Azure · jaspreet-saini · Jan 24, 2025 · Jan 24, 2025 · Jan 25, 2025 · Jan 29, 2025
@@ -1,6 +1,6 @@
 id: 215e89ca-cdbc-4661-b8b2-7041f6ecc7fb
-name: Knox Application Privilege Escalation or Change
-version: 1.0.0
+name: Samsung Knox Application Privilege Escalation or Change
+version: 1.0.1
 kind: NRT
 description: |
   When a Knox mobile app has transitioned from an acceptable uid/esuid/fsuid to a different, non-App id.

@@ -1,6 +1,6 @@
 id: fb4853c9-28c1-4dab-830c-e086cb975170
-name: Knox Keyguard Disabled Feature Set
-version: 1.0.0
+name: Samsung Knox Keyguard Disabled Feature Set
+version: 1.0.1
 kind: NRT
 description: Indicates that an admin has set disabled keyguard features on a Knox device.
 severity: High

@@ -1,6 +1,6 @@
 id: fae7e371-aee8-4d3f-8311-2255a45a30b3
-name: Knox Mobile Device Boot Compromise
-version: 1.0.0
+name: Samsung Knox Mobile Device Boot Compromise
+version: 1.0.1
 kind: NRT
 description: |
   'When Knox device boot binary is at risk of compromise.'

@@ -1,6 +1,6 @@
 id: fbff0a97-1972-4df8-a78c-254ccb9879ef
-name: Knox Password Lockout
-version: 1.0.0
+name: Samsung Knox Password Lockout
+version: 1.0.1
 kind: NRT
 description: |
   'When maximum password attempts have reached and the Knox device is locked out. This is based on the threshold set by the MDM policy.'

@@ -1,6 +1,6 @@
 id: cd526f4d-dbe9-4149-8a0a-9ec43c3abb16
-name: Knox Peripheral Access  Detection with Camera
-version: 1.0.0
+name: Samsung Knox Peripheral Access  Detection with Camera
+version: 1.0.1
 kind: NRT
 description: |
   'When Knox device camera access has been detected through system policy when such access is disabled.'

@@ -1,6 +1,6 @@
 id: e4032fd2-4d05-4302-b7c0-f3f0380e2313
-name: Knox Peripheral Access Detection with Mic
-version: 1.0.0
+name: Samsung Knox Peripheral Access Detection with Mic
+version: 1.0.1
 kind: NRT
 description: |
   'When Knox device microphone access has been detected through system policy when such access is disabled.'

@@ -1,6 +1,6 @@
 id: bf9be360-7f08-48b2-8e9d-ca240c48b404
-name: Knox Security Log Full
-version: 1.0.0
+name: Samsung Knox Security Log Full
+version: 1.0.1
 kind: NRT
 description: |
   'When Security Log is full on a Knox device.'

@@ -1,6 +1,6 @@
 id: 18d4d4f3-6605-4fd2-968c-82c171409c1c
-name: Knox Suspicious URL Accessed Events
-version: 1.0.0
+name: Samsung Knox Suspicious URL Accessed Events
+version: 1.0.1
 kind: NRT
 description: |
   'When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence.'

@@ -78,6 +78,10 @@
             }
         ],
         "customs": [
+            {
+                "name": "Microsoft.Web/sites permissions",
+                "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
+            },
             {
                 "name": "Entra App",
                 "description": "An Entra Application needs to be registered and provisioned with 'Microsoft Sentinel Contributor'/ 'Microsoft Metrics Publisher' role to setup client secret-based authentication for data transfer. [See the documentation](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) to learn more about Entra App creation/registration and creating Client Secret credentials"
@@ -94,11 +98,30 @@
             "description": ">**Note**: : Since this Data Connector is designed to support Client Secret-based authentication to securely transfer data, the user must create the Client Secret as credentials during the Entra application creation and registration. Ensure you copy the Client Secret value as soon as it is generated.\n\n>**IMPORTANT**: Save the Tenant (Directory) ID, Client (Application) ID and Client Secret (Secret Value) values"
         },
         {
-            "title": "STEP 2 - Obtain Microsoft Sentinel Data collection Details",
-            "description": ">**Note**: Once you have installed Samsung Knox Asset Intelligence for Microsoft Sentinel Solution, a Data Collection Rule (DCR) associated with a Data Collection Endpoint (DCE), is auto-generated. To view this information, navigate to [Data Collection Rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules?) and look for DCR with its Name starting with **'samsung-knox-dcr-....'** and click on the DCR to view associated details.\n\n>**IMPORTANT**: Save the values for Immutable ID (DCR) and Data Collection Endpoint"
+            "title": "",
+            "description": "**STEP 2 - To automate the deployment of this data connector, you can follow the instructions listed below to use the Azure Resource Manager (ARM) template.**\n\n>**IMPORTANT:** Before deploying the data connector, copy the below Workspace name associated with your Microsoft Sentinel (also your Log Analytics) instance.",
+            "instructions": [
+                {
+                    "parameters": {
+                        "fillWith": [
+                            "WorkspaceName"
+                        ],
+                        "label": "Workspace Name"
+                    },
+                    "type": "CopyableLabel"
+                }
+            ]
+        },
+        {
+            "title": "",
+            "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SamsungDCDefinition-azuredeploy)\\n2. Provide the following fields: Log Analytics Workspace Name, Log Analytics Workspace Location, Log Analytics Workspace Subscription (ID) and Log Analytics Workspace Resource Group. \n\n>IMPORTANT: To enable end-to-end integration, additional information related to Microsoft Sentinel DCE and DCR are required for configuration in Samsung Knox Asset Intelligence portal (STEP 4).\n\nOnce the ARM template is deployed, navigate to Data Collection Rules https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules and save values associated with the Immutable ID (DCR) and Data Collection Endpoint (DCE)."
+        },
+        {
+            "title": "STEP 3 - Ensure the Entra Application created in STEP 1 has permissions to use the DCR created in order to send data to the DCE.",
+            "description": "Please refer to https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#assign-permissions-to-the-dcr to assign permissions accordingly."
         },
         {
-            "title": "STEP 3 - Connect to Samsung Knox Asset Intelligence solution to configure Microsoft Sentinel to push select Knox Security Events as Alerts -",
+            "title": "STEP 4 - Connect to Samsung Knox Asset Intelligence solution to configure Microsoft Sentinel to push select Knox Security Events as Alerts -",
             "description": "1. Login to [Knox Asset Intelligence administration portal](https://central.samsungknox.com/kaiadmin/dai/home) and navigate to **Dashboard Settings**; this is available at the top-right corner of the Portal\n>  **Note**: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions\n\n2. Click on Security tab to view settings for Security Operations Integration and for Knox Security Logs.\n\n3. In the Security Operations Integration page, toggle on the **'Enable Microsoft Sentinel Integration'** and enter appropriate values in the required fields - \n\n a. For Tenant ID, Client ID and Client Secret, refer to the information saved from Step 1 while registering the Entra application \n\n b. For Microsoft Sentinel DCE and DCR, refer to the information saved from Step 2  \n\n4. Click on the **'Test Connection'** and ensure the connection is successful.\n\n5. Before you can Save, configure Knox Security Logs by selecting wither Essential or Advanced configuration **(default: Essential)**\n\n6. To complete the Microsoft Sentinel integration, click **'Save'**"
         }
     ],

@@ -16,10 +16,11 @@
       "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml",
       "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml",
       "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithMic.yaml",
-      "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml"
+      "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSuspiciousURLs.yaml",
+      "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml"
     ],
     "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Samsung Knox Asset Intelligence",
-    "Version": "3.0.0",
+    "Version": "3.0.1",
     "Metadata": "SolutionMetadata.json",
     "TemplateSpec": true, 
     "Is1PConnector": false

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Samsung_Knox_Asset_Intelligence.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Samsung%20Knox%20Asset%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Knox Asset Intelligence for Microsoft Sentinel solution enables enterprise IT and SecOps (Security Operations) administrators to view and manage security threats to their Samsung Knox mobile devices. By integrating security events and logs from Knox Asset Intelligence with the Azure Monitor Log Ingestion API, the solution lets enterprise organizations easily view, identify and investigate security threats in near-real-time with Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Samsung_Knox_Asset_Intelligence.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Samsung%20Knox%20Asset%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Knox Asset Intelligence for Microsoft Sentinel solution enables enterprise IT and SecOps (Security Operations) administrators to view and manage security threats to their Samsung Knox mobile devices. By integrating security events and logs from Knox Asset Intelligence with the Azure Monitor Log Ingestion API, the solution lets enterprise organizations easily view, identify and investigate security threats in near-real-time with Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -146,7 +146,7 @@
           {
             "name": "analytic1",
             "type": "Microsoft.Common.Section",
-            "label": "Knox Application Privilege Escalation or Change",
+            "label": "Samsung Knox Application Privilege Escalation or Change",
             "elements": [
               {
                 "name": "analytic1-text",
@@ -160,7 +160,7 @@
           {
             "name": "analytic2",
             "type": "Microsoft.Common.Section",
-            "label": "Knox Keyguard Disabled Feature Set",
+            "label": "Samsung Knox Keyguard Disabled Feature Set",
             "elements": [
               {
                 "name": "analytic2-text",
@@ -174,7 +174,7 @@
           {
             "name": "analytic3",
             "type": "Microsoft.Common.Section",
-            "label": "Knox Mobile Device Boot Compromise",
+            "label": "Samsung Knox Mobile Device Boot Compromise",
             "elements": [
               {
                 "name": "analytic3-text",
@@ -188,7 +188,7 @@
           {
             "name": "analytic4",
             "type": "Microsoft.Common.Section",
-            "label": "Knox Password Lockout",
+            "label": "Samsung Knox Password Lockout",
             "elements": [
               {
                 "name": "analytic4-text",
@@ -202,7 +202,7 @@
           {
             "name": "analytic5",
             "type": "Microsoft.Common.Section",
-            "label": "Knox Peripheral Access  Detection with Camera",
+            "label": "Samsung Knox Peripheral Access  Detection with Camera",
             "elements": [
               {
                 "name": "analytic5-text",
@@ -216,7 +216,7 @@
           {
             "name": "analytic6",
             "type": "Microsoft.Common.Section",
-            "label": "Knox Peripheral Access Detection with Mic",
+            "label": "Samsung Knox Peripheral Access Detection with Mic",
             "elements": [
               {
                 "name": "analytic6-text",
@@ -230,7 +230,7 @@
           {
             "name": "analytic7",
             "type": "Microsoft.Common.Section",
-            "label": "Knox Suspicious URL Accessed Events",
+            "label": "Samsung Knox Suspicious URL Accessed Events",
             "elements": [
               {
                 "name": "analytic7-text",
@@ -240,6 +240,20 @@
                 }
               }
             ]
+          },
+          {
+            "name": "analytic8",
+            "type": "Microsoft.Common.Section",
+            "label": "Samsung Knox Security Log Full",
+            "elements": [
+              {
+                "name": "analytic8-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "When Security Log is full on a Knox device."
+                }
+              }
+            ]
           }
         ]
       }