Tutorial: Integrate Microsoft Sentinel and Microsoft Defender for IoT

Microsoft Defender for IoT enables you to secure your entire OT environment, whether you need to protect existing OT devices or build security into new OT innovations.

Microsoft Sentinel and Microsoft Defender for IoT help to bridge the gap between IT and OT security challenges, and to empower SOC teams with out-of-the-box capabilities to efficiently and effectively detect and respond to OT threats. The integration between Microsoft Defender for IoT and Microsoft Sentinel helps organizations to quickly detect multistage attacks, which often cross IT and OT boundaries.

In this tutorial, you:

  • Connect Microsoft Sentinel to Defender for IoT
  • Use Log Analytics to query for Defender for IoT alerts
  • Install the Microsoft Sentinel solution for Defender for IoT
  • Learn about the analytics rules, workbooks, and playbooks deployed to your Microsoft Sentinel workspace with the Defender for IoT solution

Prerequisites

Before you start, make sure you have the following requirements on your workspace:

  • Read and Write permissions on your Microsoft Sentinel workspace

  • Contributor permissions on the subscription you want to connect

  • Defender for IoT must be enabled on your relevant IoT Hub instances.

    Use the following procedure to verify or enable this setting if needed:

    1. Go to the IoT Hub instance that you'd defined when onboarding your sensors in Defender for IoT.

    2. Select Defender for IoT > Settings > Data Collection.

    3. Under Microsoft Defender for IoT, select Enable Microsoft Defender for IoT.

For more information, see Permissions in Microsoft Sentinel and Quickstart: Get started with Defender for IoT.

Important

Currently, having both the Microsoft Defender for IoT and the Microsoft Defender for Cloud data connectors enabled on the same Microsoft Sentinel workspace simultaneously may result in duplicate alerts in Microsoft Sentinel. We recommend that you disconnect the Microsoft Defender for Cloud data connector before connecting to Microsoft Defender for IoT.

Connect your data from Defender for IoT to Microsoft Sentinel

Start by enabling the Defender for IoT data connector to stream all your Defender for IoT events into Microsoft Sentinel.

To enable the Defender for IoT data connector:

  1. In Microsoft Sentinel, under Configuration, select Data connectors, and then locate the Microsoft Defender for IoT data connector.

  2. At the bottom right, select Open connector page.

  3. On the Instructions tab, under Configuration, select Connect for each subscription whose alerts and device alerts you want to stream into Microsoft Sentinel.

    If you've made any connection changes, it can take 10 seconds or more for the Subscription list to update.

    Tip

    If you see an error message, make sure that you have Defender for IoT enabled on at least one IoT Hub instance within your selected subscription.

For more information, see Connect Microsoft Sentinel to Azure, Windows, Microsoft, and Amazon services.

View Defender for IoT alerts

View Defender for IoT alerts in the Microsoft Sentinel Logs area.

  1. In Microsoft Sentinel, select Logs > AzureSecurityOfThings > SecurityAlert, or search for SecurityAlert.

  2. Use the following sample queries to filter the logs and view alerts generated by Defender for IoT:

    To see all alerts generated by Defender for IoT:

    SecurityAlert | where ProductName == "Azure Security Center for IoT"
    

    To see specific sensor alerts generated by Defender for IoT:

    SecurityAlert
    | where ProductName == "Azure Security Center for IoT"
    | where tostring(parse_json(ExtendedProperties).SensorId) == "<sensor_name>"
    

    To see specific OT engine alerts generated by Defender for IoT:

    SecurityAlert
    | where ProductName == "Azure Security Center for IoT"
    | where ProductComponentName == "MALWARE"
    
    SecurityAlert
    | where ProductName == "Azure Security Center for IoT"
    | where ProductComponentName == "ANOMALY"
    
    SecurityAlert
    | where ProductName == "Azure Security Center for IoT"
    | where ProductComponentName == "PROTOCOL_VIOLATION"
    
    SecurityAlert
    | where ProductName == "Azure Security Center for IoT"
    | where ProductComponentName == "POLICY_VIOLATION"
    
    SecurityAlert
    | where ProductName == "Azure Security Center for IoT"
    | where ProductComponentName == "OPERATIONAL"
    

    To see high severity alerts generated by Defender for IoT:

    SecurityAlert
    | where ProductName == "Azure Security Center for IoT"
    | where AlertSeverity == "High"
    

    To see specific protocol alerts generated by Defender for IoT:

    SecurityAlert
    | where ProductName == "Azure Security Center for IoT"
    | where tostring(parse_json(ExtendedProperties).Protocol) == "<protocol_name>"
    
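The queries above each filter on one engine, one sensor, or one severity. The following KQL query is an added example, not one of the page's own queries, that generalizes them into a single pass: it extracts SensorId and Protocol from ExtendedProperties once, keeps only the five OT engine names the page lists, and summarizes alert volume per engine. The ProductName, ProductComponentName values and ExtendedProperties keys are taken from the page; the 7-day lookback is a constructed value.

```kql
// Added example: per-engine summary of Defender for IoT alerts in Microsoft Sentinel.
// Column names and engine values follow the queries on this page; the lookback window
// is a constructed value for illustration.
let lookback = 7d;
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProductName == "Azure Security Center for IoT"
// ExtendedProperties is a JSON string; parse it once and pull out the fields we need.
| extend Props = parse_json(ExtendedProperties)
| extend SensorId = tostring(Props.SensorId),
         Protocol = tostring(Props.Protocol)
// Restrict to the OT detection engines described on this page.
| where ProductComponentName in ("MALWARE", "ANOMALY", "PROTOCOL_VIOLATION",
                                 "POLICY_VIOLATION", "OPERATIONAL")
| summarize AlertCount   = count(),
            HighSeverity = countif(AlertSeverity == "High"),
            Sensors      = make_set(SensorId),
            Protocols    = make_set(Protocol)
    by ProductComponentName
| order by HighSeverity desc, AlertCount desc
```

Run it from the Logs page with the same SecurityAlert table as the page's queries. A sudden jump in the PROTOCOL_VIOLATION or MALWARE row, or a sensor that appears in the Sensors set for the first time, is the kind of change worth turning into a scheduled analytics rule rather than reviewing by hand.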

Note

The Logs page in Microsoft Sentinel is based on Azure Monitor's Log Analytics.

For more information, see Log queries overview in the Azure Monitor documentation and the Write your first KQL query Learn module.

Understand alert timestamps

Defender for IoT alerts, in both the Azure portal and on the sensor console, track the time an alert was first detected, last detected, and last changed.

The following table describes the Defender for IoT alert timestamp fields, with a mapping to the relevant fields from Log Analytics shown in Microsoft Sentinel.

Defender for IoT field | Description | Log Analytics field
First detection | Defines the first time the alert was detected in the network. | StartTime
Last detection | Defines the last time the alert was detected in the network, and replaces the Detection time column. | EndTime
Last activity | Defines the last time the alert was changed, including manual updates for severity or status, or automated changes for device updates or device/alert de-duplication. | TimeGenerated

In Defender for IoT on the Azure portal and the sensor console, the Last detection column is shown by default. Edit the columns on the Alerts page to show the First detection and Last activity columns as needed.

For more information, see View alerts on the Defender for IoT portal and View alerts on your sensor.
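The timestamp mapping above is easiest to understand with a query that uses all three fields. The following KQL is an added example, not from the page: it computes how long each alert kept re-triggering (StartTime to EndTime) and how long it has been since it last changed (TimeGenerated). Because every status or severity change is recorded with a later TimeGenerated, the query first keeps only the newest row per SystemAlertId so that one alert is not counted several times. The 30-day window and the one-day threshold are constructed values.

```kql
// Added example: long-running Defender for IoT alerts, using the Log Analytics
// fields mapped on this page (StartTime, EndTime, TimeGenerated).
// The lookback window and the 1d threshold are constructed values.
SecurityAlert
| where TimeGenerated > ago(30d)
| where ProductName == "Azure Security Center for IoT"
// Each update to an alert produces a new row; keep the latest row per alert.
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| extend ActiveFor       = EndTime - StartTime,   // first detection -> last detection
         SinceLastChange = now() - TimeGenerated  // time since last activity
// Alerts that kept being detected for more than a day deserve a closer look.
| where ActiveFor > 1d
| project AlertName, AlertSeverity, ProductComponentName,
          FirstDetection = StartTime,
          LastDetection  = EndTime,
          LastActivity   = TimeGenerated,
          ActiveFor, SinceLastChange
| order by ActiveFor desc
```

A large ActiveFor combined with a large SinceLastChange usually means an alert that nobody has triaged, which is exactly the case the status-sync playbook later on this page is meant to surface.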

Install the Defender for IoT solution

The IoT OT Threat Monitoring with Defender for IoT solution is a set of bundled content, including analytics rules, workbooks, and playbooks, configured specifically for Defender for IoT data. This solution currently supports only Operational Networks (OT/ICS).

Tip

Microsoft Sentinel solutions can help you onboard Microsoft Sentinel security content for a specific data connector using a single process. For example, the IoT OT Threat Monitoring with Defender for IoT supports the integration with Microsoft Sentinel's security orchestration, automation, and response (SOAR) capabilities by providing out-of-the-box and OT-optimized playbooks with automated response and prevention capabilities.

To install the solution

  1. In Microsoft Sentinel, under Content management, select Content hub and then locate the IoT OT Threat Monitoring with Defender for IoT solution.

  2. At the bottom right, select View details, and then Create. Select the subscription, resource group, and workspace where you want to install the solution, and then review the related security content that will be deployed.

    When you're done, select Review + Create to install the solution.

For more information, see About Microsoft Sentinel content and solutions and Centrally discover and deploy out-of-the-box content and solutions.

Detect threats out-of-the-box with Defender for IoT data

Incidents aren't created for alerts generated by Defender for IoT data by default.

You can ensure that Microsoft Sentinel creates incidents for relevant alerts generated by Defender for IoT, either by using out-of-the-box analytics rules provided in the IoT OT Threat Monitoring with Defender for IoT solution, configuring analytics rules manually, or by configuring your data connector to automatically create incidents for all alerts generated by Defender for IoT.

For more information, see:

Visualize and monitor Defender for IoT data

To visualize and monitor your Defender for IoT data, use the workbooks deployed to your Microsoft Sentinel workspace as part of the IoT OT Threat Monitoring with Defender for IoT solution.

The Defender for IoT workbooks provide guided investigations for OT entities based on open incidents, alert notifications, and activities for OT assets. They also provide a hunting experience across the MITRE ATT&CK® framework for ICS, and are designed to enable analysts, security engineers, and MSSPs to gain situational awareness of OT security posture.

View workbooks in Microsoft Sentinel on the Threat management > Workbooks > My workbooks tab. For more information, see Visualize collected data.

The following table describes the workbooks included in the IoT OT Threat Monitoring with Defender for IoT solution:

Workbook | Description | Logs
Alerts | Displays data such as: Alert Metrics, Topmost Alerts, Alert over time, Alert by Severity, Alert by Engine, Alert by Device Type, Alert by Vendor, and Alert by IP address. | Uses data from the following log: SecurityAlert
Incidents | Displays data such as: Incident Metrics, Topmost Incident, Incident over time, Incident by Protocol, Incident by Device Type, Incident by Vendor, and Incident by IP address; Incident by Severity, Incident Mean time to respond, Incident Mean time to resolve, and Incident close reasons. | Uses data from the following log: SecurityAlert
MITRE ATT&CK® for ICS | Displays data such as: Tactic Count, Tactic Details, Tactic over time, Technique Count. | Uses data from the following log: SecurityAlert
Device Inventory | Displays data such as: OT device name, type, IP address, MAC address, Model, OS, Serial Number, Vendor, Protocols. | Uses data from the following log: SecurityAlert

Automate response to Defender for IoT alerts

Playbooks are collections of automated remediation actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively.

The playbooks described in the following sections are deployed to your Microsoft Sentinel workspace as part of the IoT OT Threat Monitoring with Defender for IoT solution.

For more information, see:

Automatically close incidents

Playbook name: AD4IoT-AutoCloseIncidents

In some cases, maintenance activities generate alerts in Microsoft Sentinel that can distract a SOC team from handling the real problems. This playbook automatically closes incidents created from such alerts during a specified maintenance period, explicitly parsing the IoT device entity fields.

To use this playbook:

  • Enter the time period during which the maintenance is expected to occur, and the IP addresses of the relevant assets (for example, from a list maintained in an Excel file).
  • Create a watchlist that includes all the asset IP addresses on which alerts should be handled automatically.
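Before letting the playbook close incidents automatically, it helps to see which alerts it would actually suppress. The following KQL is an added example, not part of the page or the AD4IoT-AutoCloseIncidents playbook: it joins Defender for IoT alerts to a watchlist of maintenance assets and flags alerts whose first detection falls inside the maintenance window for that asset. The watchlist alias OT_MaintenanceAssets and its columns AssetIp, WindowStart and WindowEnd are assumed names; the assumption that IP entities in the Entities column carry Type "ip" and an Address field is also the author's, not something the page states.

```kql
// Added example: preview which Defender for IoT alerts fall inside a maintenance
// window defined in a Microsoft Sentinel watchlist.
// Assumed watchlist alias and column names: OT_MaintenanceAssets(AssetIp, WindowStart, WindowEnd).
let maintenance = _GetWatchlist('OT_MaintenanceAssets')
    | project AssetIp     = tostring(AssetIp),
              WindowStart = todatetime(WindowStart),
              WindowEnd   = todatetime(WindowEnd);
SecurityAlert
| where TimeGenerated > ago(1d)
| where ProductName == "Azure Security Center for IoT"
// Expand the alert's entities and keep the IP entities (assumed shape: Type "ip", Address).
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) == "ip"
| extend AssetIp = tostring(Entity.Address)
| join kind=leftouter maintenance on AssetIp
// An alert is in maintenance only if the asset is on the watchlist AND the first
// detection time falls inside that asset's window.
| extend InWindow = isnotnull(WindowStart)
                    and StartTime between (WindowStart .. WindowEnd)
| summarize MaintenanceHits = countif(InWindow),
            Assets          = make_set(AssetIp)
    by SystemAlertId, AlertName, AlertSeverity, StartTime
| extend WouldAutoClose = MaintenanceHits > 0
| order by WouldAutoClose desc, StartTime desc
```

Review the rows where WouldAutoClose is true before enabling the playbook: a High severity MALWARE alert on a watchlisted asset is still worth a human look even during a maintenance window, so consider adding a severity filter to the watchlist logic rather than closing everything on the list.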

Email notifications by production line

Playbook name: AD4IoT-MailByProductionLine

This playbook sends mail to notify specific stakeholders about alerts and events that occur in your environment.

For example, when you have specific security teams assigned to specific product lines or geographic locations, you'll want that team to be notified about alerts that are relevant to their responsibilities.

To use this playbook, create a watchlist that maps between the sensor names and the mailing addresses of each of the stakeholders you want to alert.
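The routing decision the playbook makes can be previewed in KQL. The following query is an added example, not the AD4IoT-MailByProductionLine playbook's own logic: it resolves the SensorId from ExtendedProperties against a watchlist that maps sensor names to contact addresses and groups pending alerts per recipient. The watchlist alias OT_SensorContacts, its columns SensorName and ContactEmail, the fallback address, and the one-hour window are all assumed or constructed values.

```kql
// Added example: map Defender for IoT alerts to the stakeholder responsible for the sensor.
// Assumed watchlist alias and columns: OT_SensorContacts(SensorName, ContactEmail).
// The fallback mailbox and the lookback window are constructed values.
let contacts = _GetWatchlist('OT_SensorContacts')
    | project SensorName   = tostring(SensorName),
              ContactEmail = tostring(ContactEmail);
SecurityAlert
| where TimeGenerated > ago(1h)
| where ProductName == "Azure Security Center for IoT"
| where AlertSeverity in ("High", "Medium")
// SensorId is the same ExtendedProperties key the page's sensor query uses.
| extend SensorName = tostring(parse_json(ExtendedProperties).SensorId)
| join kind=leftouter contacts on SensorName
// Sensors missing from the watchlist still need an owner; route them to the SOC mailbox.
| extend ContactEmail = iff(isempty(ContactEmail), "soc-fallback@example.com", ContactEmail)
| summarize AlertCount = count(),
            Alerts     = make_list(bag_pack("name", AlertName,
                                            "severity", AlertSeverity,
                                            "engine", ProductComponentName,
                                            "firstSeen", StartTime))
    by ContactEmail, SensorName
| order by AlertCount desc
```

Any sensor that shows up with the fallback address is a gap in the watchlist; fix the mapping there rather than in the playbook, since the watchlist is the single place both the query and the playbook read from.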

Create a new ServiceNow ticket

Playbook name: AD4IoT-NewAssetServiceNowTicket

Typically, the entity authorized to program a PLC is the Engineering Workstation. Therefore, attackers might create new Engineering Workstations in order to create malicious PLC programming.

This playbook opens a ticket in ServiceNow each time a new Engineering Workstation is detected, explicitly parsing the IoT device entity fields.

Update alert statuses in Defender for IoT

Playbook name: AD4IoT-AutoAlertStatusSync

This playbook updates alert statuses in Defender for IoT whenever a related alert in Microsoft Sentinel has a Status update.

This synchronization overrides any status defined in Defender for IoT, in the Azure portal or the sensor console, so that the alert status matches the status of the related incident.

To use this playbook, make sure that you have the required role applied, valid connections where required, and an automation rule to connect incident triggers with the AD4IoT-AutoAlertStatusSync playbook:

To add the Security Admin role to the Azure subscription where the playbook is installed:

  1. Open the AD4IoT-AutoAlertStatusSync playbook from the Microsoft Sentinel Automation page.

  2. With the playbook opened as a Logic app, select Identity > System assigned, and then in the Permissions area, select the Azure role assignments button.

  3. In the Azure role assignments page, select Add role assignment.

  4. In the Add role assignment pane:

    • Define the Scope as Subscription
    • From the Subscription dropdown, select the subscription where your playbook is installed.
    • From the Role dropdown, select the Security Admin role, and then select Save.

To ensure that you have valid connections for each of your connection steps in the playbook:

  1. Open the AD4IoT-AutoAlertStatusSync playbook from the Microsoft Sentinel Automation page.

  2. With the playbook opened as a Logic app, select Logic app designer. If you have invalid connection details, you may have warning signs in both of the Connections steps. For example:

    Screenshot of the default AD4IOT AutoAlertStatusSync playbook.

  3. Select a Connections step to expand it and add a valid connection as needed.

To connect your incidents, relevant analytics rules, and the AD4IoT-AutoAlertStatusSync playbook:

Add a new Microsoft Sentinel automation rule, defined as follows:

  • In the Trigger field, select When an incident is updated

  • In the Conditions area, select If > Analytic rule name > Contains, and then select the specific analytics rules relevant for Defender for IoT in your organization.

    You may be using out-of-the-box analytics rules, or you may have modified the out-of-the-box content, or created your own. For more information, see Detect threats out-of-the-box with Defender for IoT data.

  • In the Actions area, select Run playbook > AD4IoT-AutoAlertStatusSync.

For example:

Screenshot of a Defender for IoT alert status sync automation rule.

Next steps

For more information, see: