
Testing guide

Last updated April 28th, 2025

After you’ve configured both your Microsoft Sentinel and Knox Asset Intelligence environments, you can perform a series of tests to verify that the integration was successful. The following scenarios let you validate three of the most common security events in your Sentinel environment:

Scenario 1: Insider threat

  • Objective: Monitor for malicious events from privileged insiders to detect threats in near real-time.
  • Use case: A SOC analyst can triage alerts associated with unauthorized use of the device admin role.
  • Prerequisite: Enable the following Advanced security events in the Knox Asset Intelligence console:
    • TAG_PACKAGE_NAME_HAS_BEEN_ACTIVATED_AS_ADMIN
    • TAG_PACKAGE_NAME_HAS_BEEN_REMOVED_AS_ADMIN

Steps to generate events

  1. On the device, launch the Settings app.
  2. Go to Security & Privacy > More Security Settings.
  3. Under Device Admin Apps, toggle any pre-installed app (for example, Find My Device) on and off to simulate the admin action.

Events detected

  • TAG_PACKAGE_NAME_HAS_BEEN_ACTIVATED_AS_ADMIN
  • TAG_PACKAGE_NAME_HAS_BEEN_REMOVED_AS_ADMIN

Expected behavior in Sentinel

The above device events will be available in Sentinel (after about 1-2 hours) in both the Workbook and Logs (detailed).


Scenario 2: Suspicious URL Detection

  • Objective: Detect whether the user accessed any potentially malicious URLs on the device.

  • Use case: A SOC analyst can monitor suspicious URLs encountered on several devices, which can indicate a potential (unsanctioned) threat.

  • Prerequisite: Enable the following Advanced security events in the Knox Asset Intelligence console:

    • SUSPICIOUS_URL_ACCESSED

Steps to generate events

  1. On the device, open any messaging app, for example Messenger or WhatsApp.
  2. Enter the test URL(s) and tap Send.
  3. Tap the URL in the same conversation window.

Events detected

  • SUSPICIOUS_URL_ACCESSED (user tap)

Expected behavior in Sentinel

The above device events will be available in Sentinel (after about 1-2 hours) in both the Workbook and Logs (detailed).


Scenario 3: Accessibility API Misuse

  • Objective: Detect malicious use of accessibility APIs to alert security teams to undetected and emerging threats.

  • Use case: A SOC analyst can monitor whether accessibility APIs are being invoked by unauthorized apps with malicious intent.

  • Prerequisite: Enable the following Essential and Advanced security events in the Knox Asset Intelligence console:

    • USER_INTERACTION_CONTROL_CAPABILITY
    • PREVENT_APP_REMOVAL_CAPABILITY

Steps to generate events

You’ll need to select apps that enable accessibility services and perform actions such as screen capture, text key input, the global Back action, etc.

  1. On the device, open the Settings app, then go to Accessibility > Interaction and dexterity > Voice Access.
  2. Turn on the feature, then allow the requested permissions.
  3. Start Voice Access from Quick Settings (swipe down from the top of the screen) and give commands, for example “Open Chrome”, “Go Home”, or “Go back”.

Events detected

  • USER_INTERACTION_CONTROL_CAPABILITY
  • PREVENT_APP_REMOVAL_CAPABILITY

Expected behavior in Sentinel

The above device events will be available in Sentinel (after about 1-2 hours) in both the Workbook and Logs (detailed).
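Once the events from the three scenarios are visible in Sentinel Logs, the use cases above amount to three triage rules: an unapproved package gaining the device admin role (or an approved one losing it), the same suspicious URL being tapped on several devices, and an unapproved package exercising accessibility capabilities. The following is an added example, not code from Samsung Knox or Microsoft, that applies those rules to constructed event records in Python so you can see what each scenario should surface. The record field names (`timestamp`, `device_id`, `package`, `event`, `url`), the package names and the allowlists are assumptions for illustration; the real Sentinel table and column names may differ, and in production this logic would live in a KQL analytics rule.

```python
"""Triage of Knox Asset Intelligence security events, as an illustration.

Added example: record field names, package names and allowlists below are
constructed assumptions, not the Knox Asset Intelligence or Sentinel schema.
"""
from collections import defaultdict

# Event tags named in the testing guide.
ADMIN_ACTIVATED = "TAG_PACKAGE_NAME_HAS_BEEN_ACTIVATED_AS_ADMIN"
ADMIN_REMOVED = "TAG_PACKAGE_NAME_HAS_BEEN_REMOVED_AS_ADMIN"
SUSPICIOUS_URL = "SUSPICIOUS_URL_ACCESSED"
ACCESSIBILITY_TAGS = {
    "USER_INTERACTION_CONTROL_CAPABILITY",
    "PREVENT_APP_REMOVAL_CAPABILITY",
}

# Hypothetical allowlists an organization would maintain.
APPROVED_ADMIN_PACKAGES = {"com.example.mdmagent"}
APPROVED_ACCESSIBILITY_PACKAGES = {"com.example.voiceaccess"}

# Constructed sample events (not real telemetry). ".invalid" is a reserved TLD.
SAMPLE_EVENTS = [
    {"timestamp": "2025-04-28T10:00:00Z", "device_id": "dev-01",
     "package": "com.example.mdmagent", "event": ADMIN_ACTIVATED},
    {"timestamp": "2025-04-28T10:05:00Z", "device_id": "dev-01",
     "package": "com.example.unknownapp", "event": ADMIN_ACTIVATED},
    {"timestamp": "2025-04-28T10:07:00Z", "device_id": "dev-02",
     "package": "com.example.mdmagent", "event": ADMIN_REMOVED},
    {"timestamp": "2025-04-28T10:10:00Z", "device_id": "dev-01",
     "event": SUSPICIOUS_URL, "url": "https://example.invalid/a"},
    {"timestamp": "2025-04-28T10:11:00Z", "device_id": "dev-02",
     "event": SUSPICIOUS_URL, "url": "https://example.invalid/a"},
    {"timestamp": "2025-04-28T10:12:00Z", "device_id": "dev-03",
     "event": SUSPICIOUS_URL, "url": "https://example.invalid/b"},
    {"timestamp": "2025-04-28T10:20:00Z", "device_id": "dev-03",
     "package": "com.example.voiceaccess",
     "event": "USER_INTERACTION_CONTROL_CAPABILITY"},
    {"timestamp": "2025-04-28T10:21:00Z", "device_id": "dev-03",
     "package": "com.example.overlay",
     "event": "PREVENT_APP_REMOVAL_CAPABILITY"},
]


def triage(events, url_device_threshold=2):
    """Return a list of alert dicts for the three scenarios in the guide.

    Scenario 1: device admin role granted to an unapproved package, or
                removed from an approved one (e.g. the management agent).
    Scenario 2: the same suspicious URL tapped on at least
                url_device_threshold distinct devices.
    Scenario 3: accessibility capability exercised by an unapproved package.
    """
    alerts = []
    devices_per_url = defaultdict(set)

    for e in events:
        tag = e["event"]
        pkg = e.get("package")
        if tag == ADMIN_ACTIVATED and pkg not in APPROVED_ADMIN_PACKAGES:
            alerts.append({"scenario": 1, "device_id": e["device_id"],
                           "package": pkg, "reason": "unapproved admin activation",
                           "timestamp": e["timestamp"]})
        elif tag == ADMIN_REMOVED and pkg in APPROVED_ADMIN_PACKAGES:
            alerts.append({"scenario": 1, "device_id": e["device_id"],
                           "package": pkg, "reason": "approved admin removed",
                           "timestamp": e["timestamp"]})
        elif tag == SUSPICIOUS_URL:
            # Aggregate first; the alert depends on how many devices saw the URL.
            devices_per_url[e["url"]].add(e["device_id"])
        elif tag in ACCESSIBILITY_TAGS and pkg not in APPROVED_ACCESSIBILITY_PACKAGES:
            alerts.append({"scenario": 3, "device_id": e["device_id"],
                           "package": pkg, "reason": tag,
                           "timestamp": e["timestamp"]})

    for url, devices in devices_per_url.items():
        if len(devices) >= url_device_threshold:
            alerts.append({"scenario": 2, "url": url,
                           "devices": sorted(devices),
                           "reason": "suspicious URL seen on multiple devices"})
    return alerts


def count_by_scenario(alerts):
    """Summarize alerts as {scenario_number: count}."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["scenario"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the routine raises two scenario 1 alerts (an unknown package activated as admin on dev-01, the management agent removed as admin on dev-02), one scenario 2 alert for the URL tapped on both dev-01 and dev-02, and one scenario 3 alert for the unapproved package using an accessibility capability on dev-03; the URL seen on only one device and the approved packages produce nothing. The same threshold and allowlist checks are what you would encode in a Sentinel analytics rule once you have confirmed the field names in the Logs (detailed) view.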
