Unauthorized remote access to the network Microsoft Defender for IoT

SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName == "Unauthorized SSH Access"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId), 
         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
         Protocol = tostring(ExtendedProperties.Protocol), 
         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
  TimeGenerated,
  DeviceId,
  ProductName,
  ProductComponentName,
  AlertSeverity,
  AlertName,
  Description,
  Protocol,
  SourceDeviceAddress,
  DestDeviceAddress,
  RemediationSteps,
  Tactics,
  Entities,
  VendorOriginalId,
  AlertLink,
  AlertManagementUri,
  Techniques

queryPeriod: 1h
requiredDataConnectors:
- connectorId: IoT
  dataTypes:
  - SecurityAlert (ASC for IoT)
severity: Medium
triggerOperator: gt
customDetails:
  AlertManagementUri: AlertManagementUri
  Protocol: Protocol
  Sensor: DeviceId
  VendorOriginalId: VendorOriginalId
entityMappings: 
version: 1.0.3
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T0886
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedRemoteAccess.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName == "Unauthorized SSH Access"
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques  
id: 1ff4fa3d-150b-4c87-b733-26c289af0d49
name: Unauthorized remote access to the network (Microsoft Defender for IoT)
status: Available
description: |
    'This alert leverages Defender for IoT to detect unauthorized remote access to network devices, if another device on the network is compromised, target devices can be accessed remotely, increasing the attack surface.'
alertDetailsOverride:
  alertSeverityColumnName: AlertSeverity
  alertTacticsColumnName: Tactics
  alertDisplayNameFormat: (MDIoT) {{AlertName}}
  alertDescriptionFormat: (MDIoT) {{Description}}
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: RemediationSteps
    value: RemediationSteps
  - alertProperty: Techniques
    value: Techniques
  - alertProperty: ProductComponentName
    value: ProductComponentName
  - alertProperty: AlertLink
    value: AlertLink
kind: Scheduled
sentinelEntitiesMappings:
- columnName: Entities
queryFrequency: 1h