Defender for IoT - Malware Detection
D4IOT Io T Malware Detected
Query
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertType == "IoT_MalwareDetected"
| extend SourceDeviceAddress = tostring(parse_json(ExtendedProperties).SourceDeviceAddress)
| extend SensorId = tostring(parse_json(ExtendedProperties).SensorId)
| extend Additional_Information = tostring(parse_json(ExtendedProperties).["Additional Information"])
| extend IOC = tostring(parse_json(ExtendedProperties).IOC)
| extend Port = tostring(parse_json(ExtendedProperties).Port)
| project TimeGenerated, AlertName, AlertSeverity, AlertType,SensorId, SourceDeviceAddress, Description, Tactics, Techniques, ProductComponentName, Additional_Information, IOC, Port,RemediationStepsAbout this query
Defender for IoT - Malware Detection
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T0867 | Lateral Tool Transfer | https://attack.mitre.org/techniques/T0867/ |
Description
Use the below query to retrieve Security Alerts from Defender for IoT when Malware was detected.
You can also use this query if you want to create a more specific Microsoft Sentinel Analytics rule instead of using the template avaialble in the Microsoft Sentinel content hub "Suspicious malware found in the network (Microsoft Defender for IoT)".
References
Microsoft Sentinel
Explanation
This query retrieves Security Alerts from Defender for IoT when Malware is detected. It filters the alerts by ProviderName and AlertType, then extends and projects specific information related to the alert. This query can be used to create a more specific Microsoft Sentinel Analytics rule for detecting malware in IoT devices.
Details

Alex Verboon
Released: April 21, 2024
Tables
Keywords
Operators
MITRE Techniques