Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Samsung Knox - Security Log Full Events

Samsung Knox - Security Log Full Events

Back
Idbf9be360-7f08-48b2-8e9d-ca240c48b404
RulenameSamsung Knox - Security Log Full Events
DescriptionWhen the Knox Security Log is full on a device.
SeverityHigh
Required data connectorsSamsungDCDefinition
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
Version1.0.2
Arm templatebf9be360-7f08-48b2-8e9d-ca240c48b404.json
Deploy To Azure
Samsung_Knox_Audit_CL
| where Name == "LOG_IS_FULL" 
and MitreTtp has "KNOX.1"

suppressionEnabled: false
description: When the Knox Security Log is full on a device.
kind: NRT
tactics: []
requiredDataConnectors:
- connectorId: SamsungDCDefinition
  dataTypes:
  - Samsung_Knox_Audit_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
severity: High
name: Samsung Knox - Security Log Full Events
suppressionDuration: PT5H
eventGroupingSettings:
  aggregationKind: SingleAlert
query: |
  Samsung_Knox_Audit_CL
  | where Name == "LOG_IS_FULL" 
  and MitreTtp has "KNOX.1"  
relevantTechniques: []
id: bf9be360-7f08-48b2-8e9d-ca240c48b404
status: Available
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    enabled: false
    matchingMethod: AllEntities
  createIncident: true
version: 1.0.2