Internet Access (Microsoft Defender for IoT)
| Id | 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd |
| Rulename | Internet Access (Microsoft Defender for IoT) |
| Description | This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network. |
| Severity | High |
| Tactics | LateralMovement |
| Techniques | T0886 |
| Required data connectors | IoT |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml |
| Version | 1.0.1 |
| Arm template | 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd.json |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has "Internet"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
severity: High
sentinelEntitiesMappings:
- columnName: Entities
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerThreshold: 0
query: |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has "Internet"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
customDetails:
Protocol: Protocol
Sensor: DeviceId
AlertManagementUri: AlertManagementUri
VendorOriginalId: VendorOriginalId
queryFrequency: 5m
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
id: 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd
version: 1.0.1
name: Internet Access (Microsoft Defender for IoT)
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml
queryPeriod: 5m
relevantTechniques:
- T0886
triggerOperator: gt
tactics:
- LateralMovement
alertDetailsOverride:
alertSeverityColumnName: AlertSeverity
alertDisplayNameFormat: (MDIoT) {{AlertName}}
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: RemediationSteps
value: RemediationSteps
- alertProperty: Techniques
value: Techniques
- alertProperty: ProductComponentName
value: ProductComponentName
- alertProperty: AlertLink
value: AlertLink
alertTacticsColumnName: Tactics
alertDescriptionFormat: (MDIoT) {{Description}}
description: |
'This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network.'
entityMappings:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Internet Access (Microsoft Defender for IoT)",
"description": "'This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network.'\n",
"severity": "High",
"enabled": true,
"query": "SecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName has \"Internet\"\n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n Protocol = tostring(ExtendedProperties.Protocol), \n AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n TimeGenerated,\n DeviceId,\n ProductName,\n ProductComponentName,\n AlertSeverity,\n AlertName,\n Description,\n Protocol,\n SourceDeviceAddress,\n DestDeviceAddress,\n RemediationSteps,\n Tactics,\n Entities,\n VendorOriginalId,\n AlertLink,\n AlertManagementUri,\n Techniques\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"LateralMovement"
],
"techniques": [
"T0886"
],
"alertRuleTemplateName": "9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDynamicProperties": [
{
"value": "ProductName",
"alertProperty": "ProductName"
},
{
"value": "RemediationSteps",
"alertProperty": "RemediationSteps"
},
{
"value": "Techniques",
"alertProperty": "Techniques"
},
{
"value": "ProductComponentName",
"alertProperty": "ProductComponentName"
},
{
"value": "AlertLink",
"alertProperty": "AlertLink"
}
],
"alertSeverityColumnName": "AlertSeverity",
"alertDescriptionFormat": "(MDIoT) {{Description}}",
"alertTacticsColumnName": "Tactics",
"alertDisplayNameFormat": "(MDIoT) {{AlertName}}"
},
"customDetails": {
"Protocol": "Protocol",
"Sensor": "DeviceId",
"AlertManagementUri": "AlertManagementUri",
"VendorOriginalId": "VendorOriginalId"
},
"entityMappings": null,
"sentinelEntitiesMappings": [
{
"columnName": "Entities"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml",
"templateVersion": "1.0.1",
"status": "Available"
}
}
]
}