Unauthorized remote access to the network Microsoft Defender for IoT
| Id | 1ff4fa3d-150b-4c87-b733-26c289af0d49 |
| Rulename | Unauthorized remote access to the network (Microsoft Defender for IoT) |
| Description | This alert leverages Defender for IoT to detect unauthorized remote access to network devices, if another device on the network is compromised, target devices can be accessed remotely, increasing the attack surface. |
| Severity | Medium |
| Tactics | InitialAccess |
| Techniques | T0886 |
| Required data connectors | IoT |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedRemoteAccess.yaml |
| Version | 1.0.3 |
| Arm template | 1ff4fa3d-150b-4c87-b733-26c289af0d49.json |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName == "Unauthorized SSH Access"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
queryFrequency: 1h
eventGroupingSettings:
aggregationKind: AlertPerResult
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
alertDetailsOverride:
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: RemediationSteps
alertProperty: RemediationSteps
- value: Techniques
alertProperty: Techniques
- value: ProductComponentName
alertProperty: ProductComponentName
- value: AlertLink
alertProperty: AlertLink
alertSeverityColumnName: AlertSeverity
alertDescriptionFormat: (MDIoT) {{Description}}
alertDisplayNameFormat: (MDIoT) {{AlertName}}
alertTacticsColumnName: Tactics
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedRemoteAccess.yaml
query: |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName == "Unauthorized SSH Access"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
entityMappings:
relevantTechniques:
- T0886
name: Unauthorized remote access to the network (Microsoft Defender for IoT)
description: |
'This alert leverages Defender for IoT to detect unauthorized remote access to network devices, if another device on the network is compromised, target devices can be accessed remotely, increasing the attack surface.'
severity: Medium
queryPeriod: 1h
sentinelEntitiesMappings:
- columnName: Entities
triggerOperator: gt
customDetails:
VendorOriginalId: VendorOriginalId
Protocol: Protocol
AlertManagementUri: AlertManagementUri
Sensor: DeviceId
kind: Scheduled
status: Available
tactics:
- InitialAccess
id: 1ff4fa3d-150b-4c87-b733-26c289af0d49
version: 1.0.3
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1ff4fa3d-150b-4c87-b733-26c289af0d49')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1ff4fa3d-150b-4c87-b733-26c289af0d49')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "(MDIoT) {{Description}}",
"alertDisplayNameFormat": "(MDIoT) {{AlertName}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "RemediationSteps",
"value": "RemediationSteps"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
},
{
"alertProperty": "ProductComponentName",
"value": "ProductComponentName"
},
{
"alertProperty": "AlertLink",
"value": "AlertLink"
}
],
"alertSeverityColumnName": "AlertSeverity",
"alertTacticsColumnName": "Tactics"
},
"alertRuleTemplateName": "1ff4fa3d-150b-4c87-b733-26c289af0d49",
"customDetails": {
"AlertManagementUri": "AlertManagementUri",
"Protocol": "Protocol",
"Sensor": "DeviceId",
"VendorOriginalId": "VendorOriginalId"
},
"description": "'This alert leverages Defender for IoT to detect unauthorized remote access to network devices, if another device on the network is compromised, target devices can be accessed remotely, increasing the attack surface.'\n",
"displayName": "Unauthorized remote access to the network (Microsoft Defender for IoT)",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedRemoteAccess.yaml",
"query": "SecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName == \"Unauthorized SSH Access\"\n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n Protocol = tostring(ExtendedProperties.Protocol), \n AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n TimeGenerated,\n DeviceId,\n ProductName,\n ProductComponentName,\n AlertSeverity,\n AlertName,\n Description,\n Protocol,\n SourceDeviceAddress,\n DestDeviceAddress,\n RemediationSteps,\n Tactics,\n Entities,\n VendorOriginalId,\n AlertLink,\n AlertManagementUri,\n Techniques\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"sentinelEntitiesMappings": [
{
"columnName": "Entities"
}
],
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": null,
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}