Suspicious malware found in the network Microsoft Defender for IoT
| Id | 6fb1acd5-356d-40f7-9b97-78d993c6a183 |
| Rulename | Suspicious malware found in the network (Microsoft Defender for IoT) |
| Description | This alert leverages Defender for IoT to detect IoT/OT malware found on the network indicating possible attempts to compromise production systems. |
| Severity | High |
| Tactics | Impact |
| Techniques | T0882 |
| Required data connectors | IoT |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTMalware.yaml |
| Version | 1.0.3 |
| Arm template | 6fb1acd5-356d-40f7-9b97-78d993c6a183.json |
let alertList = dynamic(["Malware", "Suspicion of Malicious Activity", "Invalid SMB Message (DoublePulsar Backdoor Implant)", "Connection Attempt to Known Malicious IP", "Malicious Domain Name Request", "Suspicion of Remote Code Execution with PsExec", "Suspicion of Remote Windows Service Management", "Suspicious Executable File Detected on Endpoint", "Suspicious Traffic Detected"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList)
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
customDetails:
Protocol: Protocol
AlertManagementUri: AlertManagementUri
VendorOriginalId: VendorOriginalId
Sensor: DeviceId
status: Available
id: 6fb1acd5-356d-40f7-9b97-78d993c6a183
alertDetailsOverride:
alertDescriptionFormat: (MDIoT) {{Description}}
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: RemediationSteps
value: RemediationSteps
- alertProperty: Techniques
value: Techniques
- alertProperty: ProductComponentName
value: ProductComponentName
- alertProperty: AlertLink
value: AlertLink
alertDisplayNameFormat: (MDIoT) {{AlertName}}
alertTacticsColumnName: Tactics
alertSeverityColumnName: AlertSeverity
query: |
let alertList = dynamic(["Malware", "Suspicion of Malicious Activity", "Invalid SMB Message (DoublePulsar Backdoor Implant)", "Connection Attempt to Known Malicious IP", "Malicious Domain Name Request", "Suspicion of Remote Code Execution with PsExec", "Suspicion of Remote Windows Service Management", "Suspicious Executable File Detected on Endpoint", "Suspicious Traffic Detected"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList)
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTMalware.yaml
description: |
'This alert leverages Defender for IoT to detect IoT/OT malware found on the network indicating possible attempts to compromise production systems.'
name: Suspicious malware found in the network (Microsoft Defender for IoT)
relevantTechniques:
- T0882
entityMappings:
triggerThreshold: 0
severity: High
requiredDataConnectors:
- dataTypes:
- SecurityAlert (ASC for IoT)
connectorId: IoT
eventGroupingSettings:
aggregationKind: AlertPerResult
sentinelEntitiesMappings:
- columnName: Entities
queryFrequency: 5m
queryPeriod: 5m
version: 1.0.3
kind: Scheduled
tactics:
- Impact
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6fb1acd5-356d-40f7-9b97-78d993c6a183')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6fb1acd5-356d-40f7-9b97-78d993c6a183')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "(MDIoT) {{Description}}",
"alertDisplayNameFormat": "(MDIoT) {{AlertName}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "RemediationSteps",
"value": "RemediationSteps"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
},
{
"alertProperty": "ProductComponentName",
"value": "ProductComponentName"
},
{
"alertProperty": "AlertLink",
"value": "AlertLink"
}
],
"alertSeverityColumnName": "AlertSeverity",
"alertTacticsColumnName": "Tactics"
},
"alertRuleTemplateName": "6fb1acd5-356d-40f7-9b97-78d993c6a183",
"customDetails": {
"AlertManagementUri": "AlertManagementUri",
"Protocol": "Protocol",
"Sensor": "DeviceId",
"VendorOriginalId": "VendorOriginalId"
},
"description": "'This alert leverages Defender for IoT to detect IoT/OT malware found on the network indicating possible attempts to compromise production systems.'\n",
"displayName": "Suspicious malware found in the network (Microsoft Defender for IoT)",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTMalware.yaml",
"query": "let alertList = dynamic([\"Malware\", \"Suspicion of Malicious Activity\", \"Invalid SMB Message (DoublePulsar Backdoor Implant)\", \"Connection Attempt to Known Malicious IP\", \"Malicious Domain Name Request\", \"Suspicion of Remote Code Execution with PsExec\", \"Suspicion of Remote Windows Service Management\", \"Suspicious Executable File Detected on Endpoint\", \"Suspicious Traffic Detected\"]);\nSecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName has_any (alertList) \n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n Protocol = tostring(ExtendedProperties.Protocol), \n AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n TimeGenerated,\n DeviceId,\n ProductName,\n ProductComponentName,\n AlertSeverity,\n AlertName,\n Description,\n Protocol,\n SourceDeviceAddress,\n DestDeviceAddress,\n RemediationSteps,\n Tactics,\n Entities,\n VendorOriginalId,\n AlertLink,\n AlertManagementUri,\n Techniques\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"sentinelEntitiesMappings": [
{
"columnName": "Entities"
}
],
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": null,
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}