Merge pull request Azure#12760 from Samsung/master

Samsung Knox Asset Intelligence -Update DCR & remove one analytics rule

Author: v-dvedak

Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml

@@ -11,7 +11,6 @@
     "AnalyticalRuleBladeDescription": "This solution comes with the following analytic rule templates, based on critical mobile security event data captured from Samsung Knox devices. You can also customize these analytic rule templates based on your organization’s needs.",
     "Analytic Rules": [
       "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxApplicationPrivilegeEscalationOrChange.yaml",
-      "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxKeyguardDisabledFeatureSet.yaml",
       "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxMobileDeviceBootCompromise.yaml",
       "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPasswordLockout.yaml",
       "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxPeripheralAccessDetectionWithCamera.yaml",
@@ -20,7 +19,7 @@
       "Solutions/Samsung Knox Asset Intelligence/Analytic Rules/SamsungKnoxSecurityLogFull.yaml"
     ],
     "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Samsung Knox Asset Intelligence",
-    "Version": "3.0.1",
+    "Version": "3.0.3",
     "Metadata": "SolutionMetadata.json",
     "TemplateSpec": true, 
     "Is1PConnector": false

Solutions/Samsung Knox Asset Intelligence/Data Connectors/azuredeploy_SamsungDataConnectorDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Samsung_Knox_Asset_Intelligence.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Samsung%20Knox%20Asset%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Knox Asset Intelligence for Microsoft Sentinel solution enables enterprise IT and SecOps (Security Operations) administrators to view and manage security threats to their Samsung Knox mobile devices. By integrating security events and logs from Knox Asset Intelligence with the Azure Monitor Log Ingestion API, the solution lets enterprise organizations easily view, identify and investigate security threats in near-real-time with Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Samsung_Knox_Asset_Intelligence.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Samsung%20Knox%20Asset%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Knox Asset Intelligence for Microsoft Sentinel solution enables enterprise IT and SecOps (Security Operations) administrators to view and manage security threats to their Samsung Knox mobile devices. By integrating security events and logs from Knox Asset Intelligence with the Azure Monitor Log Ingestion API, the solution lets enterprise organizations easily view, identify and investigate security threats in near-real-time with Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -160,24 +160,10 @@
           {
             "name": "analytic2",
             "type": "Microsoft.Common.Section",
-            "label": "Samsung Knox - Keyguard Disabled Feature Set Events",
-            "elements": [
-              {
-                "name": "analytic2-text",
-                "type": "Microsoft.Common.TextBlock",
-                "options": {
-                  "text": "When an admin has set disabled keyguard features on a Knox device."
-                }
-              }
-            ]
-          },
-          {
-            "name": "analytic3",
-            "type": "Microsoft.Common.Section",
             "label": "Samsung Knox - Mobile Device Boot Compromise Events",
             "elements": [
               {
-                "name": "analytic3-text",
+                "name": "analytic2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
                   "text": "When a Knox device boot binary is at risk of compromise."
@@ -186,12 +172,12 @@
             ]
           },
           {
-            "name": "analytic4",
+            "name": "analytic3",
             "type": "Microsoft.Common.Section",
             "label": "Samsung Knox - Password Lockout Events",
             "elements": [
               {
-                "name": "analytic4-text",
+                "name": "analytic3-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
                   "text": "When maximum password attempts have been reached, and the Knox device is locked out. This is based on a threshold set in the MDM device policy"
@@ -200,12 +186,12 @@
             ]
           },
           {
-            "name": "analytic5",
+            "name": "analytic4",
             "type": "Microsoft.Common.Section",
             "label": "Samsung Knox - Peripheral Access  Detection with Camera Events",
             "elements": [
               {
-                "name": "analytic5-text",
+                "name": "analytic4-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
                   "text": "When camera access has been detected on a Knox device, even though such access is disabled through an MDM device policy."
@@ -214,12 +200,12 @@
             ]
           },
           {
-            "name": "analytic6",
+            "name": "analytic5",
             "type": "Microsoft.Common.Section",
             "label": "Samsung Knox - Peripheral Access  Detection with Mic Events",
             "elements": [
               {
-                "name": "analytic6-text",
+                "name": "analytic5-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
                   "text": "When microphone access has been detected on a Knox device, even though such access is disabled through an MDM device policy."
@@ -228,12 +214,12 @@
             ]
           },
           {
-            "name": "analytic7",
+            "name": "analytic6",
             "type": "Microsoft.Common.Section",
             "label": "Samsung Knox - Suspicious URL Accessed Events",
             "elements": [
               {
-                "name": "analytic7-text",
+                "name": "analytic6-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
                   "text": "When a Knox device user clicks on URLs or links detected as suspicious (potentially phishing or malicious) with a high degree of confidence."
@@ -242,12 +228,12 @@
             ]
           },
           {
-            "name": "analytic8",
+            "name": "analytic7",
             "type": "Microsoft.Common.Section",
             "label": "Samsung Knox - Security Log Full Events",
             "elements": [
               {
-                "name": "analytic8-text",
+                "name": "analytic7-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
                   "text": "When the Knox Security Log is full on a device."