intelligence Data Connector provides you the ability to centralize mobile security events and logs to view customizes insights in Workbooks and create incidents based on Analytics Rules templates.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Samsung User Events logs", + "baseQuery": "Samsung_Knox_Audit_CL" + } + ], + "dataTypes": [ + { + "name": "Samsung_Knox_Application_CL", + "lastDataReceivedQuery": "Samsung_Knox_Application_CL\n | summarize Time = max(TimeGenerated)\n | where 
isnotempty(Time)" + }, + { + "name": "Samsung_Knox_Audit_CL", + "lastDataReceivedQuery": "Samsung_Knox_Audit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Samsung_Knox_Process_CL", + "lastDataReceivedQuery": "Samsung_Knox_Process_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Samsung_Knox_Network_CL", + "lastDataReceivedQuery": "Samsung_Knox_Network_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Samsung_Knox_User_CL", + "lastDataReceivedQuery": "Samsung_Knox_User_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Samsung_Knox_System_CL", + "lastDataReceivedQuery": "Samsung_Knox_System_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Samsung_Knox_Audit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "One-line title for your sample query 1", + "query": "Samsung_Knox_Audit_CL\n | take 10" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions on the Log Analytics Workspace are required to enable the Solution. You can either choose an existing Log Analytics workspace or create new. 
[See the documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) to learn more about Log Analytics workspace creation.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Entra App", + "description": "An Entra Application needs to be registered and provisioned with 'Sentinel Contributor'/ 'Microsoft Metrics Publisher' role to setup client secret-based authentication for data transfer. [See the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) to learn more about Entra App creation/registration and creating Client Secret credentials" + } + ] + }, + "instructionSteps": [ + { + "description": "This Samsung Knox Data Connector uses Microsoft Log Ingestion API that push security events into Microsoft Sentinel from Samsung Knox Asset Intelligence solution." + }, + { + "description": ">**Note**: : Since this Data Connector is designed to support Client Secret-based authentication to securely transfer data, the user must create the Client Secret as credentials during the Entra application creation and registration. Ensure you copy the Client Secret value as soon as it is generated.\n\n>**IMPORTANT**: Save the Tenant (Directory) ID, Client (Application) ID and Client Secret (Secret Value) values", + "title": "STEP 1 - Create and register an Entra Application " + }, + { + "description": ">**Note**: Once you have installed Samsung Knox Asset Intelligence for Microsoft Sentinel Solution in Sentinel, a Data Collection Rule (DCR) associated with a Data Collection Endpoint (DCE), is auto-generated. To view this information, navigate to [Data Collection Rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules?) 
and look for DCR with its Name starting with **'samsung-knox-dcr-....'** and click on the DCR to view associated details.\n\n>**IMPORTANT**: Save the values for Immutable ID (DCR) and Data Collection Endpoint", + "title": "STEP 2 - Obtain Sentinel Data collection Details" + }, + { + "description": "1. Login to [Knox Asset Intelligence administration portal](https://central.samsungknox.com/kaiadmin/dai/home) and navigate to **Dashboard Settings**; this is available at the top-right corner of the Portal\n> **Note**: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions\n\n2. Click on Security tab to view settings for Security Operations Integration and for Knox Security Logs.\n\n3. In the Security Operations Integration page, toggle on the **'Enable Microsoft Sentinel Integration'** and enter appropriate values in the required fields - \n\n a. For Tenant ID, Client ID and Client Secret, refer to the information saved from Step 1 while registering the Entra application \n\n b. For Sentinel DCE and DCR, refer to the information saved from Step 2 \n\n4. Click on the **'Test Connection'** and ensure the connection is successful.\n\n5. Before you can Save, configure Knox Security Logs by selecting wither Essential or Advanced configuration **(default: Essential)**\n\n6. 
To complete the Sentinel integration, click **'Save'**", + "title": "STEP 3 - Connect to Samsung Knox Asset Intelligence solution to configure Microsoft Sentinel to push select Knox Security Events as Alerts -" + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxAssetIntelligence Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "This Knox Asset Intelligence for Microsoft Sentinel solution installs a workbook that summarizes the mobile security events reported by Samsung Knox devices over a selected reporting period. You can use this workbook to quickly assess the threat type and severity, or identify patterns and anomalies in order to help prioritize incident responses or further investigations." 
+ }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5b5bf4e9-62b8-4ef2-aeb3-ecd249fb6187\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CustomTimeRange\",\"label\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"6b4373f0-7c1a-47d8-baed-bc5d0cd7233e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"timebrush\",\"label\":\"Time Filter\",\"type\":4,\"isRequired\":true,\"isHiddenWhenLocked\":true,\"typeSettings\":{\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":60000,\"endTime\":\"2016-12-12T18:01:00Z\"}},{\"id\":\"a40ffccc-08a0-4e15-9bf2-3ed99658d4d8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"selectedseverity\",\"label\":\"Severity\",\"type\":2,\"description\":\"Filter on Security Events by Severity\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\\"high\\\", \\\"med\\\",\\\"low\\\"]\",\"value\":[\"value::all\"]},{\"id\":\"e2572416-ae1f-42db-8c31-8d0d4c4315d4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"selectedtype\",\"label\":\"Type\",\"type\":2,\"description\":\"Filter on Security Events by Type\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\\"Audit\\\",\\\"Application\\\", \\\"Process\\\", \\\"User\\\", \\\"Network\\\", 
\\\"System\\\"]\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nlet severityParam = dynamic([{selectedseverity}]);\\nlet maxdatapoints = 10000;\\nlet starttime = {CustomTimeRange:start};\\nlet endtime = {CustomTimeRange:end};\\nlet day = datetime_diff('day',endtime,starttime);\\nlet initialbinsize = case(day >=30, 1d, day >=7, 1d, day >=1,1h,5m);\\nlet datapoints = (binsize : timespan){\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n| where TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end} \\n| where Severity in (severityParam)\\n| summarize Count=count() by Name, bin(TimeGenerated,binsize)};\\n\\nlet totalpoints = datapoints(initialbinsize) |summarize totalrows = count();\\nlet inttotalpoints = toint(toscalar(totalpoints));\\nlet binsizefactor = inttotalpoints/maxdatapoints +1;\\nlet binsize = binsizefactor * initialbinsize;\\n\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in 
(selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n| where TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end} \\n| where Severity in (severityParam)\\n| summarize Count=count() by Name, bin(TimeGenerated,binsize)\\n\",\"size\":2,\"title\":\"Total events\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  Please update the filters applied.\",\"timeBrushParameterName\":\"timebrush\",\"timeBrushExportOnlyWhenBrushed\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"60\",\"name\":\"query - 7\",\"styleSettings\":{\"margin\":\"0px\",\"padding\":\"0px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\n\\nlet severityParam = dynamic([{selectedseverity}]);\\nlet audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n|where iff('{timebrush:label}'==\\\"12/12/2016 10:00 AM - 10:01 AM\\\" , TimeGenerated >= 
{CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\\n|where Severity in (severityParam)\\n| summarize count() by Severity\\n| where Severity in ('high', 'med','low')\\n|order by case( Severity == 'high',3, Severity == 'med',2, Severity == 'low',1,0)\\n\",\"size\":4,\"title\":\"Events by severity\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  Please update the filters applied.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"severity\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"severity\",\"color\":\"redBright\"},{\"columnName\":\"severity\",\"color\":\"orange\"},{\"columnName\":\"severity\",\"color\":\"lightBlue\"}]}}},{\"columnMatch\":\"count_\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"severity\",\"color\":\"lightBlue\"},{\"columnName\":\"severity\",\"color\":\"lightBlue\"},{\"columnName\":\"severity\",\"color\":\"lightBlue\"}]}}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"redBright\",\"text\":\"{0}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"yellow\",\"text\":\"{0}\"},{\"operator\":\"==\",\"thresholdValue\":\"med\",\"representation\":\"orange\",\"text\":\"{0}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}\"}]}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"none\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits
\":3}}},\"showBorder\":true,\"sortOrderField\":1}},\"customWidth\":\"100\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let severityParam = dynamic([{selectedseverity}]);\\nlet audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n|where iff('{timebrush:label}'==\\\"12/12/2016 10:00 AM - 10:01 AM\\\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\\n|where Severity in (severityParam)\\n| summarize count() by Type\\n| render piechart \",\"size\":3,\"title\":\"Events by type\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  
Please update the filters applied.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Samsung_Knox_Application_CL\",\"label\":\"Application\"},{\"seriesName\":\"Samsung_Knox_Network_CL\",\"label\":\"Network\"},{\"seriesName\":\"Samsung_Knox_User_CL\",\"label\":\"User\"},{\"seriesName\":\"Samsung_Knox_Process_CL\",\"label\":\"Process\"},{\"seriesName\":\"Samsung_Knox_Audit_CL\",\"label\":\"Audit\"},{\"seriesName\":\"Samsung_Knox_System_CL\",\"label\":\"System\"}]}},\"name\":\"query - 11\"}]},\"name\":\"group - 9\"}]},\"customWidth\":\"40\",\"name\":\"group - 8\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nlet audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nlet severityParam = dynamic([{selectedseverity}]);\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n| where iff('{timebrush:label}'==\\\"12/12/2016 10:00 AM - 10:01 AM\\\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\\n| where Severity in (severityParam)\\n|project Time =TimeGenerated,\\nName,\\nSeverity,\\n[\\\"Device Model\\\"] = DeviceModel,\\nType = 
replace_string(replace_string(Type,\\\"Samsung_Knox_\\\",\\\"\\\"),\\\"_CL\\\",\\\"\\\"),\\nProfile,\\n[\\\"MITRE Technique ID(s)\\\"] = array_strcat(MitreTtp,\\\", \\\")\\n| sort by Time desc\\n\\n\\n\",\"size\":2,\"title\":\"Event list\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  Please update the filters applied.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"dot-redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"med\",\"representation\":\"dot-orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"dot-yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"LOW\",\"representation\":\"dot-yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"HIGH\",\"representation\":\"dot-redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MED\",\"representation\":\"dot-orange\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":1000}},\"name\":\"query - 9\"}]},\"name\":\"group - 6\"}],\"fromTemplateId\":\"sentinel-SamsungKnoxAssetIntelligence\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": 
"@{workbookKey=SamsungKnoxAssetIntelligence.json; logoFileName=Samsung_Knox_Asset_Intelligence.svg; description=This Knox Asset Intelligence for Microsoft Sentinel solution installs a workbook that summarizes the mobile security events reported by Samsung Knox devices over a selected reporting period. You can use this workbook to quickly assess the threat type and severity, or identify patterns and anomalies in order to help prioritize incident responses or further investigations.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Samsung Knox Asset Intelligence; templateRelativePath=SamsungKnoxAssetIntelligence.json; subtitle=; provider=Samsung}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Samsung_Knox_Audit_CL", + "kind": "DataType" + }, + { + "contentId": "Samsung_Knox_Application_CL", + "kind": "DataType" + }, + { + "contentId": "Samsung_Knox_System_CL", + "kind": "DataType" + }, + { + "contentId": "Samsung_Knox_Process_CL", + "kind": "DataType" + }, + { + "contentId": "Samsung_Knox_User_CL", + "kind": "DataType" + }, + { + "contentId": "Samsung_Knox_Network_CL", + "kind": "DataType" + }, + { + "contentId": "SamsungKnoxAssetIntelligence", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": 
"[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxApplicationPrivilegeEscalationOrChange_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.", + "displayName": "Knox Application Privilege Escalation or Change", + "enabled": false, + "query": "Samsung_Knox_Process_CL | where Name == \"PROCESS_PRIVILEGE_ESCALATION\" and MitreTtp has \"T1548\"", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ 
+ { + "dataTypes": [ + "Samsung_Knox_Audit_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": [ + "T1548" + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Application Privilege Escalation or Change", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": 
"[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxKeyguardDisabledFeatureSet_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Indicates that an admin has set disabled keyguard features on a Knox device.", + "displayName": "Knox Keyguard Disabled Feature Set", + "enabled": false, + "query": "Samsung_Knox_Audit_CL | where Name == \"TAG_KEYGUARD_DISABLED_FEATURES_SET\" and MitreTtp has \"T1461\"", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Samsung_Knox_Audit_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1461" + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": 
"5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Keyguard Disabled Feature Set", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxMobileDeviceBootCompromise_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "When Knox device boot binary is at risk of compromise.", + "displayName": "Knox Mobile Device Boot Compromise", + "enabled": false, + "query": "Samsung_Knox_System_CL | where Name == \"BOOT_COMPROMISED_SOFTWARE_BINARY\" and MitreTtp has \"T1645\"\n", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Samsung_Knox_System_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "tactics": [ + "Persistence" + ], + "techniques": [ + "T1645" + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Mobile Device Boot Compromise", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxPasswordLockout_AnalyticalRules Analytics Rule with template version 3.0.0", + 
"mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.", + "displayName": "Knox Password Lockout", + "enabled": false, + "query": "Samsung_Knox_User_CL | where Name == \"PASSWORD_LOCKOUT\" and MitreTtp has \"T1110\"\n", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Samsung_Knox_User_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "kind": "AnalyticsRule", + "version": 
"[variables('analyticRuleObject4').analyticRuleVersion4]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Password Lockout", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxPeripheralAccessDetectionWithCamera_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": 
"[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "When Knox device camera access has been detected through system policy when such access is disabled.", + "displayName": "Knox Peripheral Access Detection with Camera", + "enabled": false, + "query": "Samsung_Knox_System_CL| where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA\" and MitreTtp has \"KNOX.2\"\n", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Samsung_Knox_Audit_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": 
"https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Peripheral Access Detection with Camera", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxPeripheralAccessDetectionWithMic_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "When Knox device microphone access has been detected through system policy when such access is disabled.", + "displayName": "Knox Peripheral Access Detection with Mic", + 
"enabled": false, + "query": "Samsung_Knox_System_CL | where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC\" and MitreTtp has \"KNOX.2\"\n", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Samsung_Knox_Audit_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDynamicProperties": [] + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Peripheral Access Detection with Mic", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SamsungKnoxSuspiciousURLs_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.", + "displayName": "Knox Suspicious URL Accessed Events", + "enabled": false, + "query": "Samsung_Knox_User_CL | where Name == \"SUSPICIOUS_URL_ACCESSED\" and ConfidenceScore > 0.9", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + 
"Samsung_Knox_User_CL" + ], + "connectorId": "SamsungDCDefinition" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1566" + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "5h", + "enabled": false, + "reopenClosedIncident": false, + "matchingMethod": "AllEntities" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", + "properties": { + "description": "Samsung Knox Asset Intelligence Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "Knox Suspicious URL Accessed Events", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": 
"[variables('analyticRuleObject7').analyticRuleVersion7]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Samsung Knox Asset Intelligence", + "publisherDisplayName": "Samsung Electronics Co., Ltd.", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Knox Asset Intelligence for Microsoft Sentinel solution enables enterprise IT and SecOps (Security Operations) administrators to view and manage security threats to their Samsung Knox mobile devices. By integrating security events and logs from Knox Asset Intelligence with the Azure Monitor Log Ingestion API, the solution lets enterprise organizations easily view, identify and investigate security threats in near-real-time with Microsoft Sentinel.

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 7

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Samsung Knox Asset Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Samsung", + "email": "[variables('_email')]" + }, + "support": { + "name": "Samsung Electronics Co., Ltd.", + "email": "kai.sme@samsung.com", + "tier": "Partner", + "link": "https://www2.samsungknox.com/en/support" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + 
"version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
+ }
+ ]
+ },
+ "firstPublishDate": "2025-01-15",
+ "providers": [
+ "Samsung"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Protection"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/testParameters.json b/Solutions/Samsung Knox Asset Intelligence/Package/testParameters.json
new file mode 100644
index 00000000000..67217bc6312
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Package/testParameters.json
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Samsung Knox Asset Intelligence",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/Samsung Knox Asset Intelligence/ReleaseNotes.md b/Solutions/Samsung Knox Asset Intelligence/ReleaseNotes.md
new file mode 100644
index 00000000000..b4eb363adc1
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------|
+
diff --git a/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json b/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json
new file mode 100644
index 00000000000..bfc7fcf7c4e
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json
@@ -0,0 +1,16 @@
+{
+ "publisherId": "samsungelectronics1734042706970",
+ "offerId": "samsung-knox-asset-intelligence-sentinel",
+ "firstPublishDate": "2025-01-15",
+ "providers": ["Samsung"],
+ "categories": {
+ "domains" : ["Security - Threat Protection"],
+ "verticals": []
+ },
+ "support": {
+ "name": "Samsung Electronics Co., Ltd.",
+ "email": "kai.sme@samsung.com",
+ "tier": "Partner",
+ "link": "https://www2.samsungknox.com/en/support"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Samsung Knox Asset Intelligence/Workbooks/SamsungKnoxAssetIntelligence.json b/Solutions/Samsung Knox Asset Intelligence/Workbooks/SamsungKnoxAssetIntelligence.json
new file mode 100644
index 00000000000..7c9b5827565
--- /dev/null
+++ b/Solutions/Samsung Knox Asset Intelligence/Workbooks/SamsungKnoxAssetIntelligence.json
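Review bot: SolutionMetadata.json is committed without a trailing newline (`\ No newline at end of file`) and the `"domains" :` key carries a space before the colon that no other key in the file has; end the file with a newline and write `"domains": ["Security - Threat Protection"],` so formatters and future diffs stay clean. `firstPublishDate` is 2025-01-15, about a month after this commit's date, which reads as the intended marketplace date rather than a typo; it matches the `firstPublishDate` in the contentPackages resource of mainTemplate.json, and the two values have to be bumped together so the package and its metadata do not drift. The empty `"verticals": []` and the `support` block are consistent with the mainTemplate copy, so nothing else in this hunk needs to change.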
@@ -0,0 +1,396 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "5b5bf4e9-62b8-4ef2-aeb3-ecd249fb6187", + "version": "KqlParameterItem/1.0", + "name": "CustomTimeRange", + "label": "TimeRange", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 3600000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 2592000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 604800000 + } + }, + { + "id": "6b4373f0-7c1a-47d8-baed-bc5d0cd7233e", + "version": "KqlParameterItem/1.0", + "name": "timebrush", + "label": "Time Filter", + "type": 4, + "isRequired": true, + "isHiddenWhenLocked": true, + "typeSettings": { + "selectableValues": [], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 60000, + "endTime": "2016-12-12T18:01:00.000Z" + } + }, + { + "id": "a40ffccc-08a0-4e15-9bf2-3ed99658d4d8", + "version": "KqlParameterItem/1.0", + "name": "selectedseverity", + "label": "Severity", + "type": 2, + "description": "Filter on Security Events by Severity", + "isRequired": true, + "isGlobal": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "jsonData": "[\"high\", \"med\",\"low\"]", + "value": [ + "value::all" + ] + }, + { + "id": "e2572416-ae1f-42db-8c31-8d0d4c4315d4", + "version": "KqlParameterItem/1.0", + "name": "selectedtype", + "label": "Type", + "type": 2, + "description": "Filter on Security Events by Type", + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "jsonData": "[\"Audit\",\"Application\", \"Process\", \"User\", 
\"Network\", \"System\"]", + "defaultValue": "value::all" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let audit = view(){\n Samsung_Knox_Audit_CL\n };\nlet application= view(){\n Samsung_Knox_Application_CL\n };\n let system= view(){\n Samsung_Knox_System_CL\n };\n let process= view(){\n Samsung_Knox_Process_CL\n };\n let user= view(){\n Samsung_Knox_User_CL\n };\n let network= view(){\n Samsung_Knox_Network_CL\n };\nlet selectedtables = dynamic([{selectedtype}]);\nlet severityParam = dynamic([{selectedseverity}]);\nlet maxdatapoints = 10000;\nlet starttime = {CustomTimeRange:start};\nlet endtime = {CustomTimeRange:end};\nlet day = datetime_diff('day',endtime,starttime);\nlet initialbinsize = case(day >=30, 1d, day >=7, 1d, day >=1,1h,5m);\nlet datapoints = (binsize : timespan){\nunion (audit() | where \"Audit\" in (selectedtables)), (application() | where \"Application\" in (selectedtables)),(process() | where \"Process\" in (selectedtables)),(user() | where \"User\" in (selectedtables)),(network() | where \"Network\" in (selectedtables)),(system() | where \"System\" in (selectedtables))\n| where TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end} \n| where Severity in (severityParam)\n| summarize Count=count() by Name, bin(TimeGenerated,binsize)};\n\nlet totalpoints = datapoints(initialbinsize) |summarize totalrows = count();\nlet inttotalpoints = toint(toscalar(totalpoints));\nlet binsizefactor = inttotalpoints/maxdatapoints +1;\nlet binsize = binsizefactor * initialbinsize;\n\nunion (audit() | where \"Audit\" in (selectedtables)), (application() | where \"Application\" in (selectedtables)),(process() | where \"Process\" in (selectedtables)),(user() | where 
\"User\" in (selectedtables)),(network() | where \"Network\" in (selectedtables)),(system() | where \"System\" in (selectedtables))\n| where TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end} \n| where Severity in (severityParam)\n| summarize Count=count() by Name, bin(TimeGenerated,binsize)\n", + "size": 2, + "title": "Total events", + "noDataMessage": "No security event data found for the selected time period, severity or type.  Please update the filters applied.", + "timeBrushParameterName": "timebrush", + "timeBrushExportOnlyWhenBrushed": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "60", + "name": "query - 7", + "styleSettings": { + "margin": "0px", + "padding": "0px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\n\nlet severityParam = dynamic([{selectedseverity}]);\nlet audit = view(){\n Samsung_Knox_Audit_CL\n };\nlet application= view(){\n Samsung_Knox_Application_CL\n };\n let system= view(){\n Samsung_Knox_System_CL\n };\n let process= view(){\n Samsung_Knox_Process_CL\n };\n let user= view(){\n Samsung_Knox_User_CL\n };\n let network= view(){\n Samsung_Knox_Network_CL\n };\nlet selectedtables = dynamic([{selectedtype}]);\nunion (audit() | where \"Audit\" in (selectedtables)), (application() | where \"Application\" in (selectedtables)),(process() | where \"Process\" in (selectedtables)),(user() | where \"User\" in (selectedtables)),(network() | where \"Network\" in (selectedtables)),(system() | where \"System\" in (selectedtables))\n|where iff('{timebrush:label}'==\"12/12/2016 10:00 AM - 10:01 AM\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, 
TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\n|where Severity in (severityParam)\n| summarize count() by Severity\n| where Severity in ('high', 'med','low')\n|order by case( Severity == 'high',3, Severity == 'med',2, Severity == 'low',1,0)\n", + "size": 4, + "title": "Events by severity", + "noDataMessage": "No security event data found for the selected time period, severity or type.  Please update the filters applied.", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "gridSettings": { + "formatters": [ + { + "columnMatch": "severity", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "severity", + "color": "redBright" + }, + { + "columnName": "severity", + "color": "orange" + }, + { + "columnName": "severity", + "color": "lightBlue" + } + ] + } + } + }, + { + "columnMatch": "count_", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "severity", + "color": "lightBlue" + }, + { + "columnName": "severity", + "color": "lightBlue" + }, + { + "columnName": "severity", + "color": "lightBlue" + } + ] + } + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "high", + "representation": "redBright", + "text": "{0}" + }, + { + "operator": "==", + "thresholdValue": "low", + "representation": "yellow", + "text": "{0}" + }, + { + "operator": "==", + "thresholdValue": "med", + "representation": "orange", + "text": "{0}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}" + } + ] + } + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "none" + }, + 
"numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": true, + "sortOrderField": 1 + } + }, + "customWidth": "100", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let severityParam = dynamic([{selectedseverity}]);\nlet audit = view(){\n Samsung_Knox_Audit_CL\n };\nlet application= view(){\n Samsung_Knox_Application_CL\n };\n let system= view(){\n Samsung_Knox_System_CL\n };\n let process= view(){\n Samsung_Knox_Process_CL\n };\n let user= view(){\n Samsung_Knox_User_CL\n };\n let network= view(){\n Samsung_Knox_Network_CL\n };\nlet selectedtables = dynamic([{selectedtype}]);\nunion (audit() | where \"Audit\" in (selectedtables)), (application() | where \"Application\" in (selectedtables)),(process() | where \"Process\" in (selectedtables)),(user() | where \"User\" in (selectedtables)),(network() | where \"Network\" in (selectedtables)),(system() | where \"System\" in (selectedtables))\n|where iff('{timebrush:label}'==\"12/12/2016 10:00 AM - 10:01 AM\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\n|where Severity in (severityParam)\n| summarize count() by Type\n| render piechart ", + "size": 3, + "title": "Events by type", + "noDataMessage": "No security event data found for the selected time period, severity or type.  
Please update the filters applied.", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "Samsung_Knox_Application_CL", + "label": "Application" + }, + { + "seriesName": "Samsung_Knox_Network_CL", + "label": "Network" + }, + { + "seriesName": "Samsung_Knox_User_CL", + "label": "User" + }, + { + "seriesName": "Samsung_Knox_Process_CL", + "label": "Process" + }, + { + "seriesName": "Samsung_Knox_Audit_CL", + "label": "Audit" + }, + { + "seriesName": "Samsung_Knox_System_CL", + "label": "System" + } + ] + } + }, + "name": "query - 11" + } + ] + }, + "name": "group - 9" + } + ] + }, + "customWidth": "40", + "name": "group - 8", + "styleSettings": { + "margin": "0px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\nlet audit = view(){\n Samsung_Knox_Audit_CL\n };\nlet application= view(){\n Samsung_Knox_Application_CL\n };\n let system= view(){\n Samsung_Knox_System_CL\n };\n let process= view(){\n Samsung_Knox_Process_CL\n };\n let user= view(){\n Samsung_Knox_User_CL\n };\n let network= view(){\n Samsung_Knox_Network_CL\n };\nlet selectedtables = dynamic([{selectedtype}]);\nlet severityParam = dynamic([{selectedseverity}]);\nunion (audit() | where \"Audit\" in (selectedtables)), (application() | where \"Application\" in (selectedtables)),(process() | where \"Process\" in (selectedtables)),(user() | where \"User\" in (selectedtables)),(network() | where \"Network\" in (selectedtables)),(system() | where \"System\" in (selectedtables))\n| where iff('{timebrush:label}'==\"12/12/2016 10:00 AM - 10:01 AM\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\n| where Severity in (severityParam)\n|project Time =TimeGenerated,\nName,\nSeverity,\n[\"Device Model\"] = DeviceModel,\nType = 
replace_string(replace_string(Type,\"Samsung_Knox_\",\"\"),\"_CL\",\"\"),\nProfile,\n[\"MITRE Technique ID(s)\"] = array_strcat(MitreTtp,\", \")\n| sort by Time desc\n\n\n", + "size": 2, + "title": "Event list", + "noDataMessage": "No security event data found for the selected time period, severity or type.  Please update the filters applied.", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "high", + "representation": "dot-redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "med", + "representation": "dot-orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "low", + "representation": "dot-yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "LOW", + "representation": "dot-yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "HIGH", + "representation": "dot-redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "MED", + "representation": "dot-orange", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 1000 + } + }, + "name": "query - 9" + } + ] + }, + "name": "group - 6" + } + ], + "fromTemplateId": "sentinel-SamsungKnoxAssetIntelligence", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file
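Review bot: The three drill-down queries (`Events by severity`, `Events by type`, `Event list`) decide whether the bar chart has been brushed by comparing the rendered text `'{timebrush:label}'` against the literal `"12/12/2016 10:00 AM - 10:01 AM"`, but that label appears to be rendered in the viewer's display time zone and locale — the parameter's stored default is `2016-12-12T18:01:00.000Z`, which only reads as `10:01 AM` for a UTC-8 viewer — so for anyone else the comparison fails and the panels are silently restricted to a one-minute window in 2016, showing "No security event data found" even when events exist. Compare the parameter's datetime rather than its label, e.g. `| where iff({timebrush:start} == datetime(2016-12-12T18:00:00Z), TimeGenerated between ({CustomTimeRange:start} .. {CustomTimeRange:end}), TimeGenerated between ({timebrush:start} .. {timebrush:end}))` in each of the three queries, or drop the sentinel default and test for an empty brush instead; please confirm that `{timebrush:start}` expands to a datetime literal in this workbook version as it does for the `CustomTimeRange` parameter. Separately, the event-list formatter carries rows for `HIGH`/`MED`/`LOW`, which suggests some sources emit upper-case severities, yet every query filters with the case-sensitive `where Severity in (severityParam)` against lower-case values, so such rows are dropped before the formatter ever sees them; `where Severity in~ (severityParam)` (and `in~` in the `Events by severity` tile's `where Severity in ('high', 'med','low')`) keeps the filter and the display consistent.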