SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any ("Beckhoff Software Changed", "Firmware Version Changed", "Firmware Change", "Firmware Changed", "Firmware Update")
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
queryFrequency: 1h
version: 1.0.3
queryPeriod: 1h
relevantTechniques:
- T0857
name: Firmware Updates (Microsoft Defender for IoT)
alertDetailsOverride:
alertTacticsColumnName: Tactics
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: RemediationSteps
value: RemediationSteps
- alertProperty: Techniques
value: Techniques
- alertProperty: ProductComponentName
value: ProductComponentName
- alertProperty: AlertLink
value: AlertLink
alertSeverityColumnName: AlertSeverity
alertDescriptionFormat: (MDIoT) {{Description}}
alertDisplayNameFormat: (MDIoT) {{AlertName}}
sentinelEntitiesMappings:
- columnName: Entities
kind: Scheduled
severity: Medium
tactics:
- Persistence
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTFirmwareUpdates.yaml
requiredDataConnectors:
- dataTypes:
- SecurityAlert (ASC for IoT)
connectorId: IoT
triggerOperator: gt
customDetails:
Sensor: DeviceId
Protocol: Protocol
AlertManagementUri: AlertManagementUri
VendorOriginalId: VendorOriginalId
id: 7cad4b66-5e83-4756-8de4-f21315ab1e77
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
triggerThreshold: 0
query: |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any ("Beckhoff Software Changed", "Firmware Version Changed", "Firmware Change", "Firmware Changed", "Firmware Update")
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
status: Available
description: |
'This alert leverages Defender for IoT to detect unauthorized firmware updates that may indicate malicious activity on the network such as a cyber threat that attempts to manipulate PLC firmware to compromise PLC function.'
