diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
index f751b6f2660..9dcc3bd99fe 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml
@@ -19,13 +19,13 @@ query: |
 | where Name == "PROCESS_PRIVILEGE_ESCALATION"
 | where MitreTtp has "T1548"
 suppressionEnabled: false
-suppressionDuration: 5h
+suppressionDuration: 5H
 incidentConfiguration:
 createIncident: true
 groupingConfiguration:
 enabled: false
 reopenClosedIncident: false
- lookbackDuration: 5h
+ lookbackDuration: 5H
 matchingMethod: AllEntities
 eventGroupingSettings:
 aggregationKind: SingleAlert
\ No newline at end of file
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml
index a9b7145c531..31537856fd5 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml
@@ -18,13 +18,13 @@ query: |
 | where Name == "TAG_KEYGUARD_DISABLED_FEATURES_SET" and MitreTtp has "T1461"
 suppressionEnabled: false
-suppressionDuration: 5h
+suppressionDuration: 5H
 incidentConfiguration:
 createIncident: true
 groupingConfiguration:
 enabled: false
 reopenClosedIncident: false
- lookbackDuration: 5h
+ lookbackDuration: 5H
 matchingMethod: AllEntities
 eventGroupingSettings:
 aggregationKind: SingleAlert
\ No newline at end of file
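Review bot: `5H` is still not an ISO 8601 duration, and the regenerated mainTemplate.json in this same commit writes `"lookbackDuration": "5H"` into the ARM resource verbatim, so if the goal was to satisfy the Sentinel rule API's duration format the value would need to be `PT5H` (or whatever shorthand the repo's packaging tool is known to normalize); confirm which form the schema validator and the packaging tool accept before relying on the case change. The matching `suppressionDuration` line does not show up in any mainTemplate hunk, which suggests that field is normalized at packaging time while `lookbackDuration` is passed through unchanged — worth verifying rather than assuming. Note also that this hunk sets both `suppressionEnabled: false` and `groupingConfiguration.enabled: false`, so neither duration takes effect at runtime and the change is effectively cosmetic unless a validator enforces the unit case.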
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml
index eedc0798921..025209b794d 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml
@@ -19,13 +19,13 @@ query: |
 | where Name == "BOOT_COMPROMISED_SOFTWARE_BINARY" and MitreTtp has "T1645"
 suppressionEnabled: false
-suppressionDuration: 5h
+suppressionDuration: 5H
 incidentConfiguration:
 createIncident: true
 groupingConfiguration:
 enabled: false
 reopenClosedIncident: false
- lookbackDuration: 5h
+ lookbackDuration: 5H
 matchingMethod: AllEntities
 eventGroupingSettings:
 aggregationKind: SingleAlert
\ No newline at end of file
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml
index b6cf11d8b1a..7d74c797326 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml
@@ -19,13 +19,13 @@ query: |
 | where Name == "PASSWORD_LOCKOUT" and MitreTtp has "T1110"
 suppressionEnabled: false
-suppressionDuration: 5h
+suppressionDuration: 5H
 incidentConfiguration:
 createIncident: true
 groupingConfiguration:
 enabled: false
 reopenClosedIncident: false
- lookbackDuration: 5h
+ lookbackDuration: 5H
 matchingMethod: AllEntities
 eventGroupingSettings:
 aggregationKind: SingleAlert
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
index 9b8c00649a8..017343ba9bb 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml
@@ -17,13 +17,13 @@ query: |
 | where Name == "PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA" and MitreTtp has "KNOX.2"
 suppressionEnabled: false
-suppressionDuration: 5h
+suppressionDuration: 5H
 incidentConfiguration:
 createIncident: true
 groupingConfiguration:
 enabled: false
 reopenClosedIncident: false
- lookbackDuration: 5h
+ lookbackDuration: 5H
 matchingMethod: AllEntities
 eventGroupingSettings:
 aggregationKind: SingleAlert
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
index afa510d85c6..e028b431ab5 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml
@@ -19,13 +19,13 @@ query: |
 alertDetailsOverride:
 alertDynamicProperties: []
 suppressionEnabled: false
-suppressionDuration: 5h
+suppressionDuration: 5H
 incidentConfiguration:
 createIncident: true
 groupingConfiguration:
 enabled: false
 reopenClosedIncident: false
- lookbackDuration: 5h
+ lookbackDuration: 5H
 matchingMethod: AllEntities
 eventGroupingSettings:
 aggregationKind: SingleAlert
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
index cd0f7f3835c..06a8eb92b55 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml
@@ -17,13 +17,13 @@ query: |
 | where Name == "LOG_IS_FULL" and MitreTtp has "KNOX.1"
 suppressionEnabled: false
-suppressionDuration: 5h
+suppressionDuration: 5H
 incidentConfiguration:
 createIncident: true
 groupingConfiguration:
 enabled: false
 reopenClosedIncident: false
- lookbackDuration: 5h
+ lookbackDuration: 5H
 matchingMethod: AllEntities
 eventGroupingSettings:
 aggregationKind: SingleAlert
diff --git a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml
index a8d19e14931..d573106ae99 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml
+++ b/Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml
@@ -19,13 +19,13 @@ query: |
 | where Name == "SUSPICIOUS_URL_ACCESSED" and ConfidenceScore > 0.9
 suppressionEnabled: false
-suppressionDuration: 5h
+suppressionDuration: 5H
 incidentConfiguration:
 createIncident: true
 groupingConfiguration:
 enabled: false
 reopenClosedIncident: false
- lookbackDuration: 5h
+ lookbackDuration: 5H
 matchingMethod: AllEntities
 eventGroupingSettings:
 aggregationKind: SingleAlert
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip
index a4a75db35df..05384a986ba 100644
Binary files a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip and b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip differ
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
index 53df6fb0cfd..5d22dafff13 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
+++ b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
@@ -42,7 +42,7 @@
 "_email": "[variables('email')]",
 "_solutionName": "Samsung Knox Asset Intelligence",
 "_solutionVersion": "3.0.0",
- "solutionId": "samsungelectronics1734042706970.samsung-knox-asset-intelligence-sentinel",
+ "solutionId": "samsungelectronics1734042706970.azure-sentinel-solution-samsung-knox-asset-intelligence",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "SamsungDCDefinition",
 "_uiConfigId1": "[variables('uiConfigId1')]",
@@ -606,10 +606,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_Process_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "tactics": [
@@ -622,13 +622,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
- "createIncident": true,
 "groupingConfiguration": {
- "reopenClosedIncident": false,
 "enabled": false,
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities"
- }
+ "matchingMethod": "AllEntities",
+ "lookbackDuration": "5H",
+ "reopenClosedIncident": false
+ },
+ "createIncident": true
 }
 }
 },
@@ -707,10 +707,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_Audit_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "tactics": [
@@ -723,13 +723,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
- "createIncident": true,
 "groupingConfiguration": {
- "reopenClosedIncident": false,
 "enabled": false,
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities"
- }
+ "matchingMethod": "AllEntities",
+ "lookbackDuration": "5H",
+ "reopenClosedIncident": false
+ },
+ "createIncident": true
 }
 }
 },
@@ -808,10 +808,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_System_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "tactics": [
@@ -824,13 +824,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
- "createIncident": true,
 "groupingConfiguration": {
- "reopenClosedIncident": false,
 "enabled": false,
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities"
- }
+ "matchingMethod": "AllEntities",
+ "lookbackDuration": "5H",
+ "reopenClosedIncident": false
+ },
+ "createIncident": true
 }
 }
 },
@@ -909,10 +909,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_User_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "tactics": [
@@ -925,13 +925,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
- "createIncident": true,
 "groupingConfiguration": {
- "reopenClosedIncident": false,
 "enabled": false,
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities"
- }
+ "matchingMethod": "AllEntities",
+ "lookbackDuration": "5H",
+ "reopenClosedIncident": false
+ },
+ "createIncident": true
 }
 }
 },
@@ -1010,23 +1010,23 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_System_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "eventGroupingSettings": {
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
- "createIncident": true,
 "groupingConfiguration": {
- "reopenClosedIncident": false,
 "enabled": false,
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities"
- }
+ "matchingMethod": "AllEntities",
+ "lookbackDuration": "5H",
+ "reopenClosedIncident": false
+ },
+ "createIncident": true
 }
 }
 },
@@ -1105,10 +1105,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_System_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "eventGroupingSettings": {
@@ -1118,13 +1118,13 @@
 "alertDynamicProperties": []
 },
 "incidentConfiguration": {
- "createIncident": true,
 "groupingConfiguration": {
- "reopenClosedIncident": false,
 "enabled": false,
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities"
- }
+ "matchingMethod": "AllEntities",
+ "lookbackDuration": "5H",
+ "reopenClosedIncident": false
+ },
+ "createIncident": true
 }
 }
 },
@@ -1203,10 +1203,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SamsungDCDefinition",
 "dataTypes": [
 "Samsung_Knox_User_CL"
- ],
- "connectorId": "SamsungDCDefinition"
+ ]
 }
 ],
 "tactics": [
@@ -1219,13 +1219,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
- "createIncident": true,
 "groupingConfiguration": {
- "reopenClosedIncident": false,
 "enabled": false,
- "lookbackDuration": "5h",
- "matchingMethod": "AllEntities"
- }
+ "matchingMethod": "AllEntities",
+ "lookbackDuration": "5H",
+ "reopenClosedIncident": false
+ },
+ "createIncident": true
 }
 }
 },
diff --git a/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json b/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json
index bfc7fcf7c4e..0ef51c049f5 100644
--- a/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json
+++ b/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json
@@ -1,6 +1,6 @@
 {
 "publisherId": "samsungelectronics1734042706970",
- "offerId": "samsung-knox-asset-intelligence-sentinel",
+ "offerId": "azure-sentinel-solution-samsung-knox-asset-intelligence",
 "firstPublishDate": "2025-01-15",
 "providers": ["Samsung"],
 "categories": {