Samsung Knox - Application Privilege Escalation or Change Events

Back


Id	215e89ca-cdbc-4661-b8b2-7041f6ecc7fb
Rulename	Samsung Knox - Application Privilege Escalation or Change Events
Description	When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.
Severity	High
Tactics	PrivilegeEscalation
Techniques	T1548
Required data connectors	SamsungDCDefinition
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
Version	1.0.2
Arm template	215e89ca-cdbc-4661-b8b2-7041f6ecc7fb.json

KQL

Samsung_Knox_Process_CL 
| where Name == "PROCESS_PRIVILEGE_ESCALATION"
| where MitreTtp has "T1548"

YAML

eventGroupingSettings:
  aggregationKind: SingleAlert
requiredDataConnectors:
- dataTypes:
  - Samsung_Knox_Process_CL
  connectorId: SamsungDCDefinition
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
relevantTechniques:
- T1548
status: Available
version: 1.0.2
severity: High
kind: NRT
id: 215e89ca-cdbc-4661-b8b2-7041f6ecc7fb
query: |
  Samsung_Knox_Process_CL 
  | where Name == "PROCESS_PRIVILEGE_ESCALATION"
  | where MitreTtp has "T1548"  
description: When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.
suppressionEnabled: false
name: Samsung Knox - Application Privilege Escalation or Change Events
suppressionDuration: PT5H
tactics:
- PrivilegeEscalation

ARM