Samsung Knox - Application Privilege Escalation or Change Events

Back


Id	215e89ca-cdbc-4661-b8b2-7041f6ecc7fb
Rulename	Samsung Knox - Application Privilege Escalation or Change Events
Description	When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.
Severity	High
Tactics	PrivilegeEscalation
Techniques	T1548
Required data connectors	SamsungDCDefinition
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
Version	1.0.2
Arm template	215e89ca-cdbc-4661-b8b2-7041f6ecc7fb.json

KQL

Samsung_Knox_Process_CL 
| where Name == "PROCESS_PRIVILEGE_ESCALATION"
| where MitreTtp has "T1548"

YAML

status: Available
requiredDataConnectors:
- connectorId: SamsungDCDefinition
  dataTypes:
  - Samsung_Knox_Process_CL
suppressionDuration: PT5H
suppressionEnabled: false
kind: NRT
id: 215e89ca-cdbc-4661-b8b2-7041f6ecc7fb
name: Samsung Knox - Application Privilege Escalation or Change Events
relevantTechniques:
- T1548
tactics:
- PrivilegeEscalation
description: When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
query: |
  Samsung_Knox_Process_CL 
  | where Name == "PROCESS_PRIVILEGE_ESCALATION"
  | where MitreTtp has "T1548"  
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    enabled: false
    lookbackDuration: PT5H
  createIncident: true
severity: High
version: 1.0.2

ARM