Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lookout - Device Compliance and Security Status Changes v2

Lookout - Device Compliance and Security Status Changes v2

Back
Id9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c
RulenameLookout - Device Compliance and Security Status Changes (v2)
DescriptionMonitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data.
SeverityMedium
TacticsDiscovery
DefenseEvasion
Persistence
TechniquesT1418
T1629
T1655
Required data connectorsLookoutAPI
KindScheduled
Query frequency10m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutDeviceComplianceV2.yaml
Version2.0.3
Arm template9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c.json
Deploy To Azure
LookoutEvents
| where EventType == "DEVICE"
| where DeviceComplianceStatus in ("Non-Compliant", "Partial") 
   or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
   or ChangeType == "UPDATE"
| extend 
    DeviceRiskScore = case(
        DeviceSecurityStatus == "THREATS_HIGH", 9,
        DeviceSecurityStatus == "THREATS_MEDIUM", 6,
        DeviceSecurityStatus == "THREATS_LOW", 3,
        DeviceComplianceStatus == "Non-Compliant", 7,
        DeviceComplianceStatus == "Partial", 4,
        1
    ),
    ComplianceReason = case(
        isempty(DeviceCheckinTime), "No Recent Check-in",
        DeviceActivationStatus != "ACTIVE", "Inactive Device",
        isempty(ClientLookoutSDKVersion), "Missing Security Client",
        "Configuration Issue"
    ),
    PlatformRisk = case(
        DevicePlatform == "ANDROID" and DeviceOSVersion matches regex @"^[1-9]\..*", "Outdated Android",
        DevicePlatform == "IOS" and DeviceOSVersion matches regex @"^1[0-4]\..*", "Outdated iOS",
        DevicePlatform == "UNKNOWN", "Unknown Platform",
        "Current"
    )
| extend MDMIntegrationStatus = case(
    isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
    isnotempty(MDMConnectorId), "Partial Integration", 
    "Not Integrated"
)
| extend SecurityPosture = case(
    DeviceRiskScore >= 8, "Critical",
    DeviceRiskScore >= 6, "High",
    DeviceRiskScore >= 4, "Medium",
    "Low"
)
| project
    TimeGenerated,
    EventId,
    DeviceGuid,
    DevicePlatform,
    DeviceOSVersion,
    DeviceManufacturer,
    DeviceModel,
    DeviceEmailAddress,
    DeviceActivationStatus,
    DeviceSecurityStatus,
    DeviceComplianceStatus,
    DeviceRiskScore,
    SecurityPosture,
    ComplianceReason,
    PlatformRisk,
    DeviceCheckinTime,
    DeviceActivatedAt,
    DeviceDeactivatedAt,
    DeviceGroupGuid,
    ClientLookoutSDKVersion,
    ClientOTAVersion,
    ClientPackageName,
    ClientPackageVersion,
    MDMConnectorId,
    MDMConnectorUuid,
    MDMExternalId,
    MDMIntegrationStatus,
    ActorType,
    ActorGuid,
    ChangeType

version: 2.0.3
queryFrequency: 10m
kind: Scheduled
suppressionDuration: PT30M
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1418
- T1629
- T1655
alertDetailsOverride:
  alertDisplayNameFormat: 'Device Compliance Issue: {{SecurityPosture}} Risk on {{DevicePlatform}} Device'
  alertDescriptionFormat: '{{SecurityPosture}} posture with {{DeviceComplianceStatus}} compliance'
  alertSeverityColumnName: SecurityPosture
  alertTacticsColumnName: SecurityPosture
triggerOperator: gt
customDetails:
  MDMIntegration: MDMIntegrationStatus
  DeviceSecStatus: DeviceSecurityStatus
  DevCompliance: DeviceComplianceStatus
  ComplianceReason: ComplianceReason
  ClientSDKVersion: ClientLookoutSDKVersion
  DeviceModel: DeviceModel
  DeviceRiskScore: DeviceRiskScore
  DevicePlatform: DevicePlatform
  SecurityPosture: SecurityPosture
  PlatformRisk: PlatformRisk
  DeviceManufacturer: DeviceManufacturer
status: Available
requiredDataConnectors:
- connectorId: LookoutAPI
  dataTypes:
  - LookoutEvents
id: 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c
name: Lookout - Device Compliance and Security Status Changes (v2)
query: |
  LookoutEvents
  | where EventType == "DEVICE"
  | where DeviceComplianceStatus in ("Non-Compliant", "Partial") 
     or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
     or ChangeType == "UPDATE"
  | extend 
      DeviceRiskScore = case(
          DeviceSecurityStatus == "THREATS_HIGH", 9,
          DeviceSecurityStatus == "THREATS_MEDIUM", 6,
          DeviceSecurityStatus == "THREATS_LOW", 3,
          DeviceComplianceStatus == "Non-Compliant", 7,
          DeviceComplianceStatus == "Partial", 4,
          1
      ),
      ComplianceReason = case(
          isempty(DeviceCheckinTime), "No Recent Check-in",
          DeviceActivationStatus != "ACTIVE", "Inactive Device",
          isempty(ClientLookoutSDKVersion), "Missing Security Client",
          "Configuration Issue"
      ),
      PlatformRisk = case(
          DevicePlatform == "ANDROID" and DeviceOSVersion matches regex @"^[1-9]\..*", "Outdated Android",
          DevicePlatform == "IOS" and DeviceOSVersion matches regex @"^1[0-4]\..*", "Outdated iOS",
          DevicePlatform == "UNKNOWN", "Unknown Platform",
          "Current"
      )
  | extend MDMIntegrationStatus = case(
      isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
      isnotempty(MDMConnectorId), "Partial Integration", 
      "Not Integrated"
  )
  | extend SecurityPosture = case(
      DeviceRiskScore >= 8, "Critical",
      DeviceRiskScore >= 6, "High",
      DeviceRiskScore >= 4, "Medium",
      "Low"
  )
  | project
      TimeGenerated,
      EventId,
      DeviceGuid,
      DevicePlatform,
      DeviceOSVersion,
      DeviceManufacturer,
      DeviceModel,
      DeviceEmailAddress,
      DeviceActivationStatus,
      DeviceSecurityStatus,
      DeviceComplianceStatus,
      DeviceRiskScore,
      SecurityPosture,
      ComplianceReason,
      PlatformRisk,
      DeviceCheckinTime,
      DeviceActivatedAt,
      DeviceDeactivatedAt,
      DeviceGroupGuid,
      ClientLookoutSDKVersion,
      ClientOTAVersion,
      ClientPackageName,
      ClientPackageVersion,
      MDMConnectorId,
      MDMConnectorUuid,
      MDMExternalId,
      MDMIntegrationStatus,
      ActorType,
      ActorGuid,
      ChangeType  
queryPeriod: 30m
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutDeviceComplianceV2.yaml
triggerThreshold: 0
description: |
    'Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data.'
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: DeviceEmailAddress
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceGuid
  - identifier: OSFamily
    columnName: DevicePlatform
  - identifier: OSVersion
    columnName: DeviceOSVersion
severity: Medium
tactics:
- Discovery
- DefenseEvasion
- Persistence
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: P1D
    matchingMethod: Selected
    groupByEntities:
    - Account
    - Host
    groupByCustomDetails:
    - SecurityPosture
    - DevicePlatform
    groupByAlertDetails:
    - DeviceGuid
    reopenClosedIncident: false
    enabled: true