SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName in ("Excessive Login Attempts","Excessive SMB login attempts","Password Guessing Attempt Detected","Excessive Number of Sessions")
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
alertDetailsOverride:
alertSeverityColumnName: AlertSeverity
alertTacticsColumnName: Tactics
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: RemediationSteps
value: RemediationSteps
- alertProperty: Techniques
value: Techniques
- alertProperty: ProductComponentName
value: ProductComponentName
- alertProperty: AlertLink
value: AlertLink
alertDisplayNameFormat: (MDIoT) {{AlertName}}
alertDescriptionFormat: (MDIoT) {{Description}}
relevantTechniques:
- T0806
name: Excessive Login Attempts (Microsoft Defender for IoT)
queryFrequency: 5m
version: 1.0.3
triggerThreshold: 0
severity: High
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
tactics:
- ImpairProcessControl
sentinelEntitiesMappings:
- columnName: Entities
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTExcessiveLoginAttempts.yaml
query: |
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName in ("Excessive Login Attempts","Excessive SMB login attempts","Password Guessing Attempt Detected","Excessive Number of Sessions")
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId),
SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
Protocol = tostring(ExtendedProperties.Protocol),
AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
TimeGenerated,
DeviceId,
ProductName,
ProductComponentName,
AlertSeverity,
AlertName,
Description,
Protocol,
SourceDeviceAddress,
DestDeviceAddress,
RemediationSteps,
Tactics,
Entities,
VendorOriginalId,
AlertLink,
AlertManagementUri,
Techniques
kind: Scheduled
entityMappings:
queryPeriod: 5m
triggerOperator: gt
customDetails:
VendorOriginalId: VendorOriginalId
Sensor: DeviceId
AlertManagementUri: AlertManagementUri
Protocol: Protocol
eventGroupingSettings:
aggregationKind: AlertPerResult
id: f5217b4c-3f1f-4d89-b4f3-5d7581da1c1c
status: Available
description: |
'This alert leverages Defender for IoT to detect excessive login attempts that may indicate improper service configuration, human error, or malicious activity on the network such as a cyber threat attempting to manipulate the SCADA network.'
