Unauthorized remote access to the network (Microsoft Defender for IoT)
| Id | 1ff4fa3d-150b-4c87-b733-26c289af0d49 |
| Rulename | Unauthorized remote access to the network (Microsoft Defender for IoT) |
| Description | This alert leverages Defender for IoT to detect unauthorized remote access to network devices, if another device on the network is compromised, target devices can be accessed remotely, increasing the attack surface. |
| Severity | Medium |
| Tactics | InitialAccess |
| Techniques | T0886 |
| Required data connectors | IoT |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedRemoteAccess.yaml |
| Version | 1.0.1 |
| Arm template | 1ff4fa3d-150b-4c87-b733-26c289af0d49.json |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName == "Unauthorized SSH Access"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
severity: Medium
queryFrequency: 1h
relevantTechniques:
- T0886
tactics:
- InitialAccess
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.1
alertDetailsOverride:
alertDescriptionFormat: (MDIoT) {{Description}}
alertDisplayNameFormat: (MDIoT) {{AlertName}}
alertTacticsColumnName: Tactics
alertSeverityColumnName: AlertSeverity
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: RemediationSteps
value: RemediationSteps
- alertProperty: Techniques
value: Techniques
- alertProperty: ProductComponentName
value: ProductComponentName
- alertProperty: AlertLink
value: AlertLink
customDetails:
VendorOriginalId: VendorOriginalId
Protocol: Protocol
AlertManagementUri: AlertManagementUri
Sensor: DeviceId
query: |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName == "Unauthorized SSH Access"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedRemoteAccess.yaml
queryPeriod: 1h
status: Available
sentinelEntitiesMappings:
- columnName: Entities
name: Unauthorized remote access to the network (Microsoft Defender for IoT)
kind: Scheduled
requiredDataConnectors:
- dataTypes:
- SecurityAlert (ASC for IoT)
connectorId: IoT
triggerOperator: gt
entityMappings:
id: 1ff4fa3d-150b-4c87-b733-26c289af0d49
description: |
'This alert leverages Defender for IoT to detect unauthorized remote access to network devices, if another device on the network is compromised, target devices can be accessed remotely, increasing the attack surface.'
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1ff4fa3d-150b-4c87-b733-26c289af0d49')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1ff4fa3d-150b-4c87-b733-26c289af0d49')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Unauthorized remote access to the network (Microsoft Defender for IoT)",
"description": "'This alert leverages Defender for IoT to detect unauthorized remote access to network devices, if another device on the network is compromised, target devices can be accessed remotely, increasing the attack surface.'\n",
"severity": "Medium",
"enabled": true,
"query": "SecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName == \"Unauthorized SSH Access\"\n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n Protocol = tostring(ExtendedProperties.Protocol), \n AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n TimeGenerated,\n DeviceId,\n ProductName,\n ProductComponentName,\n AlertSeverity,\n AlertName,\n Description,\n Protocol,\n SourceDeviceAddress,\n DestDeviceAddress,\n RemediationSteps,\n Tactics,\n Entities,\n VendorOriginalId,\n AlertLink,\n AlertManagementUri,\n Techniques\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T0886"
],
"alertRuleTemplateName": "1ff4fa3d-150b-4c87-b733-26c289af0d49",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "(MDIoT) {{Description}}",
"alertSeverityColumnName": "AlertSeverity",
"alertDisplayNameFormat": "(MDIoT) {{AlertName}}",
"alertDynamicProperties": [
{
"value": "ProductName",
"alertProperty": "ProductName"
},
{
"value": "RemediationSteps",
"alertProperty": "RemediationSteps"
},
{
"value": "Techniques",
"alertProperty": "Techniques"
},
{
"value": "ProductComponentName",
"alertProperty": "ProductComponentName"
},
{
"value": "AlertLink",
"alertProperty": "AlertLink"
}
],
"alertTacticsColumnName": "Tactics"
},
"customDetails": {
"VendorOriginalId": "VendorOriginalId",
"Sensor": "DeviceId",
"Protocol": "Protocol",
"AlertManagementUri": "AlertManagementUri"
},
"entityMappings": null,
"sentinelEntitiesMappings": [
{
"columnName": "Entities"
}
],
"templateVersion": "1.0.1",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedRemoteAccess.yaml",
"status": "Available"
}
}
]
}