Samsung Knox - Application Privilege Escalation or Change Events

Back


Id	215e89ca-cdbc-4661-b8b2-7041f6ecc7fb
Rulename	Samsung Knox - Application Privilege Escalation or Change Events
Description	When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.
Severity	High
Tactics	PrivilegeEscalation
Techniques	T1548
Required data connectors	SamsungDCDefinition
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
Version	1.0.2
Arm template	215e89ca-cdbc-4661-b8b2-7041f6ecc7fb.json

KQL

Samsung_Knox_Process_CL 
| where Name == "PROCESS_PRIVILEGE_ESCALATION"
| where MitreTtp has "T1548"

YAML

version: 1.0.2
id: 215e89ca-cdbc-4661-b8b2-7041f6ecc7fb
suppressionEnabled: false
severity: High
kind: NRT
suppressionDuration: PT5H
description: When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.
requiredDataConnectors:
- connectorId: SamsungDCDefinition
  dataTypes:
  - Samsung_Knox_Process_CL
eventGroupingSettings:
  aggregationKind: SingleAlert
name: Samsung Knox - Application Privilege Escalation or Change Events
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1548
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
query: |
  Samsung_Knox_Process_CL 
  | where Name == "PROCESS_PRIVILEGE_ESCALATION"
  | where MitreTtp has "T1548"  
status: Available
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities

ARM