adding IoT exploration queries (#1934)

* adding IoT exploration queries pP: Table structure isn't final, so query would have to be adjusted.
2021-04-20 09:48:51 +03:00 · 2021-04-20 09:48:51 +03:00 · c47a637adf
--- a/Queries/InputEntity_Host/ConnectionData_DefenderForIoT_GetHost2Host.yml
+++ b/Queries/InputEntity_Host/ConnectionData_DefenderForIoT_GetHost2Host.yml
@ -0,0 +1,53 @@
+Id: 4e0d1f17-e3a9-4c1a-aa7d-3842828c10a2
+DisplayName: DefenderForIoT - Hosts communicating the most amount of data with this Host
+Description: Hosts communicating the most amount of data with this Host during the range of -3d and +3d
+InputEntityType: Host
+InputFields:
+  - HostName
+OutputEntityTypes:
+  - Host
+QueryPeriodBefore: 3d
+QueryPeriodAfter: 3d
+DataSources:
+    - SecurityIoTRawEvent
+Tactics:
+  - Exfiltration
+  - CommandAndControl
+  - Collection
+query: |
+    let ConnectionData_DefenderForIoT_GetHost2Host = (v_Host_HostName:string) {
+    let connectionData = SecurityIoTRawEvent 
+    | extend ClientDeviceType = todynamic(extractjson("$ClientDevice", EventDetails)).deviceType
+    | extend ClientDeviceId = todynamic(extractjson("$ClientDevice", EventDetails)).deviceId
+    | extend ClientIpAddress = todynamic(extractjson("$ClientDevice", EventDetails)).ipAddress
+    | extend ClientisExternal = todynamic(extractjson("$ClientDevice", EventDetails)).isExternal
+    | extend ServerDeviceType = todynamic(extractjson("$ServerDevice", EventDetails)).deviceType
+    | extend ServerDeviceId = todynamic(extractjson("$ServerDevice", EventDetails)).deviceId
+    | extend ServerIpAddress = todynamic(extractjson("$ServerDevice", EventDetails)).ipAddress
+    | extend ServerisExternal = todynamic(extractjson("$ServerDevice", EventDetails)).isExternal
+    | extend ClientDeviceName = tostring(todynamic(extractjson("$ClientDevice", EventDetails)).deviceName)
+    | extend ServerDeviceName = tostring(todynamic(extractjson("$ServerDevice", EventDetails)).deviceName)
+    | extend Bandwidth = todynamic(extractjson("$Bandwidth", EventDetails))
+    | extend LastActivity = todynamic(extractjson("$LastActivity", EventDetails))
+    | extend Protocol = todynamic(extractjson("$Protocol", EventDetails))
+    | extend ServerPort = todynamic(extractjson("$ServerPort", EventDetails))
+    | extend ServerDevice = extractjson("$ServerDevice", EventDetails)
+    | extend ClientDevice = extractjson("$ClientDevice", EventDetails)
+    | extend SensorId = DeviceId
+    | extend ClientDeviceGUID = strcat(SensorId, "_", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, "_", ServerDeviceId);
+    connectionData
+    | where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName
+    | extend Direction = iff(ClientDeviceName == v_Host_HostName, "Outbound", "Inbound")
+    | project DeviceGUID = iff(Direction == "Outbound", ServerDeviceGUID, ClientDeviceGUID), 
+    DeviceType = iff(Direction == "Outbound", ServerDeviceType, ClientDeviceType),
+    DeviceIp = iff(Direction == "Outbound", ServerIpAddress, ClientIpAddress),
+    DeviceName = iff(Direction == "Outbound", ServerDeviceName, ClientDeviceName),
+    SensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort
+    | summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)
+    | project-rename TotalBandwidth_MB = TotalBandwidth
+    | where IoTDevice_DeviceType in ("Domain Controller", "DB Server", "Workstation", "Server", "Terminal Station", "Storage", "Smart Phone", "Tablet", "Backup Server ")
+    | extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)
+    | project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress,Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB
+    | top 10 by Host_Aux_TotalBandwidth_MB
+    };
+    ConnectionData_DefenderForIoT_GetHost2Host('<HostName>')
--- a/Queries/InputEntity_Host/ConnectionData_DefenderForIoT_GetHost2IP.yml
+++ b/Queries/InputEntity_Host/ConnectionData_DefenderForIoT_GetHost2IP.yml
@ -0,0 +1,54 @@
+Id: cc942838-2ce5-4a05-8bf9-25a00102a7b7
+DisplayName: DefenderForIoT - IP Addresses communicating the most amount of data with this Host
+Description: IP Addresses communicating the most amount of data with this Host during the range of -3d and +3d
+InputEntityType: Host
+InputFields:
+  - HostName
+OutputEntityTypes:
+  - Ip
+QueryPeriodBefore: 3d
+QueryPeriodAfter: 3d
+DataSources:
+    - SecurityIoTRawEvent
+Tactics:
+  - Exfiltration
+  - CommandAndControl
+  - Collection
+query: |
+    let ConnectionData_DefenderForIoT_GetHost2IP = (v_Host_HostName: string) {
+    let connectionData = SecurityIoTRawEvent 
+    | extend ClientDeviceType = todynamic(extractjson("$ClientDevice", EventDetails)).deviceType
+    | extend ClientDeviceId = todynamic(extractjson("$ClientDevice", EventDetails)).deviceId
+    | extend ClientIpAddress = todynamic(extractjson("$ClientDevice", EventDetails)).ipAddress
+    | extend ClientisExternal = todynamic(extractjson("$ClientDevice", EventDetails)).isExternal
+    | extend ServerDeviceType = todynamic(extractjson("$ServerDevice", EventDetails)).deviceType
+    | extend ServerDeviceId = todynamic(extractjson("$ServerDevice", EventDetails)).deviceId
+    | extend ServerIpAddress = todynamic(extractjson("$ServerDevice", EventDetails)).ipAddress
+    | extend ServerisExternal = todynamic(extractjson("$ServerDevice", EventDetails)).isExternal
+    | extend ClientDeviceName = tostring(todynamic(extractjson("$ClientDevice", EventDetails)).deviceName)
+    | extend ServerDeviceName = tostring(todynamic(extractjson("$ServerDevice", EventDetails)).deviceName)
+    | extend Bandwidth = todynamic(extractjson("$Bandwidth", EventDetails))
+    | extend LastActivity = todynamic(extractjson("$LastActivity", EventDetails))
+    | extend Protocol = todynamic(extractjson("$Protocol", EventDetails))
+    | extend ServerPort = todynamic(extractjson("$ServerPort", EventDetails))
+    | extend ServerDevice = extractjson("$ServerDevice", EventDetails)
+    | extend ClientDevice = extractjson("$ClientDevice", EventDetails)
+    | extend SensorId = DeviceId
+    | extend ClientDeviceGUID = strcat(SensorId, "_", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, "_", ServerDeviceId);
+    connectionData
+    | where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName
+    | extend Direction = iff(ClientDeviceName == v_Host_HostName, "Outbound", "Inbound")
+    | project DeviceGUID = iff(Direction == "Outbound", ServerDeviceGUID, ClientDeviceGUID), 
+    DeviceType = iff(Direction == "Outbound", ServerDeviceType, ClientDeviceType),
+    DeviceIp = iff(Direction == "Outbound", ServerIpAddress, ClientIpAddress),
+    DeviceIsExternal = iff(Direction == "Outbound", ServerisExternal, ClientisExternal),
+    SensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction
+    | summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)
+    | project-rename TotalBandwidth_MB = TotalBandwidth
+    | where IoTDevice_DeviceType in ("", "Unknown", "Internet", "Group") or 
+    IoTDevice_DeviceType in ("Multicast/Broadcast", "Wireless Access Point", "Router", "Switch", "Firewall", "VPN Gateway", "NTP Server", "Wifi Pineapple", "Physical Location", "I/O Adapter", "Protocol Converter")
+    | project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal
+    | extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)
+    | top 10 by IP_Aux_TotalBandwidth_MB
+    };
+    ConnectionData_DefenderForIoT_GetHost2IP('<HostName>')
--- a/Queries/InputEntity_Host/ConnectionData_DefenderForIoT_GetHost2IoTDevice.yml
+++ b/Queries/InputEntity_Host/ConnectionData_DefenderForIoT_GetHost2IoTDevice.yml
@ -0,0 +1,51 @@
+Id: ec41f36e-3fbe-44e3-a09e-adf99bc87dcb
+DisplayName: DefenderForIoT - IoT\OT Devices communicating the most amount of data with this Host
+Description: IoT\OT Devices communicating the most amount of data with this Host during the range of -3d and +3d
+InputEntityType: Host
+InputFields:
+  - HostName
+OutputEntityTypes:
+  - IoTDevice
+QueryPeriodBefore: 3d
+QueryPeriodAfter: 3d
+DataSources:
+    - SecurityIoTRawEvent
+Tactics:
+  - Exfiltration
+  - CommandAndControl
+  - Collection
+query: |
+    let ConnectionData_DefenderForIoT_GetHost2IoTDevice = (v_Host_HostName:string) {
+    SecurityIoTRawEvent 
+    | extend ClientDeviceType = todynamic(extractjson("$ClientDevice", EventDetails)).deviceType
+    | extend ClientDeviceId = todynamic(extractjson("$ClientDevice", EventDetails)).deviceId
+    | extend ClientIpAddress = todynamic(extractjson("$ClientDevice", EventDetails)).ipAddress
+    | extend ClientisExternal = todynamic(extractjson("$ClientDevice", EventDetails)).isExternal
+    | extend ServerDeviceType = todynamic(extractjson("$ServerDevice", EventDetails)).deviceType
+    | extend ServerDeviceId = todynamic(extractjson("$ServerDevice", EventDetails)).deviceId
+    | extend ServerIpAddress = todynamic(extractjson("$ServerDevice", EventDetails)).ipAddress
+    | extend ServerisExternal = todynamic(extractjson("$ServerDevice", EventDetails)).isExternal
+    | extend ClientDeviceName = tostring(todynamic(extractjson("$ClientDevice", EventDetails)).deviceName)
+    | extend ServerDeviceName = tostring(todynamic(extractjson("$ServerDevice", EventDetails)).deviceName)
+    | extend Bandwidth = todynamic(extractjson("$Bandwidth", EventDetails))
+    | extend LastActivity = todynamic(extractjson("$LastActivity", EventDetails))
+    | extend Protocol = todynamic(extractjson("$Protocol", EventDetails))
+    | extend ServerPort = todynamic(extractjson("$ServerPort", EventDetails))
+    | extend ServerDevice = extractjson("$ServerDevice", EventDetails)
+    | extend ClientDevice = extractjson("$ClientDevice", EventDetails)
+    | extend SensorId = DeviceId
+    | extend ClientDeviceGUID = strcat(SensorId, "_", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, "_", ServerDeviceId)
+    | where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName
+    | extend Direction = iff(ClientDeviceName == v_Host_HostName, "Outbound", "Inbound")
+    | project DeviceGUID = iff(Direction == "Outbound", ServerDeviceGUID, ClientDeviceGUID), 
+    DeviceType = iff(Direction == "Outbound", ServerDeviceType, ClientDeviceType),
+    DeviceIp = iff(Direction == "Outbound", ServerIpAddress, ClientIpAddress),
+    DeviceName = iff(Direction == "Outbound", ServerDeviceName, ClientDeviceName),
+    SensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort
+    | summarize TotalBandwidth = sum(Bandwidth), IoTDevice_Aux_LastActivity = max(LastActivity), IoTDevice_Aux_Protocols = make_set(Protocol), IoTDevice_Aux_ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_DeviceName =  DeviceName, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)
+    | project-rename IoTDevice_Aux_TotalBandwidth_MB = TotalBandwidth
+    | where IoTDevice_DeviceType !in ("", "Unknown", "Internet", "Group") and IoTDevice_DeviceType !in ("Multicast/Broadcast", "Wireless Access Point", "Router", "Switch", "Firewall", "VPN Gateway", "NTP Server", "Wifi Pineapple", "Physical Location", "I/O Adapter", "Protocol Converter") and IoTDevice_DeviceType !in ("Domain Controller", "DB Server", "Workstation", "Server", "Terminal Station", "Storage", "Smart Phone", "Tablet", "Backup Server ")
+    | extend IoTDevice_Aux_TotalBandwidth_MB = floor(todecimal(IoTDevice_Aux_TotalBandwidth_MB / 1000), 0.1)
+    | top 10 by IoTDevice_Aux_TotalBandwidth_MB
+    };
+    ConnectionData_DefenderForIoT_GetHost2IoTDevice('<HostName>')
--- a/Queries/InputEntity_IP/ConnectionData_DefenderForIoT_GetIP2Host.yml
+++ b/Queries/InputEntity_IP/ConnectionData_DefenderForIoT_GetIP2Host.yml
@ -0,0 +1,53 @@
+Id: b66111f6-42ff-4f5a-8e3e-66ca1a71a758
+DisplayName: DefenderForIoT - Hosts communicating the most amount of data with this IP Address
+Description: IP addresses communicating the most amount of data with this IP during the range of -3d and +3d
+InputEntityType: Ip
+InputFields:
+  - Address
+OutputEntityTypes:
+  - Host
+QueryPeriodBefore: 3d
+QueryPeriodAfter: 3d
+DataSources:
+    - SecurityIoTRawEvent
+Tactics:
+  - Exfiltration
+  - CommandAndControl
+  - Collection
+query: |
+    let ConnectionData_DefenderForIoT_GetIP2Host = (v_IP_Address:string) {
+    let connectionData = SecurityIoTRawEvent 
+    | extend ClientDeviceType = todynamic(extractjson("$ClientDevice", EventDetails)).deviceType
+    | extend ClientDeviceId = todynamic(extractjson("$ClientDevice", EventDetails)).deviceId
+    | extend ClientIpAddress = todynamic(extractjson("$ClientDevice", EventDetails)).ipAddress
+    | extend ClientisExternal = todynamic(extractjson("$ClientDevice", EventDetails)).isExternal
+    | extend ServerDeviceType = todynamic(extractjson("$ServerDevice", EventDetails)).deviceType
+    | extend ServerDeviceId = todynamic(extractjson("$ServerDevice", EventDetails)).deviceId
+    | extend ServerIpAddress = todynamic(extractjson("$ServerDevice", EventDetails)).ipAddress
+    | extend ServerisExternal = todynamic(extractjson("$ServerDevice", EventDetails)).isExternal
+    | extend ClientDeviceName = tostring(todynamic(extractjson("$ClientDevice", EventDetails)).deviceName)
+    | extend ServerDeviceName = tostring(todynamic(extractjson("$ServerDevice", EventDetails)).deviceName)
+    | extend Bandwidth = todynamic(extractjson("$Bandwidth", EventDetails))
+    | extend LastActivity = todynamic(extractjson("$LastActivity", EventDetails))
+    | extend Protocol = todynamic(extractjson("$Protocol", EventDetails))
+    | extend ServerPort = todynamic(extractjson("$ServerPort", EventDetails))
+    | extend ServerDevice = extractjson("$ServerDevice", EventDetails)
+    | extend ClientDevice = extractjson("$ClientDevice", EventDetails)
+    | extend SensorId = DeviceId
+    | extend ClientDeviceGUID = strcat(SensorId, "_", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, "_", ServerDeviceId);
+    connectionData
+    | where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address
+    | extend Direction = iff(ClientIpAddress == v_IP_Address, "Outbound", "Inbound")
+    | project DeviceGUID = iff(Direction == "Outbound", ServerDeviceGUID, ClientDeviceGUID), 
+    DeviceType = iff(Direction == "Outbound", ServerDeviceType, ClientDeviceType),
+    DeviceIp = iff(Direction == "Outbound", ServerIpAddress, ClientIpAddress),
+    DeviceName = iff(Direction == "Outbound", ServerDeviceName, ClientDeviceName),
+    SensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort
+    | summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)
+    | project-rename TotalBandwidth_MB = TotalBandwidth
+    | where IoTDevice_DeviceType in ("Domain Controller", "DB Server", "Workstation", "Server", "Terminal Station", "Storage", "Smart Phone", "Tablet", "Backup Server ")
+    | extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)
+    | project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB
+    | top 10 by Host_Aux_TotalBandwidth_MB
+    };
+    ConnectionData_DefenderForIoT_GetIP2Host('<Address>')
--- a/Queries/InputEntity_IP/ConnectionData_DefenderForIoT_GetIP2IP.yml
+++ b/Queries/InputEntity_IP/ConnectionData_DefenderForIoT_GetIP2IP.yml
@ -0,0 +1,53 @@
+Id: b7bd2812-f485-4430-bfac-6b0a1dd4c3f7
+DisplayName: DefenderForIoT - IP Addresses communicating the most amount of data with this IP Address
+Description: IP addresses communicating the most amount of data with this IP Address during the range of -3d and +3d
+InputEntityType: Ip
+InputFields:
+  - Address
+OutputEntityTypes:
+  - Ip
+QueryPeriodBefore: 3d
+QueryPeriodAfter: 3d
+DataSources:
+    - SecurityIoTRawEvent
+Tactics:
+  - Exfiltration
+  - CommandAndControl
+  - Collection
+query: |
+    let ConnectionData_DefenderForIoT_GetIP2IP = (v_IP_Address:string) {
+    let connectionData = SecurityIoTRawEvent 
+    | extend ClientDeviceType = todynamic(extractjson("$ClientDevice", EventDetails)).deviceType
+    | extend ClientDeviceId = todynamic(extractjson("$ClientDevice", EventDetails)).deviceId
+    | extend ClientIpAddress = todynamic(extractjson("$ClientDevice", EventDetails)).ipAddress
+    | extend ClientisExternal = todynamic(extractjson("$ClientDevice", EventDetails)).isExternal
+    | extend ServerDeviceType = todynamic(extractjson("$ServerDevice", EventDetails)).deviceType
+    | extend ServerDeviceId = todynamic(extractjson("$ServerDevice", EventDetails)).deviceId
+    | extend ServerIpAddress = todynamic(extractjson("$ServerDevice", EventDetails)).ipAddress
+    | extend ServerisExternal = todynamic(extractjson("$ServerDevice", EventDetails)).isExternal
+    | extend Bandwidth = todynamic(extractjson("$Bandwidth", EventDetails))
+    | extend LastActivity = todynamic(extractjson("$LastActivity", EventDetails))
+    | extend Protocol = todynamic(extractjson("$Protocol", EventDetails))
+    | extend ServerPort = todynamic(extractjson("$ServerPort", EventDetails))
+    | extend ServerDevice = extractjson("$ServerDevice", EventDetails)
+    | extend ClientDevice = extractjson("$ClientDevice", EventDetails)
+    | extend SensorId = DeviceId
+    | extend ClientDeviceGUID = strcat(SensorId, "_", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, "_", ServerDeviceId);
+    connectionData
+    | where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address
+    | extend Direction = iff(ClientIpAddress == v_IP_Address, "Outbound", "Inbound")
+    | project DeviceGUID = iff(Direction == "Outbound", ServerDeviceGUID, ClientDeviceGUID), 
+    DeviceType = iff(Direction == "Outbound", ServerDeviceType, ClientDeviceType),
+    DeviceIp = iff(Direction == "Outbound", ServerIpAddress, ClientIpAddress),
+    DeviceIsExternal = iff(Direction == "Outbound", ServerisExternal, ClientisExternal),
+    SensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction
+    | summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)
+    | project-rename TotalBandwidth_MB = TotalBandwidth
+    | where IoTDevice_DeviceType in ("", "Unknown", "Internet", "Group") or 
+    IoTDevice_DeviceType in ("Multicast/Broadcast", "Wireless Access Point", "Router", "Switch", "Firewall", "VPN Gateway", "NTP Server", "Wifi Pineapple", "Physical Location", "I/O Adapter", "Protocol Converter")
+    | project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal
+    | extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)
+    | top 10 by IP_Aux_TotalBandwidth_MB
+    };
+    ConnectionData_DefenderForIoT_GetIP2IP('<Address>')
+    
--- a/Queries/InputEntity_IP/ConnectionData_DefenderForIoT_GetIP2IoTDevice.yml
+++ b/Queries/InputEntity_IP/ConnectionData_DefenderForIoT_GetIP2IoTDevice.yml
@ -0,0 +1,54 @@
+Id: 3d110544-328c-4c02-ad49-eabc2b69f26d
+DisplayName: DefenderForIoT - IoT\OT Devices communicating the most amount of data with this IP Address
+Description: IP addresses communicating the most amount of data with this IP during the range of -3d and +3d
+InputEntityType: Ip
+InputFields:
+  - Address
+OutputEntityTypes:
+  - IoTDevice
+QueryPeriodBefore: 3d
+QueryPeriodAfter: 3d
+DataSources:
+    - SecurityIoTRawEvent
+Tactics:
+  - Exfiltration
+  - CommandAndControl
+  - Collection
+query: |
+    let ConnectionData_DefenderForIoT_GetIP2IoTDevice = (v_IP_Address:string) {
+    let connectionData = SecurityIoTRawEvent 
+    | extend ClientDeviceType = todynamic(extractjson("$ClientDevice", EventDetails)).deviceType
+    | extend ClientDeviceId = todynamic(extractjson("$ClientDevice", EventDetails)).deviceId
+    | extend ClientIpAddress = todynamic(extractjson("$ClientDevice", EventDetails)).ipAddress
+    | extend ClientisExternal = todynamic(extractjson("$ClientDevice", EventDetails)).isExternal
+    | extend ServerDeviceType = todynamic(extractjson("$ServerDevice", EventDetails)).deviceType
+    | extend ServerDeviceId = todynamic(extractjson("$ServerDevice", EventDetails)).deviceId
+    | extend ServerIpAddress = todynamic(extractjson("$ServerDevice", EventDetails)).ipAddress
+    | extend ServerisExternal = todynamic(extractjson("$ServerDevice", EventDetails)).isExternal
+    | extend ClientDeviceName = tostring(todynamic(extractjson("$ClientDevice", EventDetails)).deviceName)
+    | extend ServerDeviceName = tostring(todynamic(extractjson("$ServerDevice", EventDetails)).deviceName)
+    | extend Bandwidth = todynamic(extractjson("$Bandwidth", EventDetails))
+    | extend LastActivity = todynamic(extractjson("$LastActivity", EventDetails))
+    | extend Protocol = todynamic(extractjson("$Protocol", EventDetails))
+    | extend ServerPort = todynamic(extractjson("$ServerPort", EventDetails))
+    | extend ServerDevice = extractjson("$ServerDevice", EventDetails)
+    | extend ClientDevice = extractjson("$ClientDevice", EventDetails)
+    | extend SensorId = DeviceId
+    | extend ClientDeviceGUID = strcat(SensorId, "_", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, "_", ServerDeviceId);
+    connectionData
+    | where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address
+    | extend Direction = iff(ClientIpAddress == v_IP_Address, "Outbound", "Inbound")
+    | project DeviceGUID = iff(Direction == "Outbound", ServerDeviceGUID, ClientDeviceGUID), 
+    DeviceType = iff(Direction == "Outbound", ServerDeviceType, ClientDeviceType),
+    DeviceIp = iff(Direction == "Outbound", ServerIpAddress, ClientIpAddress),
+    DeviceName = iff(Direction == "Outbound", ServerDeviceName, ClientDeviceName),
+    SensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort
+    | summarize TotalBandwidth = sum(Bandwidth), IoTDevice_Aux_LastActivity = max(LastActivity), IoTDevice_Aux_Protocols = make_set(Protocol), IoTDevice_Aux_ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_DeviceName =  DeviceName, IoTDevice_IpAddress_Address = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)
+        | project-rename IoTDevice_Aux_TotalBandwidth_MB = TotalBandwidth
+    | where IoTDevice_DeviceType !in ("", "Unknown", "Internet", "Group") and 
+    IoTDevice_DeviceType !in ("Multicast/Broadcast", "Wireless Access Point", "Router", "Switch", "Firewall", "VPN Gateway", "NTP Server", "Wifi Pineapple", "Physical Location", "I/O Adapter", "Protocol Converter")
+    and IoTDevice_DeviceType !in ("Domain Controller", "DB Server", "Workstation", "Server", "Terminal Station", "Storage", "Smart Phone", "Tablet", "Backup Server ")
+        | extend IoTDevice_Aux_TotalBandwidth_MB = floor(todecimal(IoTDevice_Aux_TotalBandwidth_MB / 1000), 0.1)
+        | top 10 by IoTDevice_Aux_TotalBandwidth_MB
+    };
+    ConnectionData_DefenderForIoT_GetIP2IoTDevice('<Address>')
--- a/Queries/IoT/ConnectionData_DefenderForIoT_GetIoTDevice2Host.yml
+++ b/Queries/IoT/ConnectionData_DefenderForIoT_GetIoTDevice2Host.yml
@ -0,0 +1,53 @@
+Id: c07c8936-d2a7-41a7-97d2-d3afdf267da4
+DisplayName: DefenderForIoT - Hosts communicating the most amount of data with this IoT\OT Device
+Description: IP addresses communicating the most amount of data with this IP during the range of -3d and +3d
+InputEntityType: IoTDevice
+InputFields:
+  - DeviceId
+OutputEntityTypes:
+  - Host
+QueryPeriodBefore: 3d
+QueryPeriodAfter: 3d
+DataSources:
+    - SecurityIoTRawEvent
+Tactics:
+  - Exfiltration
+  - CommandAndControl
+  - Collection
+query: |
+    let ConnectionData_DefenderForIoT_GetIoTDevice2Host = (v_IoTDevice_DeviceId:string) {
+    let connectionData = SecurityIoTRawEvent 
+    | extend ClientDeviceType = todynamic(extractjson("$ClientDevice", EventDetails)).deviceType
+    | extend ClientDeviceId = todynamic(extractjson("$ClientDevice", EventDetails)).deviceId
+    | extend ClientIpAddress = todynamic(extractjson("$ClientDevice", EventDetails)).ipAddress
+    | extend ClientisExternal = todynamic(extractjson("$ClientDevice", EventDetails)).isExternal
+    | extend ServerDeviceType = todynamic(extractjson("$ServerDevice", EventDetails)).deviceType
+    | extend ServerDeviceId = todynamic(extractjson("$ServerDevice", EventDetails)).deviceId
+    | extend ServerIpAddress = todynamic(extractjson("$ServerDevice", EventDetails)).ipAddress
+    | extend ServerisExternal = todynamic(extractjson("$ServerDevice", EventDetails)).isExternal
+    | extend ClientDeviceName = tostring(todynamic(extractjson("$ClientDevice", EventDetails)).deviceName)
+    | extend ServerDeviceName = tostring(todynamic(extractjson("$ServerDevice", EventDetails)).deviceName)
+    | extend Bandwidth = todynamic(extractjson("$Bandwidth", EventDetails))
+    | extend LastActivity = todynamic(extractjson("$LastActivity", EventDetails))
+    | extend Protocol = todynamic(extractjson("$Protocol", EventDetails))
+    | extend ServerPort = todynamic(extractjson("$ServerPort", EventDetails))
+    | extend ServerDevice = extractjson("$ServerDevice", EventDetails)
+    | extend ClientDevice = extractjson("$ClientDevice", EventDetails)
+    | extend SensorId = DeviceId
+    | extend ClientDeviceGUID = strcat(SensorId, "_", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, "_", ServerDeviceId);
+    connectionData
+    | where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId
+    | extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, "Outbound", "Inbound")
+    | project DeviceGUID = iff(Direction == "Outbound", ServerDeviceGUID, ClientDeviceGUID), 
+    DeviceType = iff(Direction == "Outbound", ServerDeviceType, ClientDeviceType),
+    DeviceIp = iff(Direction == "Outbound", ServerIpAddress, ClientIpAddress),
+    DeviceName = iff(Direction == "Outbound", ServerDeviceName, ClientDeviceName),
+    SensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort
+    | summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)
+    | project-rename TotalBandwidth_MB = TotalBandwidth
+    | where IoTDevice_DeviceType in ("Domain Controller", "DB Server", "Workstation", "Server", "Terminal Station", "Storage", "Smart Phone", "Tablet", "Backup Server ")
+    | extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)
+    | project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB
+    | top 10 by Host_Aux_TotalBandwidth_MB
+    };
+    ConnectionData_DefenderForIoT_GetIoTDevice2Host('<DeviceId>')
--- a/Queries/IoT/ConnectionData_DefenderForIoT_GetIoTDevice2IP.yml
+++ b/Queries/IoT/ConnectionData_DefenderForIoT_GetIoTDevice2IP.yml
@ -0,0 +1,52 @@
+Id: f1cce474-7a4f-435c-a7ee-3d5a800a6df4
+DisplayName: DefenderForIoT - IP Addresses communicating the most amount of data with this IoT\OT Device
+Description: IP addresses communicating the most amount of data with this IoT\OT Device during the range of -3d and +3d
+InputEntityType: IoTDevice
+InputFields:
+  - DeviceId
+OutputEntityTypes:
+  - Ip
+QueryPeriodBefore: 3d
+QueryPeriodAfter: 3d
+DataSources:
+    - SecurityIoTRawEvent
+Tactics:
+  - Exfiltration
+  - CommandAndControl
+  - Collection
+query: |
+    let ConnectionData_DefenderForIoT_GetIoTDevice2IP = (v_IoTDevice_DeviceId:string) {
+    let connectionData = SecurityIoTRawEvent 
+    | extend ClientDeviceType = todynamic(extractjson("$ClientDevice", EventDetails)).deviceType
+    | extend ClientDeviceId = todynamic(extractjson("$ClientDevice", EventDetails)).deviceId
+    | extend ClientIpAddress = todynamic(extractjson("$ClientDevice", EventDetails)).ipAddress
+    | extend ClientisExternal = todynamic(extractjson("$ClientDevice", EventDetails)).isExternal
+    | extend ServerDeviceType = todynamic(extractjson("$ServerDevice", EventDetails)).deviceType
+    | extend ServerDeviceId = todynamic(extractjson("$ServerDevice", EventDetails)).deviceId
+    | extend ServerIpAddress = todynamic(extractjson("$ServerDevice", EventDetails)).ipAddress
+    | extend ServerisExternal = todynamic(extractjson("$ServerDevice", EventDetails)).isExternal
+    | extend Bandwidth = todynamic(extractjson("$Bandwidth", EventDetails))
+    | extend LastActivity = todynamic(extractjson("$LastActivity", EventDetails))
+    | extend Protocol = todynamic(extractjson("$Protocol", EventDetails))
+    | extend ServerDevice = extractjson("$ServerDevice", EventDetails)
+    | extend ServerPort = todynamic(extractjson("$ServerPort", EventDetails))
+    | extend ClientDevice = extractjson("$ClientDevice", EventDetails)
+    | extend SensorId = DeviceId
+    | extend ClientDeviceGUID = strcat(SensorId, "_", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, "_", ServerDeviceId);
+    connectionData
+    | where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId
+    | extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, "Outbound", "Inbound")
+    | project DeviceGUID = iff(Direction == "Outbound", ServerDeviceGUID, ClientDeviceGUID), 
+    DeviceType = iff(Direction == "Outbound", ServerDeviceType, ClientDeviceType),
+    DeviceIp = iff(Direction == "Outbound", ServerIpAddress, ClientIpAddress),
+    DeviceIsExternal = iff(Direction == "Outbound", ServerisExternal, ClientisExternal),
+    SensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort
+    | summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)
+    | project-rename TotalBandwidth_MB = TotalBandwidth
+    | where IoTDevice_DeviceType in ("", "Unknown", "Internet", "Group") or 
+    IoTDevice_DeviceType in ("Multicast/Broadcast", "Wireless Access Point", "Router", "Switch", "Firewall", "VPN Gateway", "NTP Server", "Wifi Pineapple", "Physical Location", "I/O Adapter", "Protocol Converter")
+    | project IP_Address = IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal
+    | extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)
+    | top 10 by IP_Aux_TotalBandwidth_MB
+    };
+    ConnectionData_DefenderForIoT_GetIoTDevice2IP('<DeviceId>')
--- a/Queries/IoT/ConnectionData_DefenderForIoT_GetIoTDevice2IoTDevice.yml
+++ b/Queries/IoT/ConnectionData_DefenderForIoT_GetIoTDevice2IoTDevice.yml
@ -0,0 +1,52 @@
+Id: 233eaf89-cbb0-461a-bc45-e0f873ad6b15
+DisplayName: DefenderForIoT - IoT\OT Devicees communicating the most amount of data with this IoT\OT Device
+Description: IP addresses communicating the most amount of data with this IP during the range of -3d and +3d
+InputEntityType: IoTDevice
+InputFields:
+  - DeviceId
+OutputEntityTypes:
+  - IoTDevice
+QueryPeriodBefore: 3d
+QueryPeriodAfter: 3d
+DataSources:
+    - SecurityIoTRawEvent
+Tactics:
+  - Exfiltration
+  - CommandAndControl
+  - Collection
+query: |
+    let ConnectionData_DefenderForIoT_GetIoTDevice2IoTDevice = (v_IoTDevice_DeviceId:string) {
+    let connectionData = SecurityIoTRawEvent 
+    | extend ClientDeviceType = todynamic(extractjson("$ClientDevice", EventDetails)).deviceType
+    | extend ClientDeviceId = todynamic(extractjson("$ClientDevice", EventDetails)).deviceId
+    | extend ClientIpAddress = todynamic(extractjson("$ClientDevice", EventDetails)).ipAddress
+    | extend ClientisExternal = todynamic(extractjson("$ClientDevice", EventDetails)).isExternal
+    | extend ServerDeviceType = todynamic(extractjson("$ServerDevice", EventDetails)).deviceType
+    | extend ServerDeviceId = todynamic(extractjson("$ServerDevice", EventDetails)).deviceId
+    | extend ServerIpAddress = todynamic(extractjson("$ServerDevice", EventDetails)).ipAddress
+    | extend ServerisExternal = todynamic(extractjson("$ServerDevice", EventDetails)).isExternal
+    | extend ClientDeviceName = tostring(todynamic(extractjson("$ClientDevice", EventDetails)).deviceName)
+    | extend ServerDeviceName = tostring(todynamic(extractjson("$ServerDevice", EventDetails)).deviceName)
+    | extend Bandwidth = todynamic(extractjson("$Bandwidth", EventDetails))
+    | extend LastActivity = todynamic(extractjson("$LastActivity", EventDetails))
+    | extend Protocol = todynamic(extractjson("$Protocol", EventDetails))
+    | extend ServerPort = todynamic(extractjson("$ServerPort", EventDetails))
+    | extend ServerDevice = extractjson("$ServerDevice", EventDetails)
+    | extend ClientDevice = extractjson("$ClientDevice", EventDetails)
+    | extend SensorId = DeviceId
+    | extend ClientDeviceGUID = strcat(SensorId, "_", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, "_", ServerDeviceId);
+    connectionData
+    | where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId
+    | extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, "Outbound", "Inbound")
+    | project DeviceGUID = iff(Direction == "Outbound", ServerDeviceGUID, ClientDeviceGUID), 
+    DeviceType = iff(Direction == "Outbound", ServerDeviceType, ClientDeviceType),
+    DeviceIp = iff(Direction == "Outbound", ServerIpAddress, ClientIpAddress),
+    DeviceName = iff(Direction == "Outbound", ServerDeviceName, ClientDeviceName),
+    SensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort
+    | summarize TotalBandwidth = sum(Bandwidth), IoTDevice_Aux_LastActivity = max(LastActivity), IoTDevice_Aux_Protocols = make_set(Protocol), IoTDevice_Aux_ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_DeviceName =  DeviceName, IoTDevice_IpAddress_Address = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)
+    | project-rename IoTDevice_Aux_TotalBandwidth_MB = TotalBandwidth
+    | where IoTDevice_DeviceType !in ("", "Unknown", "Internet", "Multicast/Broadcast")
+    | extend IoTDevice_Aux_TotalBandwidth_MB = floor(todecimal(IoTDevice_Aux_TotalBandwidth_MB / 1000), 0.1)
+    | top 10 by IoTDevice_Aux_TotalBandwidth_MB
+    };
+    ConnectionData_DefenderForIoT_GetIoTDevice2IoTDevice('<DeviceId>')