Microsoft Sentinel Analytic Rules

Samsung Knox Peripheral Access Detection with Mic

Id: e4032fd2-4d05-4302-b7c0-f3f0380e2313
Rulename: Samsung Knox Peripheral Access Detection with Mic
Description: When Knox device microphone access has been detected through system policy when such access is disabled.
Severity: High
Required data connectors: SamsungDCDefinition
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
Version: 1.0.1
Arm template: e4032fd2-4d05-4302-b7c0-f3f0380e2313.json
// Samsung Knox microphone policy-violation events, as consumed by the
// "Samsung Knox Peripheral Access Detection with Mic" Sentinel NRT rule.
// Both filters must hold; `has` matches "KNOX.2" as a whole term, not a substring.
Samsung_Knox_System_CL
| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC"
| where MitreTtp has "KNOX.2"
# Microsoft Sentinel analytic rule (kind NRT) that fires on Samsung Knox
# microphone-access-through-policy events. Key order follows the generator's output.
suppressionEnabled: false
status: Available
id: e4032fd2-4d05-4302-b7c0-f3f0380e2313
alertDetailsOverride:
  alertDynamicProperties: []
suppressionDuration: 5H
name: Samsung Knox Peripheral Access Detection with Mic
# Grouping is disabled (enabled: false) while createIncident is true — presumably
# every alert opens its own incident; confirm that volume is intended for a
# High-severity near-real-time rule.
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5H
    enabled: false
  createIncident: true
# No ATT&CK technique mapping; the query keys on the Knox-specific MitreTtp tag
# "KNOX.2" instead, so the rule will not surface in technique-based coverage views.
relevantTechniques: []
# Literal block scalar. The two conditions form one `where` clause (Name AND
# MitreTtp); `has` is a whole-term match. The last line carries trailing spaces,
# which are retained as part of the query text.
query: |
  Samsung_Knox_System_CL
  | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC"
  and MitreTtp has "KNOX.2"  
severity: High
# Only the Samsung_Knox_System_CL table from connector SamsungDCDefinition is read.
requiredDataConnectors:
- dataTypes:
  - Samsung_Knox_System_CL
  connectorId: SamsungDCDefinition
eventGroupingSettings:
  aggregationKind: SingleAlert
# The single quotes inside this block scalar are part of the stored description
# text (they are content, not YAML quoting).
description: |
    'When Knox device microphone access has been detected through system policy when such access is disabled.'
# Columns the query reads. No entityMappings are declared in this rule, so
# presumably alerts carry no mapped device/user entity for triage — confirm
# whether the table exposes a device identifier worth mapping.
properties:
  schema:
  - Name
  - MitreTtp
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
version: 1.0.1
kind: NRT
# No ATT&CK tactics mapped either; see relevantTechniques above.
tactics: []
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e4032fd2-4d05-4302-b7c0-f3f0380e2313')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e4032fd2-4d05-4302-b7c0-f3f0380e2313')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "e4032fd2-4d05-4302-b7c0-f3f0380e2313",
        "customDetails": null,
        "description": "'When Knox device microphone access has been detected through system policy when such access is disabled.'\n",
        "displayName": "Samsung Knox Peripheral Access Detection with Mic",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml",
        "properties": {
          "schema": [
            "Name",
            "MitreTtp"
          ]
        },
        "query": "Samsung_Knox_System_CL\n| where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC\"\nand MitreTtp has \"KNOX.2\"\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.1"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}