Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. PLC Stop Command Microsoft Defender for IoT

PLC Stop Command Microsoft Defender for IoT

Back
Ida7d3f642-15d8-4e83-99ee-83ca3352525d
RulenamePLC Stop Command (Microsoft Defender for IoT)
DescriptionThis alert leverages Defender for IoT to detect PLC stop commands which could indicate improper configuration or malicious activity on the network such as a threat manipulating PLC programming to affect the function of the network.
SeverityMedium
TacticsDefenseEvasion
TechniquesT0858
Required data connectorsIoT
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTPLCStopCommand.yaml
Version1.0.3
Arm templatea7d3f642-15d8-4e83-99ee-83ca3352525d.json
Deploy To Azure
let alertList = dynamic(["Controller Reset", "An S7 Stop PLC Command was Sent", "Controller Stop", "Excessive Restart Rate of an Outstation", "GE SRTP Stop PLC Command was Sent", "Outstation Restarted", "Outstation Restarts Frequently", "Profinet Device Factory Reset", "Slave Device Unrecoverable Failure", "Suspicion of Hardware Problems in Outstation"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList) 
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId), 
         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
         Protocol = tostring(ExtendedProperties.Protocol), 
         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
  TimeGenerated,
  DeviceId,
  ProductName,
  ProductComponentName,
  AlertSeverity,
  AlertName,
  Description,
  Protocol,
  SourceDeviceAddress,
  DestDeviceAddress,
  RemediationSteps,
  Tactics,
  Entities,
  VendorOriginalId,
  AlertLink,
  AlertManagementUri,
  Techniques

name: PLC Stop Command (Microsoft Defender for IoT)
eventGroupingSettings:
  aggregationKind: AlertPerResult
kind: Scheduled
sentinelEntitiesMappings:
- columnName: Entities
id: a7d3f642-15d8-4e83-99ee-83ca3352525d
requiredDataConnectors:
- connectorId: IoT
  dataTypes:
  - SecurityAlert (ASC for IoT)
severity: Medium
triggerThreshold: 0
version: 1.0.3
description: |
    'This alert leverages Defender for IoT to detect PLC stop commands which could indicate improper configuration or malicious activity on the network such as a threat manipulating PLC programming to affect the function of the network.'
relevantTechniques:
- T0858
alertDetailsOverride:
  alertTacticsColumnName: Tactics
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: RemediationSteps
    value: RemediationSteps
  - alertProperty: Techniques
    value: Techniques
  - alertProperty: ProductComponentName
    value: ProductComponentName
  - alertProperty: AlertLink
    value: AlertLink
  alertSeverityColumnName: AlertSeverity
  alertDescriptionFormat: (MDIoT) {{Description}}
  alertDisplayNameFormat: (MDIoT) {{AlertName}}
queryPeriod: 1h
tactics:
- DefenseEvasion
customDetails:
  Sensor: DeviceId
  AlertManagementUri: AlertManagementUri
  Protocol: Protocol
  VendorOriginalId: VendorOriginalId
queryFrequency: 1h
entityMappings: 
status: Available
triggerOperator: gt
query: |
  let alertList = dynamic(["Controller Reset", "An S7 Stop PLC Command was Sent", "Controller Stop", "Excessive Restart Rate of an Outstation", "GE SRTP Stop PLC Command was Sent", "Outstation Restarted", "Outstation Restarts Frequently", "Profinet Device Factory Reset", "Slave Device Unrecoverable Failure", "Suspicion of Hardware Problems in Outstation"]);
  SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName has_any (alertList) 
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTPLCStopCommand.yaml

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a7d3f642-15d8-4e83-99ee-83ca3352525d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a7d3f642-15d8-4e83-99ee-83ca3352525d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "(MDIoT) {{Description}}",
          "alertDisplayNameFormat": "(MDIoT) {{AlertName}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "RemediationSteps",
              "value": "RemediationSteps"
            },
            {
              "alertProperty": "Techniques",
              "value": "Techniques"
            },
            {
              "alertProperty": "ProductComponentName",
              "value": "ProductComponentName"
            },
            {
              "alertProperty": "AlertLink",
              "value": "AlertLink"
            }
          ],
          "alertSeverityColumnName": "AlertSeverity",
          "alertTacticsColumnName": "Tactics"
        },
        "alertRuleTemplateName": "a7d3f642-15d8-4e83-99ee-83ca3352525d",
        "customDetails": {
          "AlertManagementUri": "AlertManagementUri",
          "Protocol": "Protocol",
          "Sensor": "DeviceId",
          "VendorOriginalId": "VendorOriginalId"
        },
        "description": "'This alert leverages Defender for IoT to detect PLC stop commands which could indicate improper configuration or malicious activity on the network such as a threat manipulating PLC programming to affect the function of the network.'\n",
        "displayName": "PLC Stop Command (Microsoft Defender for IoT)",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTPLCStopCommand.yaml",
        "query": "let alertList = dynamic([\"Controller Reset\", \"An S7 Stop PLC Command was Sent\", \"Controller Stop\", \"Excessive Restart Rate of an Outstation\", \"GE SRTP Stop PLC Command was Sent\", \"Outstation Restarted\", \"Outstation Restarts Frequently\", \"Profinet Device Factory Reset\", \"Slave Device Unrecoverable Failure\", \"Suspicion of Hardware Problems in Outstation\"]);\nSecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName has_any (alertList) \n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n         Protocol = tostring(ExtendedProperties.Protocol), \n         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n  TimeGenerated,\n  DeviceId,\n  ProductName,\n  ProductComponentName,\n  AlertSeverity,\n  AlertName,\n  Description,\n  Protocol,\n  SourceDeviceAddress,\n  DestDeviceAddress,\n  RemediationSteps,\n  Tactics,\n  Entities,\n  VendorOriginalId,\n  AlertLink,\n  AlertManagementUri,\n  Techniques\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "sentinelEntitiesMappings": [
          {
            "columnName": "Entities"
          }
        ],
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": null,
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}