

Merge pull request #4 from Samsung/feature-fix-validations
fixing DataConnectorValidations & KqlValidations checks
sean-mcclelland authored Dec 19, 2024
2 parents efe1e68 + fc521fb commit fec8111
Showing 7 changed files with 83 additions and 52 deletions.
Expand Up @@ -13,7 +13,8 @@ tactics:
- PrivilegeEscalation
relevantTechniques:
- T1548
query: Samsung_Knox_Process_CL | where Name == "PROCESS_PRIVILEGE_ESCALATION" and MitreTtp has "T1548"
query: |
Samsung_Knox_Process_CL | where Name == "PROCESS_PRIVILEGE_ESCALATION" and MitreTtp has "T1548"
suppressionEnabled: false
suppressionDuration: 5h
incidentConfiguration:
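Review bot: The new block scalar `query: |` keeps the final line break, so the packaged rule now carries a trailing newline in its KQL (the regenerated mainTemplate.json in this same commit shows the query ending in `\"T1548\"\n`); `query: |-` gives the same multi-line form without the trailing newline. The same applies to the three sibling rule files changed in this commit. KQL should tolerate the extra newline, so this is a point of style rather than a functional problem, but it keeps the packaged query byte-identical to the one-line form the validators previously accepted.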
Expand Up @@ -13,7 +13,8 @@ tactics:
- InitialAccess
relevantTechniques:
- T1461
query: Samsung_Knox_Audit_CL | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" and MitreTtp has "T1461"
query: |
Samsung_Knox_Audit_CL | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" and MitreTtp has "T1461"
suppressionEnabled: false
suppressionDuration: 5h
incidentConfiguration:
Expand Up @@ -11,7 +11,8 @@ requiredDataConnectors:
- Samsung_Knox_Audit_CL
tactics: []
relevantTechniques: []
query: Samsung_Knox_Audit_CL| where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1"
query: |
Samsung_Knox_Audit_CL| where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1"
suppressionEnabled: false
suppressionDuration: 5h
incidentConfiguration:
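Review bot: The rewritten query omits the space before the pipe, `Samsung_Knox_Audit_CL| where …`, unlike the other three rule queries touched in this commit; `Samsung_Knox_Audit_CL | where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1"` keeps the operator chain readable and consistent across the solution. Purely a style point; the KQL parser accepts both forms.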
Expand Up @@ -13,7 +13,8 @@ tactics:
- InitialAccess
relevantTechniques:
- T1566
query: Samsung_Knox_User_CL | where Name == "SUSPICIOUS_URL_ACCESSED" and ConfidenceScore > 0.9
query: |
Samsung_Knox_User_CL | where Name == "SUSPICIOUS_URL_ACCESSED" and ConfidenceScore > 0.9
suppressionEnabled: false
suppressionDuration: 5h
incidentConfiguration:
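Review bot: `ConfidenceScore > 0.9` assumes the column is numeric in `Samsung_Knox_User_CL`; if the custom table declares it as a string, a comparison against a real is likely to fail when the rule is validated rather than silently match nothing, so the table schema should be confirmed or the filter written defensively as `todouble(ConfidenceScore) > 0.9`. The 0.9 cut-off is hard-coded and the only hint at its meaning is the packaged description's "high degree of confidence", so a one-line note in this YAML's description stating that 0.9 is the vendor's high-confidence threshold would help whoever tunes it later — presumably that is what it represents, but nothing in the diff says so.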
Expand Up @@ -58,14 +58,23 @@
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions on the Log Analytics Workspace are required to enable the Solution. You can either choose an existing Log Analytics workspace or create new. [See the documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) to learn more about Log Analytics workspace creation.",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
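Review bot: The new `Microsoft.OperationalInsights/workspaces/sharedKeys` entry with `"action": true` asks the deploying principal for the right to read the workspace shared keys, which are long-lived, workspace-wide secrets that authorize ingestion into any table; the entry does not say why the connector needs them, and nothing in this diff shows where the key is stored or how it is rotated once retrieved. The `permissionsDisplayText` should name the dependency, e.g. `"Read permission on the workspace shared keys is required so the connector can ingest with the workspace ID and key; treat the key as a workspace-wide secret and rotate it if exposed."`, and the connector documentation should state which component holds it — presumably an ingestion function or agent, which is not visible here. The rewritten workspace text on the line above, `"read and write permissions are required."`, drops the original explanation and documentation link while the block directly below it still requires `"delete": true`, so it now understates what is requested; restoring the original sentence as `"Read, write and delete permissions on the Log Analytics Workspace are required to enable the Solution. …"` with the learn.microsoft.com link would match `requiredPermissions`. The enclosing `permissions` object starts and ends outside the hunk, and the same block is duplicated twice in the packaged mainTemplate.json, which should be regenerated from this file rather than edited by hand.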
Binary file modified Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip
112 changes: 65 additions & 47 deletions Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
Expand Up @@ -195,14 +195,23 @@
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions on the Log Analytics Workspace are required to enable the Solution. You can either choose an existing Log Analytics workspace or create new. [See the documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) to learn more about Log Analytics workspace creation.",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
Expand Down Expand Up @@ -409,14 +418,23 @@
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions on the Log Analytics Workspace are required to enable the Solution. You can either choose an existing Log Analytics workspace or create new. [See the documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) to learn more about Log Analytics workspace creation.",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
Expand Down Expand Up @@ -581,17 +599,17 @@
"description": "When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.",
"displayName": "Knox Application Privilege Escalation or Change",
"enabled": false,
"query": "Samsung_Knox_Process_CL | where Name == \"PROCESS_PRIVILEGE_ESCALATION\" and MitreTtp has \"T1548\"",
"query": "Samsung_Knox_Process_CL | where Name == \"PROCESS_PRIVILEGE_ESCALATION\" and MitreTtp has \"T1548\"\n",
"severity": "High",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SamsungDCDefinition",
"dataTypes": [
"Samsung_Knox_Audit_CL"
],
"connectorId": "SamsungDCDefinition"
]
}
],
"tactics": [
Expand All @@ -604,13 +622,13 @@
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "5h",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false,
"lookbackDuration": "5h"
},
"createIncident": true
"enabled": false
}
}
}
},
Expand Down Expand Up @@ -682,17 +700,17 @@
"description": "Indicates that an admin has set disabled keyguard features on a Knox device.",
"displayName": "Knox Keyguard Disabled Feature Set",
"enabled": false,
"query": "Samsung_Knox_Audit_CL | where Name == \"TAG_KEYGUARD_DISABLED_FEATURES_SET\" and MitreTtp has \"T1461\"",
"query": "Samsung_Knox_Audit_CL | where Name == \"TAG_KEYGUARD_DISABLED_FEATURES_SET\" and MitreTtp has \"T1461\"\n",
"severity": "High",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SamsungDCDefinition",
"dataTypes": [
"Samsung_Knox_Audit_CL"
],
"connectorId": "SamsungDCDefinition"
]
}
],
"tactics": [
Expand All @@ -705,13 +723,13 @@
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "5h",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false,
"lookbackDuration": "5h"
},
"createIncident": true
"enabled": false
}
}
}
},
Expand Down Expand Up @@ -790,10 +808,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SamsungDCDefinition",
"dataTypes": [
"Samsung_Knox_System_CL"
],
"connectorId": "SamsungDCDefinition"
]
}
],
"tactics": [
Expand All @@ -806,13 +824,13 @@
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "5h",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false,
"lookbackDuration": "5h"
},
"createIncident": true
"enabled": false
}
}
}
},
Expand Down Expand Up @@ -891,10 +909,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SamsungDCDefinition",
"dataTypes": [
"Samsung_Knox_User_CL"
],
"connectorId": "SamsungDCDefinition"
]
}
],
"tactics": [
Expand All @@ -907,13 +925,13 @@
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "5h",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false,
"lookbackDuration": "5h"
},
"createIncident": true
"enabled": false
}
}
}
},
Expand Down Expand Up @@ -992,23 +1010,23 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SamsungDCDefinition",
"dataTypes": [
"Samsung_Knox_Audit_CL"
],
"connectorId": "SamsungDCDefinition"
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "5h",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false,
"lookbackDuration": "5h"
},
"createIncident": true
"enabled": false
}
}
}
},
Expand Down Expand Up @@ -1087,10 +1105,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SamsungDCDefinition",
"dataTypes": [
"Samsung_Knox_Audit_CL"
],
"connectorId": "SamsungDCDefinition"
]
}
],
"eventGroupingSettings": {
Expand All @@ -1100,13 +1118,13 @@
"alertDynamicProperties": []
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "5h",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false,
"lookbackDuration": "5h"
},
"createIncident": true
"enabled": false
}
}
}
},
Expand Down Expand Up @@ -1178,17 +1196,17 @@
"description": "When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.",
"displayName": "Knox Suspicious URL Accessed Events",
"enabled": false,
"query": "Samsung_Knox_User_CL | where Name == \"SUSPICIOUS_URL_ACCESSED\" and ConfidenceScore > 0.9",
"query": "Samsung_Knox_User_CL | where Name == \"SUSPICIOUS_URL_ACCESSED\" and ConfidenceScore > 0.9\n",
"severity": "High",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SamsungDCDefinition",
"dataTypes": [
"Samsung_Knox_User_CL"
],
"connectorId": "SamsungDCDefinition"
]
}
],
"tactics": [
Expand All @@ -1201,13 +1219,13 @@
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "5h",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false,
"lookbackDuration": "5h"
},
"createIncident": true
"enabled": false
}
}
}
},
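Review bot: In the `Knox Application Privilege Escalation or Change` rule the rewritten `query` reads `Samsung_Knox_Process_CL`, but the reordered `requiredDataConnectors` entry right below it still lists `"Samsung_Knox_Audit_CL"` as its only data type, so the connector-status check this commit is meant to fix is wired to a table that rule never touches; the entry should read `"dataTypes": ["Samsung_Knox_Process_CL"]`. The other rules in the file pair the data type with the table actually queried (for example `Samsung_Knox_User_CL` for the suspicious-URL rule), so this looks like a copy-paste left over from the audit-log rules. The same rule's source YAML earlier in this commit sets `suppressionDuration: 5h` while the packaged rule carries `"suppressionDuration": "PT1H"`; `suppressionEnabled` is false in both so there is no runtime effect, but it is worth confirming whether the packager honours the YAML value or always emits PT1H, since the drift will confuse anyone who later enables suppression. mainTemplate.json is a build artifact, so the data-type fix belongs in the rule's YAML (whose `requiredDataConnectors` section is outside the visible hunk) followed by a repackage, not in this file directly.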
