| title | description | author | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|
Integrate Microsoft Sentinel and Microsoft Defender for IoT | Microsoft Docs |
This tutorial describes how to use the Microsoft Sentinel data connector and solution for Microsoft Defender for IoT to secure your entire OT environment. Detect and respond to OT threats, including multistage attacks that may cross IT and OT boundaries. |
batamig |
tutorial |
12/20/2021 |
bagol |
Microsoft Defender for IoT enables you to secure your entire OT environment, whether you need to protect existing OT devices or build security into new OT innovations.
Microsoft Sentinel and Microsoft Defender for IoT help to bridge the gap between IT and OT security challenges, and to empower SOC teams with out-of-the-box capabilities to efficiently and effectively detect and respond to OT threats. The integration between Microsoft Defender for IoT and Microsoft Sentinel helps organizations to quickly detect multistage attacks, which often cross IT and OT boundaries.
In this tutorial, you:
[!div class="checklist"]
- Connect Microsoft Sentinel to Defender for IoT
- Use Log Analytics to query for Defender for IoT alerts
- Install the Microsoft Sentinel solution for Defender for IoT
- Learn about the analytics rules, workbooks, and playbooks deployed to your Microsoft Sentinel workspace with the Defender for IoT solution
Before you start, make sure you have the following requirements on your workspace:
-
Read and Write permissions on your Microsoft Sentinel workspace
-
Contributor permissions on the subscription you want to connect
-
Defender for IoT must be enabled on your relevant IoT Hub instances.
Use the following procedure to verify or enable this setting if needed:
-
Go to the IoT Hub instance that you'd defined when onboarding your sensors in Defender for IoT.
-
Select Defender for IoT > Settings > Data Collection.
-
Under Microsoft Defender for IoT, select Enable Microsoft Defender for IoT.
-
For more information, see Permissions in Microsoft Sentinel and Quickstart: Get started with Defender for IoT.
Important
Currently, having both the Microsoft Defender for IoT and the Microsoft Defender for Cloud data connectors enabled on the same Microsoft Sentinel workspace simultaneously may result in duplicate alerts in Microsoft Sentinel. We recommend that you disconnect the Microsoft Defender for Cloud data connector before connecting to Microsoft Defender for IoT.
Start by enabling the Defender for IoT data connector to stream all your Defender for IoT events into Microsoft Sentinel.
To enable the Defender for IoT data connector:
-
In Microsoft Sentinel, under Configuration, select Data connectors, and then locate the Microsoft Defender for IoT data connector.
-
At the bottom right, select Open connector page.
-
On the Instructions tab, under Configuration, select Connect for each subscription whose alerts and device alerts you want to stream into Microsoft Sentinel.
If you've made any connection changes, it can take 10 seconds or more for the Subscription list to update.
[!TIP] If you see an error message, make sure that you have Defender for IoT enabled on at least one IoT Hub instance within your selected subscription.
For more information, see Connect Microsoft Sentinel to Azure, Windows, Microsoft, and Amazon services.
View Defender for IoT alerts in the Microsoft Sentinel Logs area.
-
In Microsoft Sentinel, select Logs > AzureSecurityOfThings > SecurityAlert, or search for SecurityAlert.
-
Use the following sample queries to filter the logs and view alerts generated by Defender for IoT:
To see all alerts generated by Defender for IoT:
SecurityAlert | where ProductName == "Azure Security Center for IoT"
To see specific sensor alerts generated by Defender for IoT:
SecurityAlert | where ProductName == "Azure Security Center for IoT" | where tostring(parse_json(ExtendedProperties).SensorId) == “<sensor_name>”
To see specific OT engine alerts generated by Defender for IoT:
SecurityAlert | where ProductName == "Azure Security Center for IoT" | where ProductComponentName == "MALWARE" SecurityAlert | where ProductName == "Azure Security Center for IoT" | where ProductComponentName == "ANOMALY" SecurityAlert | where ProductName == "Azure Security Center for IoT" | where ProductComponentName == "PROTOCOL_VIOLATION" SecurityAlert | where ProductName == "Azure Security Center for IoT" | where ProductComponentName == "POLICY_VIOLATION" SecurityAlert | where ProductName == "Azure Security Center for IoT" | where ProductComponentName == "OPERATIONAL"
To see high severity alerts generated by Defender for IoT:
SecurityAlert | where ProductName == "Azure Security Center for IoT" | where AlertSeverity == "High"
To see specific protocol alerts generated by Defender for IoT:
SecurityAlert | where ProductName == "Azure Security Center for IoT" | where tostring(parse_json(ExtendedProperties).Protocol) == "<protocol_name>"
Note
The Logs page in Microsoft Sentinel is based on Azure Monitor's Log Analytics.
For more information, see Log queries overview in the Azure Monitor documentation and the Write your first KQL query Learn module.
The IoT OT Threat Monitoring with Defender for IoT solution is a set of bundled content, including analytics rules, workbooks, and playbooks, configured specifically for Defender for IoT data. This solution currently supports only Operational Networks (OT/ICS).
Tip
Microsoft Sentinel solutions can help you onboard Microsoft Sentinel security content for a specific data connector using a single process. For example, the IoT OT Threat Monitoring with Defender for IoT supports the integration with Microsoft Sentinel's security orchestration, automation, and response (SOAR) capabilities by providing out-of-the-box and OT-optimized playbooks with automated response and prevention capabilities.
To install the solution
-
In Microsoft Sentinel, under Content management, select Content hub and then locate the IoT OT Threat Monitoring with Defender for IoT solution.
-
At the bottom right, select View details, and then Create. Select the subscription, resource group, and workspace where you want to install the solution, and then review the related security content that will be deployed.
When you're done, select Review + Create to install the solution.
For more information, see About Microsoft Sentinel content and solutions and Centrally discover and deploy out-of-the-box content and solutions.
Incidents are not created for alerts generated by Defender for IoT data by default.
You can ensure that Microsoft Sentinel creates incidents for relevant alerts generated by Defender for IoT, either by using out-of-the-box analytics rules provided in the IoT OT Threat Monitoring with Defender for IoT solution, configuring analytics rules manually, or by configuring your data connector to automatically create incidents for all alerts generated by Defender for IoT.
For more information, see:
Install the Defender for IoT solution to get out-of-the-box analytics rules deployed to your workspace, built specifically for Defender for IoT data.
The following table describes the out-of-the-box analytics rules provided in the IoT OT Threat Monitoring with Defender for IoT solution.
Tip
When working with the following analytics rules, we recommend that you turn off the default Microsoft Security Defender for the IoT analytics rules.
| Rule Name | Description |
|---|---|
| Illegal function codes for ICS/SCADA traffic | Illegal function codes in supervisory control and data acquisition (SCADA) equipment may indicate one of the following: - Improper application configuration, such as due to a firmware update or reinstallation. - Malicious activity. For example, a cyber threat that attempts to use illegal values within a protocol to exploit a vulnerability in the programmable logic controller (PLC), such as a buffer overflow. |
| Firmware update | Unauthorized firmware updates may indicate malicious activity on the network, such as a cyber threat that attempts to manipulate PLC firmware to compromise PLC function. |
| Unauthorized PLC changes | Unauthorized changes to PLC ladder logic code may be one of the following: - An indication of new functionality in the PLC. - Improper configuration of an application, such as due to a firmware update or reinstallation. - Malicious activity on the network, such as a cyber threat that attempts to manipulate PLC programming to compromise PLC function. |
| PLC insecure key state | The new mode may indicate that the PLC is not secure. Leaving the PLC in an insecure operating mode may allow adversaries to perform malicious activities on it, such as a program download. If the PLC is compromised, devices and processes that interact with it may be impacted. which may affect overall system security and safety. |
| PLC stop | The PLC stop command may indicate an improper configuration of an application that has caused the PLC to stop functioning, or malicious activity on the network. For example, a cyber threat that attempts to manipulate PLC programming to affect the functionality of the network. |
| Suspicious malware found in the network | Suspicious malware found on the network indicates that suspicious malware is trying to compromise production. |
| Multiple scans in the network | Multiple scans on the network can be an indication of one of the following: - A new device on the network - New functionality of an existing device - Misconfiguration of an application, such as due to a firmware update or re-installation - Malicious activity on the network for reconnaissance |
| Internet connectivity | An OT device communicating with internet addresses may indicate an improper application configuration, such as anti-virus software attempting to download updates from an external server, or malicious activity on the network. |
| Unauthorized device in the SCADA network | An unauthorized device on the network may be a legitimate, new device recently installed on the network, or an indication of unauthorized or even malicious activity on the network, such as a cyber threat attempting to manipulate the SCADA network. |
| Unauthorized DHCP configuration in the SCADA network | An unauthorized DHCP configuration on the network may indicate a new, unauthorized device operating on the network. This may be one a legitimate, new device recently deployed on the network, or an indication of unauthorized or even malicious activity on the network, such as a cyber threat attempting to manipulate the SCADA network. |
| Excessive login attempts | Excessive login attempts may indicate improper service configuration, human error, or malicious activity on the network, such as a cyber threat attempting to manipulate the SCADA network. |
| High bandwidth in the network | An unusually high bandwidth may be an indication of a new service/process on the network, such as backup, or an indication of malicious activity on the network, such as a cyber threat attempting to manipulate the SCADA network. |
| Denial of Service | This alert detects attacks that would prevent the use or proper operation of the DCS system. |
| Unauthorized remote access to the network | Unauthorized remote access to the network can compromise the target device. This means that if another device on the network is compromised, the target devices can be accessed remotely, increasing the attack surface. |
Manually create and manage analytics rules in the Microsoft Sentinel Analytics > Active rules page. For more information, see Detect threats out-of-the-box.
Use this option if you haven't yet installed the IoT OT Threat Monitoring with Defender for IoT solution, if you want to use the out-of-the-box analytics rules as templates for customized rules, or if you'd like to configure analytics rules for scenarios not covered by the solution.
You can configure the Defender for IoT data connector to automatically create incidents for all alerts generated by Defender for IoT.
In the Instructions tab of the data connector page, scroll down to the Create incidents section and select Enable.
Caution
This option may cause a large number of incidents to be created in your workspace.
To visualize and monitor your Defender for IoT data, use the workbooks deployed to your Microsoft Sentinel workspace as part of the IoT OT Threat Monitoring with Defender for IoT solution.
The Defender for IoT workbooks provide guided investigations for OT entities based on open incidents, alert notifications, and activities for OT assets. They also provide a hunting experience across the MITRE ATT&CK® framework for ICS, and are designed to enable analysts, security engineers, and MSSPs to gain situational awareness of OT security posture.
View workbooks in Microsoft Sentinel on the Threat management > Workbooks > My workbooks tab. For more information, see Visualize collected data.
The following table describes the workbooks included in the IoT OT Threat Monitoring with Defender for IoT solution:
| Workbook | Description | Logs |
|---|---|---|
| Alerts | Displays data such as: Alert Metrics, Topmost Alerts, Alert over time, Alert by Severity, Alert by Engine, Alert by Device Type, Alert by Vendor and Alert by IP address. | Uses data from the following log: SecurityAlert |
| Incidents | Displays data such as: - Incident Metrics, Topmost Incident, Incident over time, Incident by Protocol, Incident by Device Type, Incident by Vendor, and Incident by IP address. - Incident by Severity, Incident Mean time to respond, Incident Mean time to resolve and Incident close reasons. |
Uses data from the following log: SecurityAlert |
| MITRE ATT&CK® for ICS | Displays data such as: Tactic Count, Tactic Details, Tactic over time, Technique Count. | Uses data from the following log: SecurityAlert |
| Device Inventory | Displays data such as: OT device name, type, IP address, Mac address, Model, OS, Serial Number, Vendor, Protocols. | Uses data from the following log: SecurityAlert |
Playbooks are collections of automated remediation actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively.
The playbooks described in the following sections are deployed to your Microsoft Sentinel workspace as part of the IoT OT Threat Monitoring with Defender for IoT solution.
For more information, see:
- Tutorial: Use playbooks with automation rules in Microsoft Sentinel
- Automate threat response with playbooks in Microsoft Sentinel
Playbook name: AD4IoT-AutoCloseIncidents
In some cases, maintenance activities generate alerts in Microsoft Sentinel that can distract a SOC team from handling the real problems. This playbook automatically closes incidents created from such alerts during a specified maintenance period, explicitly parsing the IoT device entity fields.
To use this playbook:
- Enter the relevant time period when the maintenance is expected to occur, and the IP addresses of any relevant assets, such as listed in an Excel file.
- Create a watchlist that includes al the asset IP addresses on which alerts should be handled automatically.
Playbook name: AD4IoT-MailByProductionLine
This playbook sends mail to notify specific stakeholders about alerts and events that occur in your environment.
For example, when you have specific security teams assigned to specific product lines or geographic locations, you'll want that team to be notified about alerts that are relevant to their responsibilities.
To use this playbook, create a watchlist that maps between the sensor names and the mailing addresses of each of the stakeholders you want to alert.
Playbook name AD4IoT-NewAssetServiceNowTicket
Typically, the entity authorized to program a PLC is the Engineering Workstation. Therefore, attackers might create new Engineering Workstations in order to create malicious PLC programming.
This playbook opens a ticket in ServiceNow each time a new Engineering Workstation is detected, explicitly parsing the IoT device entity fields.
For more information, see: