Configure Knox Asset Intelligence

Last updated April 28th, 2025

This step requires data from your Sentinel environment. Do not proceed unless you’ve completed all of the steps in the Sentinel configuration process.

Connect to Sentinel

After you’ve configured Sentinel, you’re ready to configure your Knox Asset Intelligence console. From your Dashboard Settings, do the following:

  1. Go to the Security tab, then enable Microsoft Sentinel Integration.

  2. Enter your Sentinel deployment data in the appropriate fields.

    • Azure tenant ID = Directory ID in Entra ID applications.

    • Client ID = Application ID in Entra ID applications.

    • Client secret = Secret ID in Entra ID applications.

      If you set up Certificate authentication in your Entra ID app, click the Certificate-based authentication method and skip this field.

    • Sentinel URL (Data Collection Endpoint) = Log ingestion URL in Sentinel data connectors.

    • Sentinel Data Collections Rule (DCR) ID = Immutable ID in Sentinel data connectors.

  3. Click TEST CONNECTION. If the information you entered matches the data in your Sentinel environment, then you’ll see a Connected status.
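A pre-flight check for the values from step 2, useful for catching paste errors before you click TEST CONNECTION. This is an added example, not Samsung Knox or Microsoft code. The function name, the sample values, and the format rules are assumptions: GUID-shaped IDs, an https ingestion host containing `.ingest.monitor.`, and a `dcr-` prefix followed by 32 hex characters.

```python
import re
import uuid
from urllib.parse import urlparse

# Assumption: a DCR Immutable ID is "dcr-" followed by 32 hex characters.
DCR_IMMUTABLE_ID = re.compile(r"dcr-[0-9a-f]{32}", re.IGNORECASE)

def _is_guid(value):
    """True for a canonical hyphenated GUID (Directory ID, Application ID)."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False

def check_kai_sentinel_fields(tenant_id, client_id, sentinel_url, dcr_id,
                              client_secret=None, use_certificate=False):
    """Hypothetical helper: return a list of problems; empty means none found."""
    problems = []
    if not _is_guid(tenant_id):
        problems.append("tenant_id: expected the Directory ID GUID")
    if not _is_guid(client_id):
        problems.append("client_id: expected the Application ID GUID")
    elif client_id.lower() == tenant_id.lower():
        problems.append("client_id: identical to tenant_id, likely pasted twice")
    # The secret is skipped only when certificate-based authentication is used.
    if not use_certificate and not client_secret:
        problems.append("client_secret: required unless certificate auth is used")
    url = urlparse(sentinel_url)
    if url.scheme != "https":
        problems.append("sentinel_url: must be an https URL")
    elif ".ingest.monitor." not in (url.hostname or ""):
        problems.append("sentinel_url: host is not a log ingestion endpoint")
    # A frequent mix-up: the ARM resource ID instead of the Immutable ID.
    if dcr_id.startswith("/subscriptions/"):
        problems.append("dcr_id: this is the resource ID, not the Immutable ID")
    elif not DCR_IMMUTABLE_ID.fullmatch(dcr_id):
        problems.append("dcr_id: expected 'dcr-' followed by 32 hex characters")
    return problems

# Constructed sample values, not taken from any real tenant.
SAMPLE = {
    "tenant_id": "11111111-2222-3333-4444-555555555555",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed-placeholder-secret",
    "sentinel_url": "https://kai-dce-ab12.eastus-1.ingest.monitor.azure.com",
    "dcr_id": "dcr-0123456789abcdef0123456789abcdef",
}

if __name__ == "__main__":
    print(check_kai_sentinel_fields(**SAMPLE) or "no problems found")
```

The check never prints or logs the client secret; it only confirms that one was supplied.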

Configure Security log settings

After you’ve established a connection with Sentinel, you can choose which events get sent to your Security Operations Center. To do this:

  1. (Optional) Select the device groups you want to send data for. If no groups are selected, then security events will be sent for all devices in the fleet.

  2. Select your event types:

    • Essential Security Events include a list of signals curated by the Samsung Knox team that balances both device performance and log pressure in your Sentinel environment.

    • Advanced Configuration includes several additional advanced event types. You can choose to send only these additional events, or send all security event signals to your Sentinel environment. Note that selecting all events will increase your log sizes and Sentinel data consumption.

  3. Click SAVE to confirm your security log settings.