Microsoft Sentinel Analytic Rules

Knox Password Lockout

Idfbff0a97-1972-4df8-a78c-254ccb9879ef
RulenameKnox Password Lockout
DescriptionWhen the maximum number of password attempts has been reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.
SeverityHigh
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSamsungDCDefinition
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml
Version1.0.0
Arm templatefbff0a97-1972-4df8-a78c-254ccb9879ef.json
// Knox Password Lockout: select Samsung Knox user events whose Name is
// PASSWORD_LOCKOUT and whose MitreTtp field contains the term T1110.
// NOTE(review): the MitreTtp filter relies on the connector tagging each
// lockout event with T1110; untagged lockouts are silently dropped — confirm
// this is intended.
Samsung_Knox_User_CL 
| where Name == "PASSWORD_LOCKOUT"
and MitreTtp has "T1110"
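# Microsoft Sentinel NRT analytic rule "Knox Password Lockout".
# Matches Samsung Knox user events that report a PASSWORD_LOCKOUT and carry
# the MITRE technique tag T1110.
id: fbff0a97-1972-4df8-a78c-254ccb9879ef
name: Knox Password Lockout
# NOTE(review): the surrounding single quotes are part of the scalar value and
# are carried verbatim into the generated ARM template's description; confirm
# the solution packaging expects them before removing them.
description: |
  'When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.'
severity: High
status: Available
kind: NRT
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml
requiredDataConnectors:
- connectorId: SamsungDCDefinition
  dataTypes:
  - Samsung_Knox_User_CL
tactics:
- CredentialAccess
relevantTechniques:
- T1110
# Keep the block-scalar lines free of trailing whitespace: inside a literal
# block scalar it becomes part of the query string.
query: |
  Samsung_Knox_User_CL
  | where Name == "PASSWORD_LOCKOUT"
  and MitreTtp has "T1110"
eventGroupingSettings:
  aggregationKind: SingleAlert
# Suppression is disabled, so every matching event raises its own alert; the
# 5H duration only takes effect if suppressionEnabled is set to true.
suppressionEnabled: false
suppressionDuration: 5H
incidentConfiguration:
  createIncident: true
  # Grouping is disabled; matchingMethod and lookbackDuration apply only when
  # enabled is true. This rule defines no entityMappings, so its alerts carry
  # no entities for grouping or investigation.
  groupingConfiguration:
    enabled: false
    lookbackDuration: 5H
    matchingMethod: AllEntities
    reopenClosedIncident: false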
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fbff0a97-1972-4df8-a78c-254ccb9879ef')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fbff0a97-1972-4df8-a78c-254ccb9879ef')]",
      "properties": {
        "alertRuleTemplateName": "fbff0a97-1972-4df8-a78c-254ccb9879ef",
        "customDetails": null,
        "description": "'When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.'\n",
        "displayName": "Knox Password Lockout",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml",
        "query": "Samsung_Knox_User_CL \n| where Name == \"PASSWORD_LOCKOUT\"\nand MitreTtp has \"T1110\"\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.0"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}