Illegal Function Codes for ICS traffic Microsoft Defender for IoT
| Id | 70be4a31-9d2b-433b-bdc7-da8928988069 |
| Rulename | Illegal Function Codes for ICS traffic (Microsoft Defender for IoT) |
| Description | This alert leverages Defender for IoT to detect Illegal function codes in SCADA equipment indicating improper application configuration or malicious activity such using illegal values within a protocol to exploit a PLC vulnerability. |
| Severity | Medium |
| Tactics | ImpairProcessControl |
| Techniques | T0855 |
| Required data connectors | IoT |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTIllegalFunctionCodes.yaml |
| Version | 1.0.2 |
| Arm template | 70be4a31-9d2b-433b-bdc7-da8928988069.json |
let alertList = dynamic(["Function Code Not Supported by Outstation", "Illegal BACNet message", "Illegal Connection Attempt on Port 0", "Illegal DNP3 Operation", "Illegal MODBUS Operation (Exception Raised by Master)", "Illegal MODBUS Operation (Function Code Zero)", "Incorrect Parameter Sent to Outstation", "Initiation of an Obsolete Function Code (Initialize Data)", "Initiation of an Obsolete Function Code (Save Config)", "Modbus Exception", "Unknown Object Sent to Outstation", "Usage of a Reserved Function Code", "Usage of Improper Formatting by Outstation", "Usage of Reserved Status Flags (IIN)", "Unauthorized communication was detected by a User Defined Protocol Rule", "Unauthorized Operation was detected by a User Defined whitelist Alert", "Illegal Protocol Version", "New Activity Detected - LonTalk Network Variable", "New Activity Detected - Ovation Data Request", "New Activity Detected - Read/Write Command (AMS Index Group)", "New Activity Detected - Read/Write Command (AMS Index Offset)", "New Activity Detected - Unauthorized DeltaV Message Type", "New Activity Detected - Unauthorized DeltaV ROC Operation", "New Activity Detected - Using AMS Protocol Command", "New Activity Detected - Using Siemens SICAM Command", "New Activity Detected - Using Suitelink Protocol command", "New Activity Detected - Using Suitelink Protocol sessions", "New Activity Detected - Using Yokogawa VNetIP Command", "Omron FINS Unauthorized Command", "Toshiba Computer Link Unauthorized Command", "Unauthorized ABB Totalflow File Operation", "Unauthorized ABB Totalflow Register Operation", "Unauthorized Access to Siemens S7 Plus Object", "Unauthorized BACNet Object Access", "Unauthorized BACNet Route", "Unauthorized Emerson ROC Operation", "Unauthorized GE SRTP File Access", "Unauthorized GE SRTP Protocol Command", "Unauthorized GE SRTP System Memory Operation", "Unauthorized Mitsubishi MELSEC Command", "Unauthorized MMS Service", "Unauthorized OPC UA Activity", "Unauthorized OPC UA Request/Response", "Unauthorized Profinet Frame Type", "Unauthorized SAIA S-Bus Command", "Unauthorized Siemens S7 Execution of Control Function", "Unauthorized Siemens S7 Execution of User Defined Function", "Unauthorized Siemens S7 Plus Block Access", "Unauthorized Siemens S7 Plus Operation", "Unauthorized SNMP Operation", "Unpermitted Modbus Schneider Electric Extension", "Unpermitted Usage of ASDU Types", "Unpermitted Usage of DNP3 Function Code", "Unpermitted Usage of Modbus Function Code", "Unauthorized Operation was detected by a User Defined Rule", "Unauthorized PLC Configuration Read", "Unauthorized PLC Programming", "Unauthorized PLC Configuration Write", "Unauthorized PLC Program Upload", "Slave Device Received Illegal"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList)
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
relevantTechniques:
- T0855
name: Illegal Function Codes for ICS traffic (Microsoft Defender for IoT)
requiredDataConnectors:
- dataTypes:
- SecurityAlert (ASC for IoT)
connectorId: IoT
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SourceDeviceAddress
entityType: IP
- fieldMappings:
- identifier: Address
columnName: DestDeviceAddress
entityType: IP
triggerThreshold: 0
id: 70be4a31-9d2b-433b-bdc7-da8928988069
tactics:
- ImpairProcessControl
version: 1.0.2
customDetails:
Sensor: DeviceId
VendorOriginalId: VendorOriginalId
Protocol: Protocol
AlertManagementUri: AlertManagementUri
alertDetailsOverride:
alertDescriptionFormat: (MDIoT) {{Description}}
alertTacticsColumnName: Tactics
alertSeverityColumnName: AlertSeverity
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: RemediationSteps
value: RemediationSteps
- alertProperty: Techniques
value: Techniques
- alertProperty: ProductComponentName
value: ProductComponentName
- alertProperty: AlertLink
value: AlertLink
alertDisplayNameFormat: (MDIoT) {{AlertName}}
queryPeriod: 1h
kind: Scheduled
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTIllegalFunctionCodes.yaml
queryFrequency: 1h
severity: Medium
status: Available
description: |
'This alert leverages Defender for IoT to detect Illegal function codes in SCADA equipment indicating improper application configuration or malicious activity such using illegal values within a protocol to exploit a PLC vulnerability.'
query: |
let alertList = dynamic(["Function Code Not Supported by Outstation", "Illegal BACNet message", "Illegal Connection Attempt on Port 0", "Illegal DNP3 Operation", "Illegal MODBUS Operation (Exception Raised by Master)", "Illegal MODBUS Operation (Function Code Zero)", "Incorrect Parameter Sent to Outstation", "Initiation of an Obsolete Function Code (Initialize Data)", "Initiation of an Obsolete Function Code (Save Config)", "Modbus Exception", "Unknown Object Sent to Outstation", "Usage of a Reserved Function Code", "Usage of Improper Formatting by Outstation", "Usage of Reserved Status Flags (IIN)", "Unauthorized communication was detected by a User Defined Protocol Rule", "Unauthorized Operation was detected by a User Defined whitelist Alert", "Illegal Protocol Version", "New Activity Detected - LonTalk Network Variable", "New Activity Detected - Ovation Data Request", "New Activity Detected - Read/Write Command (AMS Index Group)", "New Activity Detected - Read/Write Command (AMS Index Offset)", "New Activity Detected - Unauthorized DeltaV Message Type", "New Activity Detected - Unauthorized DeltaV ROC Operation", "New Activity Detected - Using AMS Protocol Command", "New Activity Detected - Using Siemens SICAM Command", "New Activity Detected - Using Suitelink Protocol command", "New Activity Detected - Using Suitelink Protocol sessions", "New Activity Detected - Using Yokogawa VNetIP Command", "Omron FINS Unauthorized Command", "Toshiba Computer Link Unauthorized Command", "Unauthorized ABB Totalflow File Operation", "Unauthorized ABB Totalflow Register Operation", "Unauthorized Access to Siemens S7 Plus Object", "Unauthorized BACNet Object Access", "Unauthorized BACNet Route", "Unauthorized Emerson ROC Operation", "Unauthorized GE SRTP File Access", "Unauthorized GE SRTP Protocol Command", "Unauthorized GE SRTP System Memory Operation", "Unauthorized Mitsubishi MELSEC Command", "Unauthorized MMS Service", "Unauthorized OPC UA Activity", "Unauthorized OPC UA Request/Response", "Unauthorized Profinet Frame Type", "Unauthorized SAIA S-Bus Command", "Unauthorized Siemens S7 Execution of Control Function", "Unauthorized Siemens S7 Execution of User Defined Function", "Unauthorized Siemens S7 Plus Block Access", "Unauthorized Siemens S7 Plus Operation", "Unauthorized SNMP Operation", "Unpermitted Modbus Schneider Electric Extension", "Unpermitted Usage of ASDU Types", "Unpermitted Usage of DNP3 Function Code", "Unpermitted Usage of Modbus Function Code", "Unauthorized Operation was detected by a User Defined Rule", "Unauthorized PLC Configuration Read", "Unauthorized PLC Programming", "Unauthorized PLC Configuration Write", "Unauthorized PLC Program Upload", "Slave Device Received Illegal"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList)
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/70be4a31-9d2b-433b-bdc7-da8928988069')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/70be4a31-9d2b-433b-bdc7-da8928988069')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "(MDIoT) {{Description}}",
"alertDisplayNameFormat": "(MDIoT) {{AlertName}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "RemediationSteps",
"value": "RemediationSteps"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
},
{
"alertProperty": "ProductComponentName",
"value": "ProductComponentName"
},
{
"alertProperty": "AlertLink",
"value": "AlertLink"
}
],
"alertSeverityColumnName": "AlertSeverity",
"alertTacticsColumnName": "Tactics"
},
"alertRuleTemplateName": "70be4a31-9d2b-433b-bdc7-da8928988069",
"customDetails": {
"AlertManagementUri": "AlertManagementUri",
"Protocol": "Protocol",
"Sensor": "DeviceId",
"VendorOriginalId": "VendorOriginalId"
},
"description": "'This alert leverages Defender for IoT to detect Illegal function codes in SCADA equipment indicating improper application configuration or malicious activity such using illegal values within a protocol to exploit a PLC vulnerability.'\n",
"displayName": "Illegal Function Codes for ICS traffic (Microsoft Defender for IoT)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceDeviceAddress",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DestDeviceAddress",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTIllegalFunctionCodes.yaml",
"query": "let alertList = dynamic([\"Function Code Not Supported by Outstation\", \"Illegal BACNet message\", \"Illegal Connection Attempt on Port 0\", \"Illegal DNP3 Operation\", \"Illegal MODBUS Operation (Exception Raised by Master)\", \"Illegal MODBUS Operation (Function Code Zero)\", \"Incorrect Parameter Sent to Outstation\", \"Initiation of an Obsolete Function Code (Initialize Data)\", \"Initiation of an Obsolete Function Code (Save Config)\", \"Modbus Exception\", \"Unknown Object Sent to Outstation\", \"Usage of a Reserved Function Code\", \"Usage of Improper Formatting by Outstation\", \"Usage of Reserved Status Flags (IIN)\", \"Unauthorized communication was detected by a User Defined Protocol Rule\", \"Unauthorized Operation was detected by a User Defined whitelist Alert\", \"Illegal Protocol Version\", \"New Activity Detected - LonTalk Network Variable\", \"New Activity Detected - Ovation Data Request\", \"New Activity Detected - Read/Write Command (AMS Index Group)\", \"New Activity Detected - Read/Write Command (AMS Index Offset)\", \"New Activity Detected - Unauthorized DeltaV Message Type\", \"New Activity Detected - Unauthorized DeltaV ROC Operation\", \"New Activity Detected - Using AMS Protocol Command\", \"New Activity Detected - Using Siemens SICAM Command\", \"New Activity Detected - Using Suitelink Protocol command\", \"New Activity Detected - Using Suitelink Protocol sessions\", \"New Activity Detected - Using Yokogawa VNetIP Command\", \"Omron FINS Unauthorized Command\", \"Toshiba Computer Link Unauthorized Command\", \"Unauthorized ABB Totalflow File Operation\", \"Unauthorized ABB Totalflow Register Operation\", \"Unauthorized Access to Siemens S7 Plus Object\", \"Unauthorized BACNet Object Access\", \"Unauthorized BACNet Route\", \"Unauthorized Emerson ROC Operation\", \"Unauthorized GE SRTP File Access\", \"Unauthorized GE SRTP Protocol Command\", \"Unauthorized GE SRTP System Memory Operation\", \"Unauthorized Mitsubishi MELSEC Command\", \"Unauthorized MMS Service\", \"Unauthorized OPC UA Activity\", \"Unauthorized OPC UA Request/Response\", \"Unauthorized Profinet Frame Type\", \"Unauthorized SAIA S-Bus Command\", \"Unauthorized Siemens S7 Execution of Control Function\", \"Unauthorized Siemens S7 Execution of User Defined Function\", \"Unauthorized Siemens S7 Plus Block Access\", \"Unauthorized Siemens S7 Plus Operation\", \"Unauthorized SNMP Operation\", \"Unpermitted Modbus Schneider Electric Extension\", \"Unpermitted Usage of ASDU Types\", \"Unpermitted Usage of DNP3 Function Code\", \"Unpermitted Usage of Modbus Function Code\", \"Unauthorized Operation was detected by a User Defined Rule\", \"Unauthorized PLC Configuration Read\", \"Unauthorized PLC Programming\", \"Unauthorized PLC Configuration Write\", \"Unauthorized PLC Program Upload\", \"Slave Device Received Illegal\"]);\nSecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName has_any (alertList)\n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n Protocol = tostring(ExtendedProperties.Protocol), \n AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n TimeGenerated,\n DeviceId,\n ProductName,\n ProductComponentName,\n AlertSeverity,\n AlertName,\n Description,\n Protocol,\n SourceDeviceAddress,\n DestDeviceAddress,\n RemediationSteps,\n Tactics,\n Entities,\n VendorOriginalId,\n AlertLink,\n AlertManagementUri,\n Techniques\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"ImpairProcessControl"
],
"techniques": null,
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}