Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Internet Access (Microsoft Defender for IoT)

Back
Id9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd
RulenameInternet Access (Microsoft Defender for IoT)
DescriptionThis alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network.
SeverityHigh
TacticsLateralMovement
TechniquesT0886
Required data connectorsIoT
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml
Version1.0.1
Arm template9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd.json
Deploy To Azure
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has "Internet"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId), 
         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
         Protocol = tostring(ExtendedProperties.Protocol), 
         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
  TimeGenerated,
  DeviceId,
  ProductName,
  ProductComponentName,
  AlertSeverity,
  AlertName,
  Description,
  Protocol,
  SourceDeviceAddress,
  DestDeviceAddress,
  RemediationSteps,
  Tactics,
  Entities,
  VendorOriginalId,
  AlertLink,
  AlertManagementUri,
  Techniques
severity: High
sentinelEntitiesMappings:
- columnName: Entities
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
query: |
  SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName has "Internet"
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques  
customDetails:
  Protocol: Protocol
  Sensor: DeviceId
  AlertManagementUri: AlertManagementUri
  VendorOriginalId: VendorOriginalId
queryFrequency: 5m
requiredDataConnectors:
- connectorId: IoT
  dataTypes:
  - SecurityAlert (ASC for IoT)
id: 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd
version: 1.0.1
name: Internet Access (Microsoft Defender for IoT)
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml
queryPeriod: 5m
relevantTechniques:
- T0886
triggerOperator: gt
tactics:
- LateralMovement
alertDetailsOverride:
  alertSeverityColumnName: AlertSeverity
  alertDisplayNameFormat: (MDIoT) {{AlertName}}
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: RemediationSteps
    value: RemediationSteps
  - alertProperty: Techniques
    value: Techniques
  - alertProperty: ProductComponentName
    value: ProductComponentName
  - alertProperty: AlertLink
    value: AlertLink
  alertTacticsColumnName: Tactics
  alertDescriptionFormat: (MDIoT) {{Description}}
description: |
    'This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network.'
entityMappings: 
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Internet Access (Microsoft Defender for IoT)",
        "description": "'This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network.'\n",
        "severity": "High",
        "enabled": true,
        "query": "SecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName has \"Internet\"\n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n         Protocol = tostring(ExtendedProperties.Protocol), \n         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n  TimeGenerated,\n  DeviceId,\n  ProductName,\n  ProductComponentName,\n  AlertSeverity,\n  AlertName,\n  Description,\n  Protocol,\n  SourceDeviceAddress,\n  DestDeviceAddress,\n  RemediationSteps,\n  Tactics,\n  Entities,\n  VendorOriginalId,\n  AlertLink,\n  AlertManagementUri,\n  Techniques\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "techniques": [
          "T0886"
        ],
        "alertRuleTemplateName": "9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDynamicProperties": [
            {
              "value": "ProductName",
              "alertProperty": "ProductName"
            },
            {
              "value": "RemediationSteps",
              "alertProperty": "RemediationSteps"
            },
            {
              "value": "Techniques",
              "alertProperty": "Techniques"
            },
            {
              "value": "ProductComponentName",
              "alertProperty": "ProductComponentName"
            },
            {
              "value": "AlertLink",
              "alertProperty": "AlertLink"
            }
          ],
          "alertSeverityColumnName": "AlertSeverity",
          "alertDescriptionFormat": "(MDIoT) {{Description}}",
          "alertTacticsColumnName": "Tactics",
          "alertDisplayNameFormat": "(MDIoT) {{AlertName}}"
        },
        "customDetails": {
          "Protocol": "Protocol",
          "Sensor": "DeviceId",
          "AlertManagementUri": "AlertManagementUri",
          "VendorOriginalId": "VendorOriginalId"
        },
        "entityMappings": null,
        "sentinelEntitiesMappings": [
          {
            "columnName": "Entities"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml",
        "templateVersion": "1.0.1",
        "status": "Available"
      }
    }
  ]
}