
# Defender for IoT - PLC Operating Mode Changed

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T0858 | Change Operating Mode | https://attack.mitre.org/techniques/T0858/ |

### Description

Use the query below to retrieve Security Alerts from Defender for IoT raised when a change of a PLC's operating mode (for example from Run to Program) was detected.

#### References

- [Defender for IoT - Operational Engine Alerts](https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/alert-engine-messages#operational-engine-alerts)

### Microsoft Sentinel

```kql
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName == "PLC Operating Mode Changed"
// ExtendedProperties is a JSON string; parse it once and pull out the fields of interest
| extend Props = parse_json(ExtendedProperties)
| extend SourceDeviceAddress = tostring(Props.SourceDeviceAddress)
| extend SensorId = tostring(Props.SensorId)
| project TimeGenerated, AlertName, AlertSeverity, AlertType, SensorId, SourceDeviceAddress, Description, Tactics, Techniques, ProductComponentName, RemediationSteps
```

### Explanation

This query retrieves Security Alerts from Defender for IoT when a PLC Operating Mode change is detected. It filters alerts from the "IoTSecurity" provider with the name "PLC Operating Mode Changed" and includes details like time generated, alert severity, sensor ID, source device address, description, tactics, techniques, product component name, and remediation steps.
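To show what the query's filter, extend and project steps do to individual rows, here is an added Python re-implementation of the same logic run over constructed sample `SecurityAlert` rows. This is not code from the original page or from Microsoft; the row values, the `AlertType` strings and the sensor and address values are all made up for illustration. It mirrors the KQL semantics where it matters for triage: `tostring(parse_json(ExtendedProperties).X)` yields an empty string when the property bag is missing, malformed or lacks the key, so the hardened parser below does the same instead of raising.

```python
import json
from collections import Counter

# Constructed sample SecurityAlert rows (illustrative only, not real Defender for IoT output).
SAMPLE_ALERTS = [
    {   # matches both filters, well-formed property bag
        "TimeGenerated": "2024-04-21T08:15:02Z",
        "ProviderName": "IoTSecurity",
        "AlertName": "PLC Operating Mode Changed",
        "AlertSeverity": "Medium",
        "AlertType": "constructed-alert-type",
        "ExtendedProperties": '{"SourceDeviceAddress": "10.0.10.5", "SensorId": "sensor-01"}',
        "Description": "PLC operating mode changed.",
        "Tactics": "constructed-tactic",
        "Techniques": "T0858",
        "ProductComponentName": "constructed-component",
        "RemediationSteps": "constructed-steps",
    },
    {   # matches both filters, but ExtendedProperties is not valid JSON
        "TimeGenerated": "2024-04-21T08:20:44Z",
        "ProviderName": "IoTSecurity",
        "AlertName": "PLC Operating Mode Changed",
        "AlertSeverity": "Medium",
        "AlertType": "constructed-alert-type",
        "ExtendedProperties": "not-json",
        "Description": "PLC operating mode changed.",
        "Tactics": "constructed-tactic",
        "Techniques": "T0858",
        "ProductComponentName": "constructed-component",
        "RemediationSteps": "constructed-steps",
    },
    {   # right provider, different alert name: filtered out
        "TimeGenerated": "2024-04-21T08:22:10Z",
        "ProviderName": "IoTSecurity",
        "AlertName": "constructed-other-alert",
        "ExtendedProperties": '{"SourceDeviceAddress": "10.0.10.9", "SensorId": "sensor-01"}',
    },
    {   # right alert name, different provider: filtered out
        "TimeGenerated": "2024-04-21T08:25:00Z",
        "ProviderName": "constructed-other-provider",
        "AlertName": "PLC Operating Mode Changed",
        "ExtendedProperties": '{"SourceDeviceAddress": "10.0.10.5", "SensorId": "sensor-02"}',
    },
]

# Same column list as the query's project step.
PROJECTED_COLUMNS = (
    "TimeGenerated", "AlertName", "AlertSeverity", "AlertType", "SensorId",
    "SourceDeviceAddress", "Description", "Tactics", "Techniques",
    "ProductComponentName", "RemediationSteps",
)


def extended_property(raw, key):
    """Mirror tostring(parse_json(ExtendedProperties).<key>): return "" when the
    bag is missing, not valid JSON, not a JSON object, or has no such key."""
    try:
        bag = json.loads(raw) if isinstance(raw, str) else raw
    except ValueError:          # json.JSONDecodeError is a ValueError
        return ""
    if not isinstance(bag, dict):
        return ""
    value = bag.get(key)
    return "" if value is None else str(value)


def plc_mode_change_alerts(rows):
    """Apply the two where-filters, the two extend steps and the project step."""
    results = []
    for row in rows:
        if row.get("ProviderName") != "IoTSecurity":
            continue
        if row.get("AlertName") != "PLC Operating Mode Changed":
            continue
        props = row.get("ExtendedProperties")
        enriched = dict(row)
        enriched["SourceDeviceAddress"] = extended_property(props, "SourceDeviceAddress")
        enriched["SensorId"] = extended_property(props, "SensorId")
        # project: keep only the listed columns, empty string for absent ones
        results.append({col: enriched.get(col, "") for col in PROJECTED_COLUMNS})
    return results


def count_by_source(projected):
    """Group matched alerts by (SensorId, SourceDeviceAddress) so repeated mode
    changes from one address stand out during triage."""
    return Counter((r["SensorId"], r["SourceDeviceAddress"]) for r in projected)


if __name__ == "__main__":
    matched = plc_mode_change_alerts(SAMPLE_ALERTS)
    for r in matched:
        print(r["TimeGenerated"], r["SensorId"] or "<no sensor>", r["SourceDeviceAddress"] or "<no address>")
    print(count_by_source(matched))
```

Rows whose `SensorId` or `SourceDeviceAddress` comes back empty are worth a second look rather than being dropped: the alert itself still fired, only its enrichment is missing, which is why the query keeps them too.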

### Details

Author: Alex Verboon

Released: April 21, 2024

### Tables

- SecurityAlert

### Keywords

SecurityAlert, IoTSecurity, PLCOperatingModeChanged, SourceDeviceAddress, SensorId, TimeGenerated, AlertName, AlertSeverity, AlertType, Description, Tactics, Techniques, ProductComponentName, RemediationSteps

### Operators

`where`, `extend`, `parse_json`, `project`