diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
index 30c60868f83..0b659f86ef4 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
@@ -13,7 +13,8 @@ tactics:
 - PrivilegeEscalation
 relevantTechniques:
 - T1548
-query: Samsung_Knox_Process_CL | where Name == "PROCESS_PRIVILEGE_ESCALATION" and MitreTtp has "T1548"
+query: |
+ Samsung_Knox_Process_CL | where Name == "PROCESS_PRIVILEGE_ESCALATION" and MitreTtp has "T1548"
 suppressionEnabled: false
 suppressionDuration: 5h
 incidentConfiguration:
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml
index 5c01b73cd58..7eaf5422bcc 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml
@@ -13,7 +13,8 @@ tactics:
 - InitialAccess
 relevantTechniques:
 - T1461
-query: Samsung_Knox_Audit_CL | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" and MitreTtp has "T1461"
+query: |
+ Samsung_Knox_Audit_CL | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" and MitreTtp has "T1461"
 suppressionEnabled: false
 suppressionDuration: 5h
 incidentConfiguration:
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
index 073729ce334..3edba390cf9 100644
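Review bot: The PrivilegeEscalation rule's query reads `Samsung_Knox_Process_CL`, yet the generated Package/mainTemplate.json entry for this rule (hunk `@@ -581,17 +599,17 @@`) still lists `Samsung_Knox_Audit_CL` as its only required data type; if the template is produced from this YAML's `requiredDataConnectors` (which sits above this hunk, outside it), that block should name `Samsung_Knox_Process_CL`, otherwise the rule's data-source wiring disagrees with the table the query actually scans. A secondary point that applies to both hunks on this line and to the SecurityLogFull and SuspiciousURLs hunks that follow: `query: |` keeps a trailing newline, which the template now carries as `\n` at the end of every query string, whereas `query: |-` gives the same block layout without it. The Keyguard rule's query does target `Samsung_Knox_Audit_CL`, matching its template entry at `@@ -682,17 +700,17 @@`.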
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
@@ -11,7 +11,8 @@ requiredDataConnectors:
 - Samsung_Knox_Audit_CL
 tactics: []
 relevantTechniques: []
-query: Samsung_Knox_Audit_CL| where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1"
+query: |
+ Samsung_Knox_Audit_CL| where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1"
 suppressionEnabled: false
 suppressionDuration: 5h
 incidentConfiguration:
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml
index 3d598c065c9..de17f6d1d68 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml
@@ -13,7 +13,8 @@ tactics:
 - InitialAccess
 relevantTechniques:
 - T1566
-query: Samsung_Knox_User_CL | where Name == "SUSPICIOUS_URL_ACCESSED" and ConfidenceScore > 0.9
+query: |
+ Samsung_Knox_User_CL | where Name == "SUSPICIOUS_URL_ACCESSED" and ConfidenceScore > 0.9
 suppressionEnabled: false
 suppressionDuration: 5h
 incidentConfiguration:
diff --git a/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json b/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json
index b606cc97116..3b619f8120d 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json
+++ b/Solutions/Samsung Knox Asset Intelligence/Data Connectors/SamsungDCDefinition.json
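Review bot: `Samsung_Knox_Audit_CL| where` in the SecurityLogFull hunk (`@@ -11,7 +11,8 @@`) is missing the space before the pipe that every other rule in this change uses; KQL tolerates it, but since the line is being rewritten anyway, make it `Samsung_Knox_Audit_CL | where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1"` so the four queries read alike. The SuspiciousURLs hunk on this line is consistent with the others and needs nothing beyond the `|`/`|-` remark made on the first hunk of this change.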
@@ -58,7 +58,7 @@
 "resourceProvider": [
 {
 "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "Read and Write permissions on the Log Analytics Workspace are required to enable the Solution. You can either choose an existing Log Analytics workspace or create new. [See the documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) to learn more about Log Analytics workspace creation.",
+ "permissionsDisplayText": "read and write permissions are required.",
 "providerDisplayName": "Workspace",
 "scope": "Workspace",
 "requiredPermissions": {
@@ -66,6 +66,15 @@
 "read": true,
 "delete": true
 }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
 }
 ],
 "customs": [
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip
index 46df9437cb9..684d8d99c6b 100644
Binary files a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip and b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip differ
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
index 12d847e89aa..bc775f69ccf 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
+++ b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
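Review bot: The new `Microsoft.OperationalInsights/workspaces/sharedKeys` entry (`@@ -66,6 +66,15 @@`) makes `action` rights on the workspace shared key a prerequisite for connecting, but nothing in the change says what the connector does with that key; it is a long-lived, workspace-wide ingestion credential, so the display text should state its purpose so an operator can judge the exposure, e.g. `read permissions to shared keys for the workspace are required; the workspace ID and key authenticate Knox Asset Intelligence ingestion into this workspace and can be regenerated from the workspace if exposed.` If ingestion is in fact DCR/DCE-based rather than key-based, the entry is broader than needed and should be dropped instead of documented. The link in that text still targets the legacy docs.microsoft.com host, while the learn.microsoft.com URL removed at `@@ -58,7 +58,7 @@` shows the file already used the current one. Both hunks are repeated verbatim in Package/mainTemplate.json at `@@ -195,7 +195,7 @@`/`@@ -203,6 +203,15 @@` and `@@ -409,7 +418,7 @@`/`@@ -417,6 +426,15 @@`, presumably generated from this file, so the fix belongs here and the package should be regenerated.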
@@ -195,7 +195,7 @@
 "resourceProvider": [
 {
 "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "Read and Write permissions on the Log Analytics Workspace are required to enable the Solution. You can either choose an existing Log Analytics workspace or create new. [See the documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) to learn more about Log Analytics workspace creation.",
+ "permissionsDisplayText": "read and write permissions are required.",
 "providerDisplayName": "Workspace",
 "scope": "Workspace",
 "requiredPermissions": {
@@ -203,6 +203,15 @@
 "read": true,
 "delete": true
 }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
 }
 ],
 "customs": [
@@ -409,7 +418,7 @@
 "resourceProvider": [
 {
 "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "Read and Write permissions on the Log Analytics Workspace are required to enable the Solution. You can either choose an existing Log Analytics workspace or create new. [See the documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) to learn more about Log Analytics workspace creation.",
+ "permissionsDisplayText": "read and write permissions are required.",
 "providerDisplayName": "Workspace",
 "scope": "Workspace",
 "requiredPermissions": {
@@ -417,6 +426,15 @@
 "read": true,
 "delete": true
 }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
 }
 ],
 "customs": [
@@ -581,17 +599,17 @@
 "description": "When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.",
 "displayName": "Knox Application Privilege Escalation or Change",
 "enabled": false,
- "query": "Samsung_Knox_Process_CL | where Name == \"PROCESS_PRIVILEGE_ESCALATION\" and MitreTtp has \"T1548\"",
+ "query": "Samsung_Knox_Process_CL | where Name == \"PROCESS_PRIVILEGE_ESCALATION\" and MitreTtp has \"T1548\"\n",
 "severity": "High",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_Audit_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "tactics": [
@@ -604,13 +622,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
+ "lookbackDuration": "5h",
 "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "lookbackDuration": "5h"
- },
- "createIncident": true
+ "enabled": false
+ }
 }
 }
 },
@@ -682,17 +700,17 @@
 "description": "Indicates that an admin has set disabled keyguard features on a Knox device.",
 "displayName": "Knox Keyguard Disabled Feature Set",
 "enabled": false,
- "query": "Samsung_Knox_Audit_CL | where Name == \"TAG_KEYGUARD_DISABLED_FEATURES_SET\" and MitreTtp has \"T1461\"",
+ "query": "Samsung_Knox_Audit_CL | where Name == \"TAG_KEYGUARD_DISABLED_FEATURES_SET\" and MitreTtp has \"T1461\"\n",
 "severity": "High",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_Audit_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "tactics": [
@@ -705,13 +723,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
+ "lookbackDuration": "5h",
 "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "lookbackDuration": "5h"
- },
- "createIncident": true
+ "enabled": false
+ }
 }
 }
 },
@@ -790,10 +808,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_System_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "tactics": [
@@ -806,13 +824,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
+ "lookbackDuration": "5h",
 "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "lookbackDuration": "5h"
- },
- "createIncident": true
+ "enabled": false
+ }
 }
 }
 },
@@ -891,10 +909,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_User_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "tactics": [
@@ -907,13 +925,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
+ "lookbackDuration": "5h",
 "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "lookbackDuration": "5h"
- },
- "createIncident": true
+ "enabled": false
+ }
 }
 }
 },
@@ -992,23 +1010,23 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_Audit_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "eventGroupingSettings": {
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
+ "lookbackDuration": "5h",
 "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "lookbackDuration": "5h"
- },
- "createIncident": true
+ "enabled": false
+ }
 }
 }
 },
@@ -1087,10 +1105,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_Audit_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "eventGroupingSettings": {
@@ -1100,13 +1118,13 @@
 "alertDynamicProperties": []
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
+ "lookbackDuration": "5h",
 "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "lookbackDuration": "5h"
- },
- "createIncident": true
+ "enabled": false
+ }
 }
 }
 },
@@ -1178,17 +1196,17 @@
 "description": "When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.",
 "displayName": "Knox Suspicious URL Accessed Events",
 "enabled": false,
- "query": "Samsung_Knox_User_CL | where Name == \"SUSPICIOUS_URL_ACCESSED\" and ConfidenceScore > 0.9",
+ "query": "Samsung_Knox_User_CL | where Name == \"SUSPICIOUS_URL_ACCESSED\" and ConfidenceScore > 0.9\n",
 "severity": "High",
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_User_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "tactics": [
@@ -1201,13 +1219,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
+ "lookbackDuration": "5h",
 "matchingMethod": "AllEntities",
 "reopenClosedIncident": false,
- "lookbackDuration": "5h"
- },
- "createIncident": true
+ "enabled": false
+ }
 }
 }
 },