Samsung Knox Asset Intelligence
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
| Attribute | Value |
|---|---|
| Connector ID | SamsungDCDefinition |
| Publisher | Samsung |
| Used in Solutions | Samsung Knox Asset Intelligence |
| Collection Method | REST Pull API |
| Connector Definition Files | Template_Samsung.json |
| Ingestion API | HTTP Data Collector API — Connector definition requires workspace key (SharedKey pattern) |
Samsung Knox Asset Intelligence Data Connector lets you centralize your mobile security events and logs in order to view customized insights using the Workbook template, and identify incidents based on Analytics Rules templates.
Tables Ingested
This connector ingests data into the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
Samsung_Knox_Application_CL |
? | ✓ | ? |
Samsung_Knox_Audit_CL |
? | ✓ | ? |
Samsung_Knox_Network_CL |
? | ✓ | ? |
Samsung_Knox_Process_CL |
? | ✓ | ? |
Samsung_Knox_System_CL |
? | ✓ | ? |
Samsung_Knox_User_CL |
? | ✓ | ? |
💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.
Permissions
Resource Provider Permissions: - Workspace (Workspace): read and write permissions are required. - Keys (Workspace): read permissions to shared keys for the workspace are required. See the documentation to learn more about workspace keys.
Custom Permissions: - Entra app: An Entra app needs to be registered and provisioned with ‘Microsoft Metrics Publisher’ role and configured with either Certificate or Client Secret as credentials for secure data transfer. See the Log ingestion tutorial to learn more about Entra App creation, registration and credential configuration.
Setup Instructions
⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.
This Data Connector uses the Microsoft Log Ingestion API to push security events into Microsoft Sentinel from Samsung Knox Asset Intelligence (KAI) solution.
2. STEP 1 - Create and register an Entra Application
Note: This Data Connector can support either Certificate-based or Client Secret-based authentication. For Certificate-based authentication, you can download the Samsung CA-signed certificate (public key) from KAI documentation portal. For Client Secret-based authentication, you can create the secret during the Entra application registration. Ensure you copy the Client Secret value as soon as it is generated.
IMPORTANT: Save the values for Tenant (Directory) ID and Client (Application) ID. If Client Secret-based authentication is enabled, save Client Secret (Secret Value) associated with the Entra app.
3. STEP 2 - Automate deployment of this Data Connector using the below Azure Resource Manager (ARM) template
IMPORTANT: Before deploying the Data Connector, copy the below Workspace name associated with your Microsoft Sentinel (also your Log Analytics) instance. - Workspace Name:
WorkspaceNameNote: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel.
-
Click the button below to install Samsung Knox Intelligence Solution.
\n2. Provide the following required fields: Log Analytics Workspace Name, Log Analytics Workspace Location, Log Analytics Workspace Subscription (ID) and Log Analytics Workspace Resource Group.
5. STEP 3 - Obtain Microsoft Sentinel Data Collection details
Once the ARM template is deployed, navigate to Data Collection Rules https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules? and save values associated with the Immutable ID (DCR) and Data Collection Endpoint (DCE).
IMPORTANT: To enable end-to-end integration, information related to Microsoft Sentinel DCE and DCR are required for configuration in Samsung Knox Asset Intelligence portal (STEP 4).
Ensure the Entra Application created in STEP 1 has permissions to use the DCR created in order to send data to the DCE. Please refer to https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#assign-permissions-to-the-dcr to assign permissions accordingly.
6. STEP 4 - Connect to Samsung Knox Asset Intelligence solution to configure Microsoft Sentinel to push select Knox Security Events as Alerts
-
Login to Knox Asset Intelligence administration portal and navigate to Dashboard Settings; this is available at the top-right corner of the Portal.
Note: Ensure the login user has access to 'Security' and 'Manage dashboard view and data collection' permissions.
-
Click on Security tab to view settings for Microsoft Sentinel Integration and Knox Security Logs.
-
In the Security Operations Integration page, toggle on 'Enable Microsoft Sentinel Integration' and enter appropriate values in the required fields.
a. Based on the authentication method used, refer to information saved from STEP 1 while registering the Entra application.
b. For Microsoft Sentinel DCE and DCR, refer to the information saved from STEP 3.
-
Click on 'Test Connection' and ensure the connection is successful.
-
Before you can Save, configure Knox Security Logs by selecting either Essential or Advanced configuration (default: Essential).
-
To complete the Microsoft Sentinel integration, click 'Save'.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊