Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Samsung Knox - Mobile Device Boot Compromise Events

Samsung Knox - Mobile Device Boot Compromise Events

Back
Idfae7e371-aee8-4d3f-8311-2255a45a30b3
RulenameSamsung Knox - Mobile Device Boot Compromise Events
DescriptionWhen a Knox device boot binary is at risk of compromise.
SeverityHigh
TacticsPersistence
TechniquesT1645
Required data connectorsSamsungDCDefinition
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml
Version1.0.2
Arm templatefae7e371-aee8-4d3f-8311-2255a45a30b3.json
Deploy To Azure
Samsung_Knox_System_CL 
| where Name == "BOOT_COMPROMISED_SOFTWARE_BINARY"
and MitreTtp has "T1645"

status: Available
requiredDataConnectors:
- connectorId: SamsungDCDefinition
  dataTypes:
  - Samsung_Knox_System_CL
description: When a Knox device boot binary is at risk of compromise.
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T1645
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: PT5H
    enabled: false
name: Samsung Knox - Mobile Device Boot Compromise Events
kind: NRT
tactics:
- Persistence
suppressionDuration: PT5H
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml
query: |
  Samsung_Knox_System_CL 
  | where Name == "BOOT_COMPROMISED_SOFTWARE_BINARY"
  and MitreTtp has "T1645"  
severity: High
version: 1.0.2
id: fae7e371-aee8-4d3f-8311-2255a45a30b3