thbanasi 2021-10-25 18:32:23 -04:00
Родитель 1d028d72a5
Коммит bd4254f0fa
18 изменённых файлов: 1138 добавлений и 4 удалений


@ -0,0 +1,32 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/71fec017-1d21-49b7-9c53-d2245e3e4f25')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/71fec017-1d21-49b7-9c53-d2245e3e4f25')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "MicrosoftSecurityIncidentCreation",
"apiVersion": "2021-09-01-preview",
"properties": {
"displayName": "Create incidents based on Microsoft Defender for IoT alerts on excessive login attempts",
"description": "Excessive login attempts may indicate improper service configuration, human error, or malicious activity on the network; a cyber threat attempting to manipulate the SCADA network.",
"enabled": true,
"productFilter": "Azure Security Center for IoT",
"severitiesFilter": null,
"displayNamesFilter": [
"Excessive Login Attempts",
"Excessive SMB login attempts",
"Password Guessing Attempt Detected"
],
"displayNamesExcludeFilter": null,
"alertRuleTemplateName": null
}
}
]
}
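Review bot: The three names in `displayNamesFilter` (lines 32–34) are exactly the `AlertName` values matched by the scheduled "Excessive Login Attempts" rule added later in this commit, so deploying both will raise two incidents for every such alert, one from this Microsoft-security incident-creation rule and one from the scheduled rule. Pick one path per alert, or document in `description` which one is meant to be enabled. Separately, `severitiesFilter: null` and `displayNamesExcludeFilter: null` presumably mean "all severities, no exclusions" (the API default), so even the lowest-severity variants will create incidents; if that is intended, say so in the description.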


@ -0,0 +1,36 @@
id: e068187a-01f5-4737-bc13-25db4027b7ea
name: Denial of Service - Microsoft Defender for IoT
description: |
'Detect attacks that would prevent the use or proper operation of the DCS system.'
severity: Medium
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InhibitResponseFunction
relevantTechniques:
- T814
query: |
SecurityAlert
| where ProductName == "Azure Security Center for IoT"
| where AlertName == "Suspicion of Denial Of Service Attack"
| extend DeviceId = tostring(parse_json(ExtendedProperties).DeviceId)
| extend IPAddress = tostring(parse_json(tostring(parse_json(Entities)[0].IpAddress)).Address)
| extend Protocol = tostring(parse_json(tostring(parse_json(Entities)[0].Protocols))[0])
| extend DeviceType = tostring(parse_json(Entities)[0].DeviceName)
| extend IoTSecurityAgentId = tostring(parse_json(Entities)[0].IoTSecurityAgentId)
| extend Vendor = tostring(parse_json(Entities)[0].Vendor)
| extend RemediationSteps = tostring(parse_json(RemediationSteps)[0])
| project AlertName, ResourceId, DeviceId, IPAddress, Protocol, DeviceType, Vendor, IoTSecurityAgentId, Tactics, TimeGenerated, RemediationSteps
| extend IPCustomEntity = IPAddress
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
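Review bot: Every enrichment column on lines 68–72 reads `parse_json(Entities)[0]`, i.e. it assumes the IP entity is always the first element of the alert's entity array; if the connector emits entities in a different order the `IPAddress`, `Protocol` and `DeviceType` columns come back empty and the `IPCustomEntity` mapping produces no entity. Unless that ordering is guaranteed by the Defender for IoT schema (not visible here), select the entity by type instead, e.g. `| mv-apply e = parse_json(Entities) on (where e.Type == "ip" | summarize IPAddress = take_any(tostring(e.Address)))`, and fall back to an empty string. A comment in the query stating the ordering assumption would be the minimum.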


@ -0,0 +1,36 @@
id: f5217b4c-3f1f-4d89-b4f3-5d7581da1c1c
name: Excessive Login Attempts - Microsoft Defender for IoT
description: |
'Excessive login attempts may indicate improper service configuration, human error, or malicious activity on the network; a cyber threat attempting to manipulate the SCADA network.'
severity: Medium
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- LateralMovement
relevantTechniques:
- T814
query: |
SecurityAlert
| where ProductName == "Azure Security Center for IoT"
| where AlertName == "Excessive Login Attempts" or AlertName == "Excessive SMB login attempts" or AlertName == "Password Guessing Attempt Detected"
| extend DeviceId = tostring(parse_json(ExtendedProperties).DeviceId)
| extend IPAddress = tostring(parse_json(tostring(parse_json(Entities)[0].IpAddress)).Address)
| extend Protocol = tostring(parse_json(tostring(parse_json(Entities)[0].Protocols))[0])
| extend DeviceType = tostring(parse_json(Entities)[0].DeviceName)
| extend IoTSecurityAgentId = tostring(parse_json(Entities)[0].IoTSecurityAgentId)
| extend Vendor = tostring(parse_json(Entities)[0].Vendor)
| extend RemediationSteps = tostring(parse_json(RemediationSteps)[0])
| project AlertName, ResourceId, DeviceId, IPAddress, Protocol, DeviceType, Vendor, IoTSecurityAgentId, Tactics, TimeGenerated, RemediationSteps
| extend IPCustomEntity = IPAddress
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
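Review bot: `relevantTechniques: T814` on line 102 is the same technique ID the "Denial of Service" rule in this commit uses, which suggests it was copied rather than chosen; a password-guessing / brute-force rule under `LateralMovement` should map to the ATT&CK for ICS technique that actually covers credential abuse, so please confirm the ID against the ICS matrix before merging. On line 106 the three exact-match `or` clauses would read better as `| where AlertName in ("Excessive Login Attempts", "Excessive SMB login attempts", "Password Guessing Attempt Detected")`, which also keeps the list in one place for future additions.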


@ -0,0 +1,35 @@
id: 7cad4b66-5e83-4756-8de4-f21315ab1e77
name: IoT Firmware Updates - Microsoft Defender for IoT
description: |
'Unauthorized firmware updates may indicate malicious activity on the network; a cyber threat that attempts to manipulate PLC firmware to compromise PLC function.'
severity: Medium
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T857
query: |
SecurityAlert
| where ProductName == "Azure Security Center for IoT"
| where AlertName contains "firmware"
| extend DeviceId = tostring(parse_json(ExtendedProperties).DeviceId)
| extend IPAddress = tostring(parse_json(tostring(parse_json(Entities)[0].IpAddress)).Address)
| extend Protocol = tostring(parse_json(tostring(parse_json(Entities)[0].Protocols))[0])
| extend DeviceType = tostring(parse_json(Entities)[0].DeviceName)
| extend IoTSecurityAgentId = tostring(parse_json(Entities)[0].IoTSecurityAgentId)
| extend Vendor = tostring(parse_json(Entities)[0].Vendor)
| extend RemediationSteps = tostring(parse_json(RemediationSteps)[0])
| project AlertName, ResourceId, DeviceId, IPAddress, Protocol, DeviceType, Vendor, IoTSecurityAgentId, Tactics, TimeGenerated, RemediationSteps
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
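Review bot: The entity mapping on line 159 references `columnName: IPCustomEntity`, but this query never produces that column — unlike the DoS and login rules earlier in this commit, the `| extend IPCustomEntity = IPAddress` line after the `project` is missing, so the IP entity will not be populated (and rule validation may reject the mapping). The one-line fix is to map the column the query does emit: `columnName: IPAddress`. Also note that `AlertName contains "firmware"` is a case-insensitive substring match, so it will pick up any alert whose name mentions firmware, not only unauthorized updates; if that breadth is intended, state it in `description`.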


@ -0,0 +1,35 @@
id: caa4665f-21fa-462d-bb31-92226e746c68
name: IoT High Bandwidth - Microsoft Defender for IoT
description: |
'An unusually high bandwidth may be an indication of a new service/process on the network, such as backup, or an indication of malicious activity on the network; a cyber threat attempting to manipulate the SCADA network.'
severity: Medium
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- ImpairProcessControl
relevantTechniques:
- T812
query: |
SecurityAlert
| where ProductName == "Azure Security Center for IoT"
| where AlertName == "Abnormal Traffic Bandwidth" or AlertName == "Abnormal Traffic Bandwidth Between Devices" or AlertName == "ARP Spoofing" or AlertName == "ICMP Flooding" or AlertName == "Excessive Number of Sessions"
| extend DeviceId = tostring(parse_json(ExtendedProperties).DeviceId)
| extend IPAddress = tostring(parse_json(tostring(parse_json(Entities)[0].IpAddress)).Address)
| extend Protocol = tostring(parse_json(tostring(parse_json(Entities)[0].Protocols))[0])
| extend DeviceType = tostring(parse_json(Entities)[0].DeviceName)
| extend IoTSecurityAgentId = tostring(parse_json(Entities)[0].IoTSecurityAgentId)
| extend Vendor = tostring(parse_json(Entities)[0].Vendor)
| extend RemediationSteps = tostring(parse_json(RemediationSteps)[0])
| project AlertName, ResourceId, DeviceId, IPAddress, Protocol, DeviceType, Vendor, IoTSecurityAgentId, Tactics, TimeGenerated, RemediationSteps
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
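Review bot: `columnName: IPCustomEntity` on line 198 points at a column this query never creates — there is no `| extend IPCustomEntity = IPAddress` after the `project` on line 193 — so the IP entity mapping is dead; change it to `columnName: IPAddress` or add the extend. The alert list on line 185 mixes bandwidth anomalies with "ARP Spoofing" and "ICMP Flooding", which read as network manipulation/denial-of-service rather than `ImpairProcessControls`, and `T812` should be double-checked against the ICS matrix for this grouping; a short note in `description` explaining why these five alerts are bundled would help the analyst triaging the incident.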


@ -0,0 +1,35 @@
id: f9df500a-e2a4-4104-a517-dc1d85bb654f
name: Insecure Programmable Logic Controller - Microsoft Defender for IoT
description: |
'The new mode may indicate that the PLC is not secure. Leaving the PLC in an insecure operating mode may allow adversaries to perform malicious activities on it, such as a program download. If the PLC is compromised, devices and processes that interact with it may be impacted. This may affect overall system security and safety.'
severity: Medium
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
relevantTechniques:
- T858
query: |
SecurityAlert
| where ProductName == "Azure Security Center for IoT"
| where AlertName contains "PLC Operating Mode Changed"
| extend DeviceId = tostring(parse_json(ExtendedProperties).DeviceId)
| extend IPAddress = tostring(parse_json(tostring(parse_json(Entities)[0].IpAddress)).Address)
| extend Protocol = tostring(parse_json(tostring(parse_json(Entities)[0].Protocols))[0])
| extend DeviceType = tostring(parse_json(Entities)[0].DeviceName)
| extend IoTSecurityAgentId = tostring(parse_json(Entities)[0].IoTSecurityAgentId)
| extend Vendor = tostring(parse_json(Entities)[0].Vendor)
| extend RemediationSteps = tostring(parse_json(RemediationSteps)[0])
| project AlertName, ResourceId, DeviceId, IPAddress, Protocol, DeviceType, Vendor, IoTSecurityAgentId, Tactics, TimeGenerated, RemediationSteps
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
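Review bot: The mapping on line 237 references `IPCustomEntity`, which the query on lines 222–232 never defines (no `extend` after the `project`), so no IP entity will be attached to incidents from this rule; use `columnName: IPAddress` or add `| extend IPCustomEntity = IPAddress`. Also, `AlertName contains "PLC Operating Mode Changed"` on line 224 fires on every mode change, including changes back to a locked/secure mode, while the rule name and description speak only of an insecure mode — if the alert text itself does not distinguish direction, the description should say that each hit needs manual confirmation of the new mode.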


@ -0,0 +1,35 @@
id: 9ff3b13b-287a-4ed0-8f6b-7e7b66cbbcbd
name: OT Internet Access - Microsoft Defender for IoT
description: |
'OT device communicating with Internet addresses can either be an indication of improper configuration of an application (e.g., Antivirus software attempting to download updates from an external server) or indicate malicious activity on the network.'
severity: Medium
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T883
query: |
SecurityAlert
| where ProductName == "Azure Security Center for IoT"
| where AlertName contains "Internet"
| extend DeviceId = tostring(parse_json(ExtendedProperties).DeviceId)
| extend IPAddress = tostring(parse_json(tostring(parse_json(Entities)[0].IpAddress)).Address)
| extend Protocol = tostring(parse_json(tostring(parse_json(Entities)[0].Protocols))[0])
| extend DeviceType = tostring(parse_json(Entities)[0].DeviceName)
| extend IoTSecurityAgentId = tostring(parse_json(Entities)[0].IoTSecurityAgentId)
| extend Vendor = tostring(parse_json(Entities)[0].Vendor)
| extend RemediationSteps = tostring(parse_json(RemediationSteps)[0])
| project AlertName, ResourceId, DeviceId, IPAddress, Protocol, DeviceType, Vendor, IoTSecurityAgentId, Tactics, TimeGenerated, RemediationSteps
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
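Review bot: Line 276 maps `IPCustomEntity`, but the query has no `| extend IPCustomEntity = IPAddress` after its `project` (line 271), so the IP entity mapping will be empty; switch it to `columnName: IPAddress`. The substring filter `AlertName contains "Internet"` on line 263 is broad — any alert name containing that word qualifies, and the "Unauthorized Internet Connectivity Detected" alert that the PLC-modification rule in this commit explicitly excludes will land here, which is presumably intended but worth stating in `description` so the two rules are not tuned independently.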


@ -0,0 +1,35 @@
id: 447dca20-f509-4336-ab00-7aa297b2ff4c
name: IoT/OT Malware - Microsoft Defender for IoT
description: |
'Suspicious malware found on the network indicates that suspicious malware is trying to compromise production.'
severity: Medium
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
relevantTechniques:
- T882
query: |
SecurityAlert
| where ProductName == "Azure Security Center for IoT"
| where AlertName contains "malware" or AlertName contains "Malicious" or AlertName contains "Implant" or AlertName == "Suspicion of Remote Code Execution with PsExec" or AlertName == "Suspicion of Remote Windows Service Management" or AlertName == "Suspicious Executable File Detected on Endpoint" or AlertName == "Suspicious Traffic Detected"
| extend DeviceId = tostring(parse_json(ExtendedProperties).DeviceId)
| extend IPAddress = tostring(parse_json(tostring(parse_json(Entities)[0].IpAddress)).Address)
| extend Protocol = tostring(parse_json(tostring(parse_json(Entities)[0].Protocols))[0])
| extend DeviceType = tostring(parse_json(Entities)[0].DeviceName)
| extend IoTSecurityAgentId = tostring(parse_json(Entities)[0].IoTSecurityAgentId)
| extend Vendor = tostring(parse_json(Entities)[0].Vendor)
| extend RemediationSteps = tostring(parse_json(RemediationSteps)[0])
| project AlertName, ResourceId, DeviceId, IPAddress, Protocol, DeviceType, Vendor, IoTSecurityAgentId, Tactics, TimeGenerated, RemediationSteps
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
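Review bot: The `id` on line 282 (`447dca20-f509-4336-ab00-7aa297b2ff4c`) is reused verbatim by the "IoT/OT Unauthorized Device" rule later in this commit; rule template IDs must be unique or one of the two will overwrite/fail to import, so generate a fresh GUID for one of them. The entity mapping on line 315 references `IPCustomEntity`, which this query never emits (no `extend` after the `project` on line 310) — use `columnName: IPAddress`. Line 302 mixes substring matches (`contains "Malicious"`, `contains "Implant"`) with exact names, which makes the rule's scope hard to reason about; and `T882` under `Impact` should be checked against the ICS matrix, since a malware/remote-execution grouping is more naturally an execution or lateral-movement technique.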


@ -0,0 +1,35 @@
id: 493916d5-a094-4bfa-bdd1-d983a063ea3d
name: OT Network Scanning - Microsoft Defender for IoT
description: |
'Multiple scans on the network can be either an indication of a new device on the network, new functionality of an existing device, misconfiguration of an application (e.g., due to a firmware update or reinstallation), or malicious activity on the network - reconnaissance.'
severity: Medium
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
relevantTechniques:
- T842
query: |
SecurityAlert
| where ProductName == "Azure Security Center for IoT"
| where AlertName contains "scan"
| extend DeviceId = tostring(parse_json(ExtendedProperties).DeviceId)
| extend IPAddress = tostring(parse_json(tostring(parse_json(Entities)[0].IpAddress)).Address)
| extend Protocol = tostring(parse_json(tostring(parse_json(Entities)[0].Protocols))[0])
| extend DeviceType = tostring(parse_json(Entities)[0].DeviceName)
| extend IoTSecurityAgentId = tostring(parse_json(Entities)[0].IoTSecurityAgentId)
| extend Vendor = tostring(parse_json(Entities)[0].Vendor)
| extend RemediationSteps = tostring(parse_json(RemediationSteps)[0])
| project AlertName, ResourceId, DeviceId, IPAddress, Protocol, DeviceType, Vendor, IoTSecurityAgentId, Tactics, TimeGenerated, RemediationSteps
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
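Review bot: `columnName: IPCustomEntity` on line 354 names a column the query never produces (there is no `| extend IPCustomEntity = IPAddress` after line 349), so the IP entity will not be attached; map `IPAddress` directly. `AlertName contains "scan"` on line 341 is a case-insensitive substring match and will catch any alert whose name contains those four letters, not only port/address scans — list the intended alert names, or at least document the breadth. The technique on line 337, `T842`, is Network Sniffing in ATT&CK for ICS as far as I recall; active scanning is a different discovery technique, so please confirm the mapping.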


@ -0,0 +1,35 @@
id: a7d3f642-15d8-4e83-99ee-83ca3352525d
name: Programmable Logic Controller Stop Command - Microsoft Defender for IoT
description: |
'The PLC stop command could indicate either improper configuration of an application that has caused the PLC to stop functioning, or malicious activity on the network; a cyber threat that is attempting to manipulate PLC programming to affect the function of the network.'
severity: Medium
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InhibitResponseFunction
relevantTechniques:
- T881
query: |
SecurityAlert
| where ProductName == "Azure Security Center for IoT"
| where AlertName contains "stop" or AlertName contains "restart" or AlertName contains "reset" or AlertName == "Slave Device Unrecoverable Failure" or AlertName == "Suspicion of Hardware Problems in Outstation"
| extend DeviceId = tostring(parse_json(ExtendedProperties).DeviceId)
| extend IPAddress = tostring(parse_json(tostring(parse_json(Entities)[0].IpAddress)).Address)
| extend Protocol = tostring(parse_json(tostring(parse_json(Entities)[0].Protocols))[0])
| extend DeviceType = tostring(parse_json(Entities)[0].DeviceName)
| extend IoTSecurityAgentId = tostring(parse_json(Entities)[0].IoTSecurityAgentId)
| extend Vendor = tostring(parse_json(Entities)[0].Vendor)
| extend RemediationSteps = tostring(parse_json(RemediationSteps)[0])
| project AlertName, ResourceId, DeviceId, IPAddress, Protocol, DeviceType, Vendor, IoTSecurityAgentId, Tactics, TimeGenerated, RemediationSteps
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
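Review bot: The filter on line 380 matches `contains "stop"`, `contains "restart"` and `contains "reset"` — substring, case-insensitive — so any alert whose name happens to contain those words (a password reset, a connection reset, a service restart on an IT host) will be raised as a "PLC Stop Command" incident with `InhibitResponseFunction`/`T881` tactics; enumerate the actual Defender for IoT alert names instead, as the login and bandwidth rules in this commit do. The entity mapping on line 393 also references `IPCustomEntity`, which this query never defines after its `project`; use `columnName: IPAddress`.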


@ -0,0 +1,35 @@
id: 447dca20-f509-4336-ab00-7aa297b2ff4c
name: IoT/OT Unauthorized Device - Microsoft Defender for IoT
description: |
'An unauthorized device on the network may be either a legitimate new device recently installed on the network or an indication of unauthorized or even malicious activity on the network; a cyber threat attempting to manipulate the SCADA network.'
severity: Medium
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
relevantTechniques:
- T858
query: |
SecurityAlert
| where ProductName == "Azure Security Center for IoT"
| where AlertName == "Field Device Discovered Unexpectedly" or AlertName == "New Asset Detected" or AlertName == "Abnormal usage of MAC Addresses" or AlertName == "New LLDP Device Configuration"
| extend DeviceId = tostring(parse_json(ExtendedProperties).DeviceId)
| extend IPAddress = tostring(parse_json(tostring(parse_json(Entities)[0].IpAddress)).Address)
| extend Protocol = tostring(parse_json(tostring(parse_json(Entities)[0].Protocols))[0])
| extend DeviceType = tostring(parse_json(Entities)[0].DeviceName)
| extend IoTSecurityAgentId = tostring(parse_json(Entities)[0].IoTSecurityAgentId)
| extend Vendor = tostring(parse_json(Entities)[0].Vendor)
| extend RemediationSteps = tostring(parse_json(RemediationSteps)[0])
| project AlertName, ResourceId, DeviceId, IPAddress, Protocol, DeviceType, Vendor, IoTSecurityAgentId, Tactics, TimeGenerated, RemediationSteps
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
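Review bot: The `id` on line 399 is identical to the one on the "IoT/OT Malware" rule in this commit (`447dca20-f509-4336-ab00-7aa297b2ff4c`); rule template IDs must be unique, so this file needs a new GUID. The tactic/technique pair on lines 413–415 (`Execution` / `T858`, i.e. change-operating-mode) is the one the PLC-operating-mode rule uses and does not describe discovery of a new or rogue device — `Discovery` or `InitialAccess` with the corresponding ICS technique fits the alert names on line 419 better; please confirm against the matrix. Finally, line 432 maps `IPCustomEntity`, which the query never emits; change it to `columnName: IPAddress`.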


@ -0,0 +1,35 @@
id: c52ec521-9188-4a9e-a4cd-34a3dfbc3d27
name: IoT/OT Unauthorized Network Configuration - Microsoft Defender for IoT
description: |
'An unauthorized DHCP configuration on the network can be an indication of a new, unauthorized device operating on the network. This is either a legitimate new device recently deployed on the network or an indication of unauthorized or even malicious activity on the network; a cyber threat attempting to manipulate the SCADA network.'
severity: Medium
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
relevantTechniques:
- T813
query: |
SecurityAlert
| where AlertName == "Device Failed to Receive a Dynamic IP Address"
| where AlertName == "Field Device Discovered Unexpectedly" or AlertName == "New Asset Detected" or AlertName == "Abnormal usage of MAC Addresses" or AlertName == "New LLDP Device Configuration"
| extend DeviceId = tostring(parse_json(ExtendedProperties).DeviceId)
| extend IPAddress = tostring(parse_json(tostring(parse_json(Entities)[0].IpAddress)).Address)
| extend Protocol = tostring(parse_json(tostring(parse_json(Entities)[0].Protocols))[0])
| extend DeviceType = tostring(parse_json(Entities)[0].DeviceName)
| extend IoTSecurityAgentId = tostring(parse_json(Entities)[0].IoTSecurityAgentId)
| extend Vendor = tostring(parse_json(Entities)[0].Vendor)
| extend RemediationSteps = tostring(parse_json(RemediationSteps)[0])
| project AlertName, ResourceId, DeviceId, IPAddress, Protocol, DeviceType, Vendor, IoTSecurityAgentId, Tactics, TimeGenerated, RemediationSteps
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
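Review bot: Lines 457–458 are two consecutive `where AlertName == ...` filters with disjoint value sets, so their conjunction is always false and this rule can never fire. Given the DHCP-focused `description`, the second `where` looks like a copy-paste leftover from the unauthorized-device rule; either drop line 458 or, if those alerts are meant to be included, merge the two into one clause: `| where AlertName in ("Device Failed to Receive a Dynamic IP Address", "Field Device Discovered Unexpectedly", "New Asset Detected", "Abnormal usage of MAC Addresses", "New LLDP Device Configuration")`. This query also lacks the `| where ProductName == "Azure Security Center for IoT"` guard the other rules carry, and line 471 maps `IPCustomEntity`, a column the query never defines — use `columnName: IPAddress`.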


@ -0,0 +1,35 @@
id: c2fb27c7-5f67-49c4-aaf3-d82934234a69
name: IoT/OT Unauthorized Programmable Logic Controller Modifications - Microsoft Defender for IoT
description: |
'Unauthorized changes to PLC ladder logic code can be either an indication of new functionality in the PLC, improper configuration of an application (e.g., due to a firmware update or reinstallation), or malicious activity on the network; a cyber threat that attempts to manipulate PLC programming to compromise PLC function.'
severity: Medium
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T839
query: |
SecurityAlert
| where AlertName contains "Unpermitted" or AlertName contains "unauthorized" or AlertName contains "type settings" or AlertName contains "New Activity Detected"
| where AlertName <> "Unauthorized Internet Connectivity Detected"
| extend DeviceId = tostring(parse_json(ExtendedProperties).DeviceId)
| extend IPAddress = tostring(parse_json(tostring(parse_json(Entities)[0].IpAddress)).Address)
| extend Protocol = tostring(parse_json(tostring(parse_json(Entities)[0].Protocols))[0])
| extend DeviceType = tostring(parse_json(Entities)[0].DeviceName)
| extend IoTSecurityAgentId = tostring(parse_json(Entities)[0].IoTSecurityAgentId)
| extend Vendor = tostring(parse_json(Entities)[0].Vendor)
| extend RemediationSteps = tostring(parse_json(RemediationSteps)[0])
| project AlertName, ResourceId, DeviceId, IPAddress, Protocol, DeviceType, Vendor, IoTSecurityAgentId, Tactics, TimeGenerated, RemediationSteps
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
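Review bot: This query has no `ProductName` filter (compare line 105 in the login rule), and line 496 matches on case-insensitive substrings such as `contains "unauthorized"` and `contains "New Activity Detected"`, so it will sweep in alerts from every product that writes to `SecurityAlert` — not only Defender for IoT — and then parse their `Entities` with the IoT-specific `[0].IpAddress` / `[0].Protocols` layout, yielding mis-labelled PLC-modification incidents for unrelated IT alerts. Add `| where ProductName == "Azure Security Center for IoT"` before line 496. The mapping on line 510 also references `IPCustomEntity`, which the query never produces; use `columnName: IPAddress`.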


@ -0,0 +1,34 @@
id: 1ff4fa3d-150b-4c87-b733-26c289af0d49
name: IoT/OT Unauthorized Remote Access - Microsoft Defender for IoT
description: |
'Unauthorized remote access to the network can compromise the target device. That is, if another device on the network is compromised, the target devices can be accessed remotely, increasing the attack surface.'
severity: Medium
requiredDataConnectors:
- connectorId: IoT
dataTypes:
- SecurityAlert (ASC for IoT)
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T886
query: |
SecurityAlert
| where AlertName == "Unauthorized SSH Access"
| extend DeviceId = tostring(parse_json(ExtendedProperties).DeviceId)
| extend IPAddress = tostring(parse_json(tostring(parse_json(Entities)[0].IpAddress)).Address)
| extend Protocol = tostring(parse_json(tostring(parse_json(Entities)[0].Protocols))[0])
| extend DeviceType = tostring(parse_json(Entities)[0].DeviceName)
| extend IoTSecurityAgentId = tostring(parse_json(Entities)[0].IoTSecurityAgentId)
| extend Vendor = tostring(parse_json(Entities)[0].Vendor)
| extend RemediationSteps = tostring(parse_json(RemediationSteps)[0])
| project AlertName, ResourceId, DeviceId, IPAddress, Protocol, DeviceType, Vendor, IoTSecurityAgentId, Tactics, TimeGenerated, RemediationSteps
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
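Review bot: Like the PLC-modification rule, this query omits the `| where ProductName == "Azure Security Center for IoT"` guard that the other rules in this commit apply, so an "Unauthorized SSH Access" alert from any other `SecurityAlert` producer would be parsed with the IoT entity layout and raised under this rule; add the product filter before line 535. The entity mapping on line 548 references `IPCustomEntity`, which the query never defines after its `project` on line 543 — change it to `columnName: IPAddress` so the IP entity is actually populated.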


@ -0,0 +1,218 @@
{
"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion":"1.0.0.0",
"parameters":{
"PlaybookName":{
"defaultValue":"AD4IoT-AutoCloseIncidents",
"type":"String"
}
},
"variables":{
"AzureSentinelConnectionName":"[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[variables('AzureSentinelConnectionName')]",
"customParameterValues": {
},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition_2": {
"actions": {
"Update_incident": {
"inputs": {
"body": {
"classification": {
"ClassificationAndReason": "BenignPositive - SuspiciousButExpected",
"ClassificationReasonText": "Known Manitenence Activity - closed by Playbook "
},
"incidentArmId": "@triggerBody()?['object']?['id']",
"status": "Closed"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Run_query_and_list_results')?['value'])",
0
]
},
{
"greater": [
"@int(substring(split(triggerBody()?['object']?['properties']?['createdTimeUtc'],'T')[1],0,2))",
"@int(0)"
]
},
{
"less": [
"@int(substring(split(triggerBody()?['object']?['properties']?['createdTimeUtc'],'T')[1],0,2))",
"@int(23)"
]
}
]
},
"runAfter": {
"Run_query_and_list_results": [
"Succeeded"
]
},
"type": "If"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "WatchlistName",
"type": "string",
"value": "ipaddresses"
}
]
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Parse_JSON": {
"inputs": {
"content": "@first(triggerBody()?['object']?['properties']?['Alerts'])?['properties']?['additionalData']",
"schema": {
"properties": {
"Category": {
"type": "string"
},
"CompromisedEntityId": {
"type": "string"
},
"DestinationDevice": {
"type": "string"
},
"DestinationDeviceAddress": {
"type": "string"
},
"DeviceId": {
"type": "string"
},
"ProcessedBySentinel": {
"type": "string"
},
"Protocol": {
"type": "string"
},
"SensorId": {
"type": "string"
},
"SourceDeviceAddress": {
"type": "string"
}
},
"type": "object"
}
},
"runAfter": {},
"type": "ParseJson"
},
"Run_query_and_list_results": {
"inputs": {
"body": "_GetWatchlist(\"@{variables('WatchlistName')}\") \n| where ip_address == \"@{body('Parse_JSON')?['SourceDeviceAddress']}\"",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "@triggerBody()?['workspaceInfo']?['ResourceGroupName']",
"resourcename": "@triggerBody()?['workspaceInfo']?['WorkspaceName']",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "@triggerBody()?['workspaceInfo']?['SubscriptionId']",
"timerange": "Last 12 hours"
}
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections":{
"value":{
"azuresentinel":{
"connectionId":"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName":"[variables('AzureSentinelConnectionName')]",
"id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
}
}
}
}
]
}
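Review bot: The auto-close decision (lines 596–645) fires for any incident whose first alert's `SourceDeviceAddress` appears in the `ipaddresses` watchlist, with no constraint on alert type or severity, so once a maintenance host is listed every alert it generates — malware, PLC stop, firmware change — is closed as "BenignPositive" without a human seeing it; the "maintenance window" guard on lines 627–636 (`hour > 0` and `hour < 23`) only excludes 00:xx and 23:xx UTC and reads like a placeholder, so at minimum narrow the hour range to the real window and restrict the auto-close to the alert names that maintenance is expected to produce. The `Run_query_and_list_results` action (line 708) uses `$connections['azuremonitorlogs']`, but the template declares only the `azuresentinel` connection (lines 567–580, 755–762), so the deployed playbook has no Log Analytics connection to run the watchlist query; add the `Microsoft.Web/connections` resource and parameter entry for `azuremonitorlogs`. Line 705 also builds the KQL by string interpolation of `SourceDeviceAddress` from the alert's `additionalData`; that value presumably comes from sensor-parsed traffic rather than a user, but an embedded `"` would still break or alter the query, so validate it as an IP address in the workflow before interpolation. The classification text on line 601 misspells "Maintenance".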


@ -0,0 +1,230 @@
{
"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion":"1.0.0.0",
"parameters":{
"PlaybookName":{
"defaultValue":"AD4IoT-MailByProductionLine",
"type":"String"
}
},
"variables":{
"AzureSentinelConnectionName":"[concat('azuresentinel-', parameters('PlaybookName'))]",
"AzureOffice365ConnectionName":"[concat('office365', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[variables('AzureSentinelConnectionName')]",
"customParameterValues": {
},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureOffice365ConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[variables('AzureOffice365ConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureOffice365ConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Compose_-_Owner_email_address": {
"inputs": "@first(body('Run_query_and_list_results')?['value'])?['mail']",
"runAfter": {},
"type": "Compose"
},
"Send_an_email_(V2)": {
"inputs": {
"body": {
"Body": "<p>@{triggerBody()?['object']?['properties']?['title']} was detcted on IP address @{body('Parse_JSON')?['SourceDeviceAddress']}<br>\n<br>\n@{triggerBody()?['object']?['properties']?['description']}<br>\nView full incident in Azure Sentinel: @{triggerBody()?['object']?['properties']?['incidentUrl']}</p>",
"Subject": "@{triggerBody()?['object']?['properties']?['title']} detected",
"To": "@{outputs('Compose_-_Owner_email_address')}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"method": "post",
"path": "/v2/Mail"
},
"runAfter": {
"Compose_-_Owner_email_address": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Run_query_and_list_results')?['value'])",
0
]
}
]
},
"runAfter": {
"Run_query_and_list_results": [
"Succeeded"
]
},
"type": "If"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "WatchlistName",
"type": "string",
"value": "MailsBySensor"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Parse_JSON": {
"inputs": {
"content": "@first(triggerBody()?['object']?['properties']?['Alerts'])?['properties']?['additionalData']",
"schema": {
"properties": {
"Category": {
"type": "string"
},
"CompromisedEntityId": {
"type": "string"
},
"DestinationDevice": {
"type": "string"
},
"DestinationDeviceAddress": {
"type": "string"
},
"DeviceId": {
"type": "string"
},
"ProcessedBySentinel": {
"type": "string"
},
"Protocol": {
"type": "string"
},
"SensorId": {
"type": "string"
},
"SourceDeviceAddress": {
"type": "string"
}
},
"type": "object"
}
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Run_query_and_list_results": {
"inputs": {
"body": "_GetWatchlist(\"@{variables('WatchlistName')}\") \n| where Sensor == \"@{body('Parse_JSON')?['SensorId']}\"",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "@triggerBody()?['workspaceInfo']?['ResourceGroupName']",
"resourcename": "@triggerBody()?['workspaceInfo']?['WorkspaceName']",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "@triggerBody()?['workspaceInfo']?['SubscriptionId']",
"timerange": "Last 12 hours"
}
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel_1']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections":{
"value":{
"azuresentinel":{
"connectionId":"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName":"[variables('AzureSentinelConnectionName')]",
"id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"office365":{
"connectionId":"[resourceId('Microsoft.Web/connections', variables('AzureOffice365ConnectionName'))]",
"connectionName":"[variables('AzureOffice365ConnectionName')]",
"id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
}
}
}
}
]
}
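Review bot: The trigger on line 973 reads `$connections['azuresentinel_1']['connectionId']`, but the `$connections` parameter value (lines 983–996) defines only `azuresentinel` and `office365`, so the incident-creation trigger resolves to no connection and the playbook cannot subscribe; change line 973 to `@parameters('$connections')['azuresentinel']['connectionId']`. The watchlist query on line 936 likewise references `azuremonitorlogs`, for which no `Microsoft.Web/connections` resource or parameter entry exists in this template. The e-mail body on line 838 is HTML and interpolates the incident `title` and `description` — text that originates from the sensor alert — without escaping, so a crafted device name or alert detail would be rendered as markup in the recipient's mail client; run those fields through an encoding expression or send plain text. Cosmetic: "detcted" on line 838, and the Office 365 connection name on line 784 is missing the `-` separator that the Sentinel one on line 783 uses.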


@ -0,0 +1,188 @@
{
"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion":"1.0.0.0",
"parameters":{
"PlaybookName":{
"defaultValue":"AD4IoT-NewAssetServiceNowTicket",
"type":"String"
}
},
"variables":{
"AzureSentinelConnectionName":"[concat('azuresentinel-', parameters('PlaybookName'))]",
"service-nowConnectionName":"[concat('ServiceNow-', parameters('PlaybookName'))]"
},
"resources":[
{
"type":"Microsoft.Web/connections",
"apiVersion":"2016-06-01",
"name":"[variables('AzureSentinelConnectionName')]",
"location":"[resourceGroup().location]",
"properties":{
"displayName":"[variables('AzureSentinelConnectionName')]",
"customParameterValues":{
},
"api":{
"id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type":"Microsoft.Web/connections",
"apiVersion":"2016-06-01",
"name":"[variables('service-nowConnectionName')]",
"location":"[resourceGroup().location]",
"properties":{
"displayName":"[variables('service-nowConnectionName')]",
"customParameterValues":{
},
"api":{
"id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/service-now')]"
}
}
},
{
"type":"Microsoft.Logic/workflows",
"apiVersion":"2017-07-01",
"name":"[parameters('PlaybookName')]",
"location":"[resourceGroup().location]",
"dependsOn":[
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('service-nowConnectionName'))]"
],
"properties":{
"state":"Enabled",
"definition":{
"$schema":"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions":{
"Condition":{
"actions":{
"Create_Record":{
"inputs":{
"body":{
"short_description":"A new @{body('Parse_JSON')?['deviceType']} was detected with the following Ip address @{body('Parse_JSON')?['deviceName']}"
},
"host":{
"connection":{
"name":"@parameters('$connections')['service-now']['connectionId']"
}
},
"method":"post",
"path":"/api/now/v2/table/@{encodeURIComponent('incident')}",
"queries":{
"sysparm_display_value":true,
"sysparm_exclude_reference_link":true
}
},
"runAfter":{
},
"type":"ApiConnection"
}
},
"expression":{
"and":[
{
"equals":[
"@body('Parse_JSON')?['deviceType']",
"Engineering Station"
]
}
]
},
"runAfter":{
"Parse_JSON":[
"Succeeded"
]
},
"type":"If"
},
"Parse_JSON":{
"inputs":{
"content":"@\nfirst(triggerBody()?['object']?['properties']?['relatedEntities'])?['properties']",
"schema":{
"properties":{
"deviceId":{
"type":"string"
},
"deviceName":{
"type":"string"
},
"deviceType":{
"type":"string"
},
"friendlyName":{
"type":"string"
},
"iotHubEntityId":{
"type":"string"
},
"ipAddressEntityId":{
"type":"string"
},
"protocols":{
"items":{
"type":"string"
},
"type":"array"
}
},
"type":"object"
}
},
"runAfter":{
},
"type":"ParseJson"
}
},
"contentVersion":"1.0.0.0",
"outputs":{
},
"parameters":{
"$connections":{
"defaultValue":{
},
"type":"Object"
}
},
"triggers":{
"When_Azure_Sentinel_incident_creation_rule_was_triggered":{
"inputs":{
"body":{
"callback_url":"@{listCallbackUrl()}"
},
"host":{
"connection":{
"name":"@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path":"/incident-creation"
},
"type":"ApiConnectionWebhook"
}
}
},
"parameters":{
"$connections":{
"value":{
"azuresentinel":{
"connectionId":"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName":"[variables('AzureSentinelConnectionName')]",
"id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"service-now":{
"connectionId":"[resourceId('Microsoft.Web/connections', variables('service-nowConnectionName'))]",
"connectionName":"[variables('service-nowConnectionName')]",
"id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/service-now')]"
}
}
}
}
}
}
]
}
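Review bot: The ticket text built at `"short_description"` captions `deviceName` as "the following Ip address", yet the Parse_JSON schema carries a separate `ipAddressEntityId` field (which by its name is an entity reference, not an address), so analysts will act on a hostname presented as an IP unless Defender for IoT happens to name the device by its IP; the minimal fix is to stop claiming an address, `"short_description":"A new @{body('Parse_JSON')?['deviceType']} was detected: @{body('Parse_JSON')?['deviceName']}"`, and to resolve the real address from the related IP entity if it is wanted in the ticket. Parse_JSON takes `first(triggerBody()?['object']?['properties']?['relatedEntities'])` unconditionally, so when the first related entity is not the IoT device entity the `deviceType` key is simply absent, the `equals` condition is false and the incident is dropped silently, and an incident with no entities makes `first()` fail the run; filtering `relatedEntities` on the IoT device entity kind (or iterating them) before parsing would make the trigger reliable. The content expression is written as `"@\nfirst(...)"` with a newline between `@` and the function name — worth confirming the workflow expression parser accepts that rather than treating the value as a literal string. Note also that `deviceType` and `deviceName` originate from passively observed network traffic and land in the ServiceNow record unchanged; the connector serialises the body as JSON so this is a triage-quality concern rather than an injection one, but a comment saying the values are untrusted would help the next maintainer.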


@ -1,13 +1,23 @@
# Overview
There has been a long-standing split between SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Azure Defender for IoT's integration with Azure Sentinel drives convergency by providing a single pane for coverage of both D4IOT (OT) and Azure Sentinel (IT) alerting.
This solution includes (1) Workbook and (10) Analytics rules and provides a guided investigation for security operations teams. The workbook features IT/OT filtering for Security Alerts, Incidents, and Asset Inventory. The workbook also features a dynamic assessment of the MITRE ATT&CK for ICS matrix across your environment to analyze and respond to IOT-based threats. This solution is designed to enable SecOps Analysts, Security Engineers, and MSSPs to gain situational awareness for IT/OT security posture. This solution is enhanced when integrated with complimentary Microsoft Offerings such as ✳️ Azure Defender for IoT, ✳️ Azure Sentinel, and ✳️ Azure Security Center. This workbook augments staffing through automation, artificial intelligence, machine learning, query/alerting generation and visualizations.
This solution includes (1) Workbook, (13) Analytics rules, and (3) Playbooks providing a guide OT/IoT Detection, Analysis, and Response. The solution features IoT/OT filtering for Security Alerts, Incidents, and Asset Inventory. The workbook features a dynamic assessment of the MITRE ATT&CK for ICS matrix across your environment to analyze and respond to IoT/OT-based threats. This solution is designed to enable SecOps Analysts, Security Engineers, and MSSPs to gain situational awareness for IT/OT security posture. This solution is enhanced when integrated with complimentary Microsoft Offerings such as ✳️ Azure Defender for IoT, ✳️ Azure Sentinel, and ✳️ Azure Security Center. This workbook augments staffing through automation, artificial intelligence, machine learning, query/alerting generation and visualizations.
# Getting Started
1) [Onboard Azure Defender for IoT](https://docs.microsoft.com/azure/defender-for-iot/device-builders/quickstart-onboard-iot-hub)
2) [Onboard Azure Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
3) [Enable Azure Defender for IoT Connector to Azure Sentinel](https://docs.microsoft.com/azure/defender-for-iot/organizations/how-to-configure-with-sentinel)
4) View the Workbook: Navigate to Azure Sentinel > Workbooks > My Workbooks > Unified Microsoft SOC for OT > View
4) View the Workbook: Navigate to Azure Sentinel > Workbooks > My Workbooks > IoT/OT Threat Monitoring with Defender for IoT > View
5) View the Analytics Rules: Navigate to Azure Sentinel > Analytics > Search "IOT"
6) View the Playbooks: Navigate to Azure Sentinel> Automation > Playbooks > Search "IOT"
# Playbooks
1) AutoCloseIncidents
## Overview
In some cases, maintenance activities generate alerts in Sentinel which distracts the SOC team from handling the real problems, the playbook allows to input the time period in which the maintenance is expected and the assets IP (Excel file can be found). The playbook requires a watchlist which includes all the IP addresses of the assets on which alerts will handled automatically. This playbook parses explicitly the IOT device entity fields. For more information, see [AD4IoT-AutoCloseIncidents](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AD4IoT-AutoCloseIncidents)
2) MailbyProductionLine
## Overview
The following playbook will send mail to notify specific stake holders.<br>
One example can be in the case of specific security team per product line or per physical location. The playbook requires a watchlist which maps between the sensors name and the mail addresses of the alerts stockholders. For more information, see [AD4IoT-MailbyProductionLine](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AD4IoT-MailbyProductionLine)
3) NewAssetServiceNowTicket
## Overview
Normally, the authorized entity to program a PLC is the Engineering Workstation, to program a PLC attackers might create a new Engineering Workstation to create malicious programing. The following playbook will open a ticket in ServiceNow each time a new Engineering Workstation is detected. This playbook parses explicitly the IOT device entity fields. For more information, see [AD4IoT-NewAssetServiceNowTicket](https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/AD4IoT-NewAssetServiceNowTicket/readme.md)