
Knox Password Lockout

Idfbff0a97-1972-4df8-a78c-254ccb9879ef
RulenameKnox Password Lockout
Description: When the maximum number of password attempts has been reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.
SeverityHigh
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSamsungDCDefinition
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml
Version1.0.0
Arm templatefbff0a97-1972-4df8-a78c-254ccb9879ef.json
// Knox Password Lockout: Samsung Knox user events where the device was locked out after
// the MDM-configured maximum number of failed password attempts (tagged MITRE ATT&CK T1110).
// The table name and both predicate values come from the rule definition on this page.
Samsung_Knox_User_CL
| where Name == "PASSWORD_LOCKOUT" and MitreTtp has "T1110"
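# Knox Password Lockout — Microsoft Sentinel NRT analytic rule definition.
# Fires on Samsung_Knox_User_CL rows whose Name is PASSWORD_LOCKOUT, i.e. the device was locked
# out after the MDM-policy maximum number of password attempts.
status: Available
name: Knox Password Lockout
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    # Grouping is disabled, so matchingMethod, reopenClosedIncident and lookbackDuration
    # currently have no effect on incident creation.
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: 5H
  createIncident: true
severity: High
eventGroupingSettings:
  aggregationKind: SingleAlert
kind: NRT
tactics:
- CredentialAccess
relevantTechniques:
- T1110
requiredDataConnectors:
- dataTypes:
  - Samsung_Knox_User_CL
  connectorId: SamsungDCDefinition
# Has no effect while suppressionEnabled is false.
suppressionDuration: 5H
# NOTE(review): the single quotes on the content line are inside the block scalar and so
# become part of the deployed description text (the generated ARM template shows them too).
description: |
    'When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.'
# NOTE(review): the generated ARM template carries entityMappings: null, so alerts from this
# rule surface no device or account entity for triage; confirm the table's column names
# before adding a mapping.
# Block scalar: trailing whitespace on any line would become part of the query string,
# so the lines below end at the last token.
query: |
  Samsung_Knox_User_CL
  | where Name == "PASSWORD_LOCKOUT"
  and MitreTtp has "T1110"
id: fbff0a97-1972-4df8-a78c-254ccb9879ef
version: 1.0.0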
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fbff0a97-1972-4df8-a78c-254ccb9879ef')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fbff0a97-1972-4df8-a78c-254ccb9879ef')]",
      "properties": {
        "alertRuleTemplateName": "fbff0a97-1972-4df8-a78c-254ccb9879ef",
        "customDetails": null,
        "description": "'When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.'\n",
        "displayName": "Knox Password Lockout",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml",
        "query": "Samsung_Knox_User_CL \n| where Name == \"PASSWORD_LOCKOUT\"\nand MitreTtp has \"T1110\"\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.0"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}