Microsoft Sentinel Analytic Rules

Samsung Knox Peripheral Access Detection with Camera

Id: cd526f4d-dbe9-4149-8a0a-9ec43c3abb16
Rulename: Samsung Knox Peripheral Access Detection with Camera
Description: Detects camera access on a Knox device through system policy while such access is disabled.
Severity: High
Required data connectors: SamsungDCDefinition
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
Version: 1.0.1
Arm template: cd526f4d-dbe9-4149-8a0a-9ec43c3abb16.json
// Samsung Knox system events (custom log table): keep rows whose Name is the
// "camera accessed through policy" event AND whose MitreTtp field contains the
// term KNOX.2. `has` is a case-insensitive whole-term match, not a substring
// match; KNOX.2 looks like a vendor TTP id rather than an ATT&CK technique — confirm.
Samsung_Knox_System_CL 
| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" 
and MitreTtp has "KNOX.2"
# Sentinel analytic rule template (NRT kind, see `kind` below): fires on Samsung Knox
# system events reporting camera access through policy while such access is disabled.
# Alert suppression window; only takes effect when suppressionEnabled is true (it is false here).
suppressionDuration: 5H
suppressionEnabled: false
# Detection query. Do not add comments inside the block scalar below: everything in it,
# including trailing whitespace, becomes part of the query string stored in the rule.
# Rows must match both predicates: the camera policy-access event Name, and the term
# KNOX.2 in MitreTtp (`has` is a case-insensitive whole-term match, not a substring match).
# NOTE(review): KNOX.2 looks like a vendor TTP id rather than an ATT&CK technique, which
# is consistent with tactics/relevantTechniques being empty below — confirm.
query: |
  Samsung_Knox_System_CL 
  | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" 
  and MitreTtp has "KNOX.2"  
# One alert per query run, however many rows match.
eventGroupingSettings:
  aggregationKind: SingleAlert
# Rule template id; the generated ARM template also uses it as the alertRules resource name.
id: cd526f4d-dbe9-4149-8a0a-9ec43c3abb16
# NOTE(review): the double space in "Access  Detection" is carried into the displayName of
# the generated template; if corrected, fix both places together.
name: Samsung Knox Peripheral Access  Detection with Camera
# No ATT&CK enrichment: alerts from this rule carry no technique or tactic tags.
relevantTechniques: []
# Every alert opens its own incident: grouping is disabled, so lookbackDuration and
# matchingMethod are not applied. AllEntities would have nothing to match on anyway,
# because this template defines no entityMappings (see the note above severity).
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: 5H
    enabled: false
    matchingMethod: AllEntities
# The rule depends on the Samsung connector delivering the Samsung_Knox_System_CL table.
requiredDataConnectors:
- connectorId: SamsungDCDefinition
  dataTypes:
  - Samsung_Knox_System_CL
# NOTE(review): no entityMappings (and no customDetails) are defined, so the alert surfaces
# neither the affected device nor the user; mapping the device/user columns of
# Samsung_Knox_System_CL (confirm names against the table schema) would make triage and
# entity-based incident grouping possible.
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
version: 1.0.1
# Empty for the same reason as relevantTechniques above.
tactics: []
# Near-real-time rule: runs at Sentinel's fixed NRT cadence, so no queryFrequency/queryPeriod here.
kind: NRT
status: Available
# Literal block scalar: the surrounding single quotes and the trailing newline are part of the
# stored description (the generated ARM template shows "'When ...'\n").
description: |
    'When Knox device camera access has been detected through system policy when such access is disabled.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cd526f4d-dbe9-4149-8a0a-9ec43c3abb16')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cd526f4d-dbe9-4149-8a0a-9ec43c3abb16')]",
      "properties": {
        "alertRuleTemplateName": "cd526f4d-dbe9-4149-8a0a-9ec43c3abb16",
        "customDetails": null,
        "description": "'When Knox device camera access has been detected through system policy when such access is disabled.'\n",
        "displayName": "Samsung Knox Peripheral Access  Detection with Camera",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml",
        "query": "Samsung_Knox_System_CL \n| where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA\" \nand MitreTtp has \"KNOX.2\"\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.1"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}