Unauthorized remote access to the network Microsoft Defender for IoT

SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName == "Unauthorized SSH Access"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId), 
         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
         Protocol = tostring(ExtendedProperties.Protocol), 
         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
  TimeGenerated,
  DeviceId,
  ProductName,
  ProductComponentName,
  AlertSeverity,
  AlertName,
  Description,
  Protocol,
  SourceDeviceAddress,
  DestDeviceAddress,
  RemediationSteps,
  Tactics,
  Entities,
  VendorOriginalId,
  AlertLink,
  AlertManagementUri,
  Techniques

description: |
    'This alert leverages Defender for IoT to detect unauthorized remote access to network devices, if another device on the network is compromised, target devices can be accessed remotely, increasing the attack surface.'
version: 1.0.3
triggerThreshold: 0
tactics:
- InitialAccess
alertDetailsOverride:
  alertDisplayNameFormat: (MDIoT) {{AlertName}}
  alertTacticsColumnName: Tactics
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: RemediationSteps
    value: RemediationSteps
  - alertProperty: Techniques
    value: Techniques
  - alertProperty: ProductComponentName
    value: ProductComponentName
  - alertProperty: AlertLink
    value: AlertLink
  alertSeverityColumnName: AlertSeverity
  alertDescriptionFormat: (MDIoT) {{Description}}
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedRemoteAccess.yaml
triggerOperator: gt
status: Available
sentinelEntitiesMappings:
- columnName: Entities
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 1ff4fa3d-150b-4c87-b733-26c289af0d49
name: Unauthorized remote access to the network (Microsoft Defender for IoT)
queryFrequency: 1h
severity: Medium
customDetails:
  VendorOriginalId: VendorOriginalId
  Protocol: Protocol
  AlertManagementUri: AlertManagementUri
  Sensor: DeviceId
kind: Scheduled
entityMappings: 
relevantTechniques:
- T0886
query: |
  SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName == "Unauthorized SSH Access"
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques  
requiredDataConnectors:
- dataTypes:
  - SecurityAlert (ASC for IoT)
  connectorId: IoT