Samsung Knox - Peripheral Access Detection with Mic Events

Back


Id	e4032fd2-4d05-4302-b7c0-f3f0380e2313
Rulename	Samsung Knox - Peripheral Access Detection with Mic Events
Description	When microphone access has been detected on a Knox device, even though such access is disabled through an MDM device policy.
Severity	High
Required data connectors	SamsungDCDefinition
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
Version	1.0.2
Arm template	e4032fd2-4d05-4302-b7c0-f3f0380e2313.json

KQL

Samsung_Knox_System_CL
| where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC"
and MitreTtp has "KNOX.2"

YAML

relevantTechniques: []
version: 1.0.2
severity: High
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
name: Samsung Knox - Peripheral Access  Detection with Mic Events
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
suppressionDuration: PT5H
tactics: []
query: |
  Samsung_Knox_System_CL
  | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC"
  and MitreTtp has "KNOX.2"  
requiredDataConnectors:
- connectorId: SamsungDCDefinition
  dataTypes:
  - Samsung_Knox_System_CL
suppressionEnabled: false
properties:
  schema:
  - Name
  - MitreTtp
id: e4032fd2-4d05-4302-b7c0-f3f0380e2313
eventGroupingSettings:
  aggregationKind: SingleAlert
description: When microphone access has been detected on a Knox device, even though such access is disabled through an MDM device policy.
alertDetailsOverride:
  alertDynamicProperties: []
status: Available
kind: NRT

ARM