Lookout - Device Compliance and Security Status Changes v2
| Id | 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c |
| Rulename | Lookout - Device Compliance and Security Status Changes (v2) |
| Description | Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data. |
| Severity | Medium |
| Tactics | Discovery DefenseEvasion Persistence |
| Techniques | T1418 T1629 T1655 |
| Required data connectors | LookoutAPI |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutDeviceComplianceV2.yaml |
| Version | 2.0.3 |
| Arm template | 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c.json |
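LookoutEvents
| where EventType == "DEVICE"
// Candidate rows: devices already out of compliance, devices carrying threats, or any
// device record update. NOTE: the UPDATE clause admits every update regardless of the
// resulting status (a compliant, threat-free device still scores 1 / "Low"), so this
// rule is noisy by design; tighten it once the compliant/secure status values are confirmed.
| where DeviceComplianceStatus in ("Non-Compliant", "Partial")
    or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
    or ChangeType == "UPDATE"
// Score the two risk dimensions independently and keep the higher one. case() returns
// the first match, so a single combined case() rated a Non-Compliant device with
// THREATS_LOW as 3 ("Low") instead of 7 ("High").
| extend
    SecurityRisk = case(
        DeviceSecurityStatus == "THREATS_HIGH", 9,
        DeviceSecurityStatus == "THREATS_MEDIUM", 6,
        DeviceSecurityStatus == "THREATS_LOW", 3,
        1
    ),
    ComplianceRisk = case(
        DeviceComplianceStatus == "Non-Compliant", 7,
        DeviceComplianceStatus == "Partial", 4,
        1
    ),
    // First matching explanation wins. isempty() only detects an absent check-in value,
    // not a stale one, so "No Recent Check-in" means "no check-in recorded".
    ComplianceReason = case(
        isempty(DeviceCheckinTime), "No Recent Check-in",
        DeviceActivationStatus != "ACTIVE", "Inactive Device",
        isempty(ClientLookoutSDKVersion), "Missing Security Client",
        "Configuration Issue"
    ),
    // OS currency by major version: Android 1-9 and iOS 1-14 are treated as outdated.
    // A bare major ("9") is accepted, and an empty version string is reported rather
    // than silently treated as "Current"; iOS 1-9 previously fell through to "Current".
    PlatformRisk = case(
        DevicePlatform == "UNKNOWN", "Unknown Platform",
        isempty(DeviceOSVersion), "Unknown OS Version",
        DevicePlatform == "ANDROID" and DeviceOSVersion matches regex @"^[1-9](\.|$)", "Outdated Android",
        DevicePlatform == "IOS" and DeviceOSVersion matches regex @"^([1-9]|1[0-4])(\.|$)", "Outdated iOS",
        "Current"
    )
| extend DeviceRiskScore = max_of(SecurityRisk, ComplianceRisk)
| extend MDMIntegrationStatus = case(
    isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
    isnotempty(MDMConnectorId), "Partial Integration",
    "Not Integrated"
)
| extend SecurityPosture = case(
    DeviceRiskScore >= 8, "Critical",
    DeviceRiskScore >= 6, "High",
    DeviceRiskScore >= 4, "Medium",
    "Low"
)
// Sentinel dynamic alert severity accepts only Informational/Low/Medium/High, so the
// "Critical" posture is folded into "High" for use as the severity column.
| extend AlertSeverity = iff(SecurityPosture == "Critical", "High", SecurityPosture)
| project
    TimeGenerated,
    EventId,
    DeviceGuid,
    DevicePlatform,
    DeviceOSVersion,
    DeviceManufacturer,
    DeviceModel,
    DeviceEmailAddress,
    DeviceActivationStatus,
    DeviceSecurityStatus,
    DeviceComplianceStatus,
    DeviceRiskScore,
    SecurityPosture,
    ComplianceReason,
    PlatformRisk,
    DeviceCheckinTime,
    DeviceActivatedAt,
    DeviceDeactivatedAt,
    DeviceGroupGuid,
    ClientLookoutSDKVersion,
    ClientOTAVersion,
    ClientPackageName,
    ClientPackageVersion,
    MDMConnectorId,
    MDMConnectorUuid,
    MDMExternalId,
    MDMIntegrationStatus,
    ActorType,
    ActorGuid,
    ChangeType,
    AlertSeverity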
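# Analytic rule: Lookout device compliance / security-status monitoring (Mobile Risk API v2 fields).
# Key order follows the rendered source; indentation restored.
relevantTechniques:
  - T1418
  - T1629
  - T1655
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: DeviceEmailAddress
        identifier: FullName
  - entityType: Host
    fieldMappings:
      # DeviceGuid is a Lookout device identifier rather than a resolvable host name; it is
      # mapped to HostName so that each device gets a Host entity for incident grouping.
      - columnName: DeviceGuid
        identifier: HostName
      - columnName: DevicePlatform
        identifier: OSFamily
      - columnName: DeviceOSVersion
        identifier: OSVersion
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 2.0.3
suppressionDuration: PT30M
id: 9c5b6d8f-3a02-4e9b-af4c-2d7e9b1f5a8c
suppressionEnabled: false
severity: Medium
kind: Scheduled
# NOTE: queryFrequency 10m with queryPeriod 30m means every event is evaluated by three
# consecutive runs; with AlertPerResult and suppression disabled the same event can alert
# three times. Align queryPeriod with queryFrequency, or enable suppression, if duplicates appear.
queryFrequency: 10m
description: |
  'Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data.'
requiredDataConnectors:
  - connectorId: LookoutAPI
    dataTypes:
      - LookoutEvents
triggerOperator: gt
name: Lookout - Device Compliance and Security Status Changes (v2)
tactics:
  - Discovery
  - DefenseEvasion
  - Persistence
alertDetailsOverride:
  alertDescriptionFormat: '{{SecurityPosture}} posture with {{DeviceComplianceStatus}} compliance'
  # alertTacticsColumnName previously pointed at SecurityPosture, whose values
  # (Critical/High/Medium/Low) are not MITRE tactics; it is removed so the rule-level
  # tactics list applies.
  # The severity column must yield Informational/Low/Medium/High; the query's AlertSeverity
  # column folds the "Critical" posture into High for this purpose.
  alertSeverityColumnName: AlertSeverity
  alertDisplayNameFormat: 'Device Compliance Issue: {{SecurityPosture}} Risk on {{DevicePlatform}} Device'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutDeviceComplianceV2.yaml
triggerThreshold: 0
queryPeriod: 30m
query: |
  LookoutEvents
  | where EventType == "DEVICE"
  // Candidate rows: devices already out of compliance, devices carrying threats, or any
  // device record update. NOTE: the UPDATE clause admits every update regardless of the
  // resulting status (a compliant, threat-free device still scores 1 / "Low"), so this
  // rule is noisy by design; tighten it once the compliant/secure status values are confirmed.
  | where DeviceComplianceStatus in ("Non-Compliant", "Partial")
      or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
      or ChangeType == "UPDATE"
  // Score the two risk dimensions independently and keep the higher one. case() returns
  // the first match, so a single combined case() rated a Non-Compliant device with
  // THREATS_LOW as 3 ("Low") instead of 7 ("High").
  | extend
      SecurityRisk = case(
          DeviceSecurityStatus == "THREATS_HIGH", 9,
          DeviceSecurityStatus == "THREATS_MEDIUM", 6,
          DeviceSecurityStatus == "THREATS_LOW", 3,
          1
      ),
      ComplianceRisk = case(
          DeviceComplianceStatus == "Non-Compliant", 7,
          DeviceComplianceStatus == "Partial", 4,
          1
      ),
      // First matching explanation wins. isempty() only detects an absent check-in value,
      // not a stale one, so "No Recent Check-in" means "no check-in recorded".
      ComplianceReason = case(
          isempty(DeviceCheckinTime), "No Recent Check-in",
          DeviceActivationStatus != "ACTIVE", "Inactive Device",
          isempty(ClientLookoutSDKVersion), "Missing Security Client",
          "Configuration Issue"
      ),
      // OS currency by major version: Android 1-9 and iOS 1-14 are treated as outdated.
      // A bare major ("9") is accepted, and an empty version string is reported rather
      // than silently treated as "Current"; iOS 1-9 previously fell through to "Current".
      PlatformRisk = case(
          DevicePlatform == "UNKNOWN", "Unknown Platform",
          isempty(DeviceOSVersion), "Unknown OS Version",
          DevicePlatform == "ANDROID" and DeviceOSVersion matches regex @"^[1-9](\.|$)", "Outdated Android",
          DevicePlatform == "IOS" and DeviceOSVersion matches regex @"^([1-9]|1[0-4])(\.|$)", "Outdated iOS",
          "Current"
      )
  | extend DeviceRiskScore = max_of(SecurityRisk, ComplianceRisk)
  | extend MDMIntegrationStatus = case(
      isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
      isnotempty(MDMConnectorId), "Partial Integration",
      "Not Integrated"
  )
  | extend SecurityPosture = case(
      DeviceRiskScore >= 8, "Critical",
      DeviceRiskScore >= 6, "High",
      DeviceRiskScore >= 4, "Medium",
      "Low"
  )
  // Sentinel dynamic alert severity accepts only Informational/Low/Medium/High, so the
  // "Critical" posture is folded into "High" for use as the severity column.
  | extend AlertSeverity = iff(SecurityPosture == "Critical", "High", SecurityPosture)
  | project
      TimeGenerated,
      EventId,
      DeviceGuid,
      DevicePlatform,
      DeviceOSVersion,
      DeviceManufacturer,
      DeviceModel,
      DeviceEmailAddress,
      DeviceActivationStatus,
      DeviceSecurityStatus,
      DeviceComplianceStatus,
      DeviceRiskScore,
      SecurityPosture,
      ComplianceReason,
      PlatformRisk,
      DeviceCheckinTime,
      DeviceActivatedAt,
      DeviceDeactivatedAt,
      DeviceGroupGuid,
      ClientLookoutSDKVersion,
      ClientOTAVersion,
      ClientPackageName,
      ClientPackageVersion,
      MDMConnectorId,
      MDMConnectorUuid,
      MDMExternalId,
      MDMIntegrationStatus,
      ActorType,
      ActorGuid,
      ChangeType,
      AlertSeverity
status: Available
customDetails:
  SecurityPosture: SecurityPosture
  PlatformRisk: PlatformRisk
  DeviceRiskScore: DeviceRiskScore
  MDMIntegration: MDMIntegrationStatus
  ComplianceReason: ComplianceReason
  DevCompliance: DeviceComplianceStatus
  DeviceSecStatus: DeviceSecurityStatus
  DevicePlatform: DevicePlatform
  DeviceManufacturer: DeviceManufacturer
  DeviceModel: DeviceModel
  ClientSDKVersion: ClientLookoutSDKVersion
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    groupByEntities:
      - Account
      - Host
    groupByCustomDetails:
      - SecurityPosture
      - DevicePlatform
    # groupByAlertDetails only accepts DisplayName / Severity; the former "- DeviceGuid"
    # entry was not a valid value. Per-device grouping is already provided by the Host
    # entity (DeviceGuid -> HostName) listed under groupByEntities.
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: P1D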