Samsung Knox - Suspicious URL Accessed Events

Back


Id	18d4d4f3-6605-4fd2-968c-82c171409c1c
Rulename	Samsung Knox - Suspicious URL Accessed Events
Description	When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.
Severity	High
Tactics	InitialAccess
Techniques	T1566
Required data connectors	SamsungDCDefinition
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml
Version	1.0.2
Arm template	18d4d4f3-6605-4fd2-968c-82c171409c1c.json

KQL

Samsung_Knox_User_CL 
| where Name == "SUSPICIOUS_URL_ACCESSED" 
and ConfidenceScore > 0.9

YAML

version: 1.0.2
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: Url
  entityType: URL
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
  createIncident: true
requiredDataConnectors:
- connectorId: SamsungDCDefinition
  dataTypes:
  - Samsung_Knox_User_CL
suppressionDuration: PT5H
tactics:
- InitialAccess
severity: High
kind: NRT
name: Samsung Knox - Suspicious URL Accessed Events
eventGroupingSettings:
  aggregationKind: SingleAlert
status: Available
suppressionEnabled: false
id: 18d4d4f3-6605-4fd2-968c-82c171409c1c
query: |
  Samsung_Knox_User_CL 
  | where Name == "SUSPICIOUS_URL_ACCESSED" 
  and ConfidenceScore > 0.9  
relevantTechniques:
- T1566
description: |
    'When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml

ARM