Microsoft Defender for IoT alert reference
This article provides a reference of the alerts that are generated by Microsoft Defender for IoT network sensors, including a list of all alert types and descriptions. The reference also shows which alerts can be triaged as learnable or not, for more information on the learnable status, see Alert statuses and triaging options. You might use this reference to map alerts into playbooks, define forwarding rules on an Operational Technology (OT) network sensor, or other custom activity.
OT alerts turned off by default
Several alerts are turned off by default, as indicated by asterisks (*) in the tables below. OT sensor Admin users can enable or disable alerts from the Support page on a specific OT network sensor.
If you turn off alerts that are referenced in other places, such as alert forwarding rules, make sure to update those references as needed.
Alert severities
Defender for IoT alerts use the following severity levels:
| Azure portal | OT sensor | Description |
|---|---|---|
| High | Critical | Indicates a malicious attack that should be handled immediately. |
| Medium | Major | Indicates a security threat that's important to address. |
| Low | Minor, Warning | Indicates some deviation from the baseline behavior that might contain a security threat, or contains no security threats. |
Alert severities on this page list the severity as shown in the Azure portal.
Supported alert types
| Alert type | Description |
|---|---|
| Policy violation alerts | Triggered when the Policy Violation engine detects a deviation from traffic previously learned. For example: - A new device is detected. - A new configuration is detected on a device. - A device not defined as a programming device carries out a programming change. - A firmware version changed. |
| Protocol violation alerts | Triggered when the Protocol Violation engine detects packet structures or field values that don't comply with the protocol specification. |
| Operational alerts | Triggered when the Operational engine detects network operational incidents or a device malfunctioning. For example, a network device was stopped through a Stop PLC command, or an interface on a sensor stopped monitoring traffic. |
| Malware alerts | Triggered when the Malware engine detects malicious network activity. For example, the engine detects a known attack such as Conficker. |
| Anomaly alerts | Triggered when the Anomaly engine detects a deviation. For example, a device is performing network scans but isn't defined as a scanning device. |
Defender for IoT's alert detection policy steers the different alert engines to trigger alerts based on business impact and network context, and reduce low-value IT related alerts. For more information, see Focused alerts in OT/IT environments.
Supported alert categories
Each alert has one of the following categories:
- Abnormal Communication Behavior
- Abnormal HTTP Communication Behavior
- Authentication
- Backup
- Bandwidth Anomalies
- Buffer overflow
- Command Failures
- Configuration changes
- Custom Alerts
- Discovery
- Firmware change
- Illegal commands
- Internet Access
- Operation Failures
- Operational issues
- Programming
- Remote access
- Restart/Stop Commands
- Scan
- Sensor traffic
- Suspicion of malicious activity
- Suspicion of Malware
- Unauthorized Communication Behavior
- Unresponsive
Policy engine alerts
Policy engine alerts describe detected deviations from learned baseline behavior.
| Title | Description | Severity | Category | MITRE ATT&CK Tactics and techniques |
Learnable |
|---|---|---|---|---|---|
| Beckhoff Software Changed | Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. | Medium | Firmware Change | Tactics: - Inhibit Response Function - Persistence Techniques: - T0857: System Firmware |
Learnable |
| Database Login Failed | A failed sign-in attempt was detected from a source device to a destination server. This might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it. Threshold: 2 sign-in failures in 5 minutes |
Medium | Authentication | Tactics: - Lateral Movement - Collection Techniques: - T0812: Default Credentials - T0811: Data from Information Repositories |
Not learnable |
| Emerson ROC Firmware Version Changed | Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. | Medium | Firmware Change | Tactics: - Inhibit Response Function - Persistence Techniques: - T0857: System Firmware |
Learnable |
| External address within the network communicated with Internet | A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses. | High | Internet Access | Tactics: - Initial Access Techniques: - T0883: Internet Accessible Device |
Learnable |
| Field Device Discovered Unexpectedly | A new source device was detected on the network but isn't authorized. | Medium | Discovery | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Not learnable |
| Firmware Change Detected | Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. | Medium | Firmware Change | Tactics: - Inhibit Response Function - Persistence Techniques: - T0857: System Firmware |
Not learnable |
| Firmware Version Changed | Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. | Medium | Firmware Change | Tactics: - Inhibit Response Function - Persistence Techniques: - T0857: System Firmware |
Learnable |
| Foxboro I/A Unauthorized Operation | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Learnable |
| FTP Login Failed | A failed sign-in attempt was detected from a source device to a destination server. This alert might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it. | Medium | Authentication | Tactics: - Lateral Movement - Command And Control Techniques: - T0812: Default Credentials - T0869: Standard Application Layer Protocol |
Not learnable |
| Function Code Raised Unauthorized Exception * | A source device (secondary) returned an exception to a destination device (primary). | Medium | Command Failures | Tactics: - Inhibit Response Function Techniques: - T0835: Manipulate I/O Image |
Learnable |
| GOOSE Message Type Settings | Message (identified by protocol ID) settings were changed on a source device. | Low | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Learnable |
| Honeywell Firmware Version Changed | Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. | Medium | Firmware Change | Tactics: - Inhibit Response Function - Persistence Techniques: - T0857: System Firmware |
Learnable |
| Illegal HTTP Communication * | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Abnormal HTTP Communication Behavior | Tactics: - Discovery Techniques: - T0846: Remote System Discovery |
Learnable |
| Internet Access Detected | A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses. | Medium | Internet Access | Tactics: - Initial Access Techniques: - T0883: Internet Accessible Device |
Learnable |
| Mitsubishi Firmware Version Changed | Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. | Medium | Firmware Change | Tactics: - Inhibit Response Function - Persistence Techniques: - T0857: System Firmware |
Learnable |
| Modbus Address Range Violation | A primary device requested access to a new secondary memory address. | Medium | Unauthorized Communication Behavior | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Learnable |
| Modbus Firmware Version Changed | Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. | Medium | Firmware Change | Tactics: - Inhibit Response Function - Persistence Techniques: - T0857: System Firmware |
Learnable |
| New Activity Detected - CIP Class | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Discovery Techniques: - T0888: Remote System Information Discovery |
Learnable |
| New Activity Detected - CIP Class Service | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Inhibit Response Function Techniques: - T0836: Modify Parameter |
Learnable |
| New Activity Detected - CIP PCCC Command | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Inhibit Response Function Techniques: - T0836: Modify Parameter |
Learnable |
| New Activity Detected - CIP Symbol | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Inhibit Response Function Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Learnable |
| New Activity Detected - EtherNet/IP I/O Connection | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Discovery - Inhibit Response Function Techniques: - T0846: Remote System Discovery - T0835: Manipulate I/O Image |
Learnable |
| New Activity Detected - EtherNet/IP Protocol Command | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Inhibit Response Function Techniques: - T0836: Modify Parameter |
Learnable |
| New Activity Detected - GSM Message Code | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - CommandAndControl Techniques: - T0869: Standard Application Layer Protocol |
Learnable |
| New Activity Detected - LonTalk Command Codes | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Collection - Impair Process Control Techniques: - T0861 - Point & Tag Identification - T0855: Unauthorized Command Message |
Learnable |
| New Port Discovery | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Low | Discovery | Tactics: - Lateral Movement Techniques: - T0867: Lateral Tool Transfer |
Learnable |
| New Activity Detected - LonTalk Network Variable | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Learnable |
| New Activity Detected - Ovation Data Request | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Collection - Discovery Techniques: - T0801: Monitor Process State - T0888: Remote System Information Discovery |
Learnable |
| New Activity Detected - Read/Write Command (AMS Index Group) | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Configuration Changes | Tactics: - Impair Process Control - Inhibit Response Function Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Learnable |
| New Activity Detected - Read/Write Command (AMS Index Offset) | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Configuration Changes | Tactics: - Impair Process Control - Inhibit Response Function Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Learnable |
| New Activity Detected - Unauthorized DeltaV Message Type | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking |
Learnable |
| New Activity Detected - Unauthorized DeltaV ROC Operation | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking |
Learnable |
| New Activity Detected - Unauthorized RPC Message Type | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Learnable |
| New Activity Detected - Using AMS Protocol Command | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Inhibit Response Function - Execution Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter - T0821: Modify Controller Tasking |
Learnable |
| New Activity Detected - Using Siemens SICAM Command | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Inhibit Response Function Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Learnable |
| New Activity Detected - Using Suitelink Protocol command | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Inhibit Response Function Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Learnable |
| New Activity Detected - Using Suitelink Protocol sessions | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Learnable |
| New Activity Detected - Using Yokogawa VNetIP Command | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking |
Learnable |
| New Asset Detected | A new source device was detected on the network but isn't authorized. This alert applies to devices discovered in OT subnets. New devices discovered in IT subnets don't trigger an alert. |
Medium | Discovery | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Learnable |
| New LLDP Device Configuration | A new source device was detected on the network but isn't authorized. | Medium | Configuration Changes | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Learnable |
| Omron FINS Unauthorized Command | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Learnable |
| S7 Plus PLC Firmware Changed | Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. | Medium | Firmware Change | Tactics: - Inhibit Response Function - Persistence Techniques: - T0857: System Firmware |
Learnable |
| Sampled Values Message Type Settings | Message (identified by protocol ID) settings were changed on a source device. | Low | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Not learnable |
| Suspicion of Illegal Integrity Scan * | A scan was detected on a DNP3 source device (outstation). This scan wasn't authorized as learned traffic on your network. | Medium | Scan | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Learnable |
| Toshiba Computer Link Unauthorized Command | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Low | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking |
Learnable |
| Unauthorized ABB Totalflow File Operation | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking |
Not learnable |
| Unauthorized ABB Totalflow Register Operation | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking |
Not learnable |
| Unauthorized Access to Siemens S7 Data Block | A source device attempted to access a resource on another device. An access attempt to this resource between these two devices isn't authorized as learned traffic on your network. | Low | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Initial Access Techniques: - T0855: Unauthorized Command Message - T0811: Data from Information Repositories |
Learnable |
| Unauthorized Access to Siemens S7 Plus Object | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution - Inhibit Response Function Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking - T0809: Data Destruction |
Learnable |
| Unauthorized Access to Wonderware Tag | A source device attempted to access a resource on another device. An access attempt to this resource between these two devices isn't authorized as learned traffic on your network. | Medium | Unauthorized Communication Behavior | Tactics: - Collection - Impair Process Control Techniques: - T0861: Point & Tag Identification - T0855: Unauthorized Command Message |
Learnable |
| Unauthorized BACNet Object Access | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking |
Learnable |
| Unauthorized BACNet Route | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking |
Learnable |
| Unauthorized Database Login * | A sign-in attempt between a source client and destination server was detected. Communication between these devices isn't authorized as learned traffic on your network. | Medium | Authentication | Tactics: - Lateral Movement - Persistence - Collection Techniques: - T0859: Valid Accounts - T0811: Data from Information Repositories |
Learnable |
| Unauthorized Database Operation | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Abnormal Communication Behavior | Tactics: - Impair Process Control - Initial Access Techniques: - T0855: Unauthorized Command Message - T0811: Data from Information Repositories |
Learnable |
| Unauthorized Emerson ROC Operation | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking |
Learnable |
| Unauthorized GE SRTP File Access | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Collection - LateralMovement - Persistence Techniques: - T0801: Monitor Process State - T0859: Valid Accounts |
Learnable |
| Unauthorized GE SRTP Protocol Command | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking |
Learnable |
| Unauthorized GE SRTP System Memory Operation | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Discovery - Impair Process Control Techniques: - T0846: Remote System Discovery - T0855: Unauthorized Command Message |
Learnable |
| Unauthorized HTTP Activity | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Abnormal HTTP Communication Behavior | Tactics: - Initial Access - Command And Control Techniques: - T0822: External Remote Services - T0869: Standard Application Layer Protocol |
Learnable |
| Unauthorized HTTP SOAP Action * | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Abnormal HTTP Communication Behavior | Tactics: - Command And Control - Execution Techniques: - T0869: Standard Application Layer Protocol - T0871: Execution through API |
Learnable |
| Unauthorized HTTP User Agent * | An unauthorized application was detected on a source device. The application isn't authorized as a learned application on your network. | Medium | Abnormal HTTP Communication Behavior | Tactics: - Command And Control Techniques: - T0869: Standard Application Layer Protocol |
Learnable |
| Unauthorized Internet Connectivity Detected | A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses. | High | Internet Access | Tactics: - Initial Access Techniques: - T0883: Internet Accessible Device |
Learnable |
| Unauthorized Mitsubishi MELSEC Command | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking |
Learnable |
| Unauthorized MMS Program Access | A source device attempted to access a resource on another device. An access attempt to this resource between these two devices isn't authorized as learned traffic on your network. | Medium | Programming | Tactics: - Impair Process Control - Execution Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking |
Learnable |
| Unauthorized MMS Service | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution Techniques: - T0855: Unauthorized Command Message - T0821: Modify Controller Tasking |
Learnable |
| Unauthorized Multicast/Broadcast Connection | A Multicast/Broadcast connection was detected between a source device and other devices. Multicast/Broadcast communication isn't authorized. | High | Abnormal Communication Behavior | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Learnable |
| Unauthorized Name Query | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Abnormal Communication Behavior | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Not learnable |
| Unauthorized OPC UA Activity | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Learnable |
| Unauthorized OPC UA Request/Response | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Learnable |
| Unauthorized Operation was detected by a User Defined Rule | Traffic was detected between two devices. This activity is unauthorized, based on a Custom Alert Rule defined by a user. | Medium | Custom Alerts | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Not learnable |
| Unauthorized PLC Configuration Read | The source device isn't defined as a programming device but performed a read/write operation on a destination controller. Programming changes should only be performed by programming devices. A programming application might have been installed on this device. | Low | Configuration Changes | Tactics: - Collection Techniques: - T0801: Monitor Process State |
Learnable |
| Unauthorized PLC Configuration Write | The source device sent a command to read/write the program of a destination controller. This activity wasn't previously seen. | Medium | Configuration Changes | Tactics: - Impair Process Control - Persistence - Impact Techniques: - T0839: Module Firmware - T0831: Manipulation of Control - T0889: Modify Program |
Learnable |
| Unauthorized PLC Program Upload | The source device sent a command to read/write the program of a destination controller. This activity wasn't previously seen. | Medium | Programming | Tactics: - Impair Process Control - Persistence - Collection Techniques: - T0839: Module Firmware - T0845: Program Upload |
Learnable |
| Unauthorized PLC Programming | The source device isn't defined as a programming device but performed a read/write operation on a destination controller. Programming changes should only be performed by programming devices. A programming application might have been installed on this device. | High | Programming | Tactics: - Impair Process Control - Persistence - Lateral Movement Techniques: - T0839: Module Firmware - T0889: Modify Program - T0843: Program Download |
Learnable |
| Unauthorized Profinet Frame Type | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Learnable |
| Unauthorized SAIA S-Bus Command | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Learnable |
| Unauthorized Siemens S7 Execution of Control Function | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Inhibit Response Function Techniques: - T0855: Unauthorized Command Message - T0809: Data Destruction |
Learnable |
| Unauthorized Siemens S7 Execution of User Defined Function | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution Techniques: - T0836: Modify Parameter - T0863: User Execution |
Learnable |
| Unauthorized Siemens S7 Plus Block Access | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Inhibit Response Function - Persistence - Execution Techniques: - T0803 - Block Command Message - T0889: Modify Program - T0821: Modify Controller Tasking |
Learnable |
| Unauthorized Siemens S7 Plus Operation | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control - Execution Techniques: - T0855: Unauthorized Command Message - T0863: User Execution |
Learnable |
| Unauthorized SMB Login | A sign-in attempt between a source client and destination server was detected. Communication between these devices isn't authorized as learned traffic on your network. | Medium | Authentication | Tactics: - Initial Access - Lateral Movement - Persistence Techniques: - T0886: Remote Services - T0859: Valid Accounts |
Learnable |
| Unauthorized SNMP Operation | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Abnormal Communication Behavior | Tactics: - Discovery - Command And Control Techniques: - T0842: Network Sniffing - T0885: Commonly Used Port |
Learnable |
| Unauthorized SSH Access | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Remote Access | Tactics: - InitialAccess - Lateral Movement - Command And Control Techniques: - T0886: Remote Services - T0869: Standard Application Layer Protocol |
Learnable |
| Unauthorized Windows Process | An unauthorized application was detected on a source device. The application isn't authorized as a learned application on your network. | Medium | Abnormal Communication Behavior | Tactics: - Execution - Privilege Escalation - Command And Control Techniques: - T0841: Hooking - T0885: Commonly Used Port |
Learnable |
| Unauthorized Windows Service | An unauthorized application was detected on a source device. The application isn't authorized as a learned application on your network. | Medium | Abnormal Communication Behavior | Tactics: - Initial Access - Lateral Movement Techniques: - T0866: Exploitation of Remote Services |
Learnable |
| Unauthorized Operation was detected by a User Defined Rule | New traffic parameters were detected. This parameter combination violates a user defined rule | Medium | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Not learnable | |
| Unpermitted Modbus Schneider Electric Extension | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Learnable |
| Unpermitted Usage of ASDU Types | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Learnable |
| Unpermitted Usage of DNP3 Function Code | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Learnable |
| Unpermitted Usage of Internal Indication (IIN) * | A DNP3 source device (outstation) reported an internal indication (IIN) that hasn't authorized as learned traffic on your network. | Medium | Illegal Commands | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Learnable |
| Unpermitted Usage of Modbus Function Code | New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. | Medium | Unauthorized Communication Behavior | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Learnable |
Anomaly engine alerts
Note
This article contains references to the term slave, a term that Microsoft no longer uses. When the term is removed from the software, we’ll remove it from this article.
Anomaly engine alerts describe detected anomalies in network activity.
| Title | Description | Severity | Category | MITRE ATT&CK Tactics and techniques |
Learnable |
|---|---|---|---|---|---|
| Abnormal Exception Pattern in Slave * | An excessive number of errors were detected on a source device. This alert might be the result of an operational issue. Threshold: 20 exceptions in 1 hour |
Low | Abnormal Communication Behavior | Tactics: - Impair Process Control Techniques: - T0806: Brute Force I/O |
Not learnable |
| Abnormal HTTP Header Length * | The source device sent an abnormal message. This alert might indicate an attempt to attack the destination device. | High | Abnormal HTTP Communication Behavior | Tactics: - Initial Access - Lateral Movement - Command And Control Techniques: - T0866: Exploitation of Remote Services - T0869: Standard Application Layer Protocol |
Learnable |
| Abnormal Number of Parameters in HTTP Header * | The source device sent an abnormal message. This alert might indicate an attempt to attack the destination device. | High | Abnormal HTTP Communication Behavior | Tactics: - Initial Access - Lateral Movement - Command And Control Techniques: - T0866: Exploitation of Remote Services - T0869: Standard Application Layer Protocol |
Learnable |
| Abnormal Periodic Behavior In Communication Channel | A change in the frequency of communication between the source and destination devices was detected. | Low | Abnormal Communication Behavior | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Learnable |
| Abnormal Termination of Applications * | An excessive number of stop commands were detected on a source device. This alert might be the result of an operational issue or an attempt to manipulate the device. Threshold: 20 stop commands in 3 hours |
Medium | Abnormal Communication Behavior | Tactics: - Persistence - Impact Techniques: - T0889: Modify Program - T0831: Manipulation of Control |
Learnable |
| Abnormal Traffic Bandwidth * | Abnormal bandwidth was detected on a channel. Bandwidth appears to be lower/higher than previously detected. For details, work with the Total Bandwidth widget. | Low | Bandwidth Anomalies | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Learnable |
| Abnormal Traffic Bandwidth Between Devices * | Abnormal bandwidth was detected on a channel. Bandwidth appears to be lower/higher than previously detected. For details, work with the Total Bandwidth widget. | Low | Bandwidth Anomalies | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Not learnable |
| Address Scan Detected | A source device was detected scanning network devices. This device isn't authorized as a network scanning device. Threshold: 50 connections to the same B class subnet in 2 minutes |
High | Scan | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Learnable |
| ARP Address Scan Detected * | A source device was detected scanning network devices using Address Resolution Protocol (ARP). This device address isn't authorized as valid ARP scanning address. Threshold: 40 scans in 6 minutes |
High | Scan | Tactics: - Discovery - Collection Techniques: - T0842: Network Sniffing - T0830: Man in the Middle |
Learnable |
| ARP Spoofing * | An abnormal quantity of packets was detected in the network. This alert could indicate an attack, for example, an ARP spoofing or ICMP flooding attack. Threshold: 60 packets in 1 minute |
Low | Abnormal Communication Behavior | Tactics: - Collection Techniques: - T0830: Man in the Middle |
Not learnable |
| Excessive Login Attempts | A source device was seen performing excessive sign-in attempts to a destination server. This alert might indicate a brute force attack. The server might be compromised by a malicious actor. Threshold: 20 sign-in attempts in 1 minute |
High | Authentication | Tactics: - LateralMovement - Impair Process Control Techniques: - T0812: Default Credentials - T0806: Brute Force I/O |
Not learnable |
| Excessive Number of Sessions | A source device was seen performing excessive sign-in attempts to a destination server. This might indicate a brute force attack. The server might be compromised by a malicious actor. Threshold: 50 sessions in 1 minute |
High | Abnormal Communication Behavior | Tactics: - Lateral Movement - Impair Process Control Techniques: - T0812: Default Credentials - T0806: Brute Force I/O |
Not learnable |
| Excessive Restart Rate of an Outstation * | An excessive number of restart commands were detected on a source device. These alerts might be the result of an operational issue or an attempt to manipulate the device. Threshold: 10 restarts in 1 hour |
Medium | Restart/ Stop Commands | Tactics: - Inhibit Response Function - Impair Process Control Techniques: - T0814: Denial of Service - T0806: Brute Force I/O |
Not learnable |
| Excessive SMB login attempts | A source device was seen performing excessive sign-in attempts to a destination server. This might indicate a brute force attack. The server might be compromised by a malicious actor. Threshold: 10 sign-in attempts in 10 minutes |
High | Authentication | Tactics: - Persistence - Execution - LateralMovement Techniques: - T0812: Default Credentials - T0853: Scripting - T0859: Valid Accounts |
Not learnable |
| ICMP Flooding * | An abnormal quantity of packets was detected in the network. This alert could indicate an attack, for example, an ARP spoofing or ICMP flooding attack. Threshold: 60 packets in 1 minute |
Low | Abnormal Communication Behavior | Tactics: - Discovery - Collection Techniques: - T0842: Network Sniffing - T0830: Man in the Middle |
Not learnable |
| Illegal HTTP Header Content * | The source device initiated an invalid request. | High | Abnormal HTTP Communication Behavior | Tactics: - Initial Access - LateralMovement Techniques: - T0866: Exploitation of Remote Services |
Not learnable |
| Inactive Communication Channel * | A communication channel between two devices was inactive during a period in which activity is usually observed. This might indicate that the program generating this traffic was changed, or the program might be unavailable. It's recommended to review the configuration of installed program and verify that it's configured properly. Threshold: 1 minute |
Low | Unresponsive | Tactics: - Inhibit Response Function Techniques: - T0881: Service Stop |
Not lernable |
| Long Duration Address Scan Detected * | A source device was detected scanning network devices. This device isn't authorized as a network scanning device. Threshold: 50 connections to the same B class subnet in 10 minutes |
High | Scan | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Learnable |
| Password Guessing Attempt Detected | A source device was seen performing excessive sign-in attempts to a destination server. This might indicate a brute force attack. The server might be compromised by a malicious actor. Threshold: 100 attempts in 1 minute |
High | Authentication | Tactics: - Lateral Movement Techniques: - T0812: Default Credentials - T0806: Brute Force I/O |
Not learnable |
| PLC Scan Detected | A source device was detected scanning network devices. This device isn't authorized as a network scanning device. Threshold: 10 scans in 2 minutes |
High | Scan | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Learnable |
| Port Scan Detected | A source device was detected scanning network devices. This device isn't authorized as a network scanning device. Threshold: 25 scans in 2 minutes |
High | Scan | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Learnable |
| Unexpected message length | The source device sent an abnormal message. This alert might indicate an attempt to attack the destination device. Threshold: text length - 32768 |
High | Abnormal Communication Behavior | Tactics: - InitialAccess - LateralMovement Techniques: - T0869: Exploitation of Remote Services |
Not learnable |
| Unexpected Traffic for Standard Port * | Traffic was detected on a device using a port reserved for another protocol. | Medium | Abnormal Communication Behavior | Tactics: - Command And Control - Discovery Techniques: - T0869: Standard Application Layer Protocol - T0842: Network Sniffing |
Not learnable |
Protocol violation engine alerts
Protocol engine alerts describe detected deviations in the packet structure, or field values compared to protocol specifications.
| Title | Description | Severity | Category | MITRE ATT&CK Tactics and techniques |
Learnable |
|---|---|---|---|---|---|
| Excessive Malformed Packets In a Single Session * | An abnormal number of malformed packets sent from the source device to the destination device. This alert might indicate erroneous communications, or an attempt to manipulate the targeted device. Threshold: 2 malformed packets in 10 minutes |
Medium | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0806: Brute Force I/O |
Not learnable |
| Firmware Update | A source device sent a command to update firmware on a destination device. Verify that recent programming, configuration and firmware upgrades made to the destination device are valid. | Low | Firmware Change | Tactics: - Inhibit Response Function - Persistence Techniques: - T0857: System Firmware |
Learnable |
| Function Code Not Supported by Outstation | The destination device received an invalid request. | Medium | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Not learnable |
| Illegal BACNet message | The source device initiated an invalid request. | Medium | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Not learnable |
| Illegal Connection Attempt on Port 0 | A source device attempted to connect to destination device on port number zero (0). For TCP, port 0 is reserved and can’t be used. For UDP, the port is optional and a value of 0 means no port. There's usually no service on a system that listens on port 0. This event might indicate an attempt to attack the destination device, or indicate that an application was programmed incorrectly. | Low | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Not learnable |
| Illegal DNP3 Operation | The source device initiated an invalid request. | Medium | Illegal Commands | Tactics: - Initial Access - Lateral Movement Techniques: - T0866: Exploitation of Remote Services |
Not learnable |
| Illegal MODBUS Operation (Exception Raised by Master) | The source device initiated an invalid request. | Medium | Illegal Commands | Tactics: - Initial Access - Lateral Movement Techniques: - T0866: Exploitation of Remote Services |
Not learnable |
| Illegal MODBUS Operation (Function Code Zero) * | The source device initiated an invalid request. | Medium | Illegal Commands | Tactics: - Initial Access - Lateral Movement Techniques: - T0866: Exploitation of Remote Services |
Not learnable |
| Illegal Protocol Version * | The source device initiated an invalid request. | Medium | Illegal Commands | Tactics: - Initial Access - LateralMovement - Impair Process Control Techniques: - T0820: Remote Services - T0836: Modify Parameter |
Not learnable |
| Incorrect Parameter Sent to Outstation | The destination device received an invalid request. | Medium | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Not learnable |
| Initiation of an Obsolete Function Code (Initialize Data) | The source device initiated an invalid request. | Low | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Not learnable |
| Initiation of an Obsolete Function Code (Save Config) | The source device initiated an invalid request. | Low | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Not learnable |
| Master Requested an Application Layer Confirmation | The source device initiated an invalid request. | Low | Illegal Commands | Tactics: - Command And Control Techniques: - T0869: Standard Application Layer Protocol |
Not learnable |
| Modbus Exception | A source device (secondary) returned an exception to a destination device (primary). | Medium | Illegal Commands | Tactics: - Inhibit Response Function Techniques: - T0814: Denial of Service |
Not learnable |
| Slave Device Received Illegal ASDU Type | The destination device received an invalid request. | Medium | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Not learnable |
| Slave Device Received Illegal Command Cause of Transmission | The destination device received an invalid request. | Medium | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Not learnable |
| Slave Device Received Illegal Common Address | The destination device received an invalid request. | Medium | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Not learnable |
| Slave Device Received Illegal Data Address Parameter * | The destination device received an invalid request. | Medium | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Not learnable |
| Slave Device Received Illegal Data Value Parameter * | The destination device received an invalid request. | Medium | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Not learnable |
| Slave Device Received Illegal Function Code * | The destination device received an invalid request. | Medium | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Not learnable |
| Slave Device Received Illegal Information Object Address | The destination device received an invalid request. | Medium | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message - T0836: Modify Parameter |
Not learnable |
| Unknown Object Sent to Outstation | The destination device received an invalid request. | Medium | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Not learnable |
| Usage of a Reserved Function Code | The source device initiated an invalid request. | Medium | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Not learnable |
| Usage of Improper Formatting by Outstation * | The source device initiated an invalid request. | Low | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Not learnable |
| Usage of Reserved Status Flags (IIN) | A DNP3 source device (outstation) used the reserved Internal Indicator 2.6. It's recommended to check the device's configuration. | Low | Illegal Commands | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Not learnable |
Malware engine alerts
Malware engine alerts describe detected malicious network activity.
| Title | Description | Severity | Category | MITRE ATT&CK Tactics and techniques |
Learnable |
|---|---|---|---|---|---|
| Connection Attempt to Known Malicious IP | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. Triggered by both OT and Enterprise IoT network sensors. |
High | Suspicion of Malicious Activity | Tactics: - Initial Access - Command And Control Techniques: - T0883: Internet Accessible Device - T0884: Connection Proxy |
Not learnable |
| Invalid SMB Message (DoublePulsar Backdoor Implant) | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malware | Tactics: - Initial Access - LateralMovement Techniques: - T0866: Exploitation of Remote Services |
Not learnable |
| Malicious Domain Name Request | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. Triggered by both OT and Enterprise IoT network sensors. |
High | Suspicion of Malicious Activity | Tactics: - Initial Access - Command And Control Techniques: - T0883: Internet Accessible Device - T0884: Connection Proxy |
Learnable |
| Malware Test File Detected - EICAR AV Success | An EICAR AV test file was detected in traffic between two devices (over any transport - TCP or UDP). The file isn't malware. It's used to confirm that the antivirus software is installed correctly. Demonstrate what happens when a virus is found, and check internal procedures and reactions when a virus is found. Antivirus software should detect EICAR as if it were a real virus. | High | Suspicion of Malicious Activity | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Not learnable |
| Suspicion of Conficker Malware | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | Medium | Suspicion of Malware | Tactics: - Initial Access - Impact Techniques: - T0826: Loss of Availability - T0828: Loss of Productivity and Revenue - T0847: Replication Through Removable Media |
Not learnable |
| Suspicion of Denial Of Service Attack | A source device attempted to initiate an excessive number of new connections to a destination device. This might indicate a Denial Of Service (DOS) attack against the destination device, and might interrupt device functionality, affect performance and service availability, or cause unrecoverable errors. Threshold: 3000 attempts in 1 minute |
High | Suspicion of Malicious Activity | Tactics: - Inhibit Response Function Techniques: - T0814: Denial of Service |
Learnable |
| Suspicion of Malicious Activity | Suspicious network activity was detected. This activity might be associated with an attack that triggered known 'Indicators of Compromise' (IOCs). Alert metadata should be reviewed by the security team. | High | Suspicion of Malicious Activity | Tactics: - Lateral Movement Techniques: - T0867: Lateral Tool Transfer |
Not learnable |
| Suspicion of Malicious Activity (BlackEnergy) | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malware | Tactics: - Command And Control Techniques: - T0869: Standard Application Layer Protocol |
Not learnable |
| Suspicion of Malicious Activity (DarkComet) | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malware | Tactics: - Impact Techniques: - T0882: Theft of Operational Information |
Not learnable |
| Suspicion of Malicious Activity (Duqu) | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malware | Tactics: - Impact Techniques: - T0882: Theft of Operational Information |
Not learnable |
| Suspicion of Malicious Activity (Flame) | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malware | Tactics: - Collection - Impact Techniques: - T0882: Theft of Operational Information - T0811: Data from Information Repositories |
Not learnable |
| Suspicion of Malicious Activity (Havex) | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malware | Tactics: - Collection - Discovery - Inhibit Response Function Techniques: - T0861: Point & Tag Identification - T0846: Remote System Discovery - T0814: Denial of Service |
Not learnable |
| Suspicion of Malicious Activity (Karagany) | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malware | Tactics: - Impact Techniques: - T0882: Theft of Operational Information |
Not learnable |
| Suspicion of Malicious Activity (LightsOut) | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malware | Tactics: - Evasion Techniques: - T0849: Masquerading |
Not learnable |
| Suspicion of Malicious Activity (Name Queries) | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. Threshold: 25 name queries in 1 minute |
High | Suspicion of Malicious Activity | Tactics: - Command And Control Techniques: - T0884: Connection Proxy |
Not learnable |
| Suspicion of Malicious Activity (Poison Ivy) | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malware | Tactics: - Initial Access - Lateral Movement Techniques: - T0866: Exploitation of Remote Services |
Not learnable |
| Suspicion of Malicious Activity (Regin) | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malware | Tactics: - Initial Access - Lateral Movement - Impact Techniques: - T0866: Exploitation of Remote Services - T0882: Theft of Operational Information |
Not learnable |
| Suspicion of Malicious Activity (Stuxnet) | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malware | Tactics: - Initial Access - Lateral Movement - Impact Techniques: - T0818: Engineering Workstation Compromise - T0866: Exploitation of Remote Services - T0831: Manipulation of Control |
Not learnable |
| Suspicion of Malicious Activity (WannaCry) * | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | Medium | Suspicion of Malware | Tactics: - Initial Access - Lateral Movement Techniques: - T0866: Exploitation of Remote Services - T0867: Lateral Tool Transfer |
Not learnable |
| Suspicion of NotPetya Malware - Illegal SMB Parameters Detected | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malware | Tactics: - Initial Access - Lateral Movement Techniques: - T0866: Exploitation of Remote Services |
Not learnable |
| Suspicion of NotPetya Malware - Illegal SMB Transaction Detected | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malware | Tactics: - Lateral Movement Techniques: - T0867: Lateral Tool Transfer |
Not learnable |
| Suspicion of Remote Code Execution with PsExec | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malicious Activity | Tactics: - Lateral Movement - Initial Access Techniques: - T0866: Exploitation of Remote Services |
Not learnable |
| Suspicion of Remote Windows Service Management * | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malicious Activity | Tactics: - Initial Access Techniques: - T0822: NetworkExternal Remote Services |
Not learnable |
| Suspicious Executable File Detected on Endpoint | Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. | High | Suspicion of Malicious Activity | Tactics: - Evasion - Inhibit Response Function Techniques: - T0851: Rootkit |
Learnable |
| Suspicious Traffic Detected * | Suspicious network activity was detected. This activity might be associated with an attack that triggered known 'Indicators of Compromise' (IOCs). Alert metadata should be reviewed by the security team | High | Suspicion of Malicious Activity | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Not learnable |
| Backup Activity with Antivirus Signatures | Traffic detected between the source device and the destination backup server triggered this alert. The traffic includes backup of antivirus software that might contain malware signatures. This is most likely legitimate backup activity. | Low | Backup | Tactics: - Impact Techniques: - T0882: Theft of Operational Information |
Not learnable |
Operational engine alerts
Operational engine alerts describe detected operational incidents, or malfunctioning entities.
| Title | Description | Severity | Category | MITRE ATT&CK Tactics and techniques |
Learnable |
|---|---|---|---|---|---|
| An S7 Stop PLC Command was Sent | The source device sent a stop command to a destination controller. The controller stops operating until a start command is sent. | Low | Restart/ Stop Commands | Tactics: - Lateral Movement - Defense Evasion - Execution - Inhibit Response Function Techniques: - T0843: Program Download - T0858: Change Operating Mode - T0814: Denial of Service |
Not learnable |
| BACNet Operation Failed | A server returned an error code. This alert indicates a server error or an invalid request by a client. | Medium | Command Failures | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Not learnable |
| Bad MMS Device State | An MMS Virtual Manufacturing Device (VMD) sent a status message. The message indicates that the server might not be configured correctly, partially operational, or not operational at all. | Medium | Operational Issues | Tactics: - Inhibit Response Function Techniques: - T0814: Denial of Service |
Not learnable |
| Change of Device Configuration * | A configuration change was detected on a source device. | Low | Configuration Changes | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Not learnable |
| Continuous Event Buffer Overflow at Outstation * | A buffer overflow event was detected on a source device. The event might cause data corruption, program crashes, or execution of malicious code. Threshold: 3 occurrences in 10 minutes |
Medium | Buffer Overflow | Tactics: - Inhibit Response Function - Impair Process Control - Persistence Techniques: - T0814: Denial of Service - T0806: Brute Force I/O - T0839: Module Firmware |
Not learnable |
| Controller Reset | A source device sent a reset command to a destination controller. The controller stopped operating temporarily and started again automatically. | Low | Restart/ Stop Commands | Tactics: - Defense Evasion - Execution - Inhibit Response Function Techniques: - T0858: Change Operating Mode - T0814: Denial of Service |
Not learnable |
| Controller Stop | The source device sent a stop command to a destination controller. The controller stops operating until a start command is sent. | Low | Restart/ Stop Commands | Tactics: - Lateral Movement - Defense Evasion - Execution - Inhibit Response Function Techniques: - T0843: Program Download - T0858: Change Operating Mode - T0814: Denial of Service |
Not learnable |
| Device Failed to Receive a Dynamic IP Address | The source device is configured to receive a dynamic IP address from a DHCP server but didn't receive an address. This indicates a configuration error on the device, or an operational error in the DHCP server. It's recommended to notify the network administrator of the incident | Medium | Command Failures | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Not learnable |
| Device is Suspected to be Disconnected (Unresponsive) | A source device didn't respond to a command sent to it. It might have been disconnected when the command was sent. Threshold: 8 attempts in 5 minutes |
Medium | Unresponsive | Tactics: - Inhibit Response Function Techniques: - T0881: Service Stop |
Not learnable |
| EtherNet/IP CIP Service Request Failed | A server returned an error code. This indicates a server error or an invalid request by a client. | Medium | Command Failures | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Not learnable |
| EtherNet/IP Encapsulation Protocol Command Failed | A server returned an error code. This indicates a server error or an invalid request by a client. | Medium | Command Failures | Tactics: - Collection Techniques: - T0801: Monitor Process State |
Not learnable |
| Event Buffer Overflow in Outstation | A buffer overflow event was detected on a source device. The event might cause data corruption, program crashes, or execution of malicious code. | Medium | Buffer Overflow | Tactics: - Inhibit Response Function - Impair Process Control - Persistence Techniques: - T0814: Denial of Service - T0839: Module Firmware |
Not learnable |
| Expected Backup Operation Did Not Occur | Expected backup/file transfer activity didn't occur between two devices. This alert might indicate errors in the backup / file transfer process. Threshold: 100 seconds |
Medium | Backup | Tactics: - Inhibit Response Function Techniques: - T0809: Data Destruction |
Learnable |
| GE SRTP Command Failure | A server returned an error code. This alert indicates a server error or an invalid request by a client. | Medium | Command Failures | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Not learnable |
| GE SRTP Stop PLC Command was Sent | The source device sent a stop command to a destination controller. The controller stops operating until a start command is sent. | Low | Restart/ Stop Commands | Tactics: - Lateral Movement - Defense Evasion - Execution - Inhibit Response Function Techniques: - T0843: Program Download - T0858: Change Operating Mode - T0814: Denial of Service |
Not learnable |
| GOOSE Control Block Requires Further Configuration | A source device sent a GOOSE message indicating that the device needs commissioning. This means that the GOOSE control block requires further configuration and GOOSE messages are partially or completely non-operational. | Medium | Configuration Changes | Tactics: - Impair Process Control - Inhibit Response Function Techniques: - T0803: Block Command Message - T0821: Modify Controller Tasking |
Not learnable |
| GOOSE Dataset Configuration was Changed * | A message (identified by protocol ID) dataset was changed on a source device. This means the device reports a different dataset for this message. | Low | Configuration Changes | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Not learnable |
| Honeywell Controller Unexpected Status | A Honeywell Controller sent an unexpected diagnostic message indicating a status change. | Low | Operational Issues | Tactics: - Evasion - Execution Techniques: - T0858: Change Operating Mode |
Not learnable |
| HTTP Client Error * | The source device initiated an invalid request. | Low | Abnormal HTTP Communication Behavior | Tactics: - Command And Control Techniques: - T0869: Standard Application Layer Protocol |
Not learnable |
| Illegal IP Address | System detected traffic between a source device and an IP address that is an invalid address. This might indicate wrong configuration or an attempt to generate illegal traffic. | Low | Abnormal Communication Behavior | Tactics: - Discovery - Impair Process Control Techniques: - T0842: Network Sniffing - T0836: Modify Parameter |
Not learnable |
| Master-Slave Authentication Error | The authentication process between a DNP3 source device (primary) and a destination device (outstation) failed. | Low | Authentication | Tactics: - Lateral Movement - Persistence Techniques: - T0859: Valid Accounts |
Not learnable |
| MMS Service Request Failed | A server returned an error code. This indicates a server error or an invalid request by a client. | Medium | Command Failures | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Not learnable |
| No Traffic Detected on Sensor Interface | A sensor stopped detecting network traffic on a network interface. | High | Sensor Traffic | Tactics: - Inhibit Response Function Techniques: - T0881: Service Stop |
Not learnable |
| OPC UA Server Raised an Event That Requires User's Attention | An OPC UA server sent an event notification to a client. This type of event requires user attention | Medium | Operational Issues | Tactics: - Inhibit Response Function Techniques: - T0838: Modify Alarm Settings |
Not learnable |
| OPC UA Service Request Failed | A server returned an error code. This indicates a server error or an invalid request by a client. | Medium | Command Failures | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Not learnable |
| Outstation Restarted | A cold restart was detected on a source device. This means the device was physically turned off and back on again. | Low | Restart/ Stop Commands | Tactics: - Inhibit Response Function Techniques: - T0816: Device Restart/Shutdown |
Not learnable |
| Outstation Restarts Frequently | An excessive number of cold restarts were detected on a source device. This means the device was physically turned off and back on again an excessive number of times. Threshold: 2 restarts in 10 minutes |
Low | Restart/ Stop Commands | Tactics: - Inhibit Response Function Techniques: - T0814: Denial of Service - T0816: Device Restart/Shutdown |
Not learnable |
| Outstation's Configuration Changed | A configuration change was detected on a source device. | Medium | Configuration Changes | Tactics: - Inhibit Response Function - Persistence Techniques: - T0857: System Firmware |
Not learnable |
| Outstation's Corrupted Configuration Detected | This DNP3 source device (outstation) reported a corrupted configuration. | Medium | Configuration Changes | Tactics: - Inhibit Response Function Techniques: - T0809: Data Destruction |
Not learnable |
| Profinet DCP Command Failed | A server returned an error code. This indicates a server error or an invalid request by a client. | Medium | Command Failures | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Not learnable |
| Profinet Device Factory Reset | A source device sent a factory reset command to a Profinet destination device. The reset command clears Profinet device configurations and stops its operation. | Low | Restart/ Stop Commands | Tactics: - Defense Evasion - Execution - Inhibit Response Function Techniques: - T0858: Change Operating Mode - T0814: Denial of Service |
Not learnable |
| RPC Operation Failed * | A server returned an error code. This alert indicates a server error or an invalid request by a client. | Medium | Command Failures | Tactics: - Impair Process Control Techniques: - T0855: Unauthorized Command Message |
Not learnable |
| Sampled Values Message Dataset Configuration was Changed * | A message (identified by protocol ID) dataset was changed on a source device. This means the device reports a different dataset for this message. | Low | Configuration Changes | Tactics: - Impair Process Control Techniques: - T0836: Modify Parameter |
Not learnable |
| Slave Device Unrecoverable Failure * | An unrecoverable condition error was detected on a source device. This kind of error usually indicates a hardware failure or failure to perform a specific command. | Medium | Command Failures | Tactics: - Inhibit Response Function Techniques: - T0814: Denial of Service |
Not learnable |
| Suspicion of Hardware Problems in Outstation | An unrecoverable condition error was detected on a source device. This kind of error usually indicates a hardware failure or failure to perform a specific command. | Medium | Operational Issues | Tactics: - Inhibit Response Function Techniques: - T0814: Denial of Service - T0881: Service Stop |
Not learnable |
| Suspicion of Unresponsive MODBUS Device | A source device didn't respond to a command sent to it. It might have been disconnected when the command was sent. Threshold: Minimum of 1 valid response for a minimum of 3 requests within 5 minutes |
Low | Unresponsive | Tactics: - Inhibit Response Function Techniques: - T0881: Service Stop |
Not learnable |
| Traffic Detected on Sensor Interface | A sensor resumed detecting network traffic on a network interface. | Low | Sensor Traffic | Tactics: - Discovery Techniques: - T0842: Network Sniffing |
Not learnable |
| PLC Operating Mode Changed | The operating mode on this PLC changed. The new mode might indicate that the PLC isn't secure. Leaving the PLC in an unsecure operating mode might allow adversaries to perform malicious activities on it, such as a program download. If the PLC is compromised, devices and processes that interact with it might be impacted. This might affect overall system security and safety. | Low | Configuration changes | Tactics: - Execution - Evasion Techniques: - T0858: Change Operating Mode |
Not learnable |
Next steps
For more information, see:
- View and manage alerts on the Defender for IoT portal
- View alerts on your sensor
- Accelerate alert workflows
- Forward alert information
- Work with alerts on the on-premises management console
- Alert management API reference for on-premises management consoles
- Alert management API reference for OT monitoring sensors
- Forward alert information
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for