Lookout - Device Compliance and Security Status Changes v2
| Id | 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c |
| Rulename | Lookout - Device Compliance and Security Status Changes (v2) |
| Description | Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data. |
| Severity | Medium |
| Tactics | Discovery DefenseEvasion Persistence |
| Techniques | T1418 T1629 T1655 |
| Required data connectors | LookoutAPI |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutDeviceComplianceV2.yaml |
| Version | 2.0.3 |
| Arm template | 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c.json |
LookoutEvents
| where EventType == "DEVICE"
| where DeviceComplianceStatus in ("Non-Compliant", "Partial")
or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
or ChangeType == "UPDATE"
| extend
DeviceRiskScore = case(
DeviceSecurityStatus == "THREATS_HIGH", 9,
DeviceSecurityStatus == "THREATS_MEDIUM", 6,
DeviceSecurityStatus == "THREATS_LOW", 3,
DeviceComplianceStatus == "Non-Compliant", 7,
DeviceComplianceStatus == "Partial", 4,
1
),
ComplianceReason = case(
isempty(DeviceCheckinTime), "No Recent Check-in",
DeviceActivationStatus != "ACTIVE", "Inactive Device",
isempty(ClientLookoutSDKVersion), "Missing Security Client",
"Configuration Issue"
),
PlatformRisk = case(
DevicePlatform == "ANDROID" and DeviceOSVersion matches regex @"^[1-9]\..*", "Outdated Android",
DevicePlatform == "IOS" and DeviceOSVersion matches regex @"^1[0-4]\..*", "Outdated iOS",
DevicePlatform == "UNKNOWN", "Unknown Platform",
"Current"
)
| extend MDMIntegrationStatus = case(
isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
isnotempty(MDMConnectorId), "Partial Integration",
"Not Integrated"
)
| extend SecurityPosture = case(
DeviceRiskScore >= 8, "Critical",
DeviceRiskScore >= 6, "High",
DeviceRiskScore >= 4, "Medium",
"Low"
)
| project
TimeGenerated,
EventId,
DeviceGuid,
DevicePlatform,
DeviceOSVersion,
DeviceManufacturer,
DeviceModel,
DeviceEmailAddress,
DeviceActivationStatus,
DeviceSecurityStatus,
DeviceComplianceStatus,
DeviceRiskScore,
SecurityPosture,
ComplianceReason,
PlatformRisk,
DeviceCheckinTime,
DeviceActivatedAt,
DeviceDeactivatedAt,
DeviceGroupGuid,
ClientLookoutSDKVersion,
ClientOTAVersion,
ClientPackageName,
ClientPackageVersion,
MDMConnectorId,
MDMConnectorUuid,
MDMExternalId,
MDMIntegrationStatus,
ActorType,
ActorGuid,
ChangeType
id: 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c
eventGroupingSettings:
aggregationKind: AlertPerResult
suppressionDuration: PT30M
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutDeviceComplianceV2.yaml
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DeviceEmailAddress
entityType: Account
- fieldMappings:
- identifier: HostName
columnName: DeviceGuid
- identifier: OSFamily
columnName: DevicePlatform
- identifier: OSVersion
columnName: DeviceOSVersion
entityType: Host
requiredDataConnectors:
- dataTypes:
- LookoutEvents
connectorId: LookoutAPI
queryFrequency: 10m
alertDetailsOverride:
alertTacticsColumnName: SecurityPosture
alertDisplayNameFormat: 'Device Compliance Issue: {{SecurityPosture}} Risk on {{DevicePlatform}} Device'
alertSeverityColumnName: SecurityPosture
alertDescriptionFormat: '{{SecurityPosture}} posture with {{DeviceComplianceStatus}} compliance'
suppressionEnabled: false
queryPeriod: 30m
status: Available
incidentConfiguration:
groupingConfiguration:
lookbackDuration: P1D
groupByAlertDetails:
- DeviceGuid
reopenClosedIncident: false
matchingMethod: Selected
groupByCustomDetails:
- SecurityPosture
- DevicePlatform
groupByEntities:
- Account
- Host
enabled: true
createIncident: true
query: |
LookoutEvents
| where EventType == "DEVICE"
| where DeviceComplianceStatus in ("Non-Compliant", "Partial")
or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
or ChangeType == "UPDATE"
| extend
DeviceRiskScore = case(
DeviceSecurityStatus == "THREATS_HIGH", 9,
DeviceSecurityStatus == "THREATS_MEDIUM", 6,
DeviceSecurityStatus == "THREATS_LOW", 3,
DeviceComplianceStatus == "Non-Compliant", 7,
DeviceComplianceStatus == "Partial", 4,
1
),
ComplianceReason = case(
isempty(DeviceCheckinTime), "No Recent Check-in",
DeviceActivationStatus != "ACTIVE", "Inactive Device",
isempty(ClientLookoutSDKVersion), "Missing Security Client",
"Configuration Issue"
),
PlatformRisk = case(
DevicePlatform == "ANDROID" and DeviceOSVersion matches regex @"^[1-9]\..*", "Outdated Android",
DevicePlatform == "IOS" and DeviceOSVersion matches regex @"^1[0-4]\..*", "Outdated iOS",
DevicePlatform == "UNKNOWN", "Unknown Platform",
"Current"
)
| extend MDMIntegrationStatus = case(
isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
isnotempty(MDMConnectorId), "Partial Integration",
"Not Integrated"
)
| extend SecurityPosture = case(
DeviceRiskScore >= 8, "Critical",
DeviceRiskScore >= 6, "High",
DeviceRiskScore >= 4, "Medium",
"Low"
)
| project
TimeGenerated,
EventId,
DeviceGuid,
DevicePlatform,
DeviceOSVersion,
DeviceManufacturer,
DeviceModel,
DeviceEmailAddress,
DeviceActivationStatus,
DeviceSecurityStatus,
DeviceComplianceStatus,
DeviceRiskScore,
SecurityPosture,
ComplianceReason,
PlatformRisk,
DeviceCheckinTime,
DeviceActivatedAt,
DeviceDeactivatedAt,
DeviceGroupGuid,
ClientLookoutSDKVersion,
ClientOTAVersion,
ClientPackageName,
ClientPackageVersion,
MDMConnectorId,
MDMConnectorUuid,
MDMExternalId,
MDMIntegrationStatus,
ActorType,
ActorGuid,
ChangeType
name: Lookout - Device Compliance and Security Status Changes (v2)
kind: Scheduled
tactics:
- Discovery
- DefenseEvasion
- Persistence
severity: Medium
relevantTechniques:
- T1418
- T1629
- T1655
triggerThreshold: 0
version: 2.0.3
description: |
'Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data.'
customDetails:
ClientSDKVersion: ClientLookoutSDKVersion
ComplianceReason: ComplianceReason
DeviceManufacturer: DeviceManufacturer
DevCompliance: DeviceComplianceStatus
SecurityPosture: SecurityPosture
DeviceModel: DeviceModel
PlatformRisk: PlatformRisk
DeviceSecStatus: DeviceSecurityStatus
MDMIntegration: MDMIntegrationStatus
DevicePlatform: DevicePlatform
DeviceRiskScore: DeviceRiskScore