Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

PLC unsecure key state Microsoft Defender for IoT

Back
Idf9df500a-e2a4-4104-a517-dc1d85bb654f
RulenamePLC unsecure key state (Microsoft Defender for IoT)
DescriptionThis alert leverages Defender for IoT to detect PLC operating mode changes indicating the PLC is potentially insecure. If the PLC is compromised, devices that interact with it may be impacted. This may affect overall system security and safety.
SeverityLow
TacticsExecution
TechniquesT0858
Required data connectorsIoT
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInsecurePLC.yaml
Version1.0.3
Arm templatef9df500a-e2a4-4104-a517-dc1d85bb654f.json
Deploy To Azure
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has "PLC Operating Mode Changed"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId), 
         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
         Protocol = tostring(ExtendedProperties.Protocol), 
         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
  TimeGenerated,
  DeviceId,
  ProductName,
  ProductComponentName,
  AlertSeverity,
  AlertName,
  Description,
  Protocol,
  SourceDeviceAddress,
  DestDeviceAddress,
  RemediationSteps,
  Tactics,
  Entities,
  VendorOriginalId,
  AlertLink,
  AlertManagementUri,
  Techniques
version: 1.0.3
id: f9df500a-e2a4-4104-a517-dc1d85bb654f
relevantTechniques:
- T0858
requiredDataConnectors:
- connectorId: IoT
  dataTypes:
  - SecurityAlert (ASC for IoT)
alertDetailsOverride:
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: RemediationSteps
    alertProperty: RemediationSteps
  - value: Techniques
    alertProperty: Techniques
  - value: ProductComponentName
    alertProperty: ProductComponentName
  - value: AlertLink
    alertProperty: AlertLink
  alertTacticsColumnName: Tactics
  alertDisplayNameFormat: (MDIoT) {{AlertName}}
  alertSeverityColumnName: AlertSeverity
  alertDescriptionFormat: (MDIoT) {{Description}}
triggerOperator: gt
entityMappings: 
name: PLC unsecure key state (Microsoft Defender for IoT)
queryFrequency: 3h
triggerThreshold: 0
customDetails:
  AlertManagementUri: AlertManagementUri
  VendorOriginalId: VendorOriginalId
  Protocol: Protocol
  Sensor: DeviceId
description: |
    'This alert leverages Defender for IoT to detect PLC operating mode changes indicating the PLC is potentially insecure. If the PLC is compromised, devices that interact with it may be impacted. This may affect overall system security and safety.'
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInsecurePLC.yaml
queryPeriod: 3h
severity: Low
kind: Scheduled
sentinelEntitiesMappings:
- columnName: Entities
tactics:
- Execution
query: |
  SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName has "PLC Operating Mode Changed"
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques  
eventGroupingSettings:
  aggregationKind: AlertPerResult