Query Details

Defender for IoT - FTP Authentication failure

D4IOT FTP Authentication Failure

Query

SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertType == "IoT_UserDefinedAlert"
| extend Description = tostring(parse_json(ExtendedProperties).["User Defined Description"])
| where parse_json(ExtendedProperties).["User Defined Description"] == "FTP Authentication failure"
| extend DestinationDevice = tostring(parse_json(ExtendedProperties).DestinationDevice)
| extend DestinationDeviceAddress = tostring(parse_json(ExtendedProperties).DestinationDeviceAddress)
| extend SourceDevice = tostring(parse_json(ExtendedProperties).SourceDevice)
| extend SourceDeviceAddress = tostring(parse_json(ExtendedProperties).SourceDeviceAddress)
| extend SensorId = tostring(parse_json(ExtendedProperties).SensorId)
| extend Protocol = tostring(parse_json(ExtendedProperties).Protocol)
| project TimeGenerated, AlertName, AlertSeverity, AlertType,SensorId, SourceDeviceAddress,DestinationDeviceAddress, Description, Tactics, Techniques, ProductComponentName, RemediationSteps, SourceDevice, DestinationDevice, Protocol

About this query

Defender for IoT - FTP Authentication failure

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T0867Lateral Tool Transferhttps://attack.mitre.org/techniques/T0867/

Description

Use the below query to retrieve Security Alerts from Defender for IoT when a failed FTP authentication event was detected.

You must create a custom alert rule in Defender for IoT

Name: FTP Authentication failure Message: FTP Authentication failure Conditions: FTPresponse_code > 0 or more specific (230 success / 530 failed) Action: Alert

References

Microsoft Sentinel

Explanation

This query retrieves Security Alerts from Defender for IoT when a failed FTP authentication event is detected. It creates a custom alert rule named "FTP Authentication failure" with specific conditions and actions. The query filters alerts based on certain criteria and extracts relevant information for analysis.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 21, 2024

Tables

SecurityAlert

Keywords

SecurityAlertDefenderIoTFTPAuthenticationFailureProviderNameAlertTypeIoT_UserDefinedAlertExtendedPropertiesUser Defined DescriptionDestinationDeviceDestinationDeviceAddressSourceDeviceSourceDeviceAddressSensorIdProtocolTimeGeneratedAlertNameAlertSeverityTacticsTechniquesProductComponentNameRemediationSteps.

Operators

whereextendtostringparse_jsonproject

MITRE Techniques

Actions

GitHub