Lookout - Device Compliance and Security Status Changes v2
| Id | 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c |
| Rulename | Lookout - Device Compliance and Security Status Changes (v2) |
| Description | Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data. |
| Severity | Medium |
| Tactics | Discovery DefenseEvasion Persistence |
| Techniques | T1418 T1629 T1655 |
| Required data connectors | LookoutAPI |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutDeviceComplianceV2.yaml |
| Version | 2.0.3 |
| Arm template | 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c.json |
LookoutEvents
| where EventType == "DEVICE"
| where DeviceComplianceStatus in ("Non-Compliant", "Partial")
or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
or ChangeType == "UPDATE"
| extend
DeviceRiskScore = case(
DeviceSecurityStatus == "THREATS_HIGH", 9,
DeviceSecurityStatus == "THREATS_MEDIUM", 6,
DeviceSecurityStatus == "THREATS_LOW", 3,
DeviceComplianceStatus == "Non-Compliant", 7,
DeviceComplianceStatus == "Partial", 4,
1
),
ComplianceReason = case(
isempty(DeviceCheckinTime), "No Recent Check-in",
DeviceActivationStatus != "ACTIVE", "Inactive Device",
isempty(ClientLookoutSDKVersion), "Missing Security Client",
"Configuration Issue"
),
PlatformRisk = case(
DevicePlatform == "ANDROID" and DeviceOSVersion matches regex @"^[1-9]\..*", "Outdated Android",
DevicePlatform == "IOS" and DeviceOSVersion matches regex @"^1[0-4]\..*", "Outdated iOS",
DevicePlatform == "UNKNOWN", "Unknown Platform",
"Current"
)
| extend MDMIntegrationStatus = case(
isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
isnotempty(MDMConnectorId), "Partial Integration",
"Not Integrated"
)
| extend SecurityPosture = case(
DeviceRiskScore >= 8, "Critical",
DeviceRiskScore >= 6, "High",
DeviceRiskScore >= 4, "Medium",
"Low"
)
| project
TimeGenerated,
EventId,
DeviceGuid,
DevicePlatform,
DeviceOSVersion,
DeviceManufacturer,
DeviceModel,
DeviceEmailAddress,
DeviceActivationStatus,
DeviceSecurityStatus,
DeviceComplianceStatus,
DeviceRiskScore,
SecurityPosture,
ComplianceReason,
PlatformRisk,
DeviceCheckinTime,
DeviceActivatedAt,
DeviceDeactivatedAt,
DeviceGroupGuid,
ClientLookoutSDKVersion,
ClientOTAVersion,
ClientPackageName,
ClientPackageVersion,
MDMConnectorId,
MDMConnectorUuid,
MDMExternalId,
MDMIntegrationStatus,
ActorType,
ActorGuid,
ChangeType
status: Available
queryFrequency: 10m
suppressionEnabled: false
queryPeriod: 30m
triggerOperator: gt
query: |
LookoutEvents
| where EventType == "DEVICE"
| where DeviceComplianceStatus in ("Non-Compliant", "Partial")
or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
or ChangeType == "UPDATE"
| extend
DeviceRiskScore = case(
DeviceSecurityStatus == "THREATS_HIGH", 9,
DeviceSecurityStatus == "THREATS_MEDIUM", 6,
DeviceSecurityStatus == "THREATS_LOW", 3,
DeviceComplianceStatus == "Non-Compliant", 7,
DeviceComplianceStatus == "Partial", 4,
1
),
ComplianceReason = case(
isempty(DeviceCheckinTime), "No Recent Check-in",
DeviceActivationStatus != "ACTIVE", "Inactive Device",
isempty(ClientLookoutSDKVersion), "Missing Security Client",
"Configuration Issue"
),
PlatformRisk = case(
DevicePlatform == "ANDROID" and DeviceOSVersion matches regex @"^[1-9]\..*", "Outdated Android",
DevicePlatform == "IOS" and DeviceOSVersion matches regex @"^1[0-4]\..*", "Outdated iOS",
DevicePlatform == "UNKNOWN", "Unknown Platform",
"Current"
)
| extend MDMIntegrationStatus = case(
isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
isnotempty(MDMConnectorId), "Partial Integration",
"Not Integrated"
)
| extend SecurityPosture = case(
DeviceRiskScore >= 8, "Critical",
DeviceRiskScore >= 6, "High",
DeviceRiskScore >= 4, "Medium",
"Low"
)
| project
TimeGenerated,
EventId,
DeviceGuid,
DevicePlatform,
DeviceOSVersion,
DeviceManufacturer,
DeviceModel,
DeviceEmailAddress,
DeviceActivationStatus,
DeviceSecurityStatus,
DeviceComplianceStatus,
DeviceRiskScore,
SecurityPosture,
ComplianceReason,
PlatformRisk,
DeviceCheckinTime,
DeviceActivatedAt,
DeviceDeactivatedAt,
DeviceGroupGuid,
ClientLookoutSDKVersion,
ClientOTAVersion,
ClientPackageName,
ClientPackageVersion,
MDMConnectorId,
MDMConnectorUuid,
MDMExternalId,
MDMIntegrationStatus,
ActorType,
ActorGuid,
ChangeType
eventGroupingSettings:
aggregationKind: AlertPerResult
suppressionDuration: PT30M
tactics:
- Discovery
- DefenseEvasion
- Persistence
triggerThreshold: 0
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: DeviceEmailAddress
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DeviceGuid
- identifier: OSFamily
columnName: DevicePlatform
- identifier: OSVersion
columnName: DeviceOSVersion
requiredDataConnectors:
- connectorId: LookoutAPI
dataTypes:
- LookoutEvents
alertDetailsOverride:
alertDescriptionFormat: '{{SecurityPosture}} posture with {{DeviceComplianceStatus}} compliance'
alertDisplayNameFormat: 'Device Compliance Issue: {{SecurityPosture}} Risk on {{DevicePlatform}} Device'
alertTacticsColumnName: SecurityPosture
alertSeverityColumnName: SecurityPosture
relevantTechniques:
- T1418
- T1629
- T1655
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutDeviceComplianceV2.yaml
customDetails:
DevCompliance: DeviceComplianceStatus
DeviceRiskScore: DeviceRiskScore
DeviceModel: DeviceModel
DeviceManufacturer: DeviceManufacturer
SecurityPosture: SecurityPosture
MDMIntegration: MDMIntegrationStatus
ClientSDKVersion: ClientLookoutSDKVersion
DeviceSecStatus: DeviceSecurityStatus
ComplianceReason: ComplianceReason
PlatformRisk: PlatformRisk
DevicePlatform: DevicePlatform
description: |
'Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data.'
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
groupByCustomDetails:
- SecurityPosture
- DevicePlatform
enabled: true
groupByAlertDetails:
- DeviceGuid
matchingMethod: Selected
lookbackDuration: P1D
groupByEntities:
- Account
- Host
createIncident: true
name: Lookout - Device Compliance and Security Status Changes (v2)
version: 2.0.3
kind: Scheduled
id: 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c
severity: Medium