let alertList = dynamic(["Malware", "Suspicion of Malicious Activity", "Invalid SMB Message (DoublePulsar Backdoor Implant)", "Connection Attempt to Known Malicious IP", "Malicious Domain Name Request", "Suspicion of Remote Code Execution with PsExec", "Suspicion of Remote Windows Service Management", "Suspicious Executable File Detected on Endpoint", "Suspicious Traffic Detected"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList)
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
alertDetailsOverride:
alertSeverityColumnName: AlertSeverity
alertTacticsColumnName: Tactics
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: RemediationSteps
value: RemediationSteps
- alertProperty: Techniques
value: Techniques
- alertProperty: ProductComponentName
value: ProductComponentName
- alertProperty: AlertLink
value: AlertLink
alertDisplayNameFormat: (MDIoT) {{AlertName}}
alertDescriptionFormat: (MDIoT) {{Description}}
relevantTechniques:
- T0882
name: Suspicious malware found in the network (Microsoft Defender for IoT)
queryFrequency: 5m
version: 1.0.3
triggerThreshold: 0
severity: High
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
tactics:
- Impact
sentinelEntitiesMappings:
- columnName: Entities
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTMalware.yaml
query: |
let alertList = dynamic(["Malware", "Suspicion of Malicious Activity", "Invalid SMB Message (DoublePulsar Backdoor Implant)", "Connection Attempt to Known Malicious IP", "Malicious Domain Name Request", "Suspicion of Remote Code Execution with PsExec", "Suspicion of Remote Windows Service Management", "Suspicious Executable File Detected on Endpoint", "Suspicious Traffic Detected"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList)
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
kind: Scheduled
entityMappings:
queryPeriod: 5m
triggerOperator: gt
customDetails:
VendorOriginalId: VendorOriginalId
Sensor: DeviceId
AlertManagementUri: AlertManagementUri
Protocol: Protocol
eventGroupingSettings:
aggregationKind: AlertPerResult
id: 6fb1acd5-356d-40f7-9b97-78d993c6a183
status: Available
description: |
'This alert leverages Defender for IoT to detect IoT/OT malware found on the network indicating possible attempts to compromise production systems.'
