# Defender for IoT - Malware Detection

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T0867 | Lateral Tool Transfer | https://attack.mitre.org/techniques/T0867/ |

### Description

Use the query below to retrieve Security Alerts from Defender for IoT when malware was detected. You can also use this query as a starting point for a more specific Microsoft Sentinel Analytics rule instead of using the template "Suspicious malware found in the network (Microsoft Defender for IoT)" available in the Microsoft Sentinel content hub.

#### References

- [Defender for IoT - Operational Engine Alerts](https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/alert-engine-messages#operational-engine-alerts)

### Microsoft Sentinel

```kql
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertType == "IoT_MalwareDetected"
| extend SourceDeviceAddress = tostring(parse_json(ExtendedProperties).SourceDeviceAddress)
| extend SensorId = tostring(parse_json(ExtendedProperties).SensorId)
// Property names containing spaces must be accessed with bracket notation
| extend Additional_Information = tostring(parse_json(ExtendedProperties)["Additional Information"])
| extend IOC = tostring(parse_json(ExtendedProperties).IOC)
| extend Port = tostring(parse_json(ExtendedProperties).Port)
| project TimeGenerated, AlertName, AlertSeverity, AlertType, SensorId, SourceDeviceAddress, Description, Tactics, Techniques, ProductComponentName, Additional_Information, IOC, Port, RemediationSteps
```
This query retrieves Security Alerts from Defender for IoT when malware is detected. It filters the alerts by ProviderName and AlertType, then extends and projects specific fields related to the alert. It can serve as the basis for a more specific Microsoft Sentinel Analytics rule for detecting malware on IoT and OT devices.
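As an added example (not part of the original page), the following variant shows how the query above can be tightened into the body of a scheduled Analytics rule: it parses ExtendedProperties once, keeps only Medium and High alerts, and collapses repeated detections for the same device on the same sensor into one row with the set of observed indicators. The severity filter and the set sizes are assumptions to tune per environment; the time window is left to the rule's query period.

```kql
// Added example: a deduplicating variant of the Defender for IoT malware query
// for use as a Microsoft Sentinel scheduled Analytics rule. Severity filter and
// set sizes are assumptions, not part of the original query.
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertType == "IoT_MalwareDetected"
| where AlertSeverity in ("High", "Medium")      // assumption: drop Low/Informational noise
// Parse the JSON payload once and pull out the fields used below
| extend props = parse_json(ExtendedProperties)
| extend SourceDeviceAddress   = tostring(props.SourceDeviceAddress),
         SensorId              = tostring(props.SensorId),
         IOC                   = tostring(props.IOC),
         Port                  = tostring(props.Port),
         Additional_Information = tostring(props["Additional Information"])
| where isnotempty(SourceDeviceAddress)           // an alert without a source device cannot be mapped to an entity
// One row per (sensor, device): count repeats, collect indicators, keep the latest alert text
| summarize AlertCount = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            IOCs       = make_set(IOC, 20),
            Ports      = make_set(Port, 20),
            arg_max(TimeGenerated, AlertName, AlertSeverity, Description,
                    Tactics, Techniques, Additional_Information, RemediationSteps)
        by SensorId, SourceDeviceAddress
| project FirstSeen, LastSeen, AlertCount, SensorId, SourceDeviceAddress,
          AlertName, AlertSeverity, IOCs, Ports, Tactics, Techniques,
          Description, Additional_Information, RemediationSteps
```

In the rule wizard, map SourceDeviceAddress to the IP entity so that incidents from this rule group by the affected device rather than by individual alert.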

Alex Verboon
Released: April 21, 2024