Internet Access Microsoft Defender for IoT
| Id | 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd |
| Rulename | Internet Access (Microsoft Defender for IoT) |
| Description | This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network. |
| Severity | High |
| Tactics | LateralMovement |
| Techniques | T0886 |
| Required data connectors | IoT |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml |
| Version | 1.0.3 |
| Arm template | 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd.json |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has "Internet"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
kind: Scheduled
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertSeverityColumnName: AlertSeverity
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: RemediationSteps
alertProperty: RemediationSteps
- value: Techniques
alertProperty: Techniques
- value: ProductComponentName
alertProperty: ProductComponentName
- value: AlertLink
alertProperty: AlertLink
alertTacticsColumnName: Tactics
alertDescriptionFormat: (MDIoT) {{Description}}
alertDisplayNameFormat: (MDIoT) {{AlertName}}
entityMappings:
sentinelEntitiesMappings:
- columnName: Entities
description: |
'This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network.'
severity: High
queryFrequency: 5m
customDetails:
AlertManagementUri: AlertManagementUri
Protocol: Protocol
VendorOriginalId: VendorOriginalId
Sensor: DeviceId
triggerThreshold: 0
relevantTechniques:
- T0886
status: Available
tactics:
- LateralMovement
name: Internet Access (Microsoft Defender for IoT)
id: 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd
query: |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has "Internet"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
requiredDataConnectors:
- dataTypes:
- SecurityAlert (ASC for IoT)
connectorId: IoT
version: 1.0.3
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "(MDIoT) {{Description}}",
"alertDisplayNameFormat": "(MDIoT) {{AlertName}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "RemediationSteps",
"value": "RemediationSteps"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
},
{
"alertProperty": "ProductComponentName",
"value": "ProductComponentName"
},
{
"alertProperty": "AlertLink",
"value": "AlertLink"
}
],
"alertSeverityColumnName": "AlertSeverity",
"alertTacticsColumnName": "Tactics"
},
"alertRuleTemplateName": "9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd",
"customDetails": {
"AlertManagementUri": "AlertManagementUri",
"Protocol": "Protocol",
"Sensor": "DeviceId",
"VendorOriginalId": "VendorOriginalId"
},
"description": "'This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network.'\n",
"displayName": "Internet Access (Microsoft Defender for IoT)",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml",
"query": "SecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName has \"Internet\"\n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n Protocol = tostring(ExtendedProperties.Protocol), \n AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n TimeGenerated,\n DeviceId,\n ProductName,\n ProductComponentName,\n AlertSeverity,\n AlertName,\n Description,\n Protocol,\n SourceDeviceAddress,\n DestDeviceAddress,\n RemediationSteps,\n Tactics,\n Entities,\n VendorOriginalId,\n AlertLink,\n AlertManagementUri,\n Techniques\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"sentinelEntitiesMappings": [
{
"columnName": "Entities"
}
],
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"LateralMovement"
],
"techniques": null,
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}