High bandwidth in the network Microsoft Defender for IoT

SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName in ("Abnormal Traffic Bandwidth", "Abnormal Traffic Bandwidth Between Devices", "ARP Spoofing", "ICMP Flooding")
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId), 
         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
         Protocol = tostring(ExtendedProperties.Protocol), 
         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
  TimeGenerated,
  DeviceId,
  ProductName,
  ProductComponentName,
  AlertSeverity,
  AlertName,
  Description,
  Protocol,
  SourceDeviceAddress,
  DestDeviceAddress,
  RemediationSteps,
  Tactics,
  Entities,
  VendorOriginalId,
  AlertLink,
  AlertManagementUri,
  Techniques

eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
entityMappings: 
requiredDataConnectors:
- dataTypes:
  - SecurityAlert (ASC for IoT)
  connectorId: IoT
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTHighBandwidth.yaml
customDetails:
  AlertManagementUri: AlertManagementUri
  VendorOriginalId: VendorOriginalId
  Protocol: Protocol
  Sensor: DeviceId
name: High bandwidth in the network (Microsoft Defender for IoT)
alertDetailsOverride:
  alertTacticsColumnName: Tactics
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: RemediationSteps
    alertProperty: RemediationSteps
  - value: Techniques
    alertProperty: Techniques
  - value: ProductComponentName
    alertProperty: ProductComponentName
  - value: AlertLink
    alertProperty: AlertLink
  alertDescriptionFormat: (MDIoT) {{Description}}
  alertDisplayNameFormat: (MDIoT) {{AlertName}}
  alertSeverityColumnName: AlertSeverity
relevantTechniques:
- T0842
status: Available
version: 1.0.3
queryPeriod: 3h
kind: Scheduled
id: caa4665f-21fa-462d-bb31-92226e746c68
query: |
  SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName in ("Abnormal Traffic Bandwidth", "Abnormal Traffic Bandwidth Between Devices", "ARP Spoofing", "ICMP Flooding")
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques  
description: |
    'This alert leverages Defender for IoT to detect an unusually high bandwidth which may be an indication of a new service/process or malicious activity on the network. An example scenario is a cyber threat attempting to manipulate the SCADA network.'
queryFrequency: 3h
severity: Low
triggerOperator: gt
tactics:
- Discovery
sentinelEntitiesMappings:
- columnName: Entities