Unauthorized remote access to the network Microsoft Defender for IoT

SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName == "Unauthorized SSH Access"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId), 
         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
         Protocol = tostring(ExtendedProperties.Protocol), 
         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
  TimeGenerated,
  DeviceId,
  ProductName,
  ProductComponentName,
  AlertSeverity,
  AlertName,
  Description,
  Protocol,
  SourceDeviceAddress,
  DestDeviceAddress,
  RemediationSteps,
  Tactics,
  Entities,
  VendorOriginalId,
  AlertLink,
  AlertManagementUri,
  Techniques

description: |
    'This alert leverages Defender for IoT to detect unauthorized remote access to network devices, if another device on the network is compromised, target devices can be accessed remotely, increasing the attack surface.'
version: 1.0.3
tactics:
- InitialAccess
queryFrequency: 1h
query: |
  SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName == "Unauthorized SSH Access"
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques  
status: Available
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
customDetails:
  VendorOriginalId: VendorOriginalId
  AlertManagementUri: AlertManagementUri
  Protocol: Protocol
  Sensor: DeviceId
sentinelEntitiesMappings:
- columnName: Entities
alertDetailsOverride:
  alertDisplayNameFormat: (MDIoT) {{AlertName}}
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: RemediationSteps
    alertProperty: RemediationSteps
  - value: Techniques
    alertProperty: Techniques
  - value: ProductComponentName
    alertProperty: ProductComponentName
  - value: AlertLink
    alertProperty: AlertLink
  alertDescriptionFormat: (MDIoT) {{Description}}
  alertTacticsColumnName: Tactics
  alertSeverityColumnName: AlertSeverity
relevantTechniques:
- T0886
id: 1ff4fa3d-150b-4c87-b733-26c289af0d49
queryPeriod: 1h
entityMappings: 
eventGroupingSettings:
  aggregationKind: AlertPerResult
severity: Medium
name: Unauthorized remote access to the network (Microsoft Defender for IoT)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedRemoteAccess.yaml
requiredDataConnectors:
- dataTypes:
  - SecurityAlert (ASC for IoT)
  connectorId: IoT