Samsung Knox - Peripheral Access Detection with Camera Events

Back


Id	cd526f4d-dbe9-4149-8a0a-9ec43c3abb16
Rulename	Samsung Knox - Peripheral Access Detection with Camera Events
Description	When camera access has been detected on a Knox device, even though such access is disabled through an MDM device policy.
Severity	High
Required data connectors	SamsungDCDefinition
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
Version	1.0.2
Arm template	cd526f4d-dbe9-4149-8a0a-9ec43c3abb16.json

KQL

Samsung_Knox_System_CL 
| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" 
and MitreTtp has "KNOX.2"

YAML

status: Available
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
suppressionDuration: PT5H
relevantTechniques: []
name: Samsung Knox - Peripheral Access  Detection with Camera Events
requiredDataConnectors:
- connectorId: SamsungDCDefinition
  dataTypes:
  - Samsung_Knox_System_CL
query: |
  Samsung_Knox_System_CL 
  | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" 
  and MitreTtp has "KNOX.2"  
id: cd526f4d-dbe9-4149-8a0a-9ec43c3abb16
tactics: []
severity: High
description: When camera access has been detected on a Knox device, even though such access is disabled through an MDM device policy.
kind: NRT
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
  createIncident: true
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionEnabled: false

ARM