Internet Access (Microsoft Defender for IoT)
Id | 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd |
Rulename | Internet Access (Microsoft Defender for IoT) |
Description | This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network. |
Severity | High |
Tactics | LateralMovement |
Techniques | T0886 |
Required data connectors | IoT |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml |
Version | 1.0.1 |
Arm template | 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd.json |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has "Internet"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
triggerOperator: gt
queryFrequency: 5m
name: Internet Access (Microsoft Defender for IoT)
sentinelEntitiesMappings:
- columnName: Entities
alertDetailsOverride:
alertDescriptionFormat: (MDIoT) {{Description}}
alertSeverityColumnName: AlertSeverity
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: RemediationSteps
alertProperty: RemediationSteps
- value: Techniques
alertProperty: Techniques
- value: ProductComponentName
alertProperty: ProductComponentName
- value: AlertLink
alertProperty: AlertLink
alertTacticsColumnName: Tactics
alertDisplayNameFormat: (MDIoT) {{AlertName}}
status: Available
queryPeriod: 5m
id: 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd
description: |
'This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network.'
severity: High
customDetails:
AlertManagementUri: AlertManagementUri
Protocol: Protocol
VendorOriginalId: VendorOriginalId
Sensor: DeviceId
query: |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has "Internet"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
version: 1.0.1
kind: Scheduled
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
relevantTechniques:
- T0886
tactics:
- LateralMovement
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Internet Access (Microsoft Defender for IoT)",
"description": "'This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network.'\n",
"severity": "High",
"enabled": true,
"query": "SecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName has \"Internet\"\n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n Protocol = tostring(ExtendedProperties.Protocol), \n AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n TimeGenerated,\n DeviceId,\n ProductName,\n ProductComponentName,\n AlertSeverity,\n AlertName,\n Description,\n Protocol,\n SourceDeviceAddress,\n DestDeviceAddress,\n RemediationSteps,\n Tactics,\n Entities,\n VendorOriginalId,\n AlertLink,\n AlertManagementUri,\n Techniques\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"LateralMovement"
],
"techniques": [
"T0886"
],
"alertRuleTemplateName": "9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "(MDIoT) {{Description}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "RemediationSteps",
"value": "RemediationSteps"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
},
{
"alertProperty": "ProductComponentName",
"value": "ProductComponentName"
},
{
"alertProperty": "AlertLink",
"value": "AlertLink"
}
],
"alertDisplayNameFormat": "(MDIoT) {{AlertName}}",
"alertSeverityColumnName": "AlertSeverity",
"alertTacticsColumnName": "Tactics"
},
"customDetails": {
"AlertManagementUri": "AlertManagementUri",
"Protocol": "Protocol",
"VendorOriginalId": "VendorOriginalId",
"Sensor": "DeviceId"
},
"entityMappings": null,
"sentinelEntitiesMappings": [
{
"columnName": "Entities"
}
],
"templateVersion": "1.0.1",
"status": "Available",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml"
}
}
]
}