Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

PLC unsecure key state Microsoft Defender for IoT

Back
Idf9df500a-e2a4-4104-a517-dc1d85bb654f
RulenamePLC unsecure key state (Microsoft Defender for IoT)
DescriptionThis alert leverages Defender for IoT to detect PLC operating mode changes indicating the PLC is potentially insecure. If the PLC is compromised, devices that interact with it may be impacted. This may affect overall system security and safety.
SeverityLow
TacticsExecution
TechniquesT0858
Required data connectorsIoT
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInsecurePLC.yaml
Version1.0.2
Arm templatef9df500a-e2a4-4104-a517-dc1d85bb654f.json
Deploy To Azure
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName has "PLC Operating Mode Changed"
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId), 
         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
         Protocol = tostring(ExtendedProperties.Protocol), 
         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
  TimeGenerated,
  DeviceId,
  ProductName,
  ProductComponentName,
  AlertSeverity,
  AlertName,
  Description,
  Protocol,
  SourceDeviceAddress,
  DestDeviceAddress,
  RemediationSteps,
  Tactics,
  Entities,
  VendorOriginalId,
  AlertLink,
  AlertManagementUri,
  Techniques
status: Available
id: f9df500a-e2a4-4104-a517-dc1d85bb654f
name: PLC unsecure key state (Microsoft Defender for IoT)
customDetails:
  Sensor: DeviceId
  VendorOriginalId: VendorOriginalId
  Protocol: Protocol
  AlertManagementUri: AlertManagementUri
kind: Scheduled
requiredDataConnectors:
- connectorId: IoT
  dataTypes:
  - SecurityAlert (ASC for IoT)
alertDetailsOverride:
  alertDisplayNameFormat: (MDIoT) {{AlertName}}
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: RemediationSteps
    alertProperty: RemediationSteps
  - value: Techniques
    alertProperty: Techniques
  - value: ProductComponentName
    alertProperty: ProductComponentName
  - value: AlertLink
    alertProperty: AlertLink
  alertSeverityColumnName: AlertSeverity
  alertTacticsColumnName: Tactics
  alertDescriptionFormat: (MDIoT) {{Description}}
severity: Low
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInsecurePLC.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
    'This alert leverages Defender for IoT to detect PLC operating mode changes indicating the PLC is potentially insecure. If the PLC is compromised, devices that interact with it may be impacted. This may affect overall system security and safety.'
relevantTechniques:
- T0858
queryPeriod: 3h
triggerOperator: gt
queryFrequency: 3h
query: |
  SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName has "PLC Operating Mode Changed"
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques  
version: 1.0.2
tactics:
- Execution
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceDeviceAddress
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: DestDeviceAddress
  entityType: IP
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f9df500a-e2a4-4104-a517-dc1d85bb654f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f9df500a-e2a4-4104-a517-dc1d85bb654f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "(MDIoT) {{Description}}",
          "alertDisplayNameFormat": "(MDIoT) {{AlertName}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "RemediationSteps",
              "value": "RemediationSteps"
            },
            {
              "alertProperty": "Techniques",
              "value": "Techniques"
            },
            {
              "alertProperty": "ProductComponentName",
              "value": "ProductComponentName"
            },
            {
              "alertProperty": "AlertLink",
              "value": "AlertLink"
            }
          ],
          "alertSeverityColumnName": "AlertSeverity",
          "alertTacticsColumnName": "Tactics"
        },
        "alertRuleTemplateName": "f9df500a-e2a4-4104-a517-dc1d85bb654f",
        "customDetails": {
          "AlertManagementUri": "AlertManagementUri",
          "Protocol": "Protocol",
          "Sensor": "DeviceId",
          "VendorOriginalId": "VendorOriginalId"
        },
        "description": "'This alert leverages Defender for IoT to detect PLC operating mode changes indicating the PLC is potentially insecure. If the PLC is compromised, devices that interact with it may be impacted. This may affect overall system security and safety.'\n",
        "displayName": "PLC unsecure key state (Microsoft Defender for IoT)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceDeviceAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestDeviceAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInsecurePLC.yaml",
        "query": "SecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName has \"PLC Operating Mode Changed\"\n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n         Protocol = tostring(ExtendedProperties.Protocol), \n         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n  TimeGenerated,\n  DeviceId,\n  ProductName,\n  ProductComponentName,\n  AlertSeverity,\n  AlertName,\n  Description,\n  Protocol,\n  SourceDeviceAddress,\n  DestDeviceAddress,\n  RemediationSteps,\n  Tactics,\n  Entities,\n  VendorOriginalId,\n  AlertLink,\n  AlertManagementUri,\n  Techniques\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "Low",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": null,
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}