Illegal Function Codes for ICS traffic Microsoft Defender for IoT
| Id | 70be4a31-9d2b-433b-bdc7-da8928988069 |
| Rulename | Illegal Function Codes for ICS traffic (Microsoft Defender for IoT) |
| Description | This alert leverages Defender for IoT to detect Illegal function codes in SCADA equipment indicating improper application configuration or malicious activity such using illegal values within a protocol to exploit a PLC vulnerability. |
| Severity | Medium |
| Tactics | ImpairProcessControl |
| Techniques | T0855 |
| Required data connectors | IoT |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTIllegalFunctionCodes.yaml |
| Version | 1.0.2 |
| Arm template | 70be4a31-9d2b-433b-bdc7-da8928988069.json |
let alertList = dynamic(["Function Code Not Supported by Outstation", "Illegal BACNet message", "Illegal Connection Attempt on Port 0", "Illegal DNP3 Operation", "Illegal MODBUS Operation (Exception Raised by Master)", "Illegal MODBUS Operation (Function Code Zero)", "Incorrect Parameter Sent to Outstation", "Initiation of an Obsolete Function Code (Initialize Data)", "Initiation of an Obsolete Function Code (Save Config)", "Modbus Exception", "Unknown Object Sent to Outstation", "Usage of a Reserved Function Code", "Usage of Improper Formatting by Outstation", "Usage of Reserved Status Flags (IIN)", "Unauthorized communication was detected by a User Defined Protocol Rule", "Unauthorized Operation was detected by a User Defined whitelist Alert", "Illegal Protocol Version", "New Activity Detected - LonTalk Network Variable", "New Activity Detected - Ovation Data Request", "New Activity Detected - Read/Write Command (AMS Index Group)", "New Activity Detected - Read/Write Command (AMS Index Offset)", "New Activity Detected - Unauthorized DeltaV Message Type", "New Activity Detected - Unauthorized DeltaV ROC Operation", "New Activity Detected - Using AMS Protocol Command", "New Activity Detected - Using Siemens SICAM Command", "New Activity Detected - Using Suitelink Protocol command", "New Activity Detected - Using Suitelink Protocol sessions", "New Activity Detected - Using Yokogawa VNetIP Command", "Omron FINS Unauthorized Command", "Toshiba Computer Link Unauthorized Command", "Unauthorized ABB Totalflow File Operation", "Unauthorized ABB Totalflow Register Operation", "Unauthorized Access to Siemens S7 Plus Object", "Unauthorized BACNet Object Access", "Unauthorized BACNet Route", "Unauthorized Emerson ROC Operation", "Unauthorized GE SRTP File Access", "Unauthorized GE SRTP Protocol Command", "Unauthorized GE SRTP System Memory Operation", "Unauthorized Mitsubishi MELSEC Command", "Unauthorized MMS Service", "Unauthorized OPC UA Activity", "Unauthorized OPC UA Request/Response", "Unauthorized Profinet Frame Type", "Unauthorized SAIA S-Bus Command", "Unauthorized Siemens S7 Execution of Control Function", "Unauthorized Siemens S7 Execution of User Defined Function", "Unauthorized Siemens S7 Plus Block Access", "Unauthorized Siemens S7 Plus Operation", "Unauthorized SNMP Operation", "Unpermitted Modbus Schneider Electric Extension", "Unpermitted Usage of ASDU Types", "Unpermitted Usage of DNP3 Function Code", "Unpermitted Usage of Modbus Function Code", "Unauthorized Operation was detected by a User Defined Rule", "Unauthorized PLC Configuration Read", "Unauthorized PLC Programming", "Unauthorized PLC Configuration Write", "Unauthorized PLC Program Upload", "Slave Device Received Illegal"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList)
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
customDetails:
VendorOriginalId: VendorOriginalId
Protocol: Protocol
Sensor: DeviceId
AlertManagementUri: AlertManagementUri
name: Illegal Function Codes for ICS traffic (Microsoft Defender for IoT)
status: Available
triggerThreshold: 0
severity: Medium
tactics:
- ImpairProcessControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTIllegalFunctionCodes.yaml
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SourceDeviceAddress
identifier: Address
- entityType: IP
fieldMappings:
- columnName: DestDeviceAddress
identifier: Address
queryPeriod: 1h
queryFrequency: 1h
version: 1.0.2
triggerOperator: gt
description: |
'This alert leverages Defender for IoT to detect Illegal function codes in SCADA equipment indicating improper application configuration or malicious activity such using illegal values within a protocol to exploit a PLC vulnerability.'
query: |
let alertList = dynamic(["Function Code Not Supported by Outstation", "Illegal BACNet message", "Illegal Connection Attempt on Port 0", "Illegal DNP3 Operation", "Illegal MODBUS Operation (Exception Raised by Master)", "Illegal MODBUS Operation (Function Code Zero)", "Incorrect Parameter Sent to Outstation", "Initiation of an Obsolete Function Code (Initialize Data)", "Initiation of an Obsolete Function Code (Save Config)", "Modbus Exception", "Unknown Object Sent to Outstation", "Usage of a Reserved Function Code", "Usage of Improper Formatting by Outstation", "Usage of Reserved Status Flags (IIN)", "Unauthorized communication was detected by a User Defined Protocol Rule", "Unauthorized Operation was detected by a User Defined whitelist Alert", "Illegal Protocol Version", "New Activity Detected - LonTalk Network Variable", "New Activity Detected - Ovation Data Request", "New Activity Detected - Read/Write Command (AMS Index Group)", "New Activity Detected - Read/Write Command (AMS Index Offset)", "New Activity Detected - Unauthorized DeltaV Message Type", "New Activity Detected - Unauthorized DeltaV ROC Operation", "New Activity Detected - Using AMS Protocol Command", "New Activity Detected - Using Siemens SICAM Command", "New Activity Detected - Using Suitelink Protocol command", "New Activity Detected - Using Suitelink Protocol sessions", "New Activity Detected - Using Yokogawa VNetIP Command", "Omron FINS Unauthorized Command", "Toshiba Computer Link Unauthorized Command", "Unauthorized ABB Totalflow File Operation", "Unauthorized ABB Totalflow Register Operation", "Unauthorized Access to Siemens S7 Plus Object", "Unauthorized BACNet Object Access", "Unauthorized BACNet Route", "Unauthorized Emerson ROC Operation", "Unauthorized GE SRTP File Access", "Unauthorized GE SRTP Protocol Command", "Unauthorized GE SRTP System Memory Operation", "Unauthorized Mitsubishi MELSEC Command", "Unauthorized MMS Service", "Unauthorized OPC UA Activity", "Unauthorized OPC UA Request/Response", "Unauthorized Profinet Frame Type", "Unauthorized SAIA S-Bus Command", "Unauthorized Siemens S7 Execution of Control Function", "Unauthorized Siemens S7 Execution of User Defined Function", "Unauthorized Siemens S7 Plus Block Access", "Unauthorized Siemens S7 Plus Operation", "Unauthorized SNMP Operation", "Unpermitted Modbus Schneider Electric Extension", "Unpermitted Usage of ASDU Types", "Unpermitted Usage of DNP3 Function Code", "Unpermitted Usage of Modbus Function Code", "Unauthorized Operation was detected by a User Defined Rule", "Unauthorized PLC Configuration Read", "Unauthorized PLC Programming", "Unauthorized PLC Configuration Write", "Unauthorized PLC Program Upload", "Slave Device Received Illegal"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList)
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
relevantTechniques:
- T0855
id: 70be4a31-9d2b-433b-bdc7-da8928988069
requiredDataConnectors:
- dataTypes:
- SecurityAlert (ASC for IoT)
connectorId: IoT
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDescriptionFormat: (MDIoT) {{Description}}
alertSeverityColumnName: AlertSeverity
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: RemediationSteps
alertProperty: RemediationSteps
- value: Techniques
alertProperty: Techniques
- value: ProductComponentName
alertProperty: ProductComponentName
- value: AlertLink
alertProperty: AlertLink
alertTacticsColumnName: Tactics
alertDisplayNameFormat: (MDIoT) {{AlertName}}
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/70be4a31-9d2b-433b-bdc7-da8928988069')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/70be4a31-9d2b-433b-bdc7-da8928988069')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "(MDIoT) {{Description}}",
"alertDisplayNameFormat": "(MDIoT) {{AlertName}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "RemediationSteps",
"value": "RemediationSteps"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
},
{
"alertProperty": "ProductComponentName",
"value": "ProductComponentName"
},
{
"alertProperty": "AlertLink",
"value": "AlertLink"
}
],
"alertSeverityColumnName": "AlertSeverity",
"alertTacticsColumnName": "Tactics"
},
"alertRuleTemplateName": "70be4a31-9d2b-433b-bdc7-da8928988069",
"customDetails": {
"AlertManagementUri": "AlertManagementUri",
"Protocol": "Protocol",
"Sensor": "DeviceId",
"VendorOriginalId": "VendorOriginalId"
},
"description": "'This alert leverages Defender for IoT to detect Illegal function codes in SCADA equipment indicating improper application configuration or malicious activity such using illegal values within a protocol to exploit a PLC vulnerability.'\n",
"displayName": "Illegal Function Codes for ICS traffic (Microsoft Defender for IoT)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceDeviceAddress",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DestDeviceAddress",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTIllegalFunctionCodes.yaml",
"query": "let alertList = dynamic([\"Function Code Not Supported by Outstation\", \"Illegal BACNet message\", \"Illegal Connection Attempt on Port 0\", \"Illegal DNP3 Operation\", \"Illegal MODBUS Operation (Exception Raised by Master)\", \"Illegal MODBUS Operation (Function Code Zero)\", \"Incorrect Parameter Sent to Outstation\", \"Initiation of an Obsolete Function Code (Initialize Data)\", \"Initiation of an Obsolete Function Code (Save Config)\", \"Modbus Exception\", \"Unknown Object Sent to Outstation\", \"Usage of a Reserved Function Code\", \"Usage of Improper Formatting by Outstation\", \"Usage of Reserved Status Flags (IIN)\", \"Unauthorized communication was detected by a User Defined Protocol Rule\", \"Unauthorized Operation was detected by a User Defined whitelist Alert\", \"Illegal Protocol Version\", \"New Activity Detected - LonTalk Network Variable\", \"New Activity Detected - Ovation Data Request\", \"New Activity Detected - Read/Write Command (AMS Index Group)\", \"New Activity Detected - Read/Write Command (AMS Index Offset)\", \"New Activity Detected - Unauthorized DeltaV Message Type\", \"New Activity Detected - Unauthorized DeltaV ROC Operation\", \"New Activity Detected - Using AMS Protocol Command\", \"New Activity Detected - Using Siemens SICAM Command\", \"New Activity Detected - Using Suitelink Protocol command\", \"New Activity Detected - Using Suitelink Protocol sessions\", \"New Activity Detected - Using Yokogawa VNetIP Command\", \"Omron FINS Unauthorized Command\", \"Toshiba Computer Link Unauthorized Command\", \"Unauthorized ABB Totalflow File Operation\", \"Unauthorized ABB Totalflow Register Operation\", \"Unauthorized Access to Siemens S7 Plus Object\", \"Unauthorized BACNet Object Access\", \"Unauthorized BACNet Route\", \"Unauthorized Emerson ROC Operation\", \"Unauthorized GE SRTP File Access\", \"Unauthorized GE SRTP Protocol Command\", \"Unauthorized GE SRTP System Memory Operation\", \"Unauthorized Mitsubishi MELSEC Command\", \"Unauthorized MMS Service\", \"Unauthorized OPC UA Activity\", \"Unauthorized OPC UA Request/Response\", \"Unauthorized Profinet Frame Type\", \"Unauthorized SAIA S-Bus Command\", \"Unauthorized Siemens S7 Execution of Control Function\", \"Unauthorized Siemens S7 Execution of User Defined Function\", \"Unauthorized Siemens S7 Plus Block Access\", \"Unauthorized Siemens S7 Plus Operation\", \"Unauthorized SNMP Operation\", \"Unpermitted Modbus Schneider Electric Extension\", \"Unpermitted Usage of ASDU Types\", \"Unpermitted Usage of DNP3 Function Code\", \"Unpermitted Usage of Modbus Function Code\", \"Unauthorized Operation was detected by a User Defined Rule\", \"Unauthorized PLC Configuration Read\", \"Unauthorized PLC Programming\", \"Unauthorized PLC Configuration Write\", \"Unauthorized PLC Program Upload\", \"Slave Device Received Illegal\"]);\nSecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName has_any (alertList)\n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n Protocol = tostring(ExtendedProperties.Protocol), \n AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n TimeGenerated,\n DeviceId,\n ProductName,\n ProductComponentName,\n AlertSeverity,\n AlertName,\n Description,\n Protocol,\n SourceDeviceAddress,\n DestDeviceAddress,\n RemediationSteps,\n Tactics,\n Entities,\n VendorOriginalId,\n AlertLink,\n AlertManagementUri,\n Techniques\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"ImpairProcessControl"
],
"techniques": null,
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}