Samsung Knox - Application Privilege Escalation or Change Events

Back


Id	215e89ca-cdbc-4661-b8b2-7041f6ecc7fb
Rulename	Samsung Knox - Application Privilege Escalation or Change Events
Description	When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.
Severity	High
Tactics	PrivilegeEscalation
Techniques	T1548
Required data connectors	SamsungDCDefinition
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
Version	1.0.2
Arm template	215e89ca-cdbc-4661-b8b2-7041f6ecc7fb.json

KQL

Samsung_Knox_Process_CL 
| where Name == "PROCESS_PRIVILEGE_ESCALATION"
| where MitreTtp has "T1548"

YAML

suppressionEnabled: false
description: When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.
kind: NRT
tactics:
- PrivilegeEscalation
requiredDataConnectors:
- connectorId: SamsungDCDefinition
  dataTypes:
  - Samsung_Knox_Process_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
severity: High
name: Samsung Knox - Application Privilege Escalation or Change Events
suppressionDuration: PT5H
eventGroupingSettings:
  aggregationKind: SingleAlert
query: |
  Samsung_Knox_Process_CL 
  | where Name == "PROCESS_PRIVILEGE_ESCALATION"
  | where MitreTtp has "T1548"  
relevantTechniques:
- T1548
id: 215e89ca-cdbc-4661-b8b2-7041f6ecc7fb
status: Available
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    enabled: false
    matchingMethod: AllEntities
  createIncident: true
version: 1.0.2

ARM