Microsoft Sentinel Analytic Rules

Lookout - Device Compliance and Security Status Changes v2

Id: 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c
Rulename: Lookout - Device Compliance and Security Status Changes (v2)
Description: Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data.
Severity: Medium
Tactics: Discovery, DefenseEvasion, Persistence
Techniques: T1418, T1629, T1655
Required data connectors: LookoutAPI
Kind: Scheduled
Query frequency: 10m
Query period: 30m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutDeviceComplianceV2.yaml
Version: 2.0.3
Arm template: 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c.json
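// Lookout - Device Compliance and Security Status Changes (v2)
//
// Selects DEVICE events from the Lookout Mobile Risk API v2 feed that carry a
// Non-Compliant/Partial compliance state, a medium-or-high threat state, or an
// UPDATE change record, then scores each row and adds posture, compliance-reason,
// OS-currency and MDM-integration context for the alert.
//
// Caveats a triager should know:
//  - Rows that match only on ChangeType == "UPDATE" carry no risk signal of their
//    own and score 1 ("Low"); with AlertPerResult every such update becomes an
//    alert. Drop that predicate if plain device updates are not wanted as alerts.
//  - Nothing here compares an event with the device's previous state, so
//    "status change" means "an event with this status arrived", not "the status
//    differs from the last event".
//  - The OS-version floors below are policy, not vendor data; review them as
//    support windows move. They encode the same boundaries the previous
//    regexes did (Android < 10, iOS < 15).
let MinSupportedAndroidMajor = 10;  // Android major versions below this are reported as outdated
let MinSupportedIOSMajor = 15;      // iOS major versions below this are reported as outdated
LookoutEvents
| where EventType == "DEVICE"
| where DeviceComplianceStatus in ("Non-Compliant", "Partial")
    or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
    or ChangeType == "UPDATE"
// Major OS version as an integer; null when DeviceOSVersion is empty or not numeric.
| extend OSMajorVersion = toint(split(DeviceOSVersion, ".")[0])
// Score the threat state and the compliance state separately and keep the higher
// one, so a Non-Compliant device is not downgraded to "Low" just because it also
// happens to report THREATS_LOW (the earlier single case() did exactly that).
| extend
    ThreatScore = case(
        DeviceSecurityStatus == "THREATS_HIGH", 9,
        DeviceSecurityStatus == "THREATS_MEDIUM", 6,
        DeviceSecurityStatus == "THREATS_LOW", 3,
        1
    ),
    ComplianceScore = case(
        DeviceComplianceStatus == "Non-Compliant", 7,
        DeviceComplianceStatus == "Partial", 4,
        1
    )
| extend DeviceRiskScore = max_of(ThreatScore, ComplianceScore)
| extend
    // Why the device is (or is not) out of compliance; first matching clause wins.
    // A device whose compliance state is neither Non-Compliant nor Partial reached
    // this query through the threat or UPDATE predicate, and is labelled as such
    // instead of being reported as a "Configuration Issue".
    ComplianceReason = case(
        isnotempty(DeviceComplianceStatus)
            and DeviceComplianceStatus !in ("Non-Compliant", "Partial"), "Compliant",
        // An empty check-in time means no check-in has been recorded at all; the
        // age of a recorded check-in is not evaluated here.
        isempty(DeviceCheckinTime), "No Recent Check-in",
        DeviceActivationStatus != "ACTIVE", "Inactive Device",
        isempty(ClientLookoutSDKVersion), "Missing Security Client",
        "Configuration Issue"
    ),
    PlatformRisk = case(
        DevicePlatform == "UNKNOWN", "Unknown Platform",
        // Do not claim "Current" for a device whose OS version is missing or unparseable.
        isnull(OSMajorVersion), "Unknown OS Version",
        DevicePlatform == "ANDROID" and OSMajorVersion < MinSupportedAndroidMajor, "Outdated Android",
        DevicePlatform == "IOS" and OSMajorVersion < MinSupportedIOSMajor, "Outdated iOS",
        // Any other platform value falls through here without a version check.
        "Current"
    ),
    MDMIntegrationStatus = case(
        isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
        isnotempty(MDMConnectorId), "Partial Integration",
        "Not Integrated"
    )
| extend
    // Analyst-facing posture label. "Critical" is kept for grouping and display,
    // but it is not a value Microsoft Sentinel accepts as an alert severity,
    // which is why AlertSeverity exists as a separate column.
    SecurityPosture = case(
        DeviceRiskScore >= 8, "Critical",
        DeviceRiskScore >= 6, "High",
        DeviceRiskScore >= 4, "Medium",
        "Low"
    ),
    // Sentinel-valid severity (High/Medium/Low) for use with alertSeverityColumnName.
    AlertSeverity = case(
        DeviceRiskScore >= 6, "High",
        DeviceRiskScore >= 4, "Medium",
        "Low"
    )
| project
    TimeGenerated,
    EventId,
    DeviceGuid,
    DevicePlatform,
    DeviceOSVersion,
    DeviceManufacturer,
    DeviceModel,
    DeviceEmailAddress,
    DeviceActivationStatus,
    DeviceSecurityStatus,
    DeviceComplianceStatus,
    DeviceRiskScore,
    SecurityPosture,
    ComplianceReason,
    PlatformRisk,
    DeviceCheckinTime,
    DeviceActivatedAt,
    DeviceDeactivatedAt,
    DeviceGroupGuid,
    ClientLookoutSDKVersion,
    ClientOTAVersion,
    ClientPackageName,
    ClientPackageVersion,
    MDMConnectorId,
    MDMConnectorUuid,
    MDMExternalId,
    MDMIntegrationStatus,
    ActorType,
    ActorGuid,
    ChangeType,
    AlertSeverity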
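# Lookout - Device Compliance and Security Status Changes (v2)
# Scheduled Microsoft Sentinel analytic rule over the LookoutEvents table.
#
# Review note: queryPeriod (30m) is three times queryFrequency (10m) and
# suppression is off, so each qualifying event is evaluated by three consecutive
# runs and, with aggregationKind AlertPerResult, can raise up to three alerts.
# Incident grouping (lookbackDuration P1D) folds them into one incident but does
# not prevent the duplicate alerts; set queryPeriod equal to queryFrequency, or
# deduplicate on ingestion time inside the query, if that is not acceptable.
name: Lookout - Device Compliance and Security Status Changes (v2)
suppressionDuration: PT30M
id: 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c
query: |
  // Selects DEVICE events that carry a Non-Compliant/Partial compliance state,
  // a medium-or-high threat state, or an UPDATE change record, then scores each
  // row and adds posture, compliance-reason, OS-currency and MDM context.
  //
  // Caveats:
  //  - Rows that match only on ChangeType == "UPDATE" carry no risk signal of
  //    their own and score 1 ("Low"); every such update becomes an alert.
  //  - Nothing compares an event with the device's previous state, so "status
  //    change" means "an event with this status arrived".
  //  - The OS-version floors are policy, not vendor data; they encode the same
  //    boundaries the previous regexes did (Android < 10, iOS < 15).
  let MinSupportedAndroidMajor = 10;
  let MinSupportedIOSMajor = 15;
  LookoutEvents
  | where EventType == "DEVICE"
  | where DeviceComplianceStatus in ("Non-Compliant", "Partial")
      or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
      or ChangeType == "UPDATE"
  // Major OS version as an integer; null when DeviceOSVersion is empty or not numeric.
  | extend OSMajorVersion = toint(split(DeviceOSVersion, ".")[0])
  // Score threat and compliance state separately and keep the higher one, so a
  // Non-Compliant device is not downgraded to "Low" because it also reports THREATS_LOW.
  | extend
      ThreatScore = case(
          DeviceSecurityStatus == "THREATS_HIGH", 9,
          DeviceSecurityStatus == "THREATS_MEDIUM", 6,
          DeviceSecurityStatus == "THREATS_LOW", 3,
          1
      ),
      ComplianceScore = case(
          DeviceComplianceStatus == "Non-Compliant", 7,
          DeviceComplianceStatus == "Partial", 4,
          1
      )
  | extend DeviceRiskScore = max_of(ThreatScore, ComplianceScore)
  | extend
      // Why the device is (or is not) out of compliance; first matching clause wins.
      ComplianceReason = case(
          isnotempty(DeviceComplianceStatus)
              and DeviceComplianceStatus !in ("Non-Compliant", "Partial"), "Compliant",
          // Empty check-in time means no check-in was recorded at all; check-in age is not evaluated.
          isempty(DeviceCheckinTime), "No Recent Check-in",
          DeviceActivationStatus != "ACTIVE", "Inactive Device",
          isempty(ClientLookoutSDKVersion), "Missing Security Client",
          "Configuration Issue"
      ),
      PlatformRisk = case(
          DevicePlatform == "UNKNOWN", "Unknown Platform",
          // Do not claim "Current" for a device whose OS version is missing or unparseable.
          isnull(OSMajorVersion), "Unknown OS Version",
          DevicePlatform == "ANDROID" and OSMajorVersion < MinSupportedAndroidMajor, "Outdated Android",
          DevicePlatform == "IOS" and OSMajorVersion < MinSupportedIOSMajor, "Outdated iOS",
          // Any other platform value falls through here without a version check.
          "Current"
      ),
      MDMIntegrationStatus = case(
          isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
          isnotempty(MDMConnectorId), "Partial Integration",
          "Not Integrated"
      )
  | extend
      // Analyst-facing posture label; "Critical" is not a Sentinel alert severity,
      // so a separate AlertSeverity column feeds alertSeverityColumnName.
      SecurityPosture = case(
          DeviceRiskScore >= 8, "Critical",
          DeviceRiskScore >= 6, "High",
          DeviceRiskScore >= 4, "Medium",
          "Low"
      ),
      AlertSeverity = case(
          DeviceRiskScore >= 6, "High",
          DeviceRiskScore >= 4, "Medium",
          "Low"
      )
  | project
      TimeGenerated,
      EventId,
      DeviceGuid,
      DevicePlatform,
      DeviceOSVersion,
      DeviceManufacturer,
      DeviceModel,
      DeviceEmailAddress,
      DeviceActivationStatus,
      DeviceSecurityStatus,
      DeviceComplianceStatus,
      DeviceRiskScore,
      SecurityPosture,
      ComplianceReason,
      PlatformRisk,
      DeviceCheckinTime,
      DeviceActivatedAt,
      DeviceDeactivatedAt,
      DeviceGroupGuid,
      ClientLookoutSDKVersion,
      ClientOTAVersion,
      ClientPackageName,
      ClientPackageVersion,
      MDMConnectorId,
      MDMConnectorUuid,
      MDMExternalId,
      MDMIntegrationStatus,
      ActorType,
      ActorGuid,
      ChangeType,
      AlertSeverity
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: DeviceEmailAddress
# The Lookout device GUID, not a DNS name, identifies the host here; it will not
# correlate by name with hosts seen by other data sources.
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceGuid
  - identifier: OSFamily
    columnName: DevicePlatform
  - identifier: OSVersion
    columnName: DeviceOSVersion
relevantTechniques:
- T1418
- T1629
- T1655
description: |
    'Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data.'
queryPeriod: 30m
incidentConfiguration:
  groupingConfiguration:
    groupByEntities:
    - Account
    - Host
    reopenClosedIncident: false
    # Both keys must exist in customDetails below.
    groupByCustomDetails:
    - SecurityPosture
    - DevicePlatform
    # groupByAlertDetails was removed: the schema only accepts DisplayName and
    # Severity there, and the previous value (DeviceGuid) is not one of them.
    # Per-device grouping is already provided by the Host entity mapped from
    # DeviceGuid above.
    matchingMethod: Selected
    lookbackDuration: P1D
    enabled: true
  createIncident: true
status: Available
suppressionEnabled: false
kind: Scheduled
triggerOperator: gt
severity: Medium
alertDetailsOverride:
  # AlertSeverity is computed in the query as High/Medium/Low. SecurityPosture
  # cannot be used here because its "Critical" value is not a Sentinel severity
  # and rows carrying it would silently fall back to the rule's static severity.
  alertSeverityColumnName: AlertSeverity
  alertDisplayNameFormat: 'Device Compliance Issue: {{SecurityPosture}} Risk on {{DevicePlatform}} Device'
  alertDescriptionFormat: '{{SecurityPosture}} posture with {{DeviceComplianceStatus}} compliance'
  # alertTacticsColumnName was removed: it pointed at SecurityPosture, whose
  # values are posture labels rather than MITRE ATT&CK tactic names. The static
  # tactics list below applies instead.
version: 2.0.3
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 10m
tactics:
- Discovery
- DefenseEvasion
- Persistence
customDetails:
  DevicePlatform: DevicePlatform
  PlatformRisk: PlatformRisk
  ComplianceReason: ComplianceReason
  DevCompliance: DeviceComplianceStatus
  ClientSDKVersion: ClientLookoutSDKVersion
  SecurityPosture: SecurityPosture
  DeviceModel: DeviceModel
  DeviceRiskScore: DeviceRiskScore
  DeviceSecStatus: DeviceSecurityStatus
  DeviceManufacturer: DeviceManufacturer
  MDMIntegration: MDMIntegrationStatus
triggerThreshold: 0
requiredDataConnectors:
- connectorId: LookoutAPI
  dataTypes:
  - LookoutEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutDeviceComplianceV2.yaml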