SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has "Internet"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
name: Internet Access (Microsoft Defender for IoT)
alertDetailsOverride:
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: RemediationSteps
alertProperty: RemediationSteps
- value: Techniques
alertProperty: Techniques
- value: ProductComponentName
alertProperty: ProductComponentName
- value: AlertLink
alertProperty: AlertLink
alertDisplayNameFormat: (MDIoT) {{AlertName}}
alertTacticsColumnName: Tactics
alertSeverityColumnName: AlertSeverity
alertDescriptionFormat: (MDIoT) {{Description}}
id: 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd
description: |
'This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network.'
triggerThreshold: 0
entityMappings:
sentinelEntitiesMappings:
- columnName: Entities
triggerOperator: gt
query: |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has "Internet"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
tactics:
- LateralMovement
version: 1.0.3
kind: Scheduled
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml
severity: High
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
- SecurityAlert (ASC for IoT)
connectorId: IoT
status: Available
customDetails:
Protocol: Protocol
Sensor: DeviceId
VendorOriginalId: VendorOriginalId
AlertManagementUri: AlertManagementUri
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T0886
