Samsung Knox Peripheral Access Detection with Mic

Back


Id	e4032fd2-4d05-4302-b7c0-f3f0380e2313
Rulename	Samsung Knox Peripheral Access Detection with Mic
Description	When Knox device microphone access has been detected through system policy when such access is disabled.
Severity	High
Required data connectors	SamsungDCDefinition
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
Version	1.0.1
Arm template	e4032fd2-4d05-4302-b7c0-f3f0380e2313.json

KQL

Samsung_Knox_System_CL
| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC"
and MitreTtp has "KNOX.2"

YAML

suppressionEnabled: false
status: Available
id: e4032fd2-4d05-4302-b7c0-f3f0380e2313
alertDetailsOverride:
  alertDynamicProperties: []
suppressionDuration: 5H
name: Samsung Knox Peripheral Access Detection with Mic
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5H
    enabled: false
  createIncident: true
relevantTechniques: []
query: |
  Samsung_Knox_System_CL
  | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC"
  and MitreTtp has "KNOX.2"  
severity: High
requiredDataConnectors:
- dataTypes:
  - Samsung_Knox_System_CL
  connectorId: SamsungDCDefinition
eventGroupingSettings:
  aggregationKind: SingleAlert
description: |
    'When Knox device microphone access has been detected through system policy when such access is disabled.'
properties:
  schema:
  - Name
  - MitreTtp
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
version: 1.0.1
kind: NRT
tactics: []

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e4032fd2-4d05-4302-b7c0-f3f0380e2313')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e4032fd2-4d05-4302-b7c0-f3f0380e2313')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "e4032fd2-4d05-4302-b7c0-f3f0380e2313",
        "customDetails": null,
        "description": "'When Knox device microphone access has been detected through system policy when such access is disabled.'\n",
        "displayName": "Samsung Knox Peripheral Access Detection with Mic",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml",
        "properties": {
          "schema": [
            "Name",
            "MitreTtp"
          ]
        },
        "query": "Samsung_Knox_System_CL\n| where Name == \"PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC\"\nand MitreTtp has \"KNOX.2\"\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.1"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}