Lookout - Device Compliance and Security Status Changes v2
| Id | 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c |
| Rulename | Lookout - Device Compliance and Security Status Changes (v2) |
| Description | Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data. |
| Severity | Medium |
| Tactics | Discovery DefenseEvasion Persistence |
| Techniques | T1418 T1629 T1655 |
| Required data connectors | LookoutAPI |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutDeviceComplianceV2.yaml |
| Version | 2.0.3 |
| Arm template | 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c.json |
LookoutEvents
| where EventType == "DEVICE"
| where DeviceComplianceStatus in ("Non-Compliant", "Partial")
or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
or ChangeType == "UPDATE"
| extend
DeviceRiskScore = case(
DeviceSecurityStatus == "THREATS_HIGH", 9,
DeviceSecurityStatus == "THREATS_MEDIUM", 6,
DeviceSecurityStatus == "THREATS_LOW", 3,
DeviceComplianceStatus == "Non-Compliant", 7,
DeviceComplianceStatus == "Partial", 4,
1
),
ComplianceReason = case(
isempty(DeviceCheckinTime), "No Recent Check-in",
DeviceActivationStatus != "ACTIVE", "Inactive Device",
isempty(ClientLookoutSDKVersion), "Missing Security Client",
"Configuration Issue"
),
PlatformRisk = case(
DevicePlatform == "ANDROID" and DeviceOSVersion matches regex @"^[1-9]\..*", "Outdated Android",
DevicePlatform == "IOS" and DeviceOSVersion matches regex @"^1[0-4]\..*", "Outdated iOS",
DevicePlatform == "UNKNOWN", "Unknown Platform",
"Current"
)
| extend MDMIntegrationStatus = case(
isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
isnotempty(MDMConnectorId), "Partial Integration",
"Not Integrated"
)
| extend SecurityPosture = case(
DeviceRiskScore >= 8, "Critical",
DeviceRiskScore >= 6, "High",
DeviceRiskScore >= 4, "Medium",
"Low"
)
| project
TimeGenerated,
EventId,
DeviceGuid,
DevicePlatform,
DeviceOSVersion,
DeviceManufacturer,
DeviceModel,
DeviceEmailAddress,
DeviceActivationStatus,
DeviceSecurityStatus,
DeviceComplianceStatus,
DeviceRiskScore,
SecurityPosture,
ComplianceReason,
PlatformRisk,
DeviceCheckinTime,
DeviceActivatedAt,
DeviceDeactivatedAt,
DeviceGroupGuid,
ClientLookoutSDKVersion,
ClientOTAVersion,
ClientPackageName,
ClientPackageVersion,
MDMConnectorId,
MDMConnectorUuid,
MDMExternalId,
MDMIntegrationStatus,
ActorType,
ActorGuid,
ChangeType
customDetails:
DevicePlatform: DevicePlatform
ComplianceReason: ComplianceReason
PlatformRisk: PlatformRisk
ClientSDKVersion: ClientLookoutSDKVersion
MDMIntegration: MDMIntegrationStatus
DeviceSecStatus: DeviceSecurityStatus
DevCompliance: DeviceComplianceStatus
DeviceModel: DeviceModel
DeviceManufacturer: DeviceManufacturer
DeviceRiskScore: DeviceRiskScore
SecurityPosture: SecurityPosture
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutDeviceComplianceV2.yaml
query: |
LookoutEvents
| where EventType == "DEVICE"
| where DeviceComplianceStatus in ("Non-Compliant", "Partial")
or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
or ChangeType == "UPDATE"
| extend
DeviceRiskScore = case(
DeviceSecurityStatus == "THREATS_HIGH", 9,
DeviceSecurityStatus == "THREATS_MEDIUM", 6,
DeviceSecurityStatus == "THREATS_LOW", 3,
DeviceComplianceStatus == "Non-Compliant", 7,
DeviceComplianceStatus == "Partial", 4,
1
),
ComplianceReason = case(
isempty(DeviceCheckinTime), "No Recent Check-in",
DeviceActivationStatus != "ACTIVE", "Inactive Device",
isempty(ClientLookoutSDKVersion), "Missing Security Client",
"Configuration Issue"
),
PlatformRisk = case(
DevicePlatform == "ANDROID" and DeviceOSVersion matches regex @"^[1-9]\..*", "Outdated Android",
DevicePlatform == "IOS" and DeviceOSVersion matches regex @"^1[0-4]\..*", "Outdated iOS",
DevicePlatform == "UNKNOWN", "Unknown Platform",
"Current"
)
| extend MDMIntegrationStatus = case(
isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
isnotempty(MDMConnectorId), "Partial Integration",
"Not Integrated"
)
| extend SecurityPosture = case(
DeviceRiskScore >= 8, "Critical",
DeviceRiskScore >= 6, "High",
DeviceRiskScore >= 4, "Medium",
"Low"
)
| project
TimeGenerated,
EventId,
DeviceGuid,
DevicePlatform,
DeviceOSVersion,
DeviceManufacturer,
DeviceModel,
DeviceEmailAddress,
DeviceActivationStatus,
DeviceSecurityStatus,
DeviceComplianceStatus,
DeviceRiskScore,
SecurityPosture,
ComplianceReason,
PlatformRisk,
DeviceCheckinTime,
DeviceActivatedAt,
DeviceDeactivatedAt,
DeviceGroupGuid,
ClientLookoutSDKVersion,
ClientOTAVersion,
ClientPackageName,
ClientPackageVersion,
MDMConnectorId,
MDMConnectorUuid,
MDMExternalId,
MDMIntegrationStatus,
ActorType,
ActorGuid,
ChangeType
requiredDataConnectors:
- dataTypes:
- LookoutEvents
connectorId: LookoutAPI
incidentConfiguration:
groupingConfiguration:
groupByCustomDetails:
- SecurityPosture
- DevicePlatform
enabled: true
matchingMethod: Selected
groupByEntities:
- Account
- Host
lookbackDuration: P1D
groupByAlertDetails:
- DeviceGuid
reopenClosedIncident: false
createIncident: true
tactics:
- Discovery
- DefenseEvasion
- Persistence
name: Lookout - Device Compliance and Security Status Changes (v2)
relevantTechniques:
- T1418
- T1629
- T1655
severity: Medium
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DeviceEmailAddress
entityType: Account
- fieldMappings:
- identifier: HostName
columnName: DeviceGuid
- identifier: OSFamily
columnName: DevicePlatform
- identifier: OSVersion
columnName: DeviceOSVersion
entityType: Host
kind: Scheduled
queryFrequency: 10m
description: |
'Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data.'
alertDetailsOverride:
alertDisplayNameFormat: 'Device Compliance Issue: {{SecurityPosture}} Risk on {{DevicePlatform}} Device'
alertDescriptionFormat: '{{SecurityPosture}} posture with {{DeviceComplianceStatus}} compliance'
alertTacticsColumnName: SecurityPosture
alertSeverityColumnName: SecurityPosture
triggerThreshold: 0
triggerOperator: gt
version: 2.0.3
suppressionEnabled: false
suppressionDuration: PT30M
eventGroupingSettings:
aggregationKind: AlertPerResult
queryPeriod: 30m
id: 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c