Microsoft Sentinel Analytic Rules

Samsung Knox Peripheral Access Detection with Camera

Id: cd526f4d-dbe9-4149-8a0a-9ec43c3abb16
Rulename: Samsung Knox Peripheral Access Detection with Camera
Description: Camera access on a Knox device was detected through system policy while such access is disabled.
Severity: High
Required data connectors: SamsungDCDefinition
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
Version: 1.0.1
Arm template: cd526f4d-dbe9-4149-8a0a-9ec43c3abb16.json
// Samsung Knox: a device reported camera access through system policy while
// that access is disabled. Two chained filters are equivalent to the original
// single `where ... and ...` predicate.
Samsung_Knox_System_CL
| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA"
// `has` is a case-insensitive whole-term match. NOTE(review): if MitreTtp holds
// a single fixed identifier, `==` (or `has_cs`) would be stricter and would not
// also match longer values such as "KNOX.2.x" - confirm the column's format.
| where MitreTtp has "KNOX.2"
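# Sentinel NRT analytic rule: raise an alert when a Knox-managed device reports
# camera access through system policy while that access is disabled.
eventGroupingSettings:
  # One alert per matching event; with incident grouping disabled below, every
  # matching event therefore becomes its own incident.
  aggregationKind: SingleAlert
status: Available
id: cd526f4d-dbe9-4149-8a0a-9ec43c3abb16
# `has` is a case-insensitive whole-term match. NOTE(review): if MitreTtp holds a
# single fixed identifier, `==` (or `has_cs`) would be stricter and would not
# also match longer values such as "KNOX.2.x" - confirm the column's format.
# Trailing whitespace inside the block scalar was removed; it became part of the
# query string (harmless to KQL, but noisy in diffs).
query: |
  Samsung_Knox_System_CL
  | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA"
  and MitreTtp has "KNOX.2"
# Inert while suppressionEnabled is false.
suppressionDuration: 5H
name: Samsung Knox Peripheral Access  Detection with Camera
incidentConfiguration:
  groupingConfiguration:
    # NOTE(review): no entityMappings are defined in this rule (the ARM template
    # carries entityMappings: null), so alerts expose no Host/Account entity and
    # AllEntities grouping has nothing to match on if it is ever enabled. Map the
    # device/user columns of Samsung_Knox_System_CL if present (not visible here).
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5H
    enabled: false
  createIncident: true
suppressionEnabled: false
severity: High
# KNOX.2 appears to be a Samsung Knox-specific TTP identifier rather than an
# ATT&CK technique ID, which is presumably why no ATT&CK tactic/technique is
# mapped - confirm against the solution's documentation.
relevantTechniques: []
requiredDataConnectors:
- dataTypes:
  - Samsung_Knox_System_CL
  connectorId: SamsungDCDefinition
# Fix: the original wrapped the text in literal single quotes inside a block
# scalar, so the quotes (and a trailing newline) ended up in the rendered
# description. A quoted scalar yields just the sentence.
description: 'When Knox device camera access has been detected through system policy when such access is disabled.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
version: 1.0.1
kind: NRT
tactics: []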
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cd526f4d-dbe9-4149-8a0a-9ec43c3abb16')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cd526f4d-dbe9-4149-8a0a-9ec43c3abb16')]",
      "properties": {
        "alertRuleTemplateName": "cd526f4d-dbe9-4149-8a0a-9ec43c3abb16",
        "customDetails": null,
        "description": "When Knox device camera access has been detected through system policy when such access is disabled.",
        "displayName": "Samsung Knox Peripheral Access  Detection with Camera",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml",
        "query": "Samsung_Knox_System_CL \n| where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA\" \nand MitreTtp has \"KNOX.2\"\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.1"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}