Unauthorized remote access to the network Microsoft Defender for IoT

SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName == "Unauthorized SSH Access"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId), 
         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
         Protocol = tostring(ExtendedProperties.Protocol), 
         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
  TimeGenerated,
  DeviceId,
  ProductName,
  ProductComponentName,
  AlertSeverity,
  AlertName,
  Description,
  Protocol,
  SourceDeviceAddress,
  DestDeviceAddress,
  RemediationSteps,
  Tactics,
  Entities,
  VendorOriginalId,
  AlertLink,
  AlertManagementUri,
  Techniques

description: |
    'This alert leverages Defender for IoT to detect unauthorized remote access to network devices, if another device on the network is compromised, target devices can be accessed remotely, increasing the attack surface.'
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedRemoteAccess.yaml
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: RemediationSteps
    value: RemediationSteps
  - alertProperty: Techniques
    value: Techniques
  - alertProperty: ProductComponentName
    value: ProductComponentName
  - alertProperty: AlertLink
    value: AlertLink
  alertDescriptionFormat: (MDIoT) {{Description}}
  alertDisplayNameFormat: (MDIoT) {{AlertName}}
  alertSeverityColumnName: AlertSeverity
  alertTacticsColumnName: Tactics
status: Available
triggerOperator: gt
severity: Medium
relevantTechniques:
- T0886
triggerThreshold: 0
name: Unauthorized remote access to the network (Microsoft Defender for IoT)
customDetails:
  Sensor: DeviceId
  AlertManagementUri: AlertManagementUri
  Protocol: Protocol
  VendorOriginalId: VendorOriginalId
entityMappings: 
requiredDataConnectors:
- connectorId: IoT
  dataTypes:
  - SecurityAlert (ASC for IoT)
id: 1ff4fa3d-150b-4c87-b733-26c289af0d49
queryPeriod: 1h
tactics:
- InitialAccess
sentinelEntitiesMappings:
- columnName: Entities
version: 1.0.3
query: |
  SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName == "Unauthorized SSH Access"
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques