PLC Stop Command Microsoft Defender for IoT
| Id | a7d3f642-15d8-4e83-99ee-83ca3352525d |
| Rulename | PLC Stop Command (Microsoft Defender for IoT) |
| Description | This alert leverages Defender for IoT to detect PLC stop commands which could indicate improper configuration or malicious activity on the network such as a threat manipulating PLC programming to affect the function of the network. |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T0858 |
| Required data connectors | IoT |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTPLCStopCommand.yaml |
| Version | 1.0.2 |
| Arm template | a7d3f642-15d8-4e83-99ee-83ca3352525d.json |
let alertList = dynamic(["Controller Reset", "An S7 Stop PLC Command was Sent", "Controller Stop", "Excessive Restart Rate of an Outstation", "GE SRTP Stop PLC Command was Sent", "Outstation Restarted", "Outstation Restarts Frequently", "Profinet Device Factory Reset", "Slave Device Unrecoverable Failure", "Suspicion of Hardware Problems in Outstation"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList)
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
relevantTechniques:
- T0858
name: PLC Stop Command (Microsoft Defender for IoT)
requiredDataConnectors:
- dataTypes:
- SecurityAlert (ASC for IoT)
connectorId: IoT
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SourceDeviceAddress
entityType: IP
- fieldMappings:
- identifier: Address
columnName: DestDeviceAddress
entityType: IP
triggerThreshold: 0
id: a7d3f642-15d8-4e83-99ee-83ca3352525d
tactics:
- DefenseEvasion
version: 1.0.2
customDetails:
Sensor: DeviceId
VendorOriginalId: VendorOriginalId
Protocol: Protocol
AlertManagementUri: AlertManagementUri
alertDetailsOverride:
alertDescriptionFormat: (MDIoT) {{Description}}
alertTacticsColumnName: Tactics
alertSeverityColumnName: AlertSeverity
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: RemediationSteps
value: RemediationSteps
- alertProperty: Techniques
value: Techniques
- alertProperty: ProductComponentName
value: ProductComponentName
- alertProperty: AlertLink
value: AlertLink
alertDisplayNameFormat: (MDIoT) {{AlertName}}
queryPeriod: 1h
kind: Scheduled
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTPLCStopCommand.yaml
queryFrequency: 1h
severity: Medium
status: Available
description: |
'This alert leverages Defender for IoT to detect PLC stop commands which could indicate improper configuration or malicious activity on the network such as a threat manipulating PLC programming to affect the function of the network.'
query: |
let alertList = dynamic(["Controller Reset", "An S7 Stop PLC Command was Sent", "Controller Stop", "Excessive Restart Rate of an Outstation", "GE SRTP Stop PLC Command was Sent", "Outstation Restarted", "Outstation Restarts Frequently", "Profinet Device Factory Reset", "Slave Device Unrecoverable Failure", "Suspicion of Hardware Problems in Outstation"]);
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has_any (alertList)
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a7d3f642-15d8-4e83-99ee-83ca3352525d')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a7d3f642-15d8-4e83-99ee-83ca3352525d')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "(MDIoT) {{Description}}",
"alertDisplayNameFormat": "(MDIoT) {{AlertName}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "RemediationSteps",
"value": "RemediationSteps"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
},
{
"alertProperty": "ProductComponentName",
"value": "ProductComponentName"
},
{
"alertProperty": "AlertLink",
"value": "AlertLink"
}
],
"alertSeverityColumnName": "AlertSeverity",
"alertTacticsColumnName": "Tactics"
},
"alertRuleTemplateName": "a7d3f642-15d8-4e83-99ee-83ca3352525d",
"customDetails": {
"AlertManagementUri": "AlertManagementUri",
"Protocol": "Protocol",
"Sensor": "DeviceId",
"VendorOriginalId": "VendorOriginalId"
},
"description": "'This alert leverages Defender for IoT to detect PLC stop commands which could indicate improper configuration or malicious activity on the network such as a threat manipulating PLC programming to affect the function of the network.'\n",
"displayName": "PLC Stop Command (Microsoft Defender for IoT)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceDeviceAddress",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DestDeviceAddress",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTPLCStopCommand.yaml",
"query": "let alertList = dynamic([\"Controller Reset\", \"An S7 Stop PLC Command was Sent\", \"Controller Stop\", \"Excessive Restart Rate of an Outstation\", \"GE SRTP Stop PLC Command was Sent\", \"Outstation Restarted\", \"Outstation Restarts Frequently\", \"Profinet Device Factory Reset\", \"Slave Device Unrecoverable Failure\", \"Suspicion of Hardware Problems in Outstation\"]);\nSecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName has_any (alertList) \n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n Protocol = tostring(ExtendedProperties.Protocol), \n AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n TimeGenerated,\n DeviceId,\n ProductName,\n ProductComponentName,\n AlertSeverity,\n AlertName,\n Description,\n Protocol,\n SourceDeviceAddress,\n DestDeviceAddress,\n RemediationSteps,\n Tactics,\n Entities,\n VendorOriginalId,\n AlertLink,\n AlertManagementUri,\n Techniques\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"techniques": null,
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}