Microsoft Sentinel Analytic Rules

Knox Password Lockout

Id: fbff0a97-1972-4df8-a78c-254ccb9879ef
Rule name: Knox Password Lockout
Description: When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.
Severity: High
Tactics: CredentialAccess
Techniques: T1110
Required data connectors: SamsungDCDefinition
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml
Version: 1.0.0
Arm template: fbff0a97-1972-4df8-a78c-254ccb9879ef.json
// Password-lockout events from the Samsung Knox user table, limited to rows the
// connector has already tagged with ATT&CK technique T1110 (Brute Force).
// Name is matched case-sensitively (==); MitreTtp is a term match (has).
Samsung_Knox_User_CL
| where Name == "PASSWORD_LOCKOUT" and MitreTtp has "T1110"
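---
# Microsoft Sentinel NRT (near-real-time) analytic rule: raise an alert when a
# Samsung Knox device reports a PASSWORD_LOCKOUT event, i.e. the maximum number
# of password attempts configured by the MDM policy has been reached.
# Mapped to MITRE ATT&CK T1110 (Brute Force) under Credential Access.
id: fbff0a97-1972-4df8-a78c-254ccb9879ef
name: Knox Password Lockout
# Literal block scalar: everything below the `|` is the description verbatim.
# Do not wrap the text in quotes inside the block — the quote characters become
# part of the value and show up in the deployed rule's description.
description: |
  When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.
version: "1.0.0"  # quoted so no YAML loader can retype the version string
kind: NRT
severity: High
status: Available
tactics:
- CredentialAccess
relevantTechniques:
- T1110
requiredDataConnectors:
- connectorId: SamsungDCDefinition
  dataTypes:
  - Samsung_Knox_User_CL
# KQL query. Keep the lines free of trailing whitespace: inside a block scalar
# it is part of the value and is carried into the deployed rule.
query: |
  Samsung_Knox_User_CL
  | where Name == "PASSWORD_LOCKOUT"
  and MitreTtp has "T1110"
# Alerting behaviour. The rule declares no entityMappings, so its alerts carry
# no entities; the incident grouping block below is disabled in any case.
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionEnabled: false
suppressionDuration: 5H
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: 5H
    matchingMethod: AllEntities
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml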
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fbff0a97-1972-4df8-a78c-254ccb9879ef')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fbff0a97-1972-4df8-a78c-254ccb9879ef')]",
      "properties": {
        "alertRuleTemplateName": "fbff0a97-1972-4df8-a78c-254ccb9879ef",
        "customDetails": null,
        "description": "'When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.'\n",
        "displayName": "Knox Password Lockout",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml",
        "query": "Samsung_Knox_User_CL \n| where Name == \"PASSWORD_LOCKOUT\"\nand MitreTtp has \"T1110\"\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.0"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}