Microsoft Sentinel Analytic Rules

Samsung Knox Password Lockout

Id: fbff0a97-1972-4df8-a78c-254ccb9879ef
Rulename: Samsung Knox Password Lockout
Description: Fires when the maximum number of password attempts has been reached and the Knox device is locked out. The attempt threshold is the one set by the MDM policy.
Severity: High
Tactics: CredentialAccess
Techniques: T1110
Required data connectors: SamsungDCDefinition
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml
Version: 1.0.1
Arm template: fbff0a97-1972-4df8-a78c-254ccb9879ef.json
Samsung_Knox_User_CL 
| where Name == "PASSWORD_LOCKOUT"
and MitreTtp has "T1110"
eventGroupingSettings:
  aggregationKind: SingleAlert
status: Available
id: fbff0a97-1972-4df8-a78c-254ccb9879ef
query: |
  Samsung_Knox_User_CL 
  | where Name == "PASSWORD_LOCKOUT"
  and MitreTtp has "T1110"  
suppressionDuration: 5H
name: Samsung Knox Password Lockout
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5H
    enabled: false
  createIncident: true
suppressionEnabled: false
severity: High
relevantTechniques:
- T1110
requiredDataConnectors:
- dataTypes:
  - Samsung_Knox_User_CL
  connectorId: SamsungDCDefinition
description: |
    'When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml
version: 1.0.1
kind: NRT
tactics:
- CredentialAccess
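The following is an added example, not code from the rule, the solution or the Azure-Sentinel repository. It re-implements the rule's `where` clause in Python over a handful of constructed sample rows so the two operators can be checked offline: `==` is case-sensitive, and `has` is a whole-term match, so a MitreTtp of "T1110.001" (a brute-force sub-technique) is caught while "T11100" is not. It also counts how many alerts an NRT rule with aggregationKind SingleAlert would raise for those rows, since all rows returned by one one-minute run are folded into a single alert. The term tokenizer is an approximation of Kusto's (alphanumeric runs), and the DeviceId column is assumed for illustration; only Name and MitreTtp are taken from the rule itself.

```python
"""Added example (not part of the Sentinel rule or the Azure-Sentinel repo):
offline re-implementation of the rule's KQL filter

    Samsung_Knox_User_CL
    | where Name == "PASSWORD_LOCKOUT" and MitreTtp has "T1110"

run over constructed sample rows, plus a count of the alerts an NRT rule
with aggregationKind SingleAlert would raise for them."""
import json
import re
from datetime import datetime

# Approximation of KQL term extraction: a term is a run of alphanumeric
# characters; `has` matches a whole term, case-insensitively.
_TERM_RE = re.compile(r"[A-Za-z0-9]+")


def kql_has(value, term):
    """KQL `has`: whole-term, case-insensitive match (unlike `contains`,
    which would also match the unrelated value "T11100")."""
    wanted = term.lower()
    return any(tok.lower() == wanted for tok in _TERM_RE.findall(value or ""))


def kql_eq(value, literal):
    """KQL `==` on strings is case-sensitive (`=~` would not be)."""
    return value == literal


def password_lockout_rule(rows):
    """Rows the rule's `where` clause would keep."""
    return [
        r for r in rows
        if kql_eq(r.get("Name"), "PASSWORD_LOCKOUT")
        and kql_has(r.get("MitreTtp"), "T1110")
    ]


def nrt_alert_count(matched_rows, run_interval_s=60):
    """Alerts an NRT rule with aggregationKind SingleAlert raises: one per
    one-minute run that returned at least one row. Rows landing in the same
    run are folded into one alert; with incident grouping disabled, as in
    this rule's template, each alert then becomes its own incident."""
    runs = set()
    for r in matched_rows:
        ts = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
        runs.add(int(ts.timestamp()) // run_interval_s)
    return len(runs)


# Constructed sample rows. Name and MitreTtp are the columns the rule uses;
# TimeGenerated is the standard Log Analytics timestamp column; DeviceId is
# an assumed column name, not taken from the Samsung_Knox_User_CL schema.
SAMPLE_ROWS = [json.loads(line) for line in """
{"TimeGenerated": "2024-05-01T10:00:00Z", "Name": "PASSWORD_LOCKOUT", "MitreTtp": "T1110", "DeviceId": "dev-1"}
{"TimeGenerated": "2024-05-01T10:00:30Z", "Name": "PASSWORD_LOCKOUT", "MitreTtp": "T1110.001", "DeviceId": "dev-2"}
{"TimeGenerated": "2024-05-01T10:01:00Z", "Name": "PASSWORD_FAILED", "MitreTtp": "T1110", "DeviceId": "dev-1"}
{"TimeGenerated": "2024-05-01T10:01:30Z", "Name": "password_lockout", "MitreTtp": "T1110", "DeviceId": "dev-3"}
{"TimeGenerated": "2024-05-01T10:02:00Z", "Name": "PASSWORD_LOCKOUT", "MitreTtp": "T11100", "DeviceId": "dev-4"}
{"TimeGenerated": "2024-05-01T10:02:30Z", "Name": "PASSWORD_LOCKOUT", "MitreTtp": "", "DeviceId": "dev-5"}
""".strip().splitlines()]


if __name__ == "__main__":
    hits = password_lockout_rule(SAMPLE_ROWS)
    for r in hits:
        print(r["TimeGenerated"], r["DeviceId"], r["MitreTtp"])
    print("alerts from one NRT run per minute:", nrt_alert_count(hits))
```

Two points a practitioner should take from the template alongside this: the rule ships with entityMappings set to null, so its alerts carry no account or device entity, and the AllEntities grouping configuration would have nothing to match on even if it were enabled; and suppressionEnabled is false, so the PT5H suppressionDuration has no effect and a device that keeps hitting the MDM threshold produces a fresh alert on every run in which a lockout row appears.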
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fbff0a97-1972-4df8-a78c-254ccb9879ef')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fbff0a97-1972-4df8-a78c-254ccb9879ef')]",
      "properties": {
        "alertRuleTemplateName": "fbff0a97-1972-4df8-a78c-254ccb9879ef",
        "customDetails": null,
        "description": "'When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.'\n",
        "displayName": "Samsung Knox Password Lockout",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml",
        "query": "Samsung_Knox_User_CL \n| where Name == \"PASSWORD_LOCKOUT\"\nand MitreTtp has \"T1110\"\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}