wagov / WASOCAutomationPlaybook

For testing playbooks

"Denial of Service (Microsoft Defender for IoT)" #20

Open ryan-aus opened 1 year ago

ryan-aus commented 1 year ago

Related to #19

Unsure how to correctly remediate Defender for IoT incidents

KQL from https://github.com/Azure/Azure-Sentinel/blob/735a9d926d0feb726ecea6fdcbbab09b43fdbb8f/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic%20Rules/IoTDenialofService.yaml#L10

```kusto
SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName == "Suspicion of Denial Of Service Attack"
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId),
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress),
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress),
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]),
           Protocol = tostring(ExtendedProperties.Protocol),
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques
```

DGOV-Bryce commented 1 year ago

These are hard without some actual logs to base things off of, but we could be generic from the point of looking at the entities it's pulling out (should this incident occur). As such, we could frame it from checking the IP (as per norm), the remediation steps, whether the protocol should be in use with the device, etc.

Remediation would potentially involve blocking the IP(s), adding firewall exclusions, etc.

Alternatively, we could put those that we can't yet have confidence in the automation rule into a TBC group?
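As an added illustration of the generic framing above (this is example code written for this thread, not part of the WASOCAutomationPlaybook repository or the Sentinel solution), the block below reproduces in Python the filter/extend stage of the KQL query quoted earlier and then applies the three triage checks named in the comment: is the source IP internal or external, what does the vendor's first remediation step say, and is the protocol one the device is expected to speak. The SecurityAlert row, the per-device protocol baseline (`EXPECTED_PROTOCOLS`) and the internal address ranges (`INTERNAL_NETS`) are all constructed placeholders; a real playbook would read the row from Sentinel and the baseline from an asset inventory.

```python
import ipaddress
import json
from typing import Any, Dict, List, Optional

# Assumed per-device protocol baseline (hypothetical inventory, not real data).
EXPECTED_PROTOCOLS: Dict[str, set] = {
    "plc-line3": {"Modbus", "ICMP"},
}

# Assumed internal OT address ranges (hypothetical).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def make_alert(protocol: str = "Modbus", source: str = "203.0.113.45",
               is_new: str = "True") -> Dict[str, Any]:
    """Build a constructed SecurityAlert row shaped like the columns the KQL reads.
    ExtendedProperties and RemediationSteps are JSON strings in that table."""
    return {
        "TimeGenerated": "2023-01-01T00:00:00Z",
        "ProviderName": "IoTSecurity",
        "AlertName": "Suspicion of Denial Of Service Attack",
        "AlertSeverity": "High",
        "ExtendedProperties": json.dumps({
            "isNew": is_new,
            "DeviceId": "plc-line3",
            "SourceDeviceAddress": source,
            "DestinationDeviceAddress": "10.20.30.40",
            "Protocol": protocol,
        }),
        "RemediationSteps": json.dumps(
            ["Verify the source device and isolate it if it is not authorised."]),
    }


def extract_entities(alert: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Mirror the KQL where/extend stage: return the projected fields, or None
    when the row is not a *new* IoTSecurity DoS alert."""
    if alert.get("ProviderName") != "IoTSecurity":
        return None
    if alert.get("AlertName") != "Suspicion of Denial Of Service Attack":
        return None
    props = json.loads(alert.get("ExtendedProperties") or "{}")
    if str(props.get("isNew")) != "True":
        return None
    steps = json.loads(alert.get("RemediationSteps") or "[]")
    return {
        "DeviceId": str(props.get("DeviceId", "")),
        "SourceDeviceAddress": str(props.get("SourceDeviceAddress", "")),
        "DestDeviceAddress": str(props.get("DestinationDeviceAddress", "")),
        "Protocol": str(props.get("Protocol", "")),
        # KQL takes element [0] of the parsed RemediationSteps array
        "RemediationSteps": str(steps[0]) if steps else "",
    }


def is_internal(addr: str) -> Optional[bool]:
    """True/False for a parsable address, None when it cannot be parsed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in INTERNAL_NETS)


def triage(alert: Dict[str, Any],
           expected: Dict[str, set] = EXPECTED_PROTOCOLS) -> Dict[str, Any]:
    """Apply the generic checks from the thread and return findings for an analyst."""
    entities = extract_entities(alert)
    if entities is None:
        return {"applicable": False, "entities": None, "findings": []}
    findings: List[str] = []

    # 1. Check the IP: internal sources are usually a misbehaving or compromised
    #    device rather than something to block at the perimeter.
    src_internal = is_internal(entities["SourceDeviceAddress"])
    if src_internal is None:
        findings.append("source address unparsable; review manually")
    elif not src_internal:
        findings.append("source is external; candidate for perimeter block after analyst review")
    else:
        findings.append("source is internal; inspect the device before blocking")

    # 2. Surface the vendor's remediation step for the analyst.
    if entities["RemediationSteps"]:
        findings.append("vendor remediation: " + entities["RemediationSteps"])

    # 3. Should this protocol be in use with this device?
    allowed = expected.get(entities["DeviceId"])
    if allowed is None:
        findings.append("no protocol baseline for device; add it to the inventory")
    elif entities["Protocol"] not in allowed:
        findings.append("protocol %s not expected on device" % entities["Protocol"])

    return {"applicable": True, "entities": entities, "findings": findings}


if __name__ == "__main__":
    for line in triage(make_alert())["findings"]:
        print("-", line)
```

The `applicable: False` path matters for automation: the KQL only fires on `isNew == "True"`, so a playbook that re-reads the alert later (after Defender for IoT has updated it) must tolerate the row no longer matching rather than treating that as an error.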

ryan-aus commented 1 year ago

My preference is to also leave them aside for now. I would rather give no advice than potentially incorrect advice and give clients a false sense of confidence.