Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. PLC Stop Command Microsoft Defender for IoT

PLC Stop Command Microsoft Defender for IoT

Back
Ida7d3f642-15d8-4e83-99ee-83ca3352525d
RulenamePLC Stop Command (Microsoft Defender for IoT)
DescriptionThis alert leverages Defender for IoT to detect PLC stop commands which could indicate improper configuration or malicious activity on the network such as a threat manipulating PLC programming to affect the function of the network.
SeverityMedium
TacticsDefenseEvasion
TechniquesT0858
Required data connectorsIoT
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTPLCStopCommand.yaml
Version1.0.3
Arm templatea7d3f642-15d8-4e83-99ee-83ca3352525d.json
Deploy To Azure
let alertList = dynamic(["Controller Reset", "An S7 Stop PLC Command was Sent", "Controller Stop", "Excessive Restart Rate of an Outstation", "GE SRTP Stop PLC Command was Sent", "Outstation Restarted", "Outstation Restarts Frequently", "Profinet Device Factory Reset", "Slave Device Unrecoverable Failure", "Suspicion of Hardware Problems in Outstation"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList) 
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId), 
         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
         Protocol = tostring(ExtendedProperties.Protocol), 
         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
  TimeGenerated,
  DeviceId,
  ProductName,
  ProductComponentName,
  AlertSeverity,
  AlertName,
  Description,
  Protocol,
  SourceDeviceAddress,
  DestDeviceAddress,
  RemediationSteps,
  Tactics,
  Entities,
  VendorOriginalId,
  AlertLink,
  AlertManagementUri,
  Techniques

description: |
    'This alert leverages Defender for IoT to detect PLC stop commands which could indicate improper configuration or malicious activity on the network such as a threat manipulating PLC programming to affect the function of the network.'
tactics:
- DefenseEvasion
requiredDataConnectors:
- connectorId: IoT
  dataTypes:
  - SecurityAlert (ASC for IoT)
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTPLCStopCommand.yaml
query: |
  let alertList = dynamic(["Controller Reset", "An S7 Stop PLC Command was Sent", "Controller Stop", "Excessive Restart Rate of an Outstation", "GE SRTP Stop PLC Command was Sent", "Outstation Restarted", "Outstation Restarts Frequently", "Profinet Device Factory Reset", "Slave Device Unrecoverable Failure", "Suspicion of Hardware Problems in Outstation"]);
  SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName has_any (alertList) 
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques  
version: 1.0.3
sentinelEntitiesMappings:
- columnName: Entities
customDetails:
  VendorOriginalId: VendorOriginalId
  Sensor: DeviceId
  AlertManagementUri: AlertManagementUri
  Protocol: Protocol
alertDetailsOverride:
  alertTacticsColumnName: Tactics
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: RemediationSteps
    value: RemediationSteps
  - alertProperty: Techniques
    value: Techniques
  - alertProperty: ProductComponentName
    value: ProductComponentName
  - alertProperty: AlertLink
    value: AlertLink
  alertSeverityColumnName: AlertSeverity
  alertDescriptionFormat: (MDIoT) {{Description}}
  alertDisplayNameFormat: (MDIoT) {{AlertName}}
entityMappings: 
id: a7d3f642-15d8-4e83-99ee-83ca3352525d
kind: Scheduled
relevantTechniques:
- T0858
severity: Medium
triggerThreshold: 0
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: PLC Stop Command (Microsoft Defender for IoT)
queryFrequency: 1h
status: Available

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a7d3f642-15d8-4e83-99ee-83ca3352525d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a7d3f642-15d8-4e83-99ee-83ca3352525d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "(MDIoT) {{Description}}",
          "alertDisplayNameFormat": "(MDIoT) {{AlertName}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "RemediationSteps",
              "value": "RemediationSteps"
            },
            {
              "alertProperty": "Techniques",
              "value": "Techniques"
            },
            {
              "alertProperty": "ProductComponentName",
              "value": "ProductComponentName"
            },
            {
              "alertProperty": "AlertLink",
              "value": "AlertLink"
            }
          ],
          "alertSeverityColumnName": "AlertSeverity",
          "alertTacticsColumnName": "Tactics"
        },
        "alertRuleTemplateName": "a7d3f642-15d8-4e83-99ee-83ca3352525d",
        "customDetails": {
          "AlertManagementUri": "AlertManagementUri",
          "Protocol": "Protocol",
          "Sensor": "DeviceId",
          "VendorOriginalId": "VendorOriginalId"
        },
        "description": "'This alert leverages Defender for IoT to detect PLC stop commands which could indicate improper configuration or malicious activity on the network such as a threat manipulating PLC programming to affect the function of the network.'\n",
        "displayName": "PLC Stop Command (Microsoft Defender for IoT)",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTPLCStopCommand.yaml",
        "query": "let alertList = dynamic([\"Controller Reset\", \"An S7 Stop PLC Command was Sent\", \"Controller Stop\", \"Excessive Restart Rate of an Outstation\", \"GE SRTP Stop PLC Command was Sent\", \"Outstation Restarted\", \"Outstation Restarts Frequently\", \"Profinet Device Factory Reset\", \"Slave Device Unrecoverable Failure\", \"Suspicion of Hardware Problems in Outstation\"]);\nSecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName has_any (alertList) \n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n         Protocol = tostring(ExtendedProperties.Protocol), \n         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n  TimeGenerated,\n  DeviceId,\n  ProductName,\n  ProductComponentName,\n  AlertSeverity,\n  AlertName,\n  Description,\n  Protocol,\n  SourceDeviceAddress,\n  DestDeviceAddress,\n  RemediationSteps,\n  Tactics,\n  Entities,\n  VendorOriginalId,\n  AlertLink,\n  AlertManagementUri,\n  Techniques\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "sentinelEntitiesMappings": [
          {
            "columnName": "Entities"
          }
        ],
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": null,
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}