SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has "Internet"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
status: Available
relevantTechniques:
- T0886
query: |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has "Internet"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
eventGroupingSettings:
aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
- SecurityAlert (ASC for IoT)
connectorId: IoT
id: 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd
description: |
'This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network.'
entityMappings:
sentinelEntitiesMappings:
- columnName: Entities
queryPeriod: 5m
version: 1.0.3
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml
triggerThreshold: 0
triggerOperator: gt
name: Internet Access (Microsoft Defender for IoT)
kind: Scheduled
queryFrequency: 5m
tactics:
- LateralMovement
alertDetailsOverride:
alertSeverityColumnName: AlertSeverity
alertDisplayNameFormat: (MDIoT) {{AlertName}}
alertTacticsColumnName: Tactics
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: RemediationSteps
alertProperty: RemediationSteps
- value: Techniques
alertProperty: Techniques
- value: ProductComponentName
alertProperty: ProductComponentName
- value: AlertLink
alertProperty: AlertLink
alertDescriptionFormat: (MDIoT) {{Description}}
customDetails:
VendorOriginalId: VendorOriginalId
Protocol: Protocol
AlertManagementUri: AlertManagementUri
Sensor: DeviceId
