Suspicious malware found in the network Microsoft Defender for IoT
| Id | 6fb1acd5-356d-40f7-9b97-78d993c6a183 |
| Rulename | Suspicious malware found in the network (Microsoft Defender for IoT) |
| Description | This alert leverages Defender for IoT to detect IoT/OT malware found on the network indicating possible attempts to compromise production systems. |
| Severity | High |
| Tactics | Impact |
| Techniques | T0882 |
| Required data connectors | IoT |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTMalware.yaml |
| Version | 1.0.3 |
| Arm template | 6fb1acd5-356d-40f7-9b97-78d993c6a183.json |
let alertList = dynamic(["Malware", "Suspicion of Malicious Activity", "Invalid SMB Message (DoublePulsar Backdoor Implant)", "Connection Attempt to Known Malicious IP", "Malicious Domain Name Request", "Suspicion of Remote Code Execution with PsExec", "Suspicion of Remote Windows Service Management", "Suspicious Executable File Detected on Endpoint", "Suspicious Traffic Detected"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList)
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
severity: High
version: 1.0.3
requiredDataConnectors:
- dataTypes:
- SecurityAlert (ASC for IoT)
connectorId: IoT
id: 6fb1acd5-356d-40f7-9b97-78d993c6a183
name: Suspicious malware found in the network (Microsoft Defender for IoT)
customDetails:
AlertManagementUri: AlertManagementUri
Protocol: Protocol
Sensor: DeviceId
VendorOriginalId: VendorOriginalId
status: Available
relevantTechniques:
- T0882
entityMappings:
triggerThreshold: 0
queryPeriod: 5m
query: |
let alertList = dynamic(["Malware", "Suspicion of Malicious Activity", "Invalid SMB Message (DoublePulsar Backdoor Implant)", "Connection Attempt to Known Malicious IP", "Malicious Domain Name Request", "Suspicion of Remote Code Execution with PsExec", "Suspicion of Remote Windows Service Management", "Suspicious Executable File Detected on Endpoint", "Suspicious Traffic Detected"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList)
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
eventGroupingSettings:
aggregationKind: AlertPerResult
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTMalware.yaml
triggerOperator: gt
sentinelEntitiesMappings:
- columnName: Entities
tactics:
- Impact
alertDetailsOverride:
alertTacticsColumnName: Tactics
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: RemediationSteps
alertProperty: RemediationSteps
- value: Techniques
alertProperty: Techniques
- value: ProductComponentName
alertProperty: ProductComponentName
- value: AlertLink
alertProperty: AlertLink
alertSeverityColumnName: AlertSeverity
alertDisplayNameFormat: (MDIoT) {{AlertName}}
alertDescriptionFormat: (MDIoT) {{Description}}
description: |
'This alert leverages Defender for IoT to detect IoT/OT malware found on the network indicating possible attempts to compromise production systems.'
queryFrequency: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6fb1acd5-356d-40f7-9b97-78d993c6a183')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6fb1acd5-356d-40f7-9b97-78d993c6a183')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "(MDIoT) {{Description}}",
"alertDisplayNameFormat": "(MDIoT) {{AlertName}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "RemediationSteps",
"value": "RemediationSteps"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
},
{
"alertProperty": "ProductComponentName",
"value": "ProductComponentName"
},
{
"alertProperty": "AlertLink",
"value": "AlertLink"
}
],
"alertSeverityColumnName": "AlertSeverity",
"alertTacticsColumnName": "Tactics"
},
"alertRuleTemplateName": "6fb1acd5-356d-40f7-9b97-78d993c6a183",
"customDetails": {
"AlertManagementUri": "AlertManagementUri",
"Protocol": "Protocol",
"Sensor": "DeviceId",
"VendorOriginalId": "VendorOriginalId"
},
"description": "'This alert leverages Defender for IoT to detect IoT/OT malware found on the network indicating possible attempts to compromise production systems.'\n",
"displayName": "Suspicious malware found in the network (Microsoft Defender for IoT)",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTMalware.yaml",
"query": "let alertList = dynamic([\"Malware\", \"Suspicion of Malicious Activity\", \"Invalid SMB Message (DoublePulsar Backdoor Implant)\", \"Connection Attempt to Known Malicious IP\", \"Malicious Domain Name Request\", \"Suspicion of Remote Code Execution with PsExec\", \"Suspicion of Remote Windows Service Management\", \"Suspicious Executable File Detected on Endpoint\", \"Suspicious Traffic Detected\"]);\nSecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName has_any (alertList) \n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n Protocol = tostring(ExtendedProperties.Protocol), \n AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n TimeGenerated,\n DeviceId,\n ProductName,\n ProductComponentName,\n AlertSeverity,\n AlertName,\n Description,\n Protocol,\n SourceDeviceAddress,\n DestDeviceAddress,\n RemediationSteps,\n Tactics,\n Entities,\n VendorOriginalId,\n AlertLink,\n AlertManagementUri,\n Techniques\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"sentinelEntitiesMappings": [
{
"columnName": "Entities"
}
],
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": null,
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}